Category Archives: Encryption

Email Encryption Options for MDaemon Email Server

MDaemon uses a layered approach to email encryption for safely sending your emails and attachments. On the client-side, MDaemon Webmail users can enable basic encryption features when sending emails and attachments within Webmail. On the server-side, Administrators have the ability to use encryption, decryption, and basic key management capabilities.

MDaemon Webmail uses HTTPS connections to power its webmail encryption

MDaemon supports Open PGP to power its server-side email encryption

When composing a message, MDaemon Webmail users can use the Advanced Options screen to instruct MDaemon to encrypt the message, retrieve their public key, or retrieve the public key of another user (if available). This greatly simplifies the process of sending secure, encrypted email using MDaemon PGP.

On the server side, OpenPGP for MDaemon has been added to give administrators the ability to use encryption, decryption, and basic key management capabilities through OpenPGP support.

This additional layer helps administrators who want to ensure user compliance by managing encryption settings at the server versus the user implemented client level. Also, MDaemon’s Content Filter now contains actions to encrypt and decrypt messages. And finally, server-side encryption capabilities are beneficial when using email archiving with MDaemon.

MDaemon Webmail has a unique setting that allows it to be used as basic public key server. When this feature is enabled, Webmail will honor requests for your users’ public keys using a specially formatted URL. Additionally, MDaemon’s OpenPGP feature supports collection of public keys over DNS. This helps to automate the process of exchanging encryption keys.

MDaemon’s OpenPGP features can verify embedded signatures found within messages. This helps the recipient ensure that the message is authentic. MDaemon Webmail will display an icon or text label for verified messages. Webmail will also display labels for messages with valid DKIM signatures, messages decrypted by OpenPGP, and messages signed with an OpenPGP key.

Automated Encryption Key Exchange allows the process of exchanging public keys for OpenPGP to take place during the SMTP message delivery process. When this feature is enabled, authorized users will no longer need to manually send their public key to another user from whom they wish to receive encrypted email.

Visit link:
Email Encryption Options for MDaemon Email Server

How to Encrypt Files on Windows – Tutorial – Toms Guide

If you’re looking for a simple way to keep files and folders private on your Windows computer, you have several options right in front of you. Thanks to the Microsoft Office Suite, you can use a built-in encryption feature to password-protect Office files, such as Word documents or PowerPoint presentations.

Some Windows operating systems also come with Encrypting File System (EFS), which lets you encrypt any kind of file, as well as whole folders and subfolders. Note, however, that EFS is only available for Windows 10 Pro, Windows 7 Professional, Windows 7 Ultimate, Windows 7 Enterprise, Windows 8 Pro or Windows 8 Enterprise. Users with a Home edition of Windows will need to use either Office Suite encryption or a third-party solution, such as TrueCrypt, VeraCrypt or 7-Zip.

Illustration: Toms GuideTo set up your Windows encryption, you’ll want to follow these step-by-step instructions.

MORE: Best Password Managers

Before you start altering your files, there are some tips you need to keep in mind.

This process encrypts individual files compatible with Microsoft Office applications such as Word, PowerPoint or Excel. Once you encrypt a file this way, you’ll need to reopen it in Microsoft Office; you won’t be able to open it in Google Docs, Adobe Reader or LibreOffice. These steps work for all up-to-date versions of Office, across Windows 7 and Windows 10.

1. Open a Microsoft Office program and click Open Other Documents.

2. Click Browse.

3. Select a file you want to encrypt and click Open.

4. Click the File tab at the top of the page.

5. Click “Protect Document” on the left side.

3. Select Encrypt with Password from the pop-up menu.

4. Enter a password for the file. You’ll be prompted to re-enter the same password, then click OK. After you exit this file, you’ll have to enter the same password to reopen it. Be sure to store this password in a separate, safe place.

You’re not quite done yet, though. One of the flaws with Microsoft Office’s encryption is that unencrypted versions of recently opened files might still be stored in your computer’s temporary memory. You’ll want to go clear that out after you’ve encrypted a file.

1. Click the Start button.

2. Type “Disk Cleanup” into the text field and select Disk Cleanup.

3. Wait for the loading bar to complete, it’s calculating how many files it will be able to delete.

4. After the window “Disk Cleanup for OS (C:) appears, check the box next to “Temporary files” (you may need to scroll down) and click OK.

5. A new pop-up window will appear asking you to confirm the deletion. Click Delete Files.

6. Youll see a new pop-up window (pictured below) with a loading bar running as your files are deleted. Once it’s finished, the window will disappear and the temporary files are gone.

EFS works by letting you apply encryption to already-existing files or folders in your file system. You can still edit or modify these files or folders following the encryption process. With EFS you won’t notice any change in the way you access your files; all you have to do is log in to your Windows account at startup and the files will be accessible. However, this means that you need to pick a strong, difficult-to-guess password for your Windows user account. Note: Step 7 is time-sensitive, so make sure to click the “Back up your file encryption key” prompt after confirming attribute changes in step 6. Missing that prompt means you’ll need to start over again.

1. Right-click on the file or folder you wish to encrypt.

2. Click Properties selection at the bottom of the menu.

3. Click Advanced under the General tab. This will bring up a second pop-up window entitled Advanced Attributes.

4. Check “Encrypt contents to secure data.”

5. Click OK.

6. Click Apply.

7. Choose how extensive you want the encryption to be, click OK. You can choose to encrypt just that folder, or to encrypt all of the folder’s subfolders and files. We recommend the latter. Whichever you choose, click that option and then press OK.

8. Make sure to click the “Back up your file encryption key” pop-up message before it disappears. If you miss the pop-up message, you’ll need to restart your machine and try again.

The computer creates an encryption key using an encryption certificate provided by Microsoft. Now your file or folder is encrypted, you won’t need a password to access it other than the password you use to sign into your Windows profile when you turn the computer on.

You should back up that encryption key to a separate device, because if that key is ever lost or damaged, you won’t be able to access your encrypted files. The easiest method is with an external USB drive, so plug one into your PC before starting.

1. Click the option “Back up now (recommended).”

2. Click Next.

3. Click Next again.

4. Check the box next to Password, enter your password twice and click Next.

5. Click Browse.

6. Navigate to a directory, such as a USB drive, name your encryption key and click save.

7. Click Next.

8. Click Finish.

9. Click OK, now eject your USB drive (or wherever you stored the file) and keep it somewhere safe where you’ll remember it.

Windows’ built-in encryption isn’t a perfect solution. If you encrypt a single file, the computer stores an unencrypted version of that file in its temporary memory, so a savvy snoop can still access it.

It’s fairly easy for an attacker to break Windows encryption using a brute-force attack, which is when an attacker uses a program that methodically guesses every possible combination of letters and numbers, starting with common passwords.

MORE: Your Router’s Security Stinks: Here’s How to Fix It

If you’re very serious about security and privacy, you might not trust a Microsoft solution. The FBI and NSA can require U.S. companies to hand over data or encryption keys. For those reasons, we suggest using a free third-party service, such as TrueCrypt, its successor VeraCrypt or WinZip.

More here:
How to Encrypt Files on Windows – Tutorial – Toms Guide

Encryption, Key Management – bank information security

Please fill out the following fields:

CountryUnited StatesCanadaIndiaAfghanistanAlbaniaAlgeriaAmerican SamoaAndorraAngolaAnguillaAntarcticaAntigua and BarbudaArgentinaArmeniaArubaAustraliaAustriaAzerbaijanBahamasBahrainBangladeshBarbadosBelarusBelgiumBelizeBeninBermudaBhutanBoliviaBosnia and HerzegovinaBotswanaBouvet IslandBrazilBritish Indian Ocean Trty.Brunei DarussalamBulgariaBurkina FasoBurundiCambodiaCameroonCape VerdeCayman IslandsCentral African RepublicChadChileChinaChristmas IslandCocos (Keeling) IslandsColombiaComorosCongoCook IslandsCosta RicaCote D’IvoireCroatiaCubaCyprusCzech RepublicDenmarkDjiboutiDominicaDominican RepublicEast TimorEcuadorEgyptEl SalvadorEquatorial GuineaEritreaEstoniaEthiopiaFalkland Islands (Malvinas)Faroe IslandsFijiFinlandFranceFrance, MetropolitanFrench GuianaFrench PolynesiaFrench Southern TerritoriesGabonGambiaGeorgiaGermanyGhanaGibraltarGreeceGreenlandGrenadaGuadeloupeGuamGuatemalaGuineaGuinea-BissauGuyanaHaitiHondurasHong KongHungaryIcelandIndonesiaIran (Islamic Republic of)IraqIrelandIsraelItalyJamaicaJapanJordanKazakhstanKenyaKiribatiKoreaKorea (Democratic)KuwaitKyrgystanLaosLatviaLebanonLesothoLiberiaLibyaLiechtensteinLithuaniaLuxembourgMacauMacedoniaMadagascarMalawiMalaysiaMaldivesMaliMaltaMarshall IslandsMartiniqueMauritaniaMauritiusMayotteMexicoMicronesiaMoldovaMonacoMongoliaMontserratMoroccoMozambiqueMyanmarNamibiaNauruNepalNetherlandsNetherlands AntillesNeutral ZoneNew CaledoniaNew ZealandNicaraguaNigerNigeriaNiueNorfolk IslandNorthern Mariana IslandsNorwayOmanPakistanPalauPanamaPapua New GuineaParaguayPeruPhilippinesPitcairnPolandPortugalPuerto RicoQatarReunionRomaniaRussian FederationRwandaSaint HelenaSaint Kitts and NevisSaint LuciaSaint Pierre and MiquelonSaint Vincent and the GrenadinesSamoaSan MarinoSao Tome and PrincipeSaudi ArabiaSenegalSerbiaSeychellesSierra LeoneSingaporeSlovakiaSloveniaSolomon IslandsSomaliaSouth AfricaSpainSri LankaSudanSurinameSvalbard and Jan MayenSwazilandSwedenSwitzerlandSyrian Arab RepublicTaiwanTajikistanTanzaniaThailandTogoTokelauTongaTrinidad and TobagoTunisiaTurkeyTurkmenistanTurks and Caicos IslandsTuvaluUgandaUkraineUnited Arab EmiratesUnited KingdomUruguayUS Minor Outlying IslandsUzbekistanVanuatuVatican City StateVenezuelaViet NamVirgin Islands (British)Virgin Islands (US)Wallis and FutunaWestern SaharaYemenYugoslaviaZaireZambiaZimbabwe

Title Level Attorney / General Counsel / Counsel AVP Board of Director C Level – Other CCO CEO / President CFO Chairperson CIO CISO / CSO COO CRO CTO Director EVP / SVP / FVP Head Healthcare Professional Manager / Supervisor Partner VP –Other Title Level–

Job Function Anti-Money Laundering (AML) Audit Business Continuity/Disaster Recovery Business Development Cashier / Customer Service / Administrative Clinical Healthcare Professional Compliance / BSA Data Management Debit/Credit Card/Electronic Banking eCommerce / eBusiness Executive Management Finance / Accounting Founder / Owner Fraud HR / Training Information Security Information Technology Legal Lending Loss Prevention Marketing Network / Systems / Web Operations Others Policies / Procedures Product Management Project Regulatory Affairs Risk Management Sales Security / Privacy Vendor Management –Other Job Function–

Subscription Preferences:


Risk Management

Data Breach



Read more:
Encryption, Key Management – bank information security

Which Types of Encryption are Most Secure?

by Top Ten Reviews Contributor

Encryption can protect your consumer information, emails and other sensitive data as well as secure network connections. Today, there are many options to choose from, and finding one that is both secure and fits your needs is a must. Here are four encryption methods and what you should know about each one.


The Advanced Encryption Standard, AES, is a symmetric encryption algorithm and one of the most secure. The United States Government use it to protect classified information, and many software and hardware products use it as well. This method uses a block cipher, which encrypts data one fixed-size block at a time, unlike other types of encryption, such as stream ciphers, which encrypt data bit by bit.

AES is comprised of AES-128, AES-192 and AES-256. The key bit you choose encrypts and decrypts blocks in 128 bits, 192 bits and so on. There are different rounds for each bit key. A round is the process of turning plaintext into cipher text. For 128-bit, there are 10 rounds; 192-bit has 12 rounds; and 256-bit has 14 rounds.

Since AES is a symmetric key encryption, you must share the key with other individuals for them to access the encrypted data. Furthermore, if you dont have a secure way to share that key and unauthorized individuals gain access to it, they can decrypt everything encrypted with that specific key.


Triple Data Encryption Standard, or 3DES, is a current standard, and it is a block cipher. Its similar to the older method of encryption, Data Encryption Standard, which uses 56-bit keys. However, 3DES is a symmetric-key encryption that uses three individual 56-bit keys. It encrypts data three times, meaning your 56-bit key becomes a 168-bit key.

Unfortunately, since it encrypts data three times, this method is much slower than others. Also, because 3DES uses shorter block lengths, it is easier to decrypt and leak data. However, many financial institutions and businesses in numerous other industries use this encryption method to keep information secure. As more robust encryption methods emerge, this one is being slowly phased out.


Twofish is a symmetric block cipher based on an earlier block cipher Blowfish. Twofish has a block size of 128-bits to 256 bits, and it works well on smaller CPUs and hardware. Similar to AES, it implements rounds of encryption to turn plaintext into cipher text. However, the number of rounds doesnt vary as with AES; no matter the key size, there are always 16 rounds.

In addition, this method provides plenty of flexibility. You can choose for the key setup to be slow but the encryption process to be quick or vice versa. Furthermore, this form of encryption is unpatented and license free, so you can use it without restrictions.


This asymmetric algorithm is named after Ron Rivest, Adi Shamir and Len Adelman. It uses public-key cryptography to share data over an insecure network. There are two keys: one public and one private. The public key is just as the name suggests: public. Anyone can access it. However, the private key must be confidential. When using RSA cryptography, you need both keys to encrypt and decrypt a message. You use one key to encrypt your data and the other to decrypt it.

According to Search Security, RSA is secure because it factors large integers that are the product of two large prime numbers. Additionally, the key size is large, which increases the security. Most RSA keys are 1024-bits and 2048-bits long. However, the longer key size does mean its slower than other encryption methods.

While there are many additional encryption methods available, knowing about and using the most secure ones ensures your confidential data stays secure and away from unwanted eyes.

Follow this link:
Which Types of Encryption are Most Secure?

JSON Object Signing and Encryption (JOSE)

HS256 HMAC using SHA-256 alg Required [IESG] [RFC7518, Section 3.2] n/a HS384 HMAC using SHA-384 alg Optional [IESG] [RFC7518, Section 3.2] n/a HS512 HMAC using SHA-512 alg Optional [IESG] [RFC7518, Section 3.2] n/a RS256 RSASSA-PKCS1-v1_5 using SHA-256 alg Recommended [IESG] [RFC7518, Section 3.3] n/a RS384 RSASSA-PKCS1-v1_5 using SHA-384 alg Optional [IESG] [RFC7518, Section 3.3] n/a RS512 RSASSA-PKCS1-v1_5 using SHA-512 alg Optional [IESG] [RFC7518, Section 3.3] n/a ES256 ECDSA using P-256 and SHA-256 alg Recommended+ [IESG] [RFC7518, Section 3.4] n/a ES384 ECDSA using P-384 and SHA-384 alg Optional [IESG] [RFC7518, Section 3.4] n/a ES512 ECDSA using P-521 and SHA-512 alg Optional [IESG] [RFC7518, Section 3.4] n/a PS256 RSASSA-PSS using SHA-256 and MGF1 with SHA-256 alg Optional [IESG] [RFC7518, Section 3.5] n/a PS384 RSASSA-PSS using SHA-384 and MGF1 with SHA-384 alg Optional [IESG] [RFC7518, Section 3.5] n/a PS512 RSASSA-PSS using SHA-512 and MGF1 with SHA-512 alg Optional [IESG] [RFC7518, Section 3.5] n/a none No digital signature or MAC performed alg Optional [IESG] [RFC7518, Section 3.6] n/a RSA1_5 RSAES-PKCS1-v1_5 alg Recommended- [IESG] [RFC7518, Section 4.2] n/a RSA-OAEP RSAES OAEP using default parameters alg Recommended+ [IESG] [RFC7518, Section 4.3] n/a RSA-OAEP-256 RSAES OAEP using SHA-256 and MGF1 with SHA-256 alg Optional [IESG] [RFC7518, Section 4.3] n/a A128KW AES Key Wrap using 128-bit key alg Recommended [IESG] [RFC7518, Section 4.4] n/a A192KW AES Key Wrap using 192-bit key alg Optional [IESG] [RFC7518, Section 4.4] n/a A256KW AES Key Wrap using 256-bit key alg Recommended [IESG] [RFC7518, Section 4.4] n/a dir Direct use of a shared symmetric key alg Recommended [IESG] [RFC7518, Section 4.5] n/a ECDH-ES ECDH-ES using Concat KDF alg Recommended+ [IESG] [RFC7518, Section 4.6] n/a ECDH-ES+A128KW ECDH-ES using Concat KDF and “A128KW” wrapping alg Recommended [IESG] [RFC7518, Section 4.6] n/a ECDH-ES+A192KW ECDH-ES using Concat KDF and “A192KW” wrapping alg Optional [IESG] [RFC7518, Section 4.6] n/a ECDH-ES+A256KW ECDH-ES using Concat KDF and “A256KW” wrapping alg Recommended [IESG] [RFC7518, Section 4.6] n/a A128GCMKW Key wrapping with AES GCM using 128-bit key alg Optional [IESG] [RFC7518, Section 4.7] n/a A192GCMKW Key wrapping with AES GCM using 192-bit key alg Optional [IESG] [RFC7518, Section 4.7] n/a A256GCMKW Key wrapping with AES GCM using 256-bit key alg Optional [IESG] [RFC7518, Section 4.7] n/a PBES2-HS256+A128KW PBES2 with HMAC SHA-256 and “A128KW” wrapping alg Optional [IESG] [RFC7518, Section 4.8] n/a PBES2-HS384+A192KW PBES2 with HMAC SHA-384 and “A192KW” wrapping alg Optional [IESG] [RFC7518, Section 4.8] n/a PBES2-HS512+A256KW PBES2 with HMAC SHA-512 and “A256KW” wrapping alg Optional [IESG] [RFC7518, Section 4.8] n/a A128CBC-HS256 AES_128_CBC_HMAC_SHA_256 authenticated encryption algorithm enc Required [IESG] [RFC7518, Section 5.2.3] n/a A192CBC-HS384 AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm enc Optional [IESG] [RFC7518, Section 5.2.4] n/a A256CBC-HS512 AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm enc Required [IESG] [RFC7518, Section 5.2.5] n/a A128GCM AES GCM using 128-bit key enc Recommended [IESG] [RFC7518, Section 5.3] n/a A192GCM AES GCM using 192-bit key enc Optional [IESG] [RFC7518, Section 5.3] n/a A256GCM AES GCM using 256-bit key enc Recommended [IESG] [RFC7518, Section 5.3] n/a EdDSA EdDSA signature algorithms alg Optional [IESG] [RFC8037, Section 3.1] [RFC8032] RS1 RSASSA-PKCS1-v1_5 with SHA-1 JWK Prohibited [W3C_Web_Cryptography_Working_Group] [] [draft-irtf-cfrg-webcrypto-algorithms] RSA-OAEP-384 RSA-OAEP using SHA-384 and MGF1 with SHA-384 alg Optional [W3C_Web_Cryptography_Working_Group] [] n/a RSA-OAEP-512 RSA-OAEP using SHA-512 and MGF1 with SHA-512 alg Optional [W3C_Web_Cryptography_Working_Group] [] n/a A128CBC AES CBC using 128 bit key JWK Prohibited [W3C_Web_Cryptography_Working_Group] [] [draft-irtf-cfrg-webcrypto-algorithms] A192CBC AES CBC using 192 bit key JWK Prohibited [W3C_Web_Cryptography_Working_Group] [] [draft-irtf-cfrg-webcrypto-algorithms] A256CBC AES CBC using 256 bit key JWK Prohibited [W3C_Web_Cryptography_Working_Group] [] [draft-irtf-cfrg-webcrypto-algorithms] A128CTR AES CTR using 128 bit key JWK Prohibited [W3C_Web_Cryptography_Working_Group] [] [draft-irtf-cfrg-webcrypto-algorithms] A192CTR AES CTR using 192 bit key JWK Prohibited [W3C_Web_Cryptography_Working_Group] [] [draft-irtf-cfrg-webcrypto-algorithms] A256CTR AES CTR using 256 bit key JWK Prohibited [W3C_Web_Cryptography_Working_Group] [] [draft-irtf-cfrg-webcrypto-algorithms] HS1 HMAC using SHA-1 JWK Prohibited [W3C_Web_Cryptography_Working_Group] [] [draft-irtf-cfrg-webcrypto-algorithms]

See the original post:
JSON Object Signing and Encryption (JOSE)

What Is Encryption, and How Does It Work?

Encryption has a long history dating back to when the ancient Greeks and Romans sent secret messages by substituting letters only decipherable with a secret key. Join us for a quick history lesson and learn more about how encryption works.

In todays edition of HTG Explains, well give you a brief history of encryption, how it works, and some examples of different types of encryptionmake sure you also check out the previous edition, where we explained why so many geeks hate Internet Explorer.

Image by xkcd, obviously.

The ancient Greeks used a tool called a Scytale to help encrypt their messages more quickly using a transposition cipherthey would simply wrap the strip of parchment around the cylinder, write out the message, and then when unwound wouldnt make sense.

This encryption method could be fairly easily broken, of course, but its one of the first examples of encryption actually being used in the real world.

Julius Caesar used a somewhat similar method during his time by shifting each letter of the alphabet to the right or left by a number of positionsan encryption technique known as Caesars cipher. For instance, using the example cipher below youd write GEEK as JHHN.


Since only the intended recipient of the message knew the cipher, it would be difficult for the next person to decode the message, which would appear as gibberish, but the person that had the cipher could easily decode and read it.

Other simple encryption ciphers like the Polybius square used a polyalphabetic cipher that listed each letter with the corresponding numeric positions across the top and side to tell where the position of the letter was.

Using a table like the one above you would write the letter G as 23, or GEEK as 23 31 31 43.

Enigma Machine

During World War II, the Germans used the Enigma machine to pass encrypted transmissions back and forth, which took years before the Polish were able to crack the messages, and give the solution to the Allied forces, which was instrumental to their victory.

Lets face it: modern encryption techniques can be an extremely boring subject, so instead of just explaining them with words, weve put together a comic strip that talks about the history of encryption, inspired by Jeff Mosers stick figure guide to AES. Note: clearly we cannot convey everything about encryptions history in a comic strip.

Back in those days, people do not have a good encryption method to secure their electronic communication.

Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM.

The Data Encryption Standard (DES) is a block cipher (a form of shared secret encryption) that was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally.

Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL

The Rijndael encryption algorithm was adopted by the US Government as standard symmetric-key encryption, or Advanced Encryption Standard (AES). AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable encryption algorithm.

Many encryption algorithms exist, and they are all suited to different purposesthe two main characteristics that identify and differentiate one encryption algorithm from another are its ability to secure the protected data against attacks and its speed and efficiency in doing so.

As a good example of the speed difference between different types of encryption, you can use the benchmarking utility built into TrueCrypts volume creation wizardas you can see, AES is by far the fastest type of strong encryption.

There are both slower and faster encryption methods, and they are all suited for different purposes. If youre simply trying to decrypt a tiny piece of data every so often, you can afford to use the strongest possible encryption, or even encrypt it twice with different types of encryption. If you require speed, youd probably want to go with AES.

For more on benchmarking different types of encryption, check out a report from Washington University of St. Louis, where they did a ton of testing on different routines, and explained it all in a very geeky write-up.

All the fancy encryption algorithm that we have talked about earlier are mostly used for two different types of encryption:

To explain this concept, well use the postal service metaphor described in Wikipedia to understand how symmetric key algorithms works.

Alice puts her secret message in a box, and locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alices key (which he has somehow obtained previously, maybe by a face-to-face meeting) to open the box, and read the message. Bob can then use the same padlock to send his secret reply.

Symmetric-key algorithms can be divided into stream ciphers and block ciphersstream ciphers encrypt the bits of the message one at a time, and block ciphers take a number of bits, often in blocks of 64 bits at a time, and encrypt them as a single unit. Theres a lot of different algorithms you can choose fromthe more popular and well-respected symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA.

In an asymmetric key system, Bob and Alice have separate padlocks, instead of the single padlock with multiple keys from the symmetric example. Note: this is, of course, a greatly oversimplified example of how it really works, which is much more complicated, but youll get the general idea.

First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alices open padlock to lock the box before sending it back to her.

The critical advantage in an asymmetric key system is that Bob and Alice never need to send a copy of their keys to each other. This prevents a third party (perhaps, in the example, a corrupt postal worker) from copying a key while it is in transit, allowing said third party to spy on all future messages sent between Alice and Bob. In addition, if Bob were careless and allowed someone else to copy his key, Alices messages to Bob would be compromised, but Alices messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use.

Asymmetric encryption uses different keys for encryption and decryption. The message recipient creates a private key and a public key. The public key is distributed among the message senders and they use the public key to encrypt the message. The recipient uses their private key any encrypted messages that have been encrypted using the recipients public key.

Theres one major benefit to doing encryption this way compare to symmetric encryption. We never need to send anything secret (like our encryption key or password) over an insecure channel. Your public key goes out to the worldits not secret and it doesnt need to be. Your private key can stay snug and cozy on your personal computer, where you generated itit never has to be e-mailed anywhere, or read by attackers.

For many years, the SSL (Secure Sockets Layer) protocol has been securing web transactions using encryption between your web browser and a web server, protecting you from anybody that might be snooping on the network in the middle.

SSL itself is conceptually quite simple. It begins when the browser requests a secure page (usually https://)

The web server sends its public key with its certificate.The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.The web server decrypts the symmetric encryption key using its private key and uses the browsers symmetric key to decrypt its URL and http data.The web server sends back the requested html document and http data encrypted with the browsers symmetric key. The browser decrypts the http data and html document using the symmetric key and displays the information.

And now you can securely buy that eBay item you really didnt need.

If you made it this far, were at the end of our long journey to understanding encryption and a little bit of how it worksstarting from the early days of encryption with the Greeks and Romans, the rise of Lucifer, and finally how SSL uses asymmetric and symmetric encryption to help you buy that fluffy pink bunny on eBay.

Were big fans of encryption here at How-To Geek, and weve covered a lot of different ways to do things like:

Of course encryption is far too complicated a topic to really explain everything. Did we miss something important? Feel free to lay some knowledge on your fellow readers in the comments.

Read this article:
What Is Encryption, and How Does It Work?

The Pitfalls of Facebook Merging Messenger, Instagram, and …

In an effort led by CEO Mark Zuckerberg, Facebook has plans to rearchitect WhatsApp, Instagram direct messages, and Facebook Messenger so that messages can travel across any of the platforms. The New York Times first reported the move Friday, noting also that Zuckerberg wants the initiative to “incorporate end-to-end encryption.” Melding those infrastructures would be a massive task regardless, but designing the scheme to universally preserve end-to-end encryptionin a way that users understandposes a whole additional set of critical challenges.

As things stand now, WhatsApp chats are end-to-end encrypted by default, while Facebook Messenger only offers the feature if you turn on “Secret Conversations.” Instagram does not currently offer any form of end-to-end encryption for its chats. WhatsApp’s move to add default encryption for all users was a watershed moment in 2016, bringing the protection to a billion people by flipping one switch.

Facebook is still in the early planning stages of homogenizing its messaging platforms, a move that could increase the ease and number of secured chats online by a staggering order of magnitude. But cryptographers and privacy advocates have already raised a number of obvious hurdles the company faces in doing so. End-to-end encrypted chat protocols ensure that data is only decrypted and intelligible on the devices of the sender and recipient. At least, that’s the idea. In practice, it can be difficult to use the protection effectively if it’s enabled for some chats and not for others and can turn on and off within a chat at different times. In attempting to unify its chat services, Facebook will need to find a way to help users easily understand and control end-to-end encryption as the ecosystem becomes more porous.

“The big problem I see is that only WhatsApp has default end-to-end encryption,” says Matthew Green, a cryptographer at Johns Hopkins. “So if the goal is to allow cross-app traffic, and its not required to be encrypted, then what happens? There are a whole range of outcomes here.”

WhatsApp users, for example, can assume that all of their chats are end-to-end encrypted, but what will happen in Facebook’s newly homogenized platform if an Instagram user messages a WhatsApp user? It’s unclear what sort of defaults Facebook will impose, and how it will let users know whether their chats are encrypted.

Facebook can also glean more data from unencrypted chats and introduce monetizable experiences like bots into them. The company has had a notoriously hard time earning revenue off of WhatsApp’s 1.5 billion users, in part because of end-to-end encryption.

“We want to build the best messaging experiences we can; and people want messaging to be fast, simple, reliable and private,” a Facebook spokesperson said in a statement on Friday. “We’re working on making more of our messaging products end-to-end encrypted and considering ways to make it easier to reach friends and family across networks. As you would expect, there is a lot of discussion and debate as we begin the long process of figuring out all the details of how this will work.”

Facebook emphasizes that this gradual process will allow it to work out all the kinks before debuting a monolithic chat structure. But encryption’s not the only area of concern. Privacy advocates are concerned about the potential creation of a unified identity for people across all three services, so that messages go to the right place. Such a setup could be convenient in many ways, but it could also have complicated ramifications.

In 2016, WhatsApp started sharing user phone numbers and other analytics with Facebook, perforating what had previously been a red line between the two services. WhatsApp still lets users make an account with only a phone number, while Facebook requires your legal name under its controversial “real name” policy. The company maintains this rule to prevent confusion and fraud, but its rigidity has caused problems for users who have other safety and security reasons for avoiding their legal or given name, such as being transgender.

“If the goal is to allow cross-app traffic, and its not required to be encrypted, then what happens?”

Matthew Green, Johns Hopkins University

In a Wall Street Journal opinion piece on Thursday evening, Zuckerberg wrote that, “Theres no question that we collect some information for adsbut that information is generally important for security and operating our services as well.” An indelible identity across Facebook’s brands could have security benefits like enabling stronger anti-fraud protections. But it could also unlock an even richer and more nuanced user data trove for Facebook to mine, and potentially make it harder to use one or more of the services without tying those profiles to a central identity.

“The obvious identity issue is usernames. I’m one thing on Facebook and another on Instagram,” says Jim Fenton, an independent identity privacy and security consultant. “In some ways, having the three linked more closely together would be good because it would make it more transparent that they are connected. But there are some Instagram and WhatsApp users who don’t want to use Facebook. This might be seen as a way to try to push more people in.”

Such a change to how chat works on the three brands isn’t just a potentially massive shift for usersit also seems to have stirred deep controversy within Facebook itself, and may have contributed to the departure last year of WhatsApp cofounders Jan Koum and Brian Acton.

End-to-end encryption is also difficult to implement correctly, because any oversight or bug can undermine the whole scheme. For example, both WhatsApp and Facebook Messenger currently use the open-source Signal protocol (used in the Signal encrypted messaging app), but the implementations are different, because one service has the encryption on by default and the other doesn’t. Melding these different approaches could create opportunities for error.

“Theres a world where Facebook Messenger and Instagram get upgraded to the default encryption of WhatsApp, but that probably isn’t happening,” Johns Hopkins’ Green says. “Its too technically challenging and would cost Facebook access to lots of data.”

And while end-to-end encryption can’t solve every privacy issue for everyone all the time anyway, it’s harder to know how to take advantage of it safely when a service doesn’t offer it consistently, and creates potential privacy issues when it centralizes identities.

“I think they can work this out,” Fenton says. “The bigger problem in my opinion is user confusion.”

See the original post:
The Pitfalls of Facebook Merging Messenger, Instagram, and …

Encryption: Avoiding the Pitfalls That Can Lead to Breaches

Cybercrime , Cybersecurity , Data Breach

The Marriott mega-breach is calling attention to the issues of whether organizations are storing too much data and whether they’re adequately protecting it with the proper encryption steps.

See Also: The Role of Threat Intelligence in Cyber Resilience

In its revised findings about a mega-breach that it now says affected 327 million customers, Marriott notes that 25.6 million passport numbers were exposed in the breach, of which 5.25 million were unencrypted. “There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” Marriott says. But that doesn’t mean that the attackers couldn’t later brute-force decrypt the numbers (see: Marriott Mega-Breach: Victim Count Drops to 383 Million).

Also exposed in the breach were approximately 8.6 million encrypted payment cards that were being stored by Marriott. By the time the breach was discovered in late 2018, however, Marriott says most of the payment cards had already expired. As with the passport data, “there is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers,” Marriott says.

U.S. Sen. Mark Warner, D-Virginia, says the breach highlights a failure by many organizations to minimize the amount of data they routinely store on consumers.

“It’s unacceptable that Marriott was retaining sensitive data like passport numbers for so long, and it’s unconscionable that it kept this data unencrypted,” said Warner, who co-chairs the Senate Cybersecurity Caucus, the Wall Street Journal reported.

Meanwhile, security experts around the world are calling attention to the need to take all necessary steps to properly encrypt sensitive data that organizations store.

Although cryptography is being added to more backend applications, it’s often being implemented incorrectly, contends Steve Marshall, chief information security officer and head of cyber consulting at Bytes Software Services, a U.K.-based IT company. “This often leaves organizations with a false sense of security, which, unfortunately becomes evident when they are attacked,” he says.

And with governments across the world pushing for encryption backdoors to be used by law enforcement, the hacking risks could get worse.

Jagdeep Singh, head of risk and governance at Instarem, a Singapore-based payments company, says many companies worldwide make common mistakes when implementing encryption. For example, they:

Tarun Pant, CEO at SecurelyShare, a Bangalore-based company, says too many organizations focus on encrypting data while it’s transmitted but fail to encrypt it when it’s at rest.

“Many organizations don’t do end-to-end encryption of data,” he says. “Hence, the weakest link is often the source of the breach. Data at rest, if not encrypted with source key, leads to breaches from within the organization.”

Too many companies take a “check list” approach to data security, focusing narrowly on regulatory compliance. These firms often don’t devote enough time and effort to properly implementing encryption, security experts say.

“Many development teams adding encryption to their code call it a day once they achieve the minimum security needed for a regulatory checkmark. This attitude is dangerous,” Singh says (see: Demystifying DevSecOps and Its Role in App Security).

Kevin Bocek, vice president of security strategy and threat intelligence for Salt Lake City, Utah-based Venafi, a cybersecurity company that develops software to secure and protect cryptographic keys, says managing machine identities that are used to establish encryption is challenging for many organizations.

“Investigations have shown that simply not keeping track of machine identities, like TLS certificates, can create encrypted tunnels for hackers to hide in,” Bocek says. “In addition, if a simple machine identity, like a key and certificate, not being updated, mobile networks across entire countries can be impacted.”

Depending on where encryption occurs – column level vs. application level – what encryption techniques are used and what kind of vulnerability is being exploited, attackers can use many different techniques to cause data breaches, says Sandesh Anand, managing consultant at Synopsys, a Mountain View, Calif.-based technology company.

“Practitioners should not build their own crypto algorithms or libraries,” he stresses. “They should instead focus on implementing well-known, peer-reviewed, secure algorithms properly.”

Anand says the best algorithms to use are AES or Advanced Encryption Standard for symmetric encryption algorithm, RSA for asymmetric encryption algorithm and SHA-256 for hashing.

Mistakes in key management also can lead to trouble, Anand says. “Often firms end up either using short keys or they end up using the same key for months,” he says. “Then there is the problem of insecure key management.”

Pune-based Rohan Vibhandik, a security researcher with a multinational company, notes: “Storing or transmitting keys insecurely remains a common mistake, especially in case of a symmetric key where a single key is used at both ends – encryption and decryption.”

While it’s important to secure the storage of machine identities, including keys, it’s become even more critical to be able to have the capability to change machine identities fast, Bocek stresses.

“Browsers can distrust Certificate Authorities. This means businesses have to quickly find and change out machine identities, like TLS keys and certificates, used for encryption,” he says.

While encryption plays an important role in data security, it’s not a cure-all, security experts stress.

“Encryption is just one of the many controls that protect data while in transit or at rest,” Singh says. “However, there are numerous ways to circumvent encryption in a client-server model. “Also, encryption technologies and the way they get adopted are still evolving.”

Anand notes: “Remember: The strength of a chain is the weakest link. So, if crypto keys are lying around in insecure locations or if database admins use weak passwords, data can still be breached. Finally, insecure application controls can also lead to a breach.”

An important aspect of encryption is proper key management.

“Key management is a challenge that grows with the size and complexity of your environment,” Pant says. “The larger the user base, the more diverse the environment, the more distributed the keys are. Hence the challenges of key management will be greater.”

Singh recommends organizations avoid saving keys in the same server as the encrypted data.

“One needs to ensure that private keys, when stored, are non-exportable. Also, one must not use the same keys for both directions,” he says. He also recommends adoption of proper standards, including TLS, or Transport Layer Security, while data is in transit. “Avoid using secure sockets layer as it is outdated,” he emphasizes.

To help ensure that encrypted data remains untampered, adding a layer of hashing and salting is essential, Vibhandik says.

“When data is encrypted, one must hash it using functions like MD5 and SHA,” he says. “To provide further layered security to the hashed data, SALT function must be used; that can prevent tampering of data.

“One must remember that hashing does not add any privacy to data; it only saves against any data alteration or tampering attempts. Encryption provides privacy to your data but does not make it tamper proof. So a combination of both is important for endpoint and end-to-end communication and data security.”

See the original post here:
Encryption: Avoiding the Pitfalls That Can Lead to Breaches

Encryption | Information Technology Services

This InfoCenteris a collection of resourcesaboutencryption for stored informationonportable devices, such as laptops, tablets, and externally attachedstorage. (Refer to TLS certificates in the Related InfoCenters box forinformation related toencrypted network communications.) The Help Desk provides general support for Windows BitLocker and for OSX FileVault2 full disk encryption.Questionsshould normally be handled by a departmental IT support person, and if necessary willbe escalated to the InformationSecurity & PolicyOffice or the ITS Enterprise Client Management team.

Encryption is a method to protect digital information, byscrambling it as it travels across the Internet, or scrambling it when the information is “at rest”or stored on our computers. This ensures that only authorized users can decrypt (un-scramble) the information and use it. Encryption enhances the privacy and confidentiality, as well as the integrity and authenticity of our information. It helps us keep our information safe.

Portable devices such as laptops, tablets, and USB storage are most at risk for being misplaced or stolen. If a device is lost or stolen, encryption prevents unauthorized users from accessing data stored locally on the device. Without encryption, unauthorized users canuse various techniques to bypass the accounts and permissions in order to access the localdrive contents.

In order to meet our legal obligations and our responsibility to protect the privacy of those we serve, The University of Iowa requires full disk encryption to be implemented onall university owned mobile computing devices (i.e.laptops,tablets, USBstorage). The best way to avoid theft or lossof sensitive data is to keepit in a secure file storage offering such as OneDrive, RDSS,or department shared drives, where it’s physically secured and regularly backed up. Then,you can easily access the information remotelyfrom your mobile computer. However, encryption is oursafety net for new files,temporary (cached) files, and other information that is stored on a mobile device.

Everyone uses network encryption today: over https connections from your browser to a website, over cellular phone-to-tower communications, and also over wireless networks that require a login or connection password, such as Eduroam, in order to protect the privacy of communications. Full disk encryption is similarly designed to protect information when its stored.

Encryption | Information Technology Services

Encryption – Investopedia

What is Encryption

Encryption is a means of securing digital data using an algorithm and a password, or key. The encryption process translates information using an algorithm that turns plain text unreadable. When an authorized user needs to read the data, they may decrypt the data using a binary key.

Encryption is an important way for individuals and companies to protect sensitive information from hacking. For example, websites that transmit credit card and bank account numbers should always encrypt this information to prevent identity theft and fraud.

Encryption strength depends on the length of the encryption security key. In the latter quarter of the 20th century, web developers used either 40 bit encryption, which is a key with 240 possible permutations, or 56 bit encryption. However, by the end of the century hackers could break those keys through brute-force attacks. This led to a 128 bit system as the standard encryption length for web browsers.

The Advanced Encryption Standard (AES) is a protocol for data encryption created in 2001 by the U.S. National Institute of Standards and Technology. AES uses a 128 bit block size, and key lengths of 128, 192 and 256 bits.

AES uses a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. Asymmetric-key algorithms use different keys for the encryption and decryption processes.

Today, 128-bit encryption is standard but most banks, militaries and governments use 256-bit encryption.

In May of 2018, the Wall Street Journal reported that despite the importance and accessibility of encryption, many corporations still fail to encrypt sensitive data. By some estimates, companies encryped only one-third of all sensitive corporate data in 2016, leaving the remaining two thirds sensitive to theft or fraud.

Encryption makes it more difficult for a company to analyze its own data, using either standard means or artificial intelligence. Speedy data analysis can sometimes mean the difference between which of two competing companies gains a market advantage, which partly explains why companiesresist encrypting data.

Consumers should understand that encryption does not always protect data from hacking. For example, in 2013 hackers attacked Target Corporation and managed to compromise the information of up to 40 million credit cards. According to Target, the credit card information was encrypted, but the hackers sophistication still broke through the encryption. This hack was the second largest breach of its kind in U.S. history and led to an investigation by the U.S. Secret Service and the Justice Department.

See the original post:
Encryption – Investopedia