Category Archives: Encryption

Security Awareness – Encryption | Office of Information …

Overview

Encryption is the transformation of information into a form that is only readable by those with particular knowledge or technology to prevent others who might have access to the information from reading it. It has long been used for messages in transit, whether carried by hand, transmitted via radio or sent over a computer network if the message is intercepted, the interceptor would be unable to interpret the information. It also serves an important role for stored information to protect it in case of loss or theft.

While the concepts and processes of encryption greatly pre-date modern computing, the topic has become increasingly popular in computing over the past few years. This has largely been fueled by the vast increase of information transfer over computer networks and the increased security concerns that accompany a massively interconnected “always online” computing environment.

OIToffers and supports PGP software and licenses to faculty and staff for whole disk encryption. Whole disk encryption will keep educational records and confidential data secure in case your laptop is lost or stolen. This information should only be stored on a mobile device, like a laptop, when there is a specific business purpose. Find out if PGP whole disk encryption is right for you.

If we had a number we wished to keep secret (say the combination to a safe), one option to protect it is to encrypt the number, after all we can’t store the combination to the safe inside the safe. Let’s say the combination is 12-28-11 which we shorten to just 122811. Let’s use some simple math to make it into a scrambled number.

Here’s an equation that adds a secret number (n) to the combination and then multiplies the result by the same secret number:

If we pick 5 as our secret number, then we get:

Our scrambled number, 614080, is an encrypted version of our safe combination. To get our combination number back, we need to know our secret number and the formula used to create the scrambled number. Here’s the formula:

We insert our secret number and our scrambled number:

And solve the equation to find our combination:

We have successfully developed our own encryption process for our safe combination.

The process of transforming readable information into an unreadable form. Making the safe combination into the scrambled number.

Decrypt

The process of transforming encrypted information back into its readable form. Making the scrambled number back into the safe combination.

Key

The item used, along with the algorithm, to encrypt and decrypt information. . In the example above, the secret number, n, was our key. The key could be a password, a special file or a hardware device often called a token Strong encryption processes may use multiple keys like both a password and a token.

Key length

Algorithm

The mathematical technique used, along with the key(s), to encrypt and decrypt information. In the example above, the equation, n*(combination + n)=scrambled number, was our algorithm. Popular encryption algorithms include: AES, DES, triple-DES, RSA, blowfish, IDEA

Information is considered “at rest” when it is saved to a computer or storage device (like a CD, tape or thumbdrive) which is usually in contrast to “in transit”. Note that data can be considered “at rest” while physically moving like someone carrying a CD with information.

Information is “in transit” when it is being transferred over a network. This could be copying a file from a file server, submitting a webpage order form or sending an email.

The behavior of an encryption technology/product which keeps a file encrypted when it is moved between disks or computers. Many forms of encryption only keep information encrypted when stored in a particular location.

Symmetrical vs Asymmetrical

Encryption/decryption processes are often referred to as being either symmetrical or asymmetrical, which relates to what keys are used to encrypt and decrypt information.

In symmetrical encryption, the same key is used to encrypt and decrypt the information. The most common use of this technique is password encryption where the same password is used to encrypt and decrypt the information. This method is simple and useful when sharing the key isn’t problematic (either the key isn’t shared or all parties are trusted with the information). It requires that all parties who need to encrypt or decrypt the information safely obtain the key.

In asymmetrical encryption, there are two different keys one used to encrypt the information and one used to decrypt the information. In this approach, the key used to encrypt the information cannot be used to decrypt it. This technique is useful when sharing a key might be problematic. These two keys are often referred to as public and private keys. As the names imply, the public key is openly distributed as it can only be used to encrypt information and the private key that can decrypt the information is protected.

Key managementPerhaps the most important aspect of encryption deployment is management of keys. This includes what types of keys are used (passwords, files, tokens, certificates, etc), how they are given to users, how they are protected and how to deal with a lost key scenario. Each technology and product handles this differently, but the lost key scenario is usually the most concerning since it could lead to either an unauthorized person decrypting information or the inability for authorized people to decrypt information. Many encryption horror stories come in the form of not being able to decrypt the only copy of very important information. Pay careful attention to key generation, distribution, use, recovery and security when looking into encryption options.

Impacts to system/data managementWhen files or disks are encrypted, an IT administrator might have to adapt some of their management processes or tools. For example, what impact do encrypted hard drives have on system imaging? What about the use of wake-on-LAN for management? The answers to these questions vary with your management processes and the encryption product, so it’s important to understand how encryption products will impact your IT environment.

When does encryption stay with the file?Many forms of encryption only protect information while it is transferred over the network (like a website using SSL) or while it is stored in a particular place (like on an encrypted hard drive). This means that once the file is moved out of the situation, it is no longer encrypted. This often confuses users who think encryption “sticks” to files and they can email a file stored on an encrypted disk and it will stay encrypted as an email attachment, or copy a file from an encrypted disk to a thumb drive and the file will remain encrypted. It’s important to understand the conditions under which a file will be encrypted and explain those conditions to those in your department. Since encryption conditions vary by technology, product and implementation, there isn’t a general rule.

Follow this link:
Security Awareness – Encryption | Office of Information …

Data Encryption and Decryption (Windows)

This documentation is archived and is not being maintained.

Encryption is the process of translating plain text data (plaintext) into something that appears to be random and meaningless (ciphertext). Decryption is the process of converting ciphertext back to plaintext.

To encrypt more than a small amount of data, symmetric encryption is used. A symmetric key is used during both the encryption and decryption processes. To decrypt a particular piece of ciphertext, the key that was used to encrypt the data must be used.

The goal of every encryption algorithm is to make it as difficult as possible to decrypt the generated ciphertext without using the key. If a really good encryption algorithm is used, there is no technique significantly better than methodically trying every possible key. For such an algorithm, the longer the key, the more difficult it is to decrypt a piece of ciphertext without possessing the key.

It is difficult to determine the quality of an encryption algorithm. Algorithms that look promising sometimes turn out to be very easy to break, given the proper attack. When selecting an encryption algorithm, it is a good idea to choose one that has been in use for several years and has successfully resisted all attacks.

For more information, see Data Encryption and Decryption Functions.

Go here to read the rest:
Data Encryption and Decryption (Windows)

Trumps DOJ tries to rebrand weakened encryption as responsible …

A high-ranking Department of Justice official took aim at encryption of consumer products today, saying that encryption creates “law-free zones” and should be scaled back by Apple and other tech companies. Instead of encryption that can’t be broken, tech companies should implement “responsible encryption” that allows law enforcement to access data, he said.

“Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety,” Deputy Attorney General Rod Rosenstein said in a speech at the US Naval Academy today (transcript). “Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.”

Rosenstein was nominated by President Donald Trump to be the DOJ’s second-highest-ranking official, after Attorney General Jeff Sessions. He was confirmed by the Senate in April.

Rosenstein’s speech makes several references to Apple, continuing a battle over encryption between Apple and the US government that goes back to the Obama administration. Last year, Apple refused to help the government unlock and decrypt the San Bernardino gunman’s iPhone, but the FBI ended up paying hackers fora vulnerabilitythat it used to access data on the device.

“Fortunately, the government was able to access data on that iPhone without Apple’s assistance,” Rosenstein said. “But the problem persists. Today, thousands of seized devices sit in storage, impervious to search warrants.”

“If companies are permitted to create law-free zones for their customers, citizens should understand the consequences,” he also said. “When police cannot access evidence, crime cannot be solved. Criminals cannot be stopped and punished.”

We asked Apple for a response to Rosenstein’s speech and will update this story if we get one.

Separately, state lawmakers in New York and California have proposed legislationto prohibit the sale of smartphones with unbreakable encryption.

Despite his goal of giving law enforcement access to encrypted data on consumer products, Rosenstein acknowledged the importance of encryption to the security of computer users. He said that “encryption is a foundational element of data security and authentication,” that “it is essential to the growth and flourishing of the digital economy,” and that “we in law enforcement have no desire to undermine it.”

But Rosenstein complained that “mass-market products and services incorporating warrant-proof encryption are now the norm,” that instant-messaging service encryption cannot be broken by police, and that smartphone makers have “engineer[ed] away” the ability to give police access to data.

Apple CEO Tim Cook has argued in the past that the intentional inclusion of vulnerabilities in consumer products wouldn’t just help law enforcement solve crimesit would also help criminals hack everyday people who rely on encryption to ensure their digital safety.

Rosenstein claimed that this problem can be solved with “responsible encryption.” He said:

Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.

No one calls any of those functions a “back door.” In fact, those capabilities are marketed and sought out by many users.

It’s not clear exactly how Rosenstein would implement his desired responsible encryption.

Rosenstein’s”key recovery when a user forgets the password to decrypt a laptop” reference seems to refer to Apple and Microsoft providing the ability to store recovery keys in the cloud. But users who encrypt Mac or Windows laptops aren’t required to do thisthey can store the keys locally only if they prefer. To guarantee law enforcement access in this scenario, people who encrypt laptops would have to be forced to store their keys in the cloud. Alternatively, Apple and Microsoft would have to change the way their disk encryption systems work, overriding the consumer’s preference to have an encrypted system that cannot be accessed by anyone else.

Rosenstein gave some further insight into how “responsible encryption” might work in this section of his speech:

We know from experience that the largest companies have the resources to do what is necessary to promote cybersecurity while protecting public safety. A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices. That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important. Companies can protect their ability to respond to lawful court orders with equal diligence.

Of course, there are many examples of companies leaking sensitive data due to errors or serious vulnerabilities. The knowledge that errors will happen at some point explains why technology companies take so many precautions to protect customer data. Maintaining a special system that lets third parties access data that would otherwise only be accessible by its owner increases the risk that sensitive data will get into the wrong hands.

Rosenstein claimed that “responsible encryption can protect privacy and promote security without forfeiting access for legitimate law enforcement needs supported by judicial approval.” But he doubts that tech companies will do so unless forced to:

Technology companies almost certainly will not develop responsible encryption if left to their own devices. Competition will fuel a mindset that leads them to produce products that are more and more impregnable. That will give criminals and terrorists more opportunities to cause harm with impunity.

“Allow me to conclude with this thought,” Rosenstein said just before wrapping up his speech. “There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully-informed decision.”

Go here to see the original:
Trumps DOJ tries to rebrand weakened encryption as responsible …

How to encrypt (almost) anything | PCWorld

It’s all too easy to neglect data security, especially for a small business. While bigger organizations have IT departments, service contracts, and enterprise hardware, smaller companies frequently rely on consumer software, which lacks the same sort of always-on security functionality.

But that doesnt mean that your data is unimportant, or that it has to be at risk.

Encryption is a great way to keep valuable data safewhether youre transmitting it over the Internet, backing it up on a server, or just carrying it through airport security on your laptop. Encrypting your data makes it completely unreadable to anyone but you or its intended recipient. Best of all, much of the software used in offices and on personal computers already has encryption functionality built in. You just need to know where to find it. In this article, Ill show you where and how.

Any discussion about encryption needs to start with a different topic: password strength. Most forms of encryption require you to set a password, which allows you to encrypt the file and to decrypt it later on when you want to view it again. If you use a weak password, a hacker can break the encryption and access the filedefeating the purpose of encryption.

A strong password should be at least 10 characters, though 12 is better. It should include a mix of uppercase and lowercase letters, as well as numbers and symbols. If you find letters-only easier to remember, such a password can still be secure if its significantly longer; think 20 characters or more.

If youre unsure aboutwhether your password is good enough, run it through Microsofts free password checker. Never use a password rated less than Strong.

You probably already have a login password for Windows on your PC, but that wont actually protect your data if somebody steals your computer or hard drivethe thief can simply plug your drive into another PC and access the data directly. If you have lots of sensitive information on your computer, you want to employ full-disk encryption, which protects all your data even if your hardware falls into the wrong hands.

Microsofts BitLocker software makes setting up full-disk encryption in Windows incredibly easyas long as your computer meets the following two criteria:

1. You have the Ultimate or Enterprise version of Windows 7 or Vista, or the Pro or Enterprise version of Windows 8.

2. Your computer has a TPM (Trusted Platform Module) chip.

The easiest way to see if your computer has a TPM chip is simply to attempt to enable BitLocker. Windows will let you know if you dont have one.

To enable BitLocker, go to Control Panel > System and Security > BitLocker Drive Encryption, or do a search for BitLocker in Windows 8. In the BitLocker menu, click Turn on BitLocker next to the drive(s) you wish to encrypt. Its as easy as that.

If your PC doesnt meet the requirements for BitLocker, you can still useTrueCrypt or DiskCryptor for free full-disk encryption.

For full-disk encryption of thumb drives and USB hard drives, you can use BitLocker To Go, which is designed for removable media. You still need a professional or enterprise version of Windows, but you dont need a TPM to use BitLocker To Go.

All you have to do is plug in the device you want to encrypt, and then once again go to the BitLocker menu. At the bottom of the menu, youll see the BitLocker To Go section, where you can click Turn on BitLockernext to the device.

Sometimes you want to encrypt your outgoing and incoming Internet traffic. If youre on an unsecured Wi-Fi network (at an airport, for instance), a hacker can intercept the data traveling to and from your laptop, which might contain sensitive information. To make that data useless to eavesdroppers, you can encrypt it, using a VPN.

A virtual private network creates a secure tunnel to a trusted third-party server. Data sent through this tunnel (either to or from your computer) is encrypted, so its safe even if intercepted. You can find Web-based VPNs that charge a small monthly fee but provide very easy access, or you can set up your own personal or business VPN.

The process of selecting or setting up a VPN is a little too long to describe here, so see ourarticle on VPN for beginners and experts alike.

If you or other people in your organization use Dropbox or SugarSync, youll be glad to know that those popular cloud storage services already encrypt your data, protecting it in transit and while it sits on their servers. Unfortunately, those same services also hold the decryption keys, which means that they can decrypt your files if, for instance, law enforcement directs them to do so.

If you have any really sensitive files in your cloud storage, use a second layer of encryption to keep them safe from prying eyes. The most straightforward way to do this is to use TrueCrypt to create an encrypted volume inside of your Dropbox. (For a complete guide to encrypting anything with TrueCrypt, see the end of this article.)

If you want to be able to access the data from other computers, consider putting a portable version of TrueCrypt in your Dropbox, as well. To do so, run the TrueCrypt installer; during the installation, choose the Extract option, and choose to put the extracted files in your Dropbox or other cloud storage.

Next page: Encrypt your email and nearly anything else…

Read the original here:
How to encrypt (almost) anything | PCWorld

Data Encryption: Hardware & Software Security: Online …

Data can be encrypted two ways: at rest and in transit.

Please note: employing these two types of encryption safeguards must occur in tandem; it’s not automatic. Data encrypted at rest does not guarantee it remains encrypted as it traverses a network. Conversely, data encrypted “over the wire” does not offer any safeguard that the content remains encrypted after it has reached its destination.

Refers to data storage either in a database, on a disk, or on some other form of media.

Note: Indiana law recognizes the value of disk encryption such that a lost/stolen laptop or storage media is not considered a breach if that media was encrypted (and the encryption key was notavailable with the device).

Refers to data that is encrypted as it traverses a network including via web applications, smart phone apps, chats, etc. In-transit basically refers to the point at which the data leaves the storage drive or database until it’s re-saved or delivered to its destination. Protecting information in transit essentially ensures protection from others attempting to snoop or eavesdrop on information as it traverses the network.

Symmetric key algorithms use related, often identical keys to both encrypt and then decrypt information. In practice, this is known mostly as a shared secret between two or more parties.

Asymmetric key algorithms, however, use different keys to encrypt and decrypt information; one key encrypts (or locks) while the other decrypts (or unlocks). In practice, this is known mostly as a public/private key; the public key can be shared openly, the private key should not. In mostcryptographic systems, it is extremely difficult to determine the private key values based on the public key.

Excerpt from:
Data Encryption: Hardware & Software Security: Online …

How To Enable BitLocker Drive Encryption In Windows 10?

User Ratings:

This tutorialdetails how to enable BitLocker drive encryption in Windows 10. One of Windows most important security features, BitLocker drive encryption protects your important data by encrypting the entire disk volumes it is stored on. It uses a specialized Encrypting File System to achieve this. As the latest and greatest version of Microsofts line of operating systems, Windows 10 features an improved version of BitLocker, with enhanced data encryption abilities. You can easily enable BitLocker drive encryption for some (or all) of your disk drive partitions, using Windows 10. The encrypted partitions (and the data stored on them) is secured against all kinds of data loss and threats. Lets dig in deeper, and see how you can enable BitLocker drive encryption in Windows 10.

The detailed explanation of what BitLocker is pretty complicated and as such, the way it works to do what it does too, is verbose enough to warrant another article. However, at a basic level, BitLocker can be explained as a built in encryption feature of Windows that secures your data against all kinds of threats by encrypting the entire disk volumes it is stored on. It uses AES-256 encryption algorithm in Cipher Block Chaining (CBC) mode to do this. This, combined with an Encrypting File System (EFS) and a dedicated Trusted Platform Module (TPM) chip provide your valuable digital data some really high quality protection.

Although the way BitLocker works is pretty complicated, enabling it to secure your data in Windows 10 is a walk in the park. The whole process is really simple, easy and takes a few clicks. Heres how to enable BitLocker drive encryption in Windows 10:

Step 1: Open up Control Panel, and select BitLocker Drive Encryption. You should see the following drive selection screen

As illustrated by the above screenshot, you can select the drive partition whose contents you want to encrypt with BitLocker Drive Encryption. Click the Turn on BitLocker option against the desired drive partition to proceed to the next step.

Step 2: Once the selected drive is initialized, you are required to specify a password for locking/unlocking the drive. As is always recommended for passwords, choose a password having a combination of upper and lower case alphabets, numbers, and special symbols. Once done, hit Next.

Step 3: The encryption wizard will now automatically create a digital recovery key that can be used to restore access to the encrypted drive, should you forget the password. The wizard also presents you with multiple options for saving the recovery key. You can save it to your Microsoft account, a file, a USB drive, or even take a printout of it.

Step 4: As a last step, the encryption wizard will ask you to choose the encryption method. You can either choose to encrypt the used disk space (faster), or the entire drive (slower, but better). After selecting the appropriate option, hit Next to start the encryption process

Thats it! Windows will now encrypt the contents of the selected disk partition using BitLocker drive encryption. Based on the disk space selected for encryption and the volume of data it holds, this process might take a while. Easy, right?

Also See:How To Dual Boot Windows 10 With Windows 7?

BitLocker drive encryption is a pretty advanced and useful feature of Windows and with the latest Windows 10, its better than ever. The fact that you can encrypt the contents of entire volumes makes it highly usable, especially for those who have to carry large volumes of sensitive digital information from one system to another. And with the easy encryption wizard, enabling BitLocker drive encryption in Windows 10 is as easy as it can be. This is one feature you should definitely check out in Windows 10, youll love it!

Visit link:
How To Enable BitLocker Drive Encryption In Windows 10?

Private Internet Access | VPN Encryption

Private Internet Access | VPN Encryption

Javascript is disabled in your browser. Some features of the site may not work as intended.

Private Internet Access uses the open source, industry standard OpenVPN to provide you with a secure VPN tunnel. OpenVPN has many options when it comes to encryption. Our users are able to choose what level of encryption they want on their VPN sessions. We try to pick the most reasonable defaults and we recommend most people stick with them. That said, we like to inform our users and give them the freedom to make their own choices.

Data encryption: AES-128

Data authentication: SHA1

Handshake: RSA-2048

Data encryption: None

Data authentication: None

Handshake: ECC-256k1

Data encryption: AES-256

Data authentication: SHA256

Handshake: RSA-4096

Data encryption: AES-128

Data authentication: None

Handshake: RSA-2048

This is the symmetric cipher algorithm with which all of your data is encrypted and decrypted. The symmetric cipher is used with an ephemeral secret key shared between you and the server. This secret key is exchanged with the Handshake Encryption.

Advanced Encryption Standard (256-bit) in CBC mode.

No Encryption. None of your data will be encrypted. Your login details will be encrypted. Your IP will still be hidden. This may be a viable option if you want the best performance possible while only hiding your IP address. This would be similar to a SOCKS proxy but with the benefit of not leaking your username and password.

This is the message authentication algorithm with which all of your data is authenticated. This is only used to protect you from active attacks. If you are not worried about active attackers you can turn off Data Authentication.

HMAC using Secure Hash Algorithm (256-bit).

No Authentication. None of your encrypted data will be authenticated. An active attacker could potentially modify or decrypt your data. This would not give any opportunities to a passive attacker.

This is the encryption used to establish a secure connection and verify you are really talking to a Private Internet Access VPN server and not being tricked into connecting to an attacker’s server. We use TLS v1.2 to establish this connection. All our certificates use SHA512 for signing.

2048bit Ephemeral Diffie-Hellman (DH) key exchange and 2048-bit RSA certificate for verification that the key exchange really happened with a Private Internet Access server.

Like RSA-2048 but 3072-bit for both key exchange and certificate.

Like RSA-2048 but 4096-bit for both key exchange and certificate.

Ephemeral Elliptic Curve DH key exchange and an ECDSA certificate for verification that the key exchange really happened with a Private Internet Access server. Curve secp256k1 (256-bit) is used for both. This is the same curve that Bitcoin uses to sign its transactions.

Like ECC-256k1 but curve prime256v1 (256-bit, also known as secp256r1) is used for both key exchange and certificate.

Like ECC-256k1 but curve secp521r1 (521-bit) is used for both key exchange and certificate.

We display a warning in 3 cases:

The recent NSA revelations have raised concerns that certain or possibly all Elliptic Curves endorsed by US standards bodies may have backdoors allowing the NSA to more easily crack them. There is no proof of this for curves used with signing and key exchange and there are experts who think this to be unlikely. We therefore give users the option but display a warning anytime you select an Elliptic Curve setting. We also included the less standard curve secp256k1, which is what Bitcoin uses, was generated by Certicom (a Canadian company) instead of NIST (as the other curves were), and seems to have less places to hide a backdoor. There is strong evidence that a random number generator which uses ECC was backdoored but it was not widely used.

An active attack is one where an attacker gets “between” you and the VPN server, in a position where they can modify or inject data into your VPN session. OpenVPN was designed to be secure against active attackers as long as you are using both data encryption and data authentication.

A passive attack is one where an attacker simply records all data passing over the network but does not modify or inject any new data. An example of a passive attacker is an entity that performs the dragnet capture and storage of all network traffic but does not interfere with or modify it. As long as you are using data encryption your OpenVPN session is secure against passive attackers.

Ephemeral keys are encryption keys which are generated randomly and only used for a certain amount of time, after which they are discarded and securely erased. An ephemeral key exchange is the process by which these keys are created and exchanged. Diffie-Hellman is an algorithm used to perform this exchange. The idea behind ephemeral keys is that once you are done using them and they are thrown away, no one will ever be able to decrypt the data which they were used to encrypt, even if they eventually got full access to all the encrypted data and to both the client and the server.

Originally posted here:
Private Internet Access | VPN Encryption

Encryption Substitutes | Privacy | Encryption

NationalSecurity,Technology,andLaw

A HOOVER INSTITUTION ESSAY

ENCRYPTION SUBSTITUTES

ANDREW KEANE WOODS

Aegis Paper Series No. 1705

Introduction

Policy experts have suggested that the rise of encrypted data is not the end of intelligence collection because law enforcement can look to substitutes

other sources of intelligence, such as metadata

that prove to be just as valuable or more valuable than decrypting encrypted data.

1

This paper focuses on the other side of that insight: on the substitutes available for privacy-seekers beyond encryption, such as placing ones data in a jurisdiction that is beyond the reach of law enforcement. This framework puts encryption in context: there are many ways to keep ones data private, just as there are many ways that the government might get access to that data. While encryption is typically treated as a stand-alone computer security issue, it is a piece of a larger debate about government access to personal data.

2

Law enforcement ofcials are, in general, agnostic about the method through which they obtain evidence

what matters is obtaining it. Privacy-seekers are similarly agnostic about how they secure their privacy

what matters is having it. This means that policymakers have a wide set of options

not only about

whether

to allow law enforcement to access personal data, but also

how

to do so. This wide set of options is not reected in the debate over encryption, which is typically framed in all-or-nothing terms. Some privacy advocates take a stance that seems to allow no room for compromise (an argument that can be boiled down to its math!

3

) and some government actors do the same (essentially arguing, its terrorism!

4

). Widening the scope of the policy discussion to include related issues

what I will call encryption substitutes

may increase the chances of compromise and may generate better policy.In this short essay, I make a few simple assumptions that bear mentioning at the outset. First, I assume that governments have good and legitimate reasons for getting access to personal data. These include things like controlling crime, ghting terrorism, and regulating territorial borders. Second, I assume that people have a right to expect privacy in their personal data. Therefore, policymakers should seek to satisfy both law enforcement and privacy concerns without unduly burdening one or the other. Of course, much of the debate over government access to data is about how to respect

See the original post here:
Encryption Substitutes | Privacy | Encryption

PGP Encryption Tool – iGolder

This tool is simple to use: enter a public PGP key and the message you wish to encrypt, and click on the Encrypt Message button. If you do not have a public PGP key, simply use our PGP Key Generator to generate your own public/private key pair. You are also welcome to use the iGolder public PGP key to contact us or just to test our PGP-encryption tool.

iGolder respects your privacy and does not log nor monitors any activity (encryption) done on this web page.

PGP Public Key (paste the public key of the recipient you are about to send a message)

Message to Encrypt (enter the message text you wish encrypt)

Encrypted Message

Copy & paste this encrypted message and sent it by email to owner of the public PGP key you encrypted the message. Your friend is welcome to use the PGP Decrypt Tool to decrypt the message you sent him.

Visit link:
PGP Encryption Tool – iGolder

encryption – How to encrypt String in Java – Stack Overflow

This is the first page that shows up via google, and the security vulnerabilities in all the implementations make me cringe so I’m posting this to add information regarding encryption for others as it has been 7 Years from the orignal post. I hold a Masters Degree in Computer Engineering and spent a lot of time studying and learning Cryptography so I’m throwing my 2 cents in to make the internet a safer place.

Also, do note that a lot of implementation might be secure for a given situation, but why use those and potentially accidentally make a mistake? Use the strongest tools you have available unless you have a specific reason not to. Overall I highly advise using a library and staying away from the nitty gritty details if you can. I recommend Jasypt.

I will outline the basics of secure symmetric cryptography below and point out common mistakes I see online.

First thing first you need to pick a symmetric key Block Cipher. A Block Cipher is a tool used to create Pseudo-Randomness. Make sure to NEVER, I repeat NEVER use DES, I would even say NEVER use 3DES. The only Block Cipher that even Snowden’s NSA release was able to verify being truly as close to Pseudo-Random as possible is AES 256.

Now let’s talk about encryption modes. Never Use ECB this is bad at hiding repeating data as shown by the famous Linux penguin.

When implementing in Java note that if you use the following code, ECB mode is set by default:

… AVOID THIS! Which is seen in a a lot of examples online

If you have no Idea what you are doing I would strictly stick to GCM, and as said before if you really have no idea just use Jasypt. The only other modes that I would even mention are decent as well are CBC and CTR mode, but unlike GCM an attacker could modify the encrypted message in these modes and that is why they are not entirely secure.

So in the typical java implementation this is the setup you want:

GCM is built upon CTR mode and doesn’t require padding. but if for whatever reason you choose to use for example CBC Mode do so with PKCS7Padding as follows:

Another very important note, is that when it comes to cryptography a Key and a Password are not the same things. A Key in cryptography needs to have a certain amount of entropy and randomness to be considered secure. This is why you need to make sure to use the Cryptography libraries Key generating algorithm to pick a key.

Along with a Key we also have a thing called an IV. While a key is a secret and you should only share it with people you want to be able to decrypt the message, the IV is public. It’s used to make sure that if you encrypt two messages that are the same, the encryption looks different. Now what most people are not aware of is that IV’s can not repeat for the same key. The moment you repeat an IV in modes like GCM, CBC, CTR you actually compromise the entire security of the system. This is why you need to make sure first your IV is not static and that you are using the proper Cryptography library to generate a random IV with a really low probability of accidentally creating two of the same.

I have by now hopefully gone through all other posts and edited them to take out vulnerabilities. But to make your life easy with Jasypt here is how you use it!

Gradle

Setup

Encryption

Decryption

For more security use the StrongTextEncryptor util class provided below but it is slower. (you may need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to use it):

Setup

Encryption

Decryption

Isn’t this just so much cleaner? 🙂

Note that when using Jasypt you don’t have to worry about the key being truly random as discussed above just use a strong password, their library converts your strong password into a proper crypto key. But remember a weak password is still a weak password

Android Developers

One important point to point out here is know that your android code is reverse engineer able. That means if you store the password in plain text in your code. A hacker can easily retrieve it. Usually for these type of encryption you want to use Asymmetric Cryptography and so on. This is outside the scope of this post so I will avoid diving into it.

An interesting reading from 2013: Points out that 88% of Crypto implementations in android were done improperly and this is really the basis of me coming here and ranting so much.

Original post:
encryption – How to encrypt String in Java – Stack Overflow