Category Archives: Encryption

Security and encryption | Documentation | Turtl

Turtl uses encryption to protect your data in such a way that only you, and those you choose, are able to view your data. Keep reading for a high-level overview of Turtl's encryption and how it protects you.

Simply put, encryption is the process of scrambling data. Generally, this is done using a key which is usually a passphrase. The only way to de-scramble the data is using that passphrase.

Turtl's encryption works by generating a key for you based on your email and password. This key is used to lock and unlock (or encrypt and decrypt) your data and keep it private. All of the encryption in Turtl happens before any data leaves the app, meaning that even if someone is snooping in on your connection or someone hacks our database, everything you've put into Turtl is just gibberish to them.

Without the keys that only you hold, your data is useless.

As mentioned, Turtl creates a key for you when you log in based on your email and password. It wouldn't be very useful if you had to give people this key when you shared data with them because it would give them access to all your data. Instead, Turtl generates a new, random key for each object. This key is what is sent to people when sharing, allowing them to unlock the specific item you send them and nothing else.

Keys are stored one of two ways:

If you're looking for a more comprehensive look at how Turtl does encryption, check out the encryption specifics page of the docs, which goes over the ciphers, block modes, and other methods Turtl uses when handling your data.

Encryption specifics

Turtl has a feature that keeps you logged in if the app is closed and reopened. This feature may have security implications. Read more about the Stay logged in feature.

Here are some possible scenarios where Turtl's security measures will fail you. We try to provide an exhaustive list so you're aware of the dangers of relying on Turtl.


Encryption | General Data Protection Regulation (GDPR)

Companies can reduce the probability of a data breach, and thus reduce the risk of fines in the future, if they choose to use encryption of personal data. The processing of personal data is naturally associated with a certain degree of risk, especially nowadays, when cyber-attacks are nearly unavoidable for companies above a given size. Therefore, risk management plays an ever-larger role in IT security and data encryption is suited, among other means, for these companies.

In general, encryption refers to the procedure that converts clear text into a hashed code using a key, where the outgoing information only becomes readable again by using the correct key. This minimises the risk of an incident during data processing, as encrypted contents are basically unreadable for third parties who do not have the correct key. Encryption is the best way to protect data during transfer and one way to secure stored personal data. It also reduces the risk of abuse within a company, as access is limited only to authorised people with the right key.

The Regulation also recognizes these risks when processing personal data and places the responsibility on the controller and the processor in Art. 32(1) of the General Data Protection Regulation to implement appropriate technical and organisational measures to secure personal data. The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case, in order to accommodate individual factors. However, it gives the controller a catalogue of criteria to be considered when choosing methods to secure personal data. Those are the state of the art, implementation costs and the nature, scope, context and purposes of the processing. In addition to these criteria, one always has to consider the severity of the risks to the rights and freedoms of the data subject and how likely those risks could manifest. This basically boils down to the following: The higher the risks involved in the data processing and the more likely these are to manifest, the stronger the taken security measures have to be and the more measures must be taken. Encryption as a concept is explicitly mentioned as one possible technical and organisational measure to secure data in the list of Art. 32(1) of the GDPR, which is not exhaustive. Again, the GDPR does not mention explicit encryption methods to accommodate for the fast-paced technological progress. When choosing a method one must also apply the criteria catalogue above. To answer the question of what is currently considered state of the art data protection officers usually rely on the definitions set out in information security standards like ISO/IEC 27001 or other national IT-security guidelines.

Encryption of personal data has additional benefits for controllers and/or order processors. For example, the loss of a state of the art encrypted mobile storage medium which holds personal data is not necessarily considered a data breach, which must be reported to the data protection authorities. In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether and what amount a fine is imposed as per Art. 83(2)(c) of the GDPR.


Using Encryption and Authentication Correctly (for PHP …

“Encryption is not authentication” is common wisdom among cryptography experts, but it is only rarely whispered among developers who aren’t also cryptography experts. This is unfortunate; a lot of design mistakes could be avoided if this information were more widely known and deeply understood. (These mistakes are painfully common in home-grown PHP cryptography classes and functions, as many of the posts on Crypto Fails demonstrate.)

The concept itself is not difficult, but there is a rich supply of detail and nuance to be found beneath the surface.

Encryption is the process of rendering a message such that it becomes unreadable without possessing the correct key. In the simple case of symmetric cryptography, the same key is used for encryption as is used for decryption. In asymmetric cryptography, it is possible to encrypt a message with a user’s public key such that only possessing their private key can read it. Our white paper on PHP cryptography covers anonymous public-key encryption.

Authentication is the process of rendering a message tamper-resistant (typically within a certain very low probability, typically less than 1 divided by the number of particles in the known universe) while also proving it originated from the expected sender.

Note: When we say authenticity, we mean specifically message authenticity, not identity authenticity. That is a PKI and key management problem, which we may address in a future blog post.

In respect to the CIA triad: Encryption provides confidentiality. Authentication provides integrity.

Encryption does not provide integrity; a tampered message can (usually) still decrypt, but the result will usually be garbage. Encryption alone also does not inhibit malicious third parties from sending encrypted messages.

Authentication does not provide confidentiality; it is possible to provide tamper-resistance to a plaintext message.

A common mistake among programmers is to confuse the two. It is not uncommon to find a PHP library or framework that encrypts cookie data and then trusts it wholesale after merely decrypting it.

Message encryption without message authentication is a bad idea. Cryptography expert Moxie Marlinspike wrote about why message authentication matters (as well as the correct order of operations) in what he dubbed, The Cryptographic Doom Principle.

We previously defined encryption and specified that it provides confidentiality but not integrity or authenticity. You can tamper with an encrypted message and give the recipient garbage. But what if you could use this garbage-generating mechanism to bypass a security control? Consider the case of encrypted cookies.

The above code provides AES encryption in Cipher-Block-Chaining mode. If you pass a 32-byte string for $key, you can even claim to provide 256-bit AES encryption for your cookies and people might be misled into believing it’s secure.

Let’s say that, after logging into this application, you see that you receive a session cookie that looks like kHv9PAlStPZaZJHIYXzyCnuAhWdRRK7H0cNVUCwzCZ4M8fxH79xIIIbznxmiOxGQ7td8LwTzHFgwBmbqWuB+sQ==.

Let’s change a byte in the first block (the initialization vector) and iteratively send our new cookie until something changes. It should take a total of 4096 HTTP requests to attempt all possible one-byte changes to the IV. In our example above, after 2405 requests, we get a string that looks like this: kHv9PAlStPZaZZHIYXzyCnuAhWdRRK7H0cNVUCwzCZ4M8fxH79xIIIbznxmiOxGQ7td8LwTzHFgwBmbqWuB+sQ==

For comparison, only one character differs in the base64-encoded cookie (kHv9PAlStPZaZJ vs kHv9PAlStPZaZZ):

The original data we stored in this cookie was an array that looked like this:

But after merely altering a single byte in the initialization vector, we were able to rewrite our message to read:

Depending on how the underlying app is set up, you might be able to flip one bit and become an administrator, even though your cookies are encrypted.

If you would like to reproduce our results, our encryption key was 000102030405060708090a0b0c0d0e0f (convert from hexadecimal to raw binary).

As stated above, authentication aims to provide both integrity (by which we mean significant tamper-resistance) to a message, while proving that it came from the expected source (authenticity). The typical way this is done is to calculate a keyed-Hash Message Authentication Code (HMAC for short) for the message and concatenate it with the message.

It is important that an appropriate cryptographic tool such as HMAC is used here and not just a simple hash function.

These two functions are prefixed with unsafe because they are vulnerable to a number of flaws:

To authenticate a message, you always want some sort of keyed Message Authentication Code rather than just a hash with a key.

Using a hash without a key is even worse. While a hash function can provide simple message integrity, any attacker can calculate a simple checksum or non-keyed hash of their forged message. Well-designed MACs require the attacker to know the authentication key to forge a message.

Simple integrity without authenticity (e.g. a checksum or a simple unkeyed hash) is insufficient for providing secure communications.

In cryptography, if a message is not authenticated, it offers no integrity guarantees either. Message Authentication gives you Message Integrity for free.

The only surefire way to prevent bit-rewriting attacks is to make sure that, after encrypting your information, you authenticate the encrypted message. This detail is very important! Encrypt then authenticate. Verify before decryption.

Let’s revisit our encrypted cookie example, but make it a little safer. Let’s also switch to CTR mode, in accordance with industry recommended best practices. Note that the encryption key and authentication key are different.
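The two approaches side by side, as an added example that is not the article's own listing: unauthenticated AES-256-CBC next to AES-256-CTR with encrypt-then-MAC, each handed a message with one bit flipped. The function names, random keys and cookie payload are constructed for illustration, and the code assumes PHP 8 with the openssl extension.

```php
<?php
declare(strict_types=1);

// Added example. Keys, cookie payload and function names are constructed for
// illustration; assumes PHP 8 with the openssl extension.

/** The "before": AES-256-CBC with no authentication. Returns IV || ciphertext. */
function unsafeEncrypt(string $plaintext, string $key): string
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $ct;
}

/** Decrypts whatever it is handed; nothing tells it that the IV was altered. */
function unsafeDecrypt(string $message, string $key): string|false
{
    $iv = substr($message, 0, 16);
    $ct = substr($message, 16);
    return openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

/** Encrypt-then-MAC: AES-256-CTR, then HMAC-SHA256 over IV || ciphertext.
 *  Returns MAC || IV || ciphertext. The two keys are independent. */
function safeEncrypt(string $plaintext, string $encKey, string $authKey): string
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ct, $authKey, true);
    return $mac . $iv . $ct;
}

/** Verify before decryption: the cipher never runs on a message whose MAC does not match. */
function safeDecrypt(string $message, string $encKey, string $authKey): string
{
    if (strlen($message) < 48) {                 // 32-byte MAC + 16-byte IV
        throw new RuntimeException('message too short');
    }
    $mac  = substr($message, 0, 32);
    $iv   = substr($message, 32, 16);
    $ct   = substr($message, 48);
    $calc = hash_hmac('sha256', $iv . $ct, $authKey, true);
    if (!hash_equals($calc, $mac)) {             // constant-time comparison
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

/** Returns a copy of $message with the lowest bit of the byte at $offset flipped. */
function flipBit(string $message, int $offset): string
{
    $message[$offset] = chr(ord($message[$offset]) ^ 0x01);
    return $message;
}

// Constructed cookie payload; the admin digit is byte 9 of the first block.
$cookie = '{"admin":0,"user":"alice"}';

// Unauthenticated CBC: a one-bit change in the IV decrypts to different, valid-looking data.
$key      = random_bytes(32);
$tampered = flipBit(unsafeEncrypt($cookie, $key), 9);
echo 'CBC, no MAC, tampered: ', unsafeDecrypt($tampered, $key), PHP_EOL;

// Encrypt-then-MAC: the intact message decrypts, the same one-bit change is rejected.
$encKey  = random_bytes(32);
$authKey = random_bytes(32);
$sealed  = safeEncrypt($cookie, $encKey, $authKey);
echo 'CTR + HMAC, intact:    ', safeDecrypt($sealed, $encKey, $authKey), PHP_EOL;
try {
    safeDecrypt(flipBit($sealed, 32 + 9), $encKey, $authKey);   // same IV byte, after the MAC
} catch (RuntimeException $e) {
    echo 'CTR + HMAC, tampered:  ', $e->getMessage(), PHP_EOL;
}
```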

Now we’re a little closer to our goal of robust symmetric authenticated encryption. There are still a few more questions left to answer, such as:

Fortunately, these questions are already answered in existing cryptography libraries. We highly recommend using an existing library instead of writing your own encryption features. For PHP developers, you should use defuse/php-encryption (or libsodium if it’s available for you). If you still believe you should write your own, consider using openssl, not mcrypt.

Note: There is a narrow band of use-cases where authenticated encryption is either impractical (e.g. software-driven full disk encryption) or unnecessary (i.e. the data is never sent over the network, even by folder synchronization services such as Dropbox). If you suspect your problems or goals permit unauthenticated ciphertext, consult a professional cryptographer, because this is not a typical use-case.

If you wish to implement encrypted cookies in one of your projects, check out Halite. It has a cookie class dedicated to this use case.

If you want to reinvent this wheel yourself, you can always do something like this:

For developers without access to libsodium (i.e. you aren’t allowed to install PHP extensions through PECL in production), one of our blog readers offered an example secure cookie implementation that uses defuse/php-encryption (the PHP library we recommend).

In our previous examples, we focused on building the encryption and authentication as separate components that must be used with care to avoid cryptographic doom. Specifically, we focused on AES in Cipher Block-Chaining mode (and more recently in Counter mode).

However, cryptographers have developed newer, more resilient modes of encryption that encrypt and authenticate a message in the same operation. These modes are called AEAD modes (Authenticated Encryption with Associated Data). Associated Data means whatever your application needs to authenticate, but not to encrypt.

AEAD modes are typically intended for stateful purposes, e.g. network communications where a nonce can be managed easily.

Two reliable implementations of AEAD are AES-GCM and ChaCha20-Poly1305.

In a few years, we anticipate the CAESAR competition will produce a next-generation authenticated encryption mode that we can recommend over these two.

And most importantly: Use a library with a proven record of resilience under the scrutiny of cryptography experts rather than hacking something together on your own. You’ll be much better off for it.


Encryption | SANS Security Awareness

What Is Encryption?

You may hear people use the term encryption and how you should use it to protect yourself and your information. However, encryption can be confusing and you should understand its limitations. In this newsletter, we explain in simple terms what encryption is, how it protects you, and how to implement it properly.

You have a tremendous amount of sensitive information on your devices, such as personal documents, pictures, and emails. If you were to have one of your devices lost or stolen, all of your sensitive information could be accessed by whoever possesses it. In addition, you may conduct sensitive transactions online, such as banking or shopping. If anyone were to monitor these activities, they could steal your information, such as your financial account or credit card numbers. Encryption protects you in these situations by helping ensure unauthorized people cannot access or modify your information.

Encryption has been around for thousands of years. Today, encryption is far more sophisticated, but it serves the same purpose — to pass a secret message from one place to another by ensuring only those authorized to read the message can access it. When information is not encrypted, it is called plain-text. This means anyone can easily read or access it. Encryption converts this information into a non-readable format called cipher-text. Today's encryption works by using complex mathematical operations and a unique key to convert your information into cipher-text. The key is what locks or unlocks your information. In most cases, your key is a password or passcode.

In general, there are two types of data to encrypt: data at rest (such as the data stored on your mobile device) and data in motion (such as retrieving email or messaging a friend).

Encrypting data at rest is vital to protect information in case your computer or mobile device is lost or stolen. Today's devices are extremely powerful and hold a tremendous amount of information, but are also very easy to lose. In addition, other types of mobile media can hold sensitive information, such as USB flash drives or external hard drives. Full Disk Encryption (FDE) is a widely used encryption technique that encrypts the entire drive in your system. This means that everything on the system is automatically encrypted for you; you do not have to decide what or what not to encrypt. Today, most computers come with FDE, but you may have to manually turn it on or enable it. It is called FileVault on Mac computers, while on Windows computers, depending on the version you have, you can use Bitlocker or Device Encryption. Most mobile devices also support FDE. iOS on iPhones and iPads automatically enables FDE once a passcode has been set. Starting with Android 6.0 (Marshmallow), Google is requiring FDE be enabled by default, provided the hardware meets certain minimum standards.

Information is also vulnerable when it is in transit. If the data is not encrypted, it can be monitored, modified, and captured online. This is why you want to ensure that any sensitive online transactions and communications are encrypted. A common type of online encryption is HTTPS. This means all traffic between your browser and a website is encrypted. Look for https:// in the URL, a lock icon on your browser, or your URL bar turning green. Another example is when you send or receive email. Most email clients provide encrypted capabilities, which you may have to enable. A third example of encrypting data in transit is between two users chatting with each other, such as with iMessage, Wickr, Signal, WhatsApp, or Telegram. Apps like these use end-to-end encryption, which prevents third parties from accessing data while it's transferred from one end system or device to another. This means only you and the person you're communicating with can read what is sent.

To be sure you are protected when using encryption, it is paramount that you use it correctly:

OUCH! newsletter is under the Creative Commons license. You are free to share / distribute it but may not sell or modify it.


Types of Encryption | Office of Information Technology

Whole disk

Whole disk encryption, as the name implies, refers to the encryption of an entire physical or logical disk. While this is currently done mostly with software, hardware based disk encryption is a growing technology which is expected to surpass software products for whole disk encryption over the next few years. This form of encryption generally encrypts the entire contents of a disk or volume and decrypts/encrypts it during use after a key has been given. This means the data is protected from situations like laptop/disk loss or theft where the data would be encrypted and require a key to decrypt. It would not protect from situations like sending information over the network (e-mail, websites, etc) or from situations where the decryption key was already entered such as the user walking away from their logged-in computer.

When an individual wishes to encrypt a single file or group of files there are several options. Most encryption software has the ability to encrypt files individually using a password or other key. Many encryption programs have the ability to create an encrypted “virtual drive”. This is an encrypted file that, when opened with the key, looks like another drive attached to the computer allowing the user to easily open and save files into an encrypted area. Some other applications, like MS Office and OpenOffice, have built-in, single-file encryption features.

This approach can protect against data disclosure on a lost or stolen computer, but only if all of the private information was encrypted. Individual file/folder encryption relies on user education and good practices to ensure that all appropriate information is encrypted.

Depending on how the encryption software is used, this approach can provide protection from data disclosure when transferring information over the network. E.g. an individual file can be encrypted and then sent as an email attachment, assuming the recipient has the ability to decrypt it.

Allowing multiple users to simultaneously access encrypted information is more complicated than a single user. The encryption software must allow the use of either multiple keys (i.e. one for each user) or a shared key (e.g. a shared password). Additionally, the software must deal with multi-user file locking issues (this is usually a problem with the virtual drive approach mentioned in the last section).

This approach can provide an additional layer of protection against the disclosure of highly confidential data on file servers in the event they are compromised. It can also help protect against disclosure on backup media as the files would remain encrypted when backed up.

This approach can get complicated if not all users have the encryption software installed, or they are not configured consistently. This could lead to users being unable to access encrypted information or incorrectly believing they have encrypted information when they have not. For these reasons, special attention should be paid to how encryption software behaves and users should be educated to recognize the encryption status of files.

Encrypting information in a database can be done at a couple of levels. The application accessing the database can encrypt information before putting it into the database. This requires intelligence at the application level, but no additional database features. Many databases have built-in encryption functions which applications can use to encrypt data as it is written. This usually requires features at both the application and database level. An encryption application can sit between the application and database, encrypting/decrypting information as it is written and read. This requires buying and installing additional software, but may not require modifications to the application or database.

As mentioned earlier, some applications that aren't specifically designed for encryption do have basic encryption functions. Most notably, common productivity suites like Microsoft Office and OpenOffice contain file encryption features. Be cautious of the quality of the built-in encryption features: even within the Microsoft Office product line, some versions (like Office 2007) have a good mechanism, others have poor ones (like Office 2000 and earlier) and still others require proper configuration to provide good protection (like Office 2003). These features can be very handy because they don't require additional licenses, require less training and can be effective for both in transit and at rest encryption. Additionally, they can work well for file exchange since the recipient is more likely to have the ability to decrypt the file. In short, built-in encryption functions can be convenient options, but you should research their effectiveness before using them.

There are a couple of different levels to encryption with email, first is encrypting just an attached file and second is encrypting an entire message. Encrypting an attached file can be accomplished using any single-file encryption process that “sticks” to the file. Naturally, the recipient must have a way of decrypting the file. There are only a couple of commonly used email message encryption technologies, most notably S/MIME and PGP. While S/MIME support is integrated into many email clients, it requires users to have trusted certificates which can be complicated to properly deploy. Using PGP to encrypt email requires installing software, but there are both free and commercial options.

Both of these technologies also allow for digital “signing” of email without encrypting it. This signing process allows the recipient to be certain a message was not altered in transit, but does not protect the content from prying eyes.

Encrypting information while in transit on a network is one of the most common, and important, uses of encryption. One of the most popular forms of this encryption is Secure Sockets Layer (SSL)/Transport Layer Security (TLS), commonly used to encrypt web traffic in transit. Any web application that transmits or collects sensitive information should encrypt the information using SSL/TLS. There are a number of other uses for SSL/TLS encryption, including securing authentication for email communication between clients and servers. SSL/TLS can also be used for “tunneling” to encrypt other forms of network transmission that don't have their own encryption features.

Another common network encryption technology is Secure Shell (SSH) which is largely used for encrypted terminal connections (replacing telnet) and encrypted file transfers (SFTP replacing FTP). Like SSL/TLS, SSH can also be used for tunneling.

A more general form of network traffic encryption is IP Security (IPSec), which operates at a more basic layer than SSL or SSH and can be applied to any network traffic. However, using IPSec requires common configuration between the two computers communicating, so it is generally used within a company/department rather than across the internet.

For wireless networks there are other encryption options that only encrypt information between the computer and the wireless access point. For this reason, they only protect from snooping on wireless and not after the information leaves the access point onto a wired network. The two most common forms are called Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is no longer considered a secure protocol. WPA is much stronger, but has shortcomings and an updated WPA2 standard has been released which improves its security.


Use Your own Encryption Keys with S3's Server-Side …

Amazon S3 stores trillions of objects and processes more than a million requests per second for them.

As the number of use cases for S3 has grown, so have the requests for additional ways to protect data in motion (as it travels to and from S3) and at rest (while it is stored). The first requirement is met by the use of SSL, which has been supported by S3 from the very beginning. There are several options for the protection of data at rest. First, users of the AWS SDKs for Ruby and Java can also use client-side encryption to encrypt data before it leaves the client environment. Second, any S3 user can opt to use server-side encryption.

Today we are enhancing S3's support for server-side encryption by giving you the option to provide your own keys. You now have a choice: you can use the existing server-side encryption model and let AWS manage your keys, or you can manage your own keys and benefit from all of the other advantages offered by server-side encryption.

You now have the option to store data in S3 using keys that you manage, without having to build, maintain, and scale your own client-side encryption fleet, as many of our customers have done in the past.

Use Your Keys

This new feature is accessible via the S3 APIs and is very easy to use. You simply supply your encryption key as part of a PUT and S3 will take care of the rest. It will use your key to apply AES-256 encryption to your data, compute a one-way hash (checksum) of the key, and then expeditiously remove the key from memory. It will return the checksum as part of the response, and will also store the checksum with the object. Here's the flow:

Later, when you need the object, you simply supply the same key as part of a GET. S3 will decrypt the object (after verifying that the stored checksum matches that of the supplied key) and return the decrypted object, once again taking care to expeditiously remove the key from memory.

Key Management

In between, it is up to you to manage your encryption keys and to make sure that you know which keys were used to encrypt each object. You can store your keys on-premises or you can use AWS Cloud HSM, which uses dedicated hardware to help you to meet corporate, contractual and regulatory compliance requirements for data security.

If you enable S3's versioning feature and store multiple versions of an object, you are responsible for tracking the relationship between objects, object versions, and keys so that you can supply the proper key when the time comes to decrypt a particular version of an object. Similarly, if you use S3's Lifecycle rules to arrange for an eventual transition to Glacier, you must first restore the object to S3 and then retrieve the object using the key that was used to encrypt it.

If you need to change the key associated with an object, you can invoke S3's COPY operation, passing in the old and the new keys as parameters. You'll want to mirror this change within your key management system, of course!

Ready to Encrypt

This feature is available now and you can start using it today. There is no extra charge for encryption, and there's no observable effect on PUT or GET performance. To learn more, read the documentation on Server Side Encryption With Customer Keys.

Jeff;


What is Tokenization vs Encryption – Benefits & Uses Cases …

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.

Edward Snowden

There are two primary approaches to encryption: symmetric key and asymmetric key encryption. In symmetric key encryption, one key is used to both encrypt and decrypt the information. Symmetric key encryption is analogous to the key used to both unlock and lock the door to a house. The big drawback of this approach is that if the key is compromised, it can be used to unlock, or decrypt, all of the data it was used to secure. For this reason, asymmetric key encryption was developed to allow multiple parties to exchange encrypted data without managing the same encryption key.

In asymmetric key encryption (also called public-key encryption), two different keys are used for the encryption and decryption processes. The public key can be freely distributed since it is only used to lock the data and never to unlock it. For example, a merchant can use a public key to encrypt payment data before sending a transaction to be authorized by a payment processing company. The latter company would need to have the private key to decrypt the card data to process the payment. Asymmetric key encryption is also used to validate identity on the Internet using SSL certificates.

Regardless of what type of key is utilized, users of encryption typically practice regular key rotation in order to reduce the likelihood of a compromised key being used to decrypt all sensitive data. Rotating keys limits the amount of data that's encrypted using a single key. In the event that an encryption key is compromised, only data encrypted with that key would be vulnerable.

Until now, one of the drawbacks of encrypting data within applications is that encryption breaks application functionality such as sorting and searching. Because cipher text is in a different format from the original data, encryption may also break field validation if an application requires specific formats within fields such as payment card numbers or email addresses. New order-preserving, format-preserving, and searchable encryption schemes are making it easier for organizations to protect their information without sacrificing end user functionality within business critical applications. However, there is usually a tradeoff between application functionality and the strength of encryption.

Tokenization is the process of turning a meaningful piece of data, such as an account number, into a random string of characters called a token that has no meaningful value if breached. Tokens serve as reference to the original data, but cannot be used to guess those values. That's because, unlike encryption, tokenization does not use a mathematical process to transform the sensitive information into the token. There is no key, or algorithm, that can be used to derive the original data for a token. Instead, tokenization uses a database, called a token vault, which stores the relationship between the sensitive value and the token. The real data in the vault is then secured, often via encryption.

The token value can be used in various applications as a substitute for the real data. If the real data needs to be retrieved (for example, in the case of processing a recurring credit card payment), the token is submitted to the vault and the index is used to fetch the real value for use in the authorization process. To the end user, this operation is performed seamlessly by the browser or application nearly instantaneously. They're likely not even aware that the data is stored in the cloud in a different format.

The advantage of tokens is that there is no mathematical relationship to the real data they represent. If they are breached, they have no meaning. No key can reverse them back to the real data values. Consideration can also be given to the design of a token to make it more useful. For example, the last four digits of a payment card number can be preserved in the token so that the tokenized number (or a portion of it) can be printed on the customer's receipt so she can see a reference to her actual credit card number. The printed characters might be all asterisks plus those last four digits. In this case, the merchant only has a token, not a real card number, for security purposes.
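The vault lookup and the last-four-digit token design described above, as an added example (not code from the original article): a minimal in-memory token vault in Python. The names `TokenVault` and `luhn_valid`, the rule that tokens must fail the Luhn check so they cannot be mistaken for real card numbers, and the sample card number are assumptions of this example; a production vault would also encrypt the stored values, as the text notes.

```python
import secrets
import string


def luhn_valid(number):
    """Luhn checksum used by real payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault mapping random tokens to real values."""

    def __init__(self, keep_last=4):
        self.keep_last = keep_last
        self._token_to_value = {}  # vault index: token -> real value
        self._value_to_token = {}  # reverse index: one token per value

    def tokenize(self, pan):
        """Return a same-length token that keeps only the last digits of pan."""
        if not pan.isdigit() or len(pan) <= self.keep_last:
            raise ValueError("expected a digit string longer than keep_last")
        if pan in self._value_to_token:
            return self._value_to_token[pan]
        random_len = len(pan) - self.keep_last
        while True:
            # Digits come from the OS CSPRNG: no key or algorithm ties them to pan.
            body = "".join(secrets.choice(string.digits) for _ in range(random_len))
            token = body + pan[-self.keep_last:]
            # Assumption of this example: reject tokens that look like valid
            # card numbers, collide with an existing token, or equal the input.
            if (not luhn_valid(token)
                    and token not in self._token_to_value
                    and token != pan):
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Recover the real value by lookup; nothing can be computed from the token."""
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return self._token_to_value[token]

    def receipt_mask(self, token):
        """Asterisks plus the preserved last digits, as printed on a receipt."""
        return "*" * (len(token) - self.keep_last) + token[-self.keep_last:]


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111111111111111"  # constructed test number, not a real card
    tok = vault.tokenize(card)
    print(tok, vault.receipt_mask(tok), vault.detokenize(tok) == card)
```

Anyone who obtains only the token list learns the last four digits and nothing else; the mapping exists solely inside the vault, which is why the vault is the component that needs the strongest protection.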

The most common use case for tokenization is protecting payment card data so that merchants can reduce their obligations under PCI DSS. Encryption can also be used to secure account data, but because the data is still present, albeit in ciphertext format, the organization must ensure the entire technology infrastructure used to store and transmit this data is fully compliant with PCI DSS requirements. In 2011, the Payment Card Industry Security Standards Council (PCI SSC), the organization responsible for enforcing PCI DSS, issued a set of tokenization guidelines. While the guidance has not yet been added to the official PCI DSS standard, qualified PCI assessors now accept tokenization as a viable solution to meet requirements under the standard.

Increasingly, tokens are being used to secure other types of sensitive or personally identifiable information, including social security numbers, telephone numbers, email addresses, account numbers and so on. The backend systems of many organizations rely on Social Security numbers, passport numbers, and driver's license numbers as unique identifiers. Since these unique identifiers are woven into these systems, it's very difficult to remove them. And these identifiers are also used to access information for billing, order status, and customer service. Tokenization is now being used to protect this data to maintain the functionality of backend systems without exposing PII to attackers.

While encryption can be used to secure structured fields such as those containing payment card data and PII, it can also be used to secure unstructured data in the form of long textual passages, such as paragraphs or even entire documents. Encryption is also the ideal way to secure data exchanged with third parties and protect data and validate identity online, since the other party only needs a small encryption key. SSL or Secure Sockets Layer, the foundation of sharing data securely on the Internet today, relies on encryption to create a secure tunnel between the end user and the website. Asymmetric key encryption is also an important component of SSL certificates used to validate identity.

Encryption and tokenization are both regularly used today to protect data stored in cloud services or applications. Depending on the use case, an organization may use encryption, tokenization, or a combination of both to secure different types of data and meet different regulatory requirements. McAfee CASB, for example, leverages an irreversible one-way process to tokenize user identifying information on premises and obfuscate enterprise identity.

As more data moves to the cloud, encryption and tokenization are being used to secure data stored in cloud services. Most notably, if a government agency subpoenas the data stored in the cloud, the service provider can only turn over encrypted or tokenized information with no way to unlock the real data. The same is true if a cyber criminal gains access to data stored in a cloud service.

Read more:
What is Tokenization vs Encryption – Benefits & Uses Cases …

Device Encryption | it.ucsf.edu

What is encryption? Why do I need it?

Encryption is the process of encoding information so that only authorized persons can read it. It is used to protect confidential and legally protected data. If an unencrypted laptop, tablet, smartphone, or other device is lost or stolen, and if it contained legally protected information, you or the University might be held liable for damages, you could be sent to prison, or the University could take corrective action against you.

The UCSF Minimum Security Standards state, “Given the prevalence of restricted data in the UCSF environment, all endpoints (desktops, laptops, and mobile devices including smartphones and tablets) used for UCSF business must be encrypted.” (UCSF Minimum Security Standards for Electronic Information Resources)

This is true:

You are legally obligated to report a lost or stolen device used for UCSF business, research, or studies:

Devices include: desktop computers, laptop computers, tablet computers, smartphones, CD-ROMs, DVD-ROMs, floppy disks, and any media that can store data.

Including desktops and laptops for Mac and Windows:

How To Determine Your Computer Encryption Status

Please follow the instructions for setting up your UCSF email on your phone; that will also ensure your phone is encrypted.

If needed, contact the IT Service Desk for help.

Do both of the following:

Copy the data to your encrypted desktop or laptop computer. Or:

How To Determine Your Computer Encryption Status

Dell Data Protection Encryption (DDPE)

DDPE Frequently Asked Questions (FAQ)

Encryption Project

Contact the IT Service Desk.

See the original post:
Device Encryption | it.ucsf.edu

5 Common Encryption Algorithms and the Unbreakables of the Future

While security is an afterthought for many PC users, it's a major priority for businesses of any size. It has to be when the Ponemon Institute tells us that security breaches are costing companies millions every year.

Even if you don't have millions to lose, protecting what you do have should be a high priority.

There are several forms of security technology available, but encryption is one that everyday computer users should know about.

Encryption is an interesting piece of technology that works by scrambling data so it is unreadable by unintended parties. Let's take a look at how it works with the email-friendly software PGP (or GPG for you open source people).

Say I want to send you a private message, so I encrypt it using either one of these programs. Here's the message:

wUwDPglyJu9LOnkBAf4vxSpQgQZltcz7LWwEquhdm5kSQIkQlZtfxtSTsmawq6gVH8SimlC3W6TDOhhL2FdgvdIC7sDv7G1Z7pCNzFLp0lgB9ACm8r5RZOBiN5ske9cBVjlVfgmQ9VpFzSwzLLODhCU7/2THg2iDrW3NGQZfz3SSWviwCe7GmNIvp5jEkGPCGcla4Fgdp/xuyewPk6NDlBewftLtHJVf=PAb3

Once encrypted, the message literally becomes a jumbled mess of random characters. But, equipped with the secret passcode I text you, you can decrypt it and find the original message.

Come on over for hot dogs and soda!

Whether it's in transit like our hot dog party email or resting on your hard drive, encryption works to keep prying eyes out of your business even if they happen to somehow gain access to your network or system. If you want to learn more about how encryption helps protect business data, you can read our article on how encryption aids cloud security.

The technology comes in many forms, with key size and strength generally being the biggest differences in one variety from the next.

Triple DES was designed to replace the original Data Encryption Standard (DES) algorithm, which hackers eventually learned to defeat with relative ease. At one time, Triple DES was the recommended standard and the most widely used symmetric algorithm in the industry.

Triple DES uses three individual keys with 56 bits each. The total key length adds up to 168 bits, but experts would argue that 112 bits in key strength is more like it.

Despite slowly being phased out, Triple DES still manages to make a dependable hardware encryption solution for financial services and other industries.

RSA is a public-key encryption algorithm and the standard for encrypting data sent over the internet. It also happens to be one of the methods used in our PGP and GPG programs.

Unlike Triple DES, RSA is considered an asymmetric algorithm due to its use of a pair of keys. You've got your public key, which is what we use to encrypt our message, and a private key to decrypt it. The result of RSA encryption is a huge batch of mumbo jumbo that takes attackers quite a bit of time and processing power to break.

Blowfish is yet another algorithm designed to replace DES. This symmetric cipher splits messages into blocks of 64 bits and encrypts them individually.

Blowfish is known for both its tremendous speed and overall effectiveness as many claim that it has never been defeated. Meanwhile, vendors have taken full advantage of its free availability in the public domain.

Blowfish can be found in software categories ranging from e-commerce platforms for securing payments to password management tools, where it is used to protect passwords. It's definitely one of the more flexible encryption methods available.

Computer security expert Bruce Schneier is the mastermind behind Blowfish and its successor Twofish. Keys used in this algorithm may be up to 256 bits in length and as a symmetric technique, only one key is needed.

Twofish is regarded as one of the fastest of its kind, and ideal for use in both hardware and software environments. Like Blowfish, Twofish is freely available to anyone who wants to use it. As a result, you'll find it bundled in encryption programs such as PhotoEncrypt, GPG, and the popular open source software TrueCrypt.

The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations.

Although it is extremely efficient in 128-bit form, AES also uses keys of 192 and 256 bits for heavy duty encryption purposes.

AES is largely considered impervious to all attacks, with the exception of brute force, which attempts to decipher messages using all possible combinations in the 128, 192, or 256-bit cipher. Still, security experts believe that AES will eventually be hailed the de facto standard for encrypting data in the private sector.

Cyber attacks are constantly evolving, so security specialists must stay busy in the lab concocting new schemes to keep them at bay. Expert observers are hopeful that a new method called Honey Encryption will deter hackers by serving up fake data for every incorrect guess of the key code. This unique approach not only slows attackers down, but potentially buries the correct key in a haystack of false hopes. Then there are emerging methods like quantum key distribution, which shares keys embedded in photons over fiber optic, that might have viability now and many years into the future as well.

Whether it's protecting your email communications or stored data, some type of encryption should be included in your lineup of security tools. Successful attacks on victims like Target show that it's not 100 percent bulletproof, but without it, you're offering up convenient access to your data. Find some tools that give you peace of mind and stick with 'em!

Visit link:
5 Common Encryption Algorithms and the Unbreakables of the Future

Top 5 best encryption software tools of 2018 | TechRadar

If you’re looking for the best encryption software for your needs in 2018, then you’ve come to the right place, as we’ve listed the top software that will keep your important files and documents safe from malicious users.

The sad fact is that as hackers are becoming ever more adept at stealing private information, we must be ever more vigilant when it comes to protecting our files, regardless of whether we are a business or home user, and this is where our list of the best encryption software of 2018 comes in.

Encryption tools encode data so that it can only be unlocked with a certain key, making it harder for third parties to gain access. This means that only people who have access to that key can also access the data, making encryption software an essential tool for keeping data safe.

These encryption tools can be used to protect data such as email addresses, customer transactions and passwords, and other crucial information which you really can't afford to potentially expose. Many companies are also using encryption software to ensure internal online conversations and emails are kept private.

So which are the best encryption tools? Read on for our pick of the very best tools for keeping your data safe.

Free encryption for everyone

Platforms: Windows, macOS, Linux | Resources covered: Encryption and brute-force attack protection | Cloud-based: No | Integrations: No | Free trial: N/A

Basic version is completely free

Provides effective encryption

Selective approach

Initial download is a bit confusing

VeraCrypt is one of the most popular security tools, providing you with enterprise-grade encryption for important data.

The system is quite easy to use, and all it really does is add encrypted passwords to your data and partitions. All you have to do is give the tool a few details about your data, such as volume size, location and specified hashing algorithms and then the program does its thing.

What's also nifty about VeraCrypt is that it's immune to brute-force attacks, so you never have to worry about hackers decrypting your passwords and other sensitive data. The basic version of the software is completely free, as well.

Encryption for small teams and individuals

Platforms: Windows, macOS | Resources covered: Encryption, password protection, mobile apps | Cloud-based: Yes | Integrations: Google Docs, Dropbox | Free trial: 30 days (fully free version also available)

Strong encryption for personal use

Free version available

Mainly mobile-oriented

While free software can be convenient for some, it's not always as powerful as premium offerings, and AxCrypt is a good bet if you want something reliable. The software has been designed specifically for individuals and small teams within businesses.

It provides strong security, with files protected by either 128-bit or 256-bit AES encryption, which should thwart any intruders. There are also cloud storage capabilities thrown into the mix: the software will automatically protect files saved on services such as Google Drive and Dropbox.

AxCrypt is fully multilingual, and it can work with languages such as Dutch, French, German, Italian, Korean, Spanish, Swedish, Russian and Portuguese, with more support planned for the future. As well as this, there's passport management, and you can access your encrypted files through a smartphone app.

The Premium package is $27 per year (roughly £20, AU$34), while there is a free version which has far fewer options.

Effective encryption for individuals

Platforms: Windows, Android, iOS | Resources covered: Encryption, password protection, brute-force attack prevention | Cloud-based: Yes | Integrations: No | Free trial: N/A

Free to download basic version

Effective personal encryption

Mainly mobile oriented

Although it's important to protect assets on company computers, it's also crucial to add protection to any device that stores critical data. For instance, most employees have access to their company emails and other accounts on their smartphones, and they need to be protected.

Folder Lock is a good option when it comes to adding encryption to your mobile devices. The app can protect your personal files, photos, videos, contacts, wallet cards, notes and audio recordings stored in your handset.

There are some other hidden security features, too. Not only is there encryption, but you can also set a decoy password, hacker deterrents, log unauthorised login attempts, back up all your passwords and get notified on potential brute-force attacks. The basic app is free to download, with a pro version available if you want more.

Powerful protection indeed

Platforms: Windows | Resources covered: Encryption, password protection, brute-force attack prevention | Cloud-based: No | Integrations: No | Free trial: 30 days

Uses multiple encryption methods

Powerful encryption

It may be too complicated for some

Windows-only

CryptoExpert is Windows desktop software which offers secure data vaults for all your data, ensuring it's always protected from potential breaches.

It provides more powerful encryption than some of the other tools and apps listed in this article, boasting fast on-the-fly operation. The system can back up a range of different files, including certificates, Word, Excel and PowerPoint files, multimedia files and email databases.

The best thing about CryptoExpert 8 is that it can secure vaults of unlimited size, and it uses Blowfish, Cast, 3DES and AES-256 encryption algorithms. The latter are highly effective and industry-acclaimed. It'll work with 32-bit and 64-bit versions of Windows 7, 8 and 10.

A quality cloud-based solution

Platforms: Desktop | Resources covered: Encryption, password protection, brute-force attack prevention, secure file storage | Cloud-based: Yes | Integrations: No | Free trial: 30 days

Completely cloud-based

Affordable monthly plan

Not everyone wants cloud-based security

CertainSafe is highly effective cloud-based encryption software which attempts to mitigate all aspects of risk and is compliant with industry regulations.

With the platform, you can store and share documents, private messages, photos, videos and other files without exposing them to third-party sources. You can even collaborate and communicate with colleagues through the system, with all correspondence encrypted.

CertainSafe also adds automated security for business databases and applications, meaning you don't always have to do things manually. You can subscribe for a monthly plan, but before making any decisions, there's the option to get a free trial and try things out that way.

Continued here:
Top 5 best encryption software tools of 2018 | TechRadar