SCS-C01 Amazon AWS Certified Security Specialty – Domain 5 – Data Protection part 1

  1. Introduction to Cryptography

Hey everyone and welcome to the Knowledge Portal video series. And today we will be speaking about cryptography. Now, cryptography was generally considered as one of the most boring subjects during the Bachelor’s time in network security. The reason why is because it was full of mathematics. But after passing out from the Bachelor’s, we realized that the wireless devices actually work a lot based on cryptography. And there were some weak cryptographic algorithms like RC4 which were easily hacked. And once you break that, you can get the WiFi password. So doing those fun things, cryptography really became one of the very interesting subjects. So let’s go ahead and talk about cryptography in an interesting way. So this is something that I would really relate to a lot of people over here.

Me and my friend many years back, we used to have some secret code words. So when we used to go out with other people for a trick and we were quite bored and we wanted to have some different adventure, then we used to say that secret code word which only me and my friend used to understand. So even if we tell it among a group of people, only me and my friend would understand the true meaning of that code word. So this is something that I am sure most of you might be related to, like you might have some secret code words among you and your brother or you and your sister that your parents would not understand. So the main meaning or the main importance of having this secret code word is that only the receiving and the intended sender would be able to understand the true message of the code.

And even if it is transmitted in between a lot of people, only you and the receiver would understand. And this is the basis of encryption. So when we talk about a very simple encryption algorithm, it is a direct one to one mapping. So you have some symbols on the left hand side and each is mapped to a specific alphabet. So this symbol is mapped to A. Then you have this curly braces like symbol mapped to B. Then there are various other symbols which are mapped. So whenever you are sending some kind of a message via let’s assume a letter, then instead of writing A, you would draw this symbol, instead of writing I, you would draw this symbol. So even if someone would open up the letter and try to read the message, he would not understand it because it is all in a symbolic form.

So this is considered as one of the simplest encryption algorithms. So let’s look into how that would work out. So on the first row you have the plaintext and second you have the cipher. So what you are doing is you are mapping a specific alphabet of a plain text to a specific alphabet of a cipher text. So A is mapped to Y, B is mapped to G, C is mapped to A, D is mapped to B, and so on. So when you have a normal password over here, let’s assume that this is your password, which is my password. And now, if you do a mapping, you see M. M is mapped with K, so you replace M with K. Y is mapped with W. Y is mapped with W. Similarly, P is mapped with N, so you have P is mapped with N. So your normal password, after you perform a specific algorithm based encryption, it gets converted into a ciphertext.

So this is a plain text data and this is a ciphertext data. Ciphertext is once it is encrypted with some kind of encryption algorithm. So now, if attacker tries to read this specific message, he will not understand the true meaning unless he has this similar mapping. So this is a very simple encryption algorithm which was used like thousands of years ago. So nowadays encryption algorithms are super complex and encryption is one topic which was extensively used during the World War times, specifically during the World War Two. So let’s go ahead and understand one of the very important encryption algorithm type, which is symmetrical encryption. So what you really have here is you have a plaintext data. In our case, it is Knowledge Portal. You run it through an encryption algorithm and you feed in a secret key.

So encryption algorithm along with the secret key will encrypt this plaintext data and you have a resultant ciphertext data. So this is a ciphertext data. And on the other side, on the receiving side, you have the encryption algorithm, you do the decryption, you have the encryption algorithm, you pass in the secret key again and you have the resultant plain text data over here. So one very important part over here is the secret key. So without secret key, you will not be able to decrypt the encrypted data which is present. So let’s go ahead and understand on how that would really work. So, there is a nice website called Encipher It, which is a classic example of a symmetric key encryption. So, as suggested, we’ll put a plain text data Knowledge Portal. Now, I click on Encipher It and it is asking me for a password.

Let me feed in a password and I’ll click on Encipher It. So it has given me the encrypted data back. So now let me just cancel it. Once I copy the encrypted data, you will see that Knowledge Portal is converted to some random value. So if an attacker tries to get this specific value, he’ll not be able to get the true plaintext data back unless and until he has the secret key through which the plaintext data was encrypted. So once I put in here, if I put decipher, it will ask me for the decryption password. So if I give a random decryption password, which is not correct, and I try to decrypt it, it says that it is an invalid password. So I have to put the right decryption key. And now you see, I got my plaintext data back. So one very important thing to remember is that the key is of prime importance.

If your secret key is lost, then the encryption will be broken and during the WiFi. So when you configure your WiFi, you put your password. So that password is your secret key, which will encrypt the communication between your hardware and your wireless device. So if you give away your password, it is very easy to break the encryption based algorithms which is present. So, going back to the PPT, the question again is why encryption is required. So this is one of the very simple example where this is your computer and this is, let’s assume, your Gmail server and there is a hacker who is sitting in between. So when you go to a Gmail login form, it will ask you for an email ID and a password. So you put in your email ID, you put in your password. And if an attacker is sniffing into a network and he will be able to get your email address and password in a plain text and he can use it anytime.

And now, after encryption, if your password is encrypted, even if an attacker is sniffing the network, he’ll find that the password is not in plaintext data. So he cannot use it to log into a Gmail server unless and until he decrypts this specific password. And this is one of the prime importance of an encryption nowadays. In most of the login forms, almost all the banks and all the big providers, they use HTTPS. So that S stands for Secure. Secure means there is some kind of an encryption which is used so that even a third party who is trying to access your messages, he’ll not be able to find that in a plaintext data. So, when we were speaking about this simple design algorithm, you might find that this is quite easy. But in reality, the encryption algorithms are super complex and it is really very difficult to break encryption algorithm nowadays. So there are some standard algorithms which are used as far as 2017, 2018 are concerned. We will be speaking about them in the upcoming lectures.

But just understand that it is not quite easy to break encryption algorithm. So, speaking about some real world scenarios, during the World War II, there was a very famous machine called as Enigma, which used to encrypt the data. And it was used by the Germans. And it used to be a real pain because any communication that they used to send among their team members across the country, the enemies, they were able to capture the communication, but they were not able to decrypt it because it was encrypted with a very famous machine called as Enigma. And one of the true value of this machine was the secret key used to rotate every single day. So even if the enemy used to find out the secret key, he would not be able to decrypt the data as far as today is concerned, because the secret key used to change every single day.

And there is a very famous movie called as The Imitation Game, which is specifically based on the Enigma cipher. And it is a story about a British mathematician called as Alan, who is trying to build a machine that would decrypt the encryption codes, which are specifically built using the Enigma cipher. So I would really encourage you to watch this movie as it will give you great insights related to the importance of cryptography and ciphers in communications. So this is it about this lecture. I hope you got the basic understanding on what a cryptography is and why is it used. In the upcoming lecture, we’ll go more detail into the topics related to the encryption. I hope this has been informative for you, and if you have any doubts, questions, suggestion, feel free to mail us at instructors at the rate Kblabs in, or connect us at Twitter, Facebook and LinkedIn. Thanks for watching.

  2. Plain Text vs Encrypted Text Based Algorithms

Hey everyone and welcome to the Knowledge Portal video series. So in the earlier lecture we had understood the basics about what protocols are, and today we’ll understand protocols as far as the cryptography is concerned. So there are two types of protocols. One is plain text and second is encrypted text. So let’s go ahead and understand more about it. So, this is one of the slides which we discussed in the earlier lectures, where there are various types of protocols which are available. You have FTP, DNS, TCP, SFTP, HTTP, IP and many more. Now, some of these protocols will natively send data in plain text. However, some of the protocols will natively send data in an encrypted format.

So one classic example that we will be discussing today in practical is the file transfer protocol FTP and the secure file transfer protocol SFTP. So FTP will send the data natively in plain text. So an attacker who is sniffing the network will be able to look into everything in plain text format. However, when we use SFTP, everything will be in an encrypted format. So even if an attacker is sniffing the traffic, he will not be able to understand how or what exactly the data is being sent. So let’s do one thing, let’s go to our practical session and understand about these two protocols in practical scenario. So, we have our favorite CentOS machine up and running. Let me just maximize the screen so it will become visible.

So what I’ll do is I’ll log into root and let’s open up Wireshark. So Wireshark is a great tool to sniff the network traffic. Perfect. So let’s do one thing, let’s verify if I have my FTP related package installed. Perfect. So I have my vsftpd package installed and we will look into this specific aspect with both FTP and SFTP protocol. Perfect. So let’s do one thing. In my Wireshark I’ll select the interface. So just if you want to try it out, I have my main interface which is ens33. I have also a loopback interface and I have my third interface as well. So since I have my vsftpd package up and running, let’s verify and let’s do a quick netstat. I’ll do a net and you see I have vsftpd running on port 21.

So for the time being, so that we don’t receive unnecessary traffic, I’ll select loopback as the primary interface and I’ll click on Start. So now you see I don’t really have any packets which are flowing here. So let’s do one thing, let’s connect to FTP on 127.0.0.1. And now it is asking me for the username. The username will be zura. So this will be the username which is present in the machine. Let me just verify, okay Zeelbora, it is asking me for a password. I’ll put in the password and now you see it is saying login successful. So I was successfully able to log into FTP. Now, we have discussed that FTP is a plain text protocol. So if you will see, there is a lot of packets which have been captured. So let’s do one thing, I’ll maximize the screen and since we had logged in via FTP, FTP is a plain text protocol.

And now if you see within the protocol type, which is FTP, it is saying that the request username was Zelbora. So you will actually be able to find this under the FTP protocol. So the username is Zeelbora and we had also entered the password. So in my case, the password was string password. So it is actually showing me the password in plain text. So this is what an attacker can actually do if he’s sniffing into your traffic, he can get both your username and password in plain text and he can get all the responses if you see login successful. So, this is one of the challenges with plain text protocol. Let’s do one thing, I’ll close this terminal and this time we will be using encrypted text protocol, which would be SFTP. So I’ll restart the session.

Perfect. So I’ll use SFTP, Zelbora at 127.0.0.1, it is asking me for password. I’ll feed in the password and now I’m connected via SFTP. So now I close this session. Let me maximize the screen. And here, if you will see the initial, there is a key exchange. So, key exchange is basically used to exchange the secret key which will be used to encrypt the data. And once the key has been received, all the data which you see all the data is in form of encrypted packets. So even if you open up the strings, you will not be able to find the plaintext data. It seems someone is calling me, I’ll pick up later. So, this is all the packets which are part of SFTP are in encrypted format. So in this case, even if a user or even if an attacker is watching your traffic or sniffing your traffic, all he’ll get is he’ll get the packets in encrypted format.

So you will see this is the encrypted packet and he’ll not be able to make out or he’ll not be able to decrypt the packet unless and until he has the secret key. So this is the reason why having the encrypted protocols to be used is extremely important. And this is the reason why specifically in the login forms you will find that websites are using HTTPS, which basically encrypts all the communication so that your login cannot be found. So, this is it about this lecture. I hope this has been informative and I look forward to seeing you in the next lecture.
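A defender's view of the two captures described above, as an added example that is not from the lecture: a small audit routine that takes reassembled client-to-server payloads, flags FTP logins sent in cleartext, and records only the password length. The sample streams, user name and password are constructed for illustration.

```python
import re

FTP_CMD = re.compile(rb"^(USER|PASS)\s+(.*)$", re.IGNORECASE)

# Constructed sample payloads (not taken from the lecture's capture).
# The FTP login is deliberately split across TCP segments.
FTP_CHUNKS = [b"USER example", b"user\r\nPA", b"SS Constructed-Pass1\r\nQUIT\r\n"]
SSH_CHUNKS = [b"SSH-2.0-OpenSSH_8.0\r\n", bytes([0, 0, 1, 0x2C, 0x0A, 0x14]) + bytes(range(40))]


def audit_stream(chunks):
    """Classify one client-to-server byte stream and report exposed logins.

    chunks: TCP payloads in order; a command may span several segments,
    so they are joined before the control channel is parsed.
    """
    data = b"".join(chunks)
    finding = {"protocol": "unknown", "user": None, "password_exposed": False}
    if data.startswith(b"SSH-"):
        # SSH identification string; SFTP runs inside this session and
        # everything after the key exchange is encrypted.
        finding["protocol"] = "ssh"
        return finding
    for line in data.split(b"\r\n"):
        match = FTP_CMD.match(line)
        if not match:
            continue
        finding["protocol"] = "ftp"
        verb, arg = match.group(1).upper(), match.group(2)
        if verb == b"USER":
            finding["user"] = arg.decode("ascii", "replace")
        else:
            finding["password_exposed"] = True
            finding["password_length"] = len(arg)  # never keep the value
    return finding


def needs_remediation(streams):
    """Return names of streams whose login crossed the wire in cleartext."""
    return sorted(name for name, chunks in streams.items()
                  if audit_stream(chunks)["password_exposed"])


if __name__ == "__main__":
    streams = {"lo:21": FTP_CHUNKS, "lo:22": SSH_CHUNKS}
    for name, chunks in streams.items():
        print(name, audit_stream(chunks))
    print("move to SFTP:", needs_remediation(streams))
```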

  3. CloudHSM

Hey everyone, and welcome back. In today’s video, we will be discussing about CloudHSM. Now, a CloudHSM is basically a HSM device. And HSM stands for the hardware security module. Now, these devices, this is a hardware device. It is basically a special kind of a device, which is specifically designed to safeguard and manage the digital keys for a stronger authentication. So let me give you an example. So let’s say this is a key. I hope you are able to see it. So let’s say that this key is of a locker and you have a very, very important data inside the locker. So the safety of that data or the safety of that item which is present inside the locker is dependent on this specific key over here. All right? Now, if this key is lost or if this key is stolen, then the data or the item which is present within the locker is at risk.

So I actually took it from my mom. I’ll quickly give it back to her before she comes anyways. So, similar to the key example that we took, when it comes to data, we make use of encryption keys. So let’s say that you have generated an encryption key and that encryption key is used to encrypt all the data within your database. Now, the problem is, where will you store that encryption key? Will you put it in your notepad file or will you put it in Evernote or where? So this device basically solves the problem for that. Now, HSM device is primarily used for storing the keys. However, it is not just limited to that in terms of functionality. It can do a lot of other functions, but the primary one is storing the keys. Now, this device, typically it must be tamper resistant.

That means that if anyone tries to tamper with this hardware, because this is a hardware device. Now, let’s say that you have this hardware device stored in your data center, and data center is managed by some different organization. And if someone from that organization tries to open up this device to maybe take the hard disk out. So you need to be very careful with that, because if he gets the access to the hard disk and if it is not encrypted there, then he’ll get the access to your key. So this device is tamper resistant. Basically, what happens is that if anyone tries to tamper with this device, it automatically deletes the key. So this is one of the important characteristics of a typical HSM. Now, the problem with this HSM device is that they are quite expensive.

And if you go for compliance and you are storing some kind of a PII data or some critical data, compliance will mandate you to have a HSM. And these HSM devices are quite costly. And this is the reason why AWS has really come up with a great offering of CloudHSM. Now, CloudHSM is AWS offering of using a dedicated HSM within your cloud. Now, prior to CloudHSM, what organization used to do is that they used to buy this HSM device and they used to store it in their on premise location and then they used to encrypt all of the data, maybe in the database in AWS or in any other cloud provider. So, since there was HSM in on premise and data in cloud, it used to bring a lot of latency. And this is the reason why, if your data is in cloud, you can go with CloudHSM and you will have a minimal amount of latency there.

Now, you need to make sure that the HSM device that you are buying, make sure that it is internationally recognized against the standards like FIPS 140 or Common Criteria. Now, when it comes to the CloudHSM pricing, this was the older pricing. So earlier the problem was that organization had to pay an upfront cost of $5,000 if you wanted to get a CloudHSM. And on top of that, you had to pay an hourly fee of $1.88 per hour. And because of this upfront fee, a lot of startups, a lot of organization, they were not really opting for the CloudHSM device. However, now good news is that AWS has removed the upfront pricing. So you see, it says that there are no upfront cost to using CloudHSM. So the only thing that you pay is for the device at hourly basis. So for Virginia, you have $1.60 per hour, then you have $1.45 per hour in Ohio.

Mumbai is quite expensive. It is $2.5 per hour anyways. So I hope you understood what a CloudHSM is at the high level overview and also the pricing aspect. So let’s discuss some of the important pointers for exam, as far as CloudHSM is concerned. First is that CloudHSM is single tenanted. That basically means that it is a single physical device which can only be used for you. So it is not a shared device. Now, the second important point is that it must be used within the VPC. Now, we can also integrate CloudHSM with various other services like Redshift and RDS for Oracle and new services, they’ll keep on coming. Now, for fault tolerance, we need to build the cluster of two HSM device. So let’s say that you purchased one CloudHSM and due to some reason it might be power network or the hardware issue.

If this CloudHSM goes down, then basically your keys will not be accessible till that time. And this is the reason why it’s better to have a fault tolerant in place. And in order to do that, you need to build a cluster of two CloudHSM. Now, AWS uses SafeNet Luna HSM appliance for CloudHSM. This is an important point to remember. Do make sure that you remember the SafeNet Luna SA part and also these HSMs are FIPS validated. Now, the CloudHSM, they typically have two partitions. One is for the AWS monitor and second is for the cryptographic partition where you can store the keys. So the cryptographic partition is something that no one except you has access to. So this is the high level overview and the important pointers associated with CloudHSM. I hope this video has been informative for you and I look forward to seeing you in the next video.
