Category Archives: Encryption

What is Tokenization vs Encryption – Benefits & Uses Cases …

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.

Edward Snowden

There are two primary approaches to encryption: symmetric key and asymmetric key encryption. In symmetric key encryption, one key is used to both encrypt and decrypt the information. Symmetric key encryption is analogous to the key used to both unlock and lock the door to a house. The big drawback of this approach is that if the key is compromised, it can be used to unlock, or decrypt, all of the data it was used to secure. For this reason, asymmetric key encryption was developed to allow multiple parties to exchange encrypted data without managing the same encryption key.

In asymmetric key encryption (also called public-key encryption), two different keys are used for the encryption and decryption processes. The public key can be freely distributed since it is only used to lock the data and never to unlock it. For example, a merchant can use a public key to encrypt payment data before sending a transaction to be authorized by a payment processing company. The latter company would need to have the private key to decrypt the card data to process the payment. Asymmetric key encryption is also used to validate identity on the Internet using SSL certificates.

Regardless of what type of key is utilized, users of encryption typically practice regular key rotation in order to reduce the likelihood of a compromised key being used to decrypt all sensitive data. Rotating keys limits the amount of data thats encrypted using a single key. In the event that an encryption key is compromised, only data encrypted with that key would be vulnerable.

Until now, one of the drawbacks of encrypting data within applications is that encryption breaks application functionality such as sorting and searching. Because cipher text is in a different format from the original data, encryption may also break field validation if an application requires specific formats within fields such as payment card numbers or email addresses. New order-preserving, format-preserving, and searchable encryption schemes are making it easier for organizations to protect their information without sacrificing end user functionality within business critical applications. However, there is usually a tradeoff between application functionality and the strength of encryption.

Tokenization is the process of turning a meaningful piece of data, such as an account number, into a random string of characters called a token that has no meaningful value if breached. Tokens serve as reference to the original data, but cannot be used to guess those values. Thats because, unlike encryption, tokenization does not use a mathematical process to transform the sensitive information into the token. There is no key, or algorithm, that can be used to derive the original data for a token. Instead, tokenization uses a database, called a token vault, which stores the relationship between the sensitive value and the token. The real data in the vault is then secured, often via encryption.

The token value can be used in various applications as a substitute for the real data. If the real data needs to be retrieved for example, in the case of processing a recurring credit card payment the token is submitted to the vault and the index is used to fetch the real value for use in the authorization process. To the end user, this operation is performed seamlessly by the browser or application nearly instantaneously. Theyre likely not even aware that the data is stored in the cloud in a different format.

The advantage of tokens is that there is no mathematical relationship to the real data they represent. If they are breached, they have no meaning. No key can reverse them back to the real data values. Consideration can also be given to the design of a token to make it more useful. For example, the last four digits of a payment card number can be preserved in the token so that the tokenized number (or a portion of it) can be printed on the customers receipt so she can see a reference to her actual credit card number. The printed characters might be all asterisks plus those last four digits. In this case, the merchant only has a token, not a real card number, for security purposes.

The most common use case for tokenization is protecting payment card data so that merchants can reduce their obligations under PCI DSS. Encryption can also be used to secure account data, but because the data is still present, albeit in ciphertext format, the organization must ensure the entire technology infrastructure used to store and transmit this data is fully compliant with PCI DSS requirements. In 2011, the Payment Card Industry Security Standards Council (PCI SSC), the organization responsible for enforcing PCI DSS, issued a set of tokenization guidelines. While the guidance has not yet been added to the official PCI DSS standard, qualified PCI assessors now accept tokenization as a viable solution to meet requirements under the standard.

Increasingly, tokens are being used to secure other types of sensitive or personally identifiable information, including social security numbers, telephone numbers, email addresses, account numbers and so on. The backend systems of many organizations rely on Social Security numbers, passport numbers, and drivers license numbers as unique identifiers. Since this unique identifier is woven into these systems, its very difficult to remove them. And these identifiers are also used to access information for billing, order status, and customer service. Tokenization is now being used to protect this data to maintain the functionality of backend systems without exposing PII to attackers.

While encryption can be used to secure structured fields such as those containing payment card data and PII, it can also used to secure unstructured data in the form of long textual passages, such as paragraphs or even entire documents. Encryption is also the ideal way to secure data exchanged with third parties and protect data and validate identity online, since the other party only needs a small encryption key. SSL or Secure Sockets Layer, the foundation of sharing data securely on the Internet today, relies on encryption to create a secure tunnel between the end user and the website. Asymmetric key encryption is also an important component of SSL certificates used to validate identity.

Encryption and tokenization are both regularly used today to protect data stored in cloud services or applications. Depending on the use case, an organization may use encryption, tokenization, or a combination of both to secure different types of data and meet different regularly requirements. McAfeeCASB, for example, leveragesan irreversible one-way process to tokenize user identifying information on premises and obfuscate enterprise identity.

As more data moves to the cloud, encryption and tokenization are being used to secure data stored in cloud services. Most notably, if a government agency subpoenas the data stored in the cloud, the service provider can only turn over encrypted or tokenized information with no way to unlock the real data. The same is true is a cyber criminal gains access to data stored in a cloud service.

Read more:
What is Tokenization vs Encryption – Benefits & Uses Cases …

Device Encryption | it.ucsf.edu

What is encryption? Why do I need it?

Encryption is the process of encoding information so that only authorized persons can read it. It is used to protect confidential and legally protected data. If an unencrypted laptop, tablet, smartphone, or other device is lost or stolen, and if it contained legally protected information, you or the University might be held liable for damages, you could be sent to prison, or the University could take corrective action against you.

The UCSF Minimum Security Standards state, Given the prevalence of restricted data in the UCSF environment, all endpoints (desktops, laptops, and mobile devices including smartphones and tablets) used for UCSF business must be encrypted.”UCSF Minimum Security Standards for Electronic Information Resources

This is true:

You are legally obligated to report a lost or stolen device used for UCSF business, research, or studies:

Devices include: desktop computers, laptop computers, tablet computers, smartphones, cdroms, dvdroms, floppy disks, and any media that can store data.

Including desktops and laptops for Mac and Windows:

How To Determine Your Computer Encryption Status

Please follow the instructions for setting up your UCSF email on your phone; that will also ensure your phone is encrypted.

If needed, contact the IT Service Desk for help.

Do both of the following:

Copy the data to your encrypted desktop or laptop computer. Or:

How To Determine Your Computer Encryption Status

Dell Data Protection Encryption (DDPE)

DDPE Frequently Asked Questions (FAQ)

Encryption Project

Contact the IT Service Desk.

See the original post:
Device Encryption | it.ucsf.edu

5 Common Encryption Algorithms and the Unbreakables of the Future

Mchten Sie diesen Beitrag in Deutsch zu lesen? Lesen Sie die Deutsch-Version hier.

While security is an afterthought for many PC users, its a major priority for businesses of any size. It has to be when the Ponemon Institute tells us that security breaches are costing companies millions every year.

Even if you dont have millions to lose, protecting what you do have should be a high priority.

There are several forms of security technology available, but encryption is one that everyday computer users should know about.

Encryption is an interesting piece of technology that works by scrambling data so it is unreadable by unintended parties. Lets take a look at how it works with the email-friendly software PGP (or GPG for you open source people).

Say I want to send you a private message, so I encrypt it using either one of these programs. Heres the message:

wUwDPglyJu9LOnkBAf4vxSpQgQZltcz7LWwEquhdm5kSQIkQlZtfxtSTsmawq6gVH8SimlC3W6TDOhhL2FdgvdIC7sDv7G1Z7pCNzFLp0lgB9ACm8r5RZOBiN5ske9cBVjlVfgmQ9VpFzSwzLLODhCU7/2THg2iDrW3NGQZfz3SSWviwCe7GmNIvp5jEkGPCGcla4Fgdp/xuyewPk6NDlBewftLtHJVf=PAb3

Once encrypted, the message literally becomes a jumbled mess of random characters. But, equipped with the secret passcode I text you, you can decrypt it and find the original message.

Come on over for hot dogs and soda!

Whether its in transit like our hot dog party email or resting on your hard drive, encryption works to keep prying eyes out of your business even if they happen to somehow gain access to your network or system.If you want to learn more about how encryption helps protect business data,you can read our article on how encryption aids cloud security.

The technology comes in many forms, with key size and strength generally being the biggest differences in one variety from the next.

Triple DES was designed to replace the original Data Encryption Standard (DES) algorithm, which hackers eventually learned to defeat with relative ease. At one time, Triple DES was the recommended standard and the most widely used symmetric algorithm in the industry.

Triple DES uses three individual keys with 56 bits each. The total key length adds up to 168 bits, but experts would argue that 112-bits in key strength is more like it.

Despite slowly being phased out, Triple DES still manages to make a dependable hardware encryption solution for financial services and other industries.

RSA is a public-key encryption algorithm and the standard for encrypting data sent over the internet. It also happens to be one of the methods used in our PGP and GPG programs.

Unlike Triple DES, RSA is considered an asymmetric algorithm due to its use of a pair of keys. Youve got your public key, which is what we use to encrypt our message, and a private key to decrypt it. The result of RSA encryption is a huge batch of mumbo jumbo that takes attackers quite a bit of time and processing power to break.

Blowfish is yet another algorithm designed to replace DES. This symmetric cipher splits messages into blocks of 64 bits and encrypts them individually.

Blowfish is known for both its tremendous speed and overall effectiveness as many claim that it has never been defeated. Meanwhile, vendors have taken full advantage of its free availability in the public domain.

Blowfish can be found in software categories ranging from e-commerce platforms for securing payments to password management tools, where it used to protect passwords. Its definitely one of the more flexible encryption methods available.

Computer security expert Bruce Schneier is the mastermind behind Blowfish and its successor Twofish. Keys used in this algorithm may be up to 256 bits in length and as a symmetric technique, only one key is needed.

Twofish is regarded as one of the fastest of its kind, and ideal for use in both hardware and software environments. Like Blowfish, Twofish is freely available to anyone who wants to use it. As a result, youll find it bundled in encryption programs such as PhotoEncrypt, GPG, and the popular open source software TrueCrypt.

The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations.

Although it is extremely efficient in 128-bit form, AES also uses keys of 192 and 256 bits for heavy duty encryption purposes.

AES is largely considered impervious to all attacks, with the exception of brute force, which attempts to decipher messages using all possible combinations in the 128, 192, or 256-bit cipher. Still, security experts believe that AES will eventually be hailed the de facto standard for encrypting data in the private sector.

Cyber attacks are constantly evolving, so security specialists must stay busy in the lab concocting new schemes to keep them at bay. Expert observers are hopeful that a new method called Honey Encryption will deter hackers by serving up fake data for every incorrect guess of the key code. This unique approach not only slows attackers down, but potentially buries the correct key in a haystack of false hopes. Then there are emerging methods like quantum key distribution, which shares keys embedded in photons over fiber optic, that might have viability now and many years into the future as well.

Whether its protecting your email communications or stored data, some type of encryption should be included in your lineup of security tools. Successful attacks on victims like Target show that its not 100 percent bulletproof, but without it, youre offering up convenient access to your data. Find some tools that give you a piece of mind and stick with em!

Visit link:
5 Common Encryption Algorithms and the Unbreakables of the Future

Top 5 best encryption software tools of 2018 | TechRadar

If you’re looking for the best encryption software for your needs in 2018, then you’ve come to the right place, as we’ve listed the top software that will keep your important files and documents safe from malicious users.

The sad fact is that as hackers are become ever more adept at stealing private information, we must be ever more vigilant when it comes to protecting our files, regardless of if we are a business or home user, and this is where our list of the best encryption software of 2018 comes in.

Encryption tools encode data so that it can only be unlocked with a certain key, making it harder for third-parties to gain access. This means that only people who have access to that key can also access the data, making encryption software an essential tool for keeping data safe.

These encryption tools can be used to protect data such as email addresses, customer transactions and passwords, and other crucial information which you really cant afford to potentially expose. Many companies are also using encryption software to ensure internal online conversations and emails are kept private.

So which are the best encryption tools? Read on for our pick of the very best tools for keeping your data safe.

Free encryption for everyone

Platforms: Windows, macOS, Linux | Resources covered: Encryption and brute-force attack protection | Cloud-based: No | Integrations: No | Free trial: N/A

Basic version is completely free

Provides effective encryption

Selective approach

Initial download is a bit confusing

VeraCrypt is one of the most popular security tools, providing you with enterprise-grade encryption for important data.

The system is quite easy to use, and all it really does is add encrypted passwords to your data and partitions. All you have to do is give the tool a few details about your data, such as volume size, location and specified hashing algorithms and then the program does its thing.

Whats also nifty about VeraCrypt is that its immune to brute-force attacks, so you never have to worry about hackers decrypting your passwords and other sensitive data. The basic version of the software is completely free, as well.

Encryption for small teams and individuals

Platforms: Windows, macOS | Resources covered: Encryption, password protection, mobile apps | Cloud-based: Yes | Integrations: Google Docs, Dropbox | Free trial: 30 days (fully free version also available)

Strong encryption for personal use

Free version available

Mainly mobile-oriented

While free software can be convenient for some, its not always as powerful as premium offerings, and AxCrypt is a good bet if you want something reliable. The software has been designed specifically for individuals and small teams within businesses.

It provides strong security, with files protected by either 128-bit or 256-bit AES encryption, which should thwart any intruders. There are also cloud storage capabilities thrown into the mix the software will automatically protect files saved on services such as Google Drive and Dropbox.

AxCrypt is fully multilingual, and it can work with languages such as Dutch, French, German, Italian, Korean, Spanish, Swedish, Russian and Portuguese with more support planned for the future. As well as this, theres passport management, and you can access your encrypted files through a smartphone app.

The Premium package is $27 per year (roughly 20, AU$34), while there is a free version which has much fewer options.

Effective encryption for individuals

Platforms: Windows, Android, iOS | Resources covered: Encryption, password protection, brute-force attack prevention | Cloud-based: Yes | Integrations: No | Free trial: N/A

Free to download basic version

Effective personal encryption

Mainly mobile oriented

Although its important to protect assets on company computers, its also crucial to add protection to any device that stores critical data. For instance, most employees have access to their company emails and other accounts on their smartphones, and they need to be protected.

Folder Lock is a good option when it comes to adding encryption to your mobile devices. The app can protect your personal files, photos, videos, contacts, wallet cards, notes and audio recordings stored in your handset.

There are some other hidden security features, too. Not only is there encryption, but you can also set a decoy password, hacker deterrents, log unauthorised login attempts, back up all your passwords and get notified on potential brute-force attacks. The basic app is free to download, with a pro version available if you want more.

Powerful protection indeed

Platforms: Windows | Resources covered: Encryption, password protection, brute-force attack prevention | Cloud-based: No | Integrations: No | Free trial: 30 days

Uses multiple encryption methods

Powerful encryption

It may be too complicated for some

Windows-only

CryptoExpert is Windows desktop software which offers secure data vaults for all your data, ensuring its always protected from potential breaches.

It provides more powerful encryption than some of the other tools and apps listed in this article, boasting fast on-the-fly operation. The system can back up a range of different files, including certificates, Word, Excel and PowerPoint files, multimedia files and email databases.

The best thing about CryptoExpert 8 is that it can secure vaults of unlimited size, and it uses Blowfish, Cast, 3DES and AES-256 encryption algorithms. The latter are highly effective and industry-acclaimed. Itll work with 32-bit and 64-bit versions of Windows 7, 8 and 10.

A quality cloud-based solution

Platforms: Desktop | Resources covered: Encryption, password protection, brute-force attack prevention, secure file storage | Cloud-based: Yes | Integrations: No | Free trial: 30 days

Completely cloud-based

Affordable monthly plan

Not everyone wants cloud-based security

CertainSafe is highly effective cloud-based encryption software which attempts to mitigate all aspects of risk and is compliant with industry regulations.

With the platform, you can store and share documents, private messages, photos, videos and other files without exposing them to third-party sources. You can even collaborate and communicate with colleagues through the system, with all correspondence encrypted.

CertainSafe also adds automated security for business databases and applications, meaning you dont always have to do things manually. You can subscribe for a monthly plan, but before making any decisions, theres the option to get a free trial and try things out that way.

Continued here:
Top 5 best encryption software tools of 2018 | TechRadar

New EBS Encryption for Additional Data Protection | AWS …

We take data protection very seriously! Over the years we have added a number of security and encryption features to various parts of AWS. We protect data at rest with Server Side Encryption for Amazon S3 and Amazon Glacier, multiple tiers of encryption for Amazon Redshift, and Transparent Data Encryption for Oracle and SQL Server databases via Amazon RDS. We protect data in motion with extensive support for SSL/TLS in CloudFront, Amazon RDS, and Elastic Load Balancing.

Today we are giving you yet another option, with support for encryption of EBS data volumes and the associated snapshots. You can now encrypt data stored on an EBS volume at rest and in motion by setting a single option. When you create an encrypted EBS volume and attach it to a supported instance type, data on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.

Enabling EncryptionYou can enable EBS encryption when you create a new volume:

You can see the encryption state of each of your volumes from the console:

Important DetailsAdding encryption to a provisioned IOPS (PIOPS) volume will not affect the provisioned performance. Encryption has a minimal effect on I/O latency.

The snapshots that you take of an encrypted EBS volume are also encrypted and can be moved between AWS Regions as needed. You cannot share encrypted snapshots with other AWS accounts and you cannot make them public.

As I mentioned earlier, your data is encrypted before it leaves the EC2 instance. In order to be able to do this efficiently and with low latency, the EBS encryption feature is only available on EC2s M3, C3, R3, CR1, G2, and I2 instances. You cannot attach an encrypted EBS volume to other instance types.

Also, you cannot enable encryption for an existing EBS volume. Instead, you must create a new, encrypted volume and copy the data from the old one to the new one using the file manipulation tool of your choice. Rsync (Linux) and Robocopy (Windows) are two good options, but there are many others.

Each newly created volume gets a unique 256-bit AES key; volumes created from encrypted snapshots share the key. You do not need to manage the encryption keys because they are protected by our own key management infrastructure, which implements strong logical and physical security controls to prevent unauthorized access. Your data and associated keys are encrypted using the industry-standard AES-256 algorithm.

Encrypt NowEBS encryption is available now in all eight of the commercial AWS Regions and you can start using it today! There is no charge for encryption and it does not affect the published EBS Service Level Agreement (SLA) for availability.

Jeff;

Continue reading here:
New EBS Encryption for Additional Data Protection | AWS …

Best Encryption Software 2018 – Encrypt Files on Windows PCs

How much does encryption software cost?

Most encryption software costs about $40 and can be used on multiple devices. If it only comes with one user license, look to see if it includes self-extracting files. This allows you to send encrypted files to another user or to yourself through email and open it on another device that doesnt have the same program installed on it. Usually this is done by providing the receiver with a password that unlocks and decrypts the file.

Key Features of Encryption Software

Version CompatibilityIf your computer runs an older version of Windows, such as Vista or XP, make sure the encryption program supports your operating system. On the flip side, you need to make sure you choose software that has changed with the times and supports the latest versions of Windows, including 8 and 10.

While all the programs we tested are compatible with every version of Windows, we feel thatSensiGuardis a good choice for older computers because it only has the most essential tools and wont bog down your old PC. Plus, it is easy to move to a new computer if you choose to upgrade. However, it takes a while to encrypt and decrypt files.

If you have a Mac computer, you need a program that is designed specifically for that operating system none of the programs we tested are compatible with both Windows and Mac machines. We believe Concealer is the best option for Macs, but Espionage 3 is also a good choice.

Mac encryption software doesnt have as many extra security features as Windows programs. They typically lack virtual keyboards, self-extracting file creators and password recovery tools. Mac programs also take a lot more time to secure files compared to Windows software.

SecurityEncryption software uses different types of ciphers to scramble your data, and each has its own benefits. Advanced Encryption Standard, or 256-bit key AES, is used by the U.S. government, including the National Security Agency (NSA), and is one of the strongest ciphers available. It scrambles each bit of information. Blowfish and its newer version, Twofish, are encryption algorithms that use block ciphers they scramble blocks of text or several bits of information at once rather than one bit at a time.

The main differences between these algorithms are performance and speed, and the average user wont notice the difference. Blowfish and Twofish cant encrypt large files, so if you need to secure gigabytes of data, use AES encryption. Blowfish and Twofish algorithms are considered practically unbreakable, though given enough time and computing power, both could theoretically be broken.

AES has long been recognized as the superior algorithm and is required for financial institutions, schools, government agencies and healthcare facilities that deal with sensitive personal information. Because of this we preferred programs that use it and ensured these were included in our final choice of the best encryption software.

Follow this link:
Best Encryption Software 2018 – Encrypt Files on Windows PCs

Download BestCrypt Volume Encryption 3.78.05 / 4.01.09 Beta

BestCrypt Volume Encryption is a comprehensive and practical program that provides transparent encryption of all the data stored in your disk devices, regardless of their type. It allows you to encrypt modern volumes, MS-DOS style disk partitions and various Windows 8 storage spaces.

Once you launch the application, you will notice that all the available partitions are listed in the main window, no matter the type of file system they are, be it NTFS, FAT or FAT32. It encrypts each partition you want and allows you to get access to them without keeping in mind all the necessary aspects regarding the physical location of the volume.

For those who have worked with the Disk Management feature (that each Windows operating system comes with), they will surely know how to work with this application since its main window is quite similar with the aforementioned utility, except for the menus. Basic details about each volume are also displayed, so you can easily view each ones capacity, status, file system type, volume type and algorithm.

Moreover, as BestCrypt Volume Encryption allows you to encrypt data with strong algorithms, namely AES (Rijndael), RC6, Serpent and Twofish, you can rest assured that all your data is secured against unauthorized users.

When it comes to encrypting the selected volume, you are able to choose the algorithm you are interested in, select the format mode, then specify the password that will protect your entire volume. In case you dont complete the encryption procedure, the application will notify you at a predefined period of time.

Another important function of BestCrypt Volume Encryption is that it allows you to manage passwords for encrypted volumes in several ways. In case you want to insert a new password, simply choose the volume you are interested in, then run the Add Password command, from the Volume menu.

To sum things up, BestCrypt Volume Encryption enables you to encrypt any volume you want with ease, so all your data will stay protects against unauthorized access. Also, you are able to boot encrypted volumes only from trusted network.

Volume encryptor Encrypt volume HDD encryption Encrypt Encryptor HDD Disk

See the original post:
Download BestCrypt Volume Encryption 3.78.05 / 4.01.09 Beta

End-to-end encryption – Wikipedia

End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers including telecom providers, Internet providers, and even the provider of the communication service from being able to access the cryptographic keys needed to decrypt the conversation.[1] The systems are designed to defeat any attempts at surveillance or tampering because no third parties can decipher the data being communicated or stored. For example, companies that use end-to-end encryption are unable to hand over texts of their customers’ messages to the authorities.[2]

In an E2EE system, encryption keys must only be known to the communicating parties. To achieve this goal, E2EE systems can encrypt data using a pre-arranged string of symbols, called a pre-shared secret (PGP), or a one-time secret derived from such a pre-shared secret (DUKPT). They can also negotiate a secret key on the spot using Diffie-Hellman key exchange (OTR).[3]

As of 2016, typical server-based communications systems do not include end-to-end encryption. These systems can only guarantee the protection of communications between clients and servers, meaning that users have to trust the third parties who are running the servers with the original texts. End-to-end encryption is regarded as safer because it reduces the number of parties who might be able to interfere or break the encryption.[4] In the case of instant messaging, users may use a third-party client to implement an end-to-end encryption scheme over an otherwise non-E2EE protocol.[5]

Some non-E2EE systems, such as Lavabit and Hushmail, have described themselves as offering “end-to-end” encryption when they did not.[6] Other systems, such as Telegram and Google Allo, have been criticized for not having end-to-end encryption, which they offer, enabled by default.[7][8]

Some encrypted backup and file sharing services provide client-side encryption. The encryption they offer is here not referred to as end-to-end encryption, because the services are not meant for sharing messages between users. However, the term “end-to-end encryption” is often used as a synonym for client-side encryption.[citation needed]

End-to-end encryption ensures that data is transferred securely between endpoints. But, rather than try to break the encryption, an eavesdropper may impersonate a message recipient (during key exchange or by substituting his public key for the recipient’s), so that messages are encrypted with a key known to the attacker. After decrypting the message, the snoop can then encrypt it with a key that they share with the actual recipient, or their public key in case of asymmetric systems, and send the message on again to avoid detection. This is known as a man-in-the-middle attack.[1][9]

Most end-to-end encryption protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, one could rely on certification authorities or a web of trust.[10] An alternative technique is to generate cryptographic hashes (fingerprints) based on the communicating users public keys or shared secret keys. The parties compare their fingerprints using an outside (out-of-band) communication channel that guarantees integrity and authenticity of communication (but not necessarily secrecy), before starting their conversation. If the fingerprints match, there is in theory, no man in the middle.[1]

When displayed for human inspection, fingerprints are usually encoded into hexadecimal strings. These strings are then formatted into groups of characters for readability. For example, a 128-bit MD5 fingerprint would be displayed as follows:

Some protocols display natural language representations of the hexadecimal blocks.[11] As the approach consists of a one-to-one mapping between fingerprint blocks and words, there is no loss in entropy. The protocol may choose to display words in the user’s native (system) language.[11] This can, however, make cross-language comparisons prone to errors.[12] In order to improve localization, some protocols have chosen to display fingerprints as base 10 strings instead of hexadecimal or natural language strings.[13][12] Modern messaging applications can also display fingerprints as QR codes that users can scan off each other’s devices.[13]

The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves. Each user’s computer can still be hacked to steal his or her cryptographic key (to create a MITM attack) or simply read the recipients decrypted messages both in real time and from log files. Even the most perfectly encrypted communication pipe is only as secure as the mailbox on the other end.[1] Major attempts to increase endpoint security have been to isolate key generation, storage and cryptographic operations to a smart card such as Google’s Project Vault.[14] However, since plaintext input and output are still visible to the host system, malware can monitor conversations in real time. A more robust approach is to isolate all sensitive data to a fully air gapped computer.[15] PGP has been recommended by experts for this purpose:

If I really had to trust my life to a piece of software, I would probably use something much less flashy GnuPG, maybe, running on an isolated computer locked in a basement.

However, as Bruce Schneier points out, Stuxnet developed by US and Israel successfully jumped air gap and reached Natanz nuclear plant’s network in Iran.[16] To deal with key exfiltration with malware, one approach is to split the Trusted Computing Base behind two unidirectionally connected computers that prevent either insertion of malware, or exfiltration of sensitive data with inserted malware.[17]

A backdoor is usually a secret method of bypassing normal authentication or encryption in a computer system, a product, or an embedded device, etc[18]. Companies may also willingly or unwillingly introduce backdoors to their software that help subvert key negotiation or bypass encryption altogether. In 2013, information leaked by Edward Snowden showed that Skype had a backdoor which allowed Microsoft to hand over their users’ messages to the NSA despite the fact that those messages were officially end-to-end encrypted.[19][20]

Read the original here:
End-to-end encryption – Wikipedia

Download Symantec Encryption Desktop 10.4.0 Build 1100

Having private information in emails end up in the wrong hands is a worst-case scenario, especially in the corporate environment. Leaving aside the encryption capabilities provided by any reputable email client, the end-to-end email encryption provided by Symantec Encryption Desktop can automatically safeguard the content in the user’s emails, making the transfer between source and destination clients much more difficult to intercept.

Symantec Encryption Desktop is compatible with the most popular email clients, namely Microsoft Outlook, Exchange and Office 365, Windows Live Mail, Thunderbird, Lotus Notes / Domino Server, and can also encrypt data on Exchange, IBM Domino, and vSphere servers.

In its endeavor to achieve unbreakable data protection, it relies on PGP technology and uses strong public key algorithms, such as DSA (1024-bit keys only), RSA (up to 4096-bit keys), and Diffie-Hellman. Popular mail protocols are supported (POP3, SMTP, IMAP, MAPI, and Lotus Notes).

To benefit from automatic email encryption, users must create a new PGP key for their email account and configure the security policies they want Symantec Encryption Desktop to apply. Aside from the default policies, users can create additional rules for message encoding. Advanced messaging safety standards are supported, such as PGP/MIME RFC 3156, S/MIME v3 RFC 2633, X.509 v3, or OpenPGP RFC 4880.

While its main purpose is to secure email content, Symantec Encryption Desktop also delivers additional data protection tools. It can create so-called PGP Zips, meaning it can encrypt the contents of any folder on the computer. Going even further, it can encrypt entire disks or partitions, rendering the computer unable to boot in case anyone tries to break into it without permission.

Additionally, it enables users to generate virtual disks, each having its own unique PGP key, where sensitive data can be stored safely. And, as expected, it also comprises a data wiping tool that can shred important files users want to get rid of permanently.

Having Symantec’s proven technology at its core, the Encryption Desktop utility relies on user-generated PGP keys to protect important information that is transferred from and to email clients, as well as data stored locally on the user’s computer. What’s more, it can be used for secure file sharing and allows users to encrypt or sign data in opened windows or located in the clipboard.

Email encryption Encrypt disk End-to-end encryption Encryption Email Sign Encrypt

Originally posted here:
Download Symantec Encryption Desktop 10.4.0 Build 1100

HTTPS – Wikipedia

HTTP Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network, and is widely used on the Internet.[1][2] In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS,[3] or HTTP over SSL.

The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication.[4] In practice, this provides a reasonable assurance that one is communicating without interference by attackers with the website that one intended to communicate with, as opposed to an impostor.

Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems.[citation needed] Since 2018[update][citation needed], HTTPS is used more often by webusers than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and keep user communications, identity, and web browsing private.

The Uniform Resource Identifier (URI) scheme HTTPS has identical usage syntax to the HTTP scheme. However, HTTPS signals the browser to use an added encryption layer of SSL/TLS to protect the traffic. SSL/TLS is especially suited for HTTP, since it can provide some protection even if only one side of the communication is authenticated. This is the case with HTTP transactions over the Internet, where typically only the server is authenticated (by the client examining the server’s certificate).

HTTPS creates a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.

Because HTTPS piggybacks HTTP entirely on top of TLS, the entirety of the underlying HTTP protocol can be encrypted. This includes the request URL (which particular web page was requested), query parameters, headers, and cookies (which often contain identity information about the user). However, because host (website) addresses and port numbers are necessarily part of the underlying TCP/IP protocols, HTTPS cannot protect their disclosure. In practice this means that even on a correctly configured web server, eavesdroppers can infer the IP address and port number of the web server (sometimes even the domain name e.g. http://www.example.org, but not the rest of the URL) that one is communicating with, as well as the amount (data transferred) and duration (length of session) of the communication, though not the content of the communication.[4]

Web browsers know how to trust HTTPS websites based on certificate authorities that come pre-installed in their software. Certificate authorities (such as Let’s Encrypt, Digicert, Comodo, GoDaddy and GlobalSign) are in this way being trusted by web browser creators to provide valid certificates. Therefore, a user should trust an HTTPS connection to a website if and only if all of the following are true:

HTTPS is especially important over insecure networks (such as public Wi-Fi access points), as anyone on the same local network can packet-sniff and discover sensitive information not protected by HTTPS. Additionally, many free to use and paid WLAN networks engage in packet injection in order to serve their own ads on webpages. However, this can be exploited maliciously in many ways, such as injecting malware onto webpages and stealing users’ private information.[5]

HTTPS is also very important for connections over the Tor anonymity network, as malicious Tor nodes can damage or alter the contents passing through them in an insecure fashion and inject malware into the connection. This is one reason why the Electronic Frontier Foundation and the Tor project started the development of HTTPS Everywhere,[4] which is included in the Tor Browser Bundle.[6]

As more information is revealed about global mass surveillance and criminals stealing personal information, the use of HTTPS security on all websites is becoming increasingly important regardless of the type of Internet connection being used.[7][8] While metadata about individual pages that a user visits is not sensitive, when combined, they can reveal a lot about the user and compromise the user’s privacy.[9][10][11]

Deploying HTTPS also allows the use of HTTP/2 (or its predecessor, the now-deprecated protocol SPDY), that are new generations of HTTP, designed to reduce page load times, size and latency.

It is recommended to use HTTP Strict Transport Security (HSTS) with HTTPS to protect users from man-in-the-middle attacks, especially SSL stripping.[11][12]

HTTPS should not be confused with the little-used Secure HTTP (S-HTTP) specified in RFC 2660.

As of April2018[update], 33.2% of Alexa top 1,000,000 websites use HTTPS as default,[13] 57.1% of the Internet’s 137,971 most popular websites have a secure implementation of HTTPS,[14] and 70% of page loads (measured by Firefox Telemetry) use HTTPS.[15]

Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking whether they wanted to continue. Newer browsers display a warning across the entire window. Newer browsers also prominently display the site’s security information in the address bar. Extended validation certificates turn the address bar green in newer browsers. Most browsers also display a warning to the user when visiting a site that contains a mixture of encrypted and unencrypted content.

Most web browsers alert the user when visiting sites that have invalid security certificates.

The Electronic Frontier Foundation, opining that “In an ideal world, every web request could be defaulted to HTTPS”, has provided an add-on called HTTPS Everywhere for Mozilla Firefox that enables HTTPS by default for hundreds of frequently used websites. A beta version of this plugin is also available for Google Chrome and Chromium.[16][17]

The security of HTTPS is that of the underlying TLS, which typically uses long-term public and private keys to generate a short-term session key, which is then used to encrypt the data flow between client and server. X.509 certificates are used to authenticate the server (and sometimes the client as well). As a consequence, certificate authorities and public key certificates are necessary to verify the relation between the certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures drew attention to certificate authorities as a potential weak point allowing man-in-the-middle attacks.[18][19] An important property in this context is forward secrecy, which ensures that encrypted communications recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future. Not all web servers provide forward secrecy.[20][needs update]

A site must be completely hosted over HTTPS, without having part of its contents loaded over HTTPfor example, having scripts loaded insecurelyor the user will be vulnerable to some attacks and surveillance. Also having only a certain page that contains sensitive information (such as a log-in page) of a website loaded over HTTPS, while having the rest of the website loaded over plain HTTP, will expose the user to attacks. On a site that has sensitive information somewhere on it, every time that site is accessed with HTTP instead of HTTPS, the user and the session will get exposed. Similarly, cookies on a site served through HTTPS have to have the secure attribute enabled.[11]

HTTPS URLs begin with “https://” and use port 443 by default, whereas HTTP URLs begin with “http://” and use port 80 by default.

HTTP is not encrypted and is vulnerable to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information, and modify webpages to inject malware or advertisements. HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL).

HTTP operates at the highest layer of the TCP/IP model, the Application layer; as does the TLS security protocol (operating as a lower sublayer of the same layer), which encrypts an HTTP message prior to transmission and decrypts a message upon arrival. Strictly speaking, HTTPS is not a separate protocol, but refers to use of ordinary HTTP over an encrypted SSL/TLS connection.

Everything in the HTTPS message is encrypted, including the headers, and the request/response load. With the exception of the possible CCA cryptographic attack described in the limitations section below, the attacker can only know that a connection is taking place between the two parties and their domain names and IP addresses.

To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a trusted certificate authority for the web browser to accept it without warning. The authority certifies that the certificate holder is the operator of the web server that presents it. Web browsers are generally distributed with a list of signing certificates of major certificate authorities so that they can verify certificates signed by them.

Let’s Encrypt, launched in April 2016,[21] provides free and automated SSL/TLS certificates to websites.[22] According to the Electronic Frontier Foundation, “Let’s Encrypt” will make switching from HTTP to HTTPS “as easy as issuing one command, or clicking one button.”[23]. The majority of web hosts and cloud providers already leverage Let’s Encrypt, providing free certificates to their customers.

The system can also be used for client authentication in order to limit access to a web server to authorized users. To do this, the site administrator typically creates a certificate for each user, a certificate that is loaded into their browser. Normally, that contains the name and e-mail address of the authorized user and is automatically checked by the server on each reconnect to verify the user’s identity, potentially without even entering a password.

An important property in this context is perfect forward secrecy (PFS). Possessing one of the long-term asymmetric secret keys used to establish an HTTPS session should not make it easier to derive the short-term session key to then decrypt the conversation, even at a later time. DiffieHellman key exchange (DHE) and Elliptic curve DiffieHellman key exchange (ECDHE) are in 2013 the only ones known to have that property. Only 30% of Firefox, Opera, and Chromium Browser sessions use it, and nearly 0% of Apple’s Safari and Microsoft Internet Explorer sessions.[20] Among the larger internet providers, only Google supports PFS since 2011[update] (State of September 2013).[citation needed]

A certificate may be revoked before it expires, for example because the secrecy of the private key has been compromised. Newer versions of popular browsers such as Firefox,[24] Opera,[25] and Internet Explorer on Windows Vista[26] implement the Online Certificate Status Protocol (OCSP) to verify that this is not the case. The browser sends the certificate’s serial number to the certificate authority or its delegate via OCSP and the authority responds, telling the browser whether the certificate is still valid.[27]

SSL and TLS encryption can be configured in two modes: simple and mutual. In simple mode, authentication is only performed by the server. The mutual version requires the user to install a personal client certificate in the web browser for user authentication.[28] In either case, the level of protection depends on the correctness of the implementation of software and the cryptographic algorithms in use.

SSL/TLS does not prevent the indexing of the site by a web crawler, and in some cases the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size.[29] This allows an attacker to have access to the plaintext (the publicly available static content), and the encrypted text (the encrypted version of the static content), permitting a cryptographic attack.

Because TLS operates at a protocol level below that of HTTP, and has no knowledge of the higher-level protocols, TLS servers can only strictly present one certificate for a particular address and port combination.[30] In the past, this meant that it was not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many old browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista.[31][32][33]

From an architectural point of view:

A sophisticated type of man-in-the-middle attack called SSL stripping was presented at the Blackhat Conference 2009. This type of attack defeats the security provided by HTTPS by changing the https: link into an http: link, taking advantage of the fact that few Internet users actually type “https” into their browser interface: they get to a secure site by clicking on a link, and thus are fooled into thinking that they are using HTTPS when in fact they are using HTTP. The attacker then communicates in clear with the client.[34] This prompted the development of a countermeasure in HTTP called HTTP Strict Transport Security.

HTTPS has been shown vulnerable to a range of traffic analysis attacks. Traffic analysis attacks are a type of side-channel attack that relies on variations in the timing and size of traffic in order to infer properties about the encrypted traffic itself. Traffic analysis is possible because SSL/TLS encryption changes the contents of traffic, but has minimal impact on the size and timing of traffic. In May 2010, a research paper by researchers from Microsoft Research and Indiana University discovered that detailed sensitive user data can be inferred from side channels such as packet sizes. More specifically, the researchers found that an eavesdropper can infer the illnesses/medications/surgeries of the user, his/her family income and investment secrets, despite HTTPS protection in several high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search.[35] Although this work demonstrated vulnerability of HTTPS to traffic analysis, the approach presented by the authors required manual analysis and focused specifically on web applications protected by HTTPS.

The fact that most modern websites, including Google, Yahoo!, and Amazon, use HTTPS causes problems for many users trying to access public Wi-Fi hot spots, because a Wi-Fi hot spot login page fails to load if the user tries to open an HTTPS resource.[36][37] Several websites, such as neverssl.com or nonhttps.com, guarantee that they will always remain accessible by HTTP.

Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser.[38] Originally, HTTPS was used with the SSL protocol. As SSL evolved into Transport Layer Security (TLS), HTTPS was formally specified by RFC 2818 in May 2000.

Read this article:
HTTPS – Wikipedia