Modern encryption techniques provide several important security properties, well known to most practitioners. Or are they? What are in fact the guarantees of, say, HTTPS TLS cipher suites using authenticated encryption, IPSec vs. SSL VPNs, Property Preserving Encryption, or token vaults? We live in an era of embedded Hardware Security Modules that cost less than $1 in volume, and countless options now exist for encrypting streaming network data, files, volumes, and even entire databases. Let’s take a deep dive into the edge of developed practice to discuss real-world threat scenarios to public cloud and IoT data, and look closely at how we can address specific technical risks with our current encryption toolkits. Advanced math not required.
Kenneth White is a security researcher whose work focuses on networks and global systems. He is co-director of the Open Crypto Audit Project (OCAP), currently managing a large-scale audit of OpenSSL on behalf of the Linux Foundation’s Core Infrastructure Initiative. Previously, White was Principal Scientist at Washington DC-based Social & Scientific Systems where he led the engineering team that designed and ran global operations and security for the largest clinical trial network in the world, with research centers in over 100 countries. White co-founded CBX Group which provides security services to major organizations including World Health, UNICEF, Doctors without Borders, the US State Department, and BAO Systems. Together with Matthew Green, White co-founded the TrueCrypt audit project, a community-driven initiative to conduct the first comprehensive cryptanalysis and public security audit of the widely used TrueCrypt encryption software.
White holds a Masters from Harvard and is a PhD candidate in neuroscience and cognitive science, with applied research in real-time classification and machine learning. His work on network security and forensics and been cited by media including the Wall Street Journal, Forbes, Reuters, Wired and Nature. White is a technical reviewer for the Software Engineering Institute, and publishes and speaks frequently on computational modeling, security engineering, and trust. He tweets @kennwhite.