[clue] Speaker for 2014-11-11 talk.

Andrew Diederich andrewdied at gmail.com
Mon Nov 10 19:44:58 MST 2014 

On Mon, Nov 10, 2014 at 6:59 PM, Aaron D. Johnson <adj at fnord.greeley.co.us>
wrote:

> Andrew Diederich writes:
> > Encrypting the file before you send it doesn't help protecting the
> > transit of the file.  (I vaguely remember, from years ago, that
> > combining certain layered encryption made the contents easier to
> > figure out.)  If you need the file encrypted from where it starts,
> > or need it encrypted where it ends up, then encrypting it makes
> > sense.  But otherwise it doesn't.
>
> Encrypting and signing it before sending it assures the receiver that
> its contents were not disclosed in transit and that the contents of
> the file were not modified while moving across a network controlled by
> other, possibly hostile, parties.
>
> Whether that is part of the David's security team's requirements, I
> cannot say.
>
> Does that make sense?  I may not be explaining very well.


Yes, that makes sense. It ties in to the foot-stomp that, to get the right
implementation, you need to know what the security requirements really are.
:) I pulled out my Security+ book just now to get the words right. It talks
about confidentiality, integrity, and availability. The last is just
disaster recovery and redundancy. In-transit confidentiality is covered by
sftp working over the ssh protocol, assuming the sending and receiving
servers aren't cracked. For the at-rest part, encrypting the file makes
that better. For integrity (i.e. making sure the file hasn't been modified)
a signature works, and we've all seen tarballs with md5 or SHA hashes for
the same purpose.

And if anyone has a security team that quickly and clearly identifies the
security requirements for the system, understands your product and the
cost/benefit of the various implementation choices, and can prioritize the
work, just keep giving them money until they have no thought of leaving.
They're worth it.

-- 
Andrew Diederich
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cluedenver.org/pipermail/clue/attachments/20141110/9410c22d/attachment.html

More information about the clue mailing list