Category Archives: Encryption

Why You Should Be Encrypting Your Devices and How to Easily Do It – Gizmodo

Is the data on your phone or laptop encrypted? Should it be? And what does encrypting your data do to it anyway? Here we'll explain the ins and outs of encryption, and how you can make sure that everything in your digital life is safe from prying eyes.

Despite some of the complicated math involved, encryption isn't difficult to understand: simply put, it locks your files and data away using a secret code, just like a pair of spies might talk in code to hide what they're really saying. If anyone else overhears that conversation, it sounds like gibberish, and it's the same with encrypted files.

To make sense of encrypted data, you need the key to the code, which on your phone is often your PIN number: get past the lock screen, and your files and apps are no longer gibberish. That's why being able to unlock an encrypted phone is so important to making sense of the data on it.

It applies to data we have stored on our devices and data we send through the air, to and from the internet. Apps with end-to-end encryption can't be spied on, much to the chagrin of law enforcement agencies and governments worldwide, and only the sender and intended recipient get to see the real message.

You can go a long way down into the technical details of encryption, but it essentially just scrambles the data. The number of bits often listed next to the type of encryption being used tells you how many possible combinations there are for the unlock code; something locked with 256-bit encryption would take a bank of supercomputers billions of years to decode using brute force alone.

"If the disk is not encrypted your device can easily be booted off a USB drive and the unencrypted data extracted," explains cybersecurity expert Professor Alan Woodward from the University of Surrey. "You can even just take out the hard drive and mount it on another machine to examine data unless the disc is encrypted."

Different types of encryption algorithms have been developed for different purposes, with varying compromises between complexity and speed, though most of the time you won't have to worry about which flavor of encryption you're using (most of the time you just won't get a choice).

For example, the encryption on the iPhone is the 256-bit AES standard also used by the US military, which has the benefit of being both very speedy to apply and impossible to crack by running through the various unlock code combinations, as we've already pointed out.

If you do get a choice, Professor Woodward recommends looking for packages and encryption methods that have gone through some kind of public audit or independent testing to verify the methods used.

"In some cases, such as the encryption supplied by Apple and Microsoft, you have little choice but to accept their assurances, but if using a third-party package look for audits," he told Gizmodo. "It's the same as with secure messaging apps, it's a sign of how robust the developers believe their system to be if they put it up for scrutiny."

If your data isn't encrypted, anyone who happens across your phone or laptop can get at the files within pretty easily; with encryption added, accessing the same data becomes very, very difficult (though not impossible, if other security loopholes can be found on the device). But do you need it in place if you're not carrying government secrets or company financials with you?

As security expert and Chief Technology Officer at IBM Resilient Bruce Schneier puts it in his blog: "Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting."

This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal.

Even if you don't mind the thought of other people rifling through your folders of GIFs and angry letters to your Internet Service Provider, any device you own contains a wealth of information about you that's best kept private, from contacts to browsing histories.

"Whether you think it worth doing is really whether you think your device has valuable data," says Professor Woodward. "You'd be surprised what you do have: Contacts, emails, passwords. People underestimate the value of these to criminals. So, on the whole I think it is worth doing."

You're building a wall between everything on your phone or computer, and anyone else who might want to look at it who isn't you. The good news is, encryption has become so important that a lot of devices now include it by default, so you don't necessarily need to do anything to stay protected.

iOS has been encrypting data for years, and encryption is now switched on by default in macOS as well: To check, open System Preferences, click Security & Privacy, then open the FileVault tab. If encryption isn't enabled, you can start the process here, and Apple has more information on its official support page.

After lagging behind iPhones for several years, just about all new Android devices are also now encrypted by default, as long as they're running Android 6.0 Marshmallow or later. If your Android device isn't encrypted, and can be encrypted with its current OS version, then you'll find the option by tapping the Security link in Settings.

That just leaves Windows: some PCs that ship with Windows 10 come with something called Device Encryption enabled, as long as you set it up and sign in with a Microsoft account. To check if this applies to you, from Settings click System then About and see if there's a Device Encryption section at the bottom.

If you don't have Device Encryption on your machine then the next option is BitLocker, but that requires upgrading to Windows 10 Pro. You may think the $100 is worth it, but free options, like the open source VeraCrypt, are available as well.

We're not going to go into too much detail about the data traveling to and from your devices, but encryption applies here too: with encryption in place, if someone should intercept the data going to or leaving from your computer, they won't be able to make sense of it.

A lot of apps apply encryption by default, and it's also added when you connect to HTTPS sites such as Facebook, Gmail, Amazon and many others. Adding a password to your Wi-Fi network at home encrypts the data moving across it, and if you're using a public Wi-Fi network that anyone can access you should consider installing a VPN to encrypt your data and keep it scrambled.

Finally, it's important to remember that nothing keeps your devices 100 percent protected, not even encryption (though it of course goes a long way towards doing that); don't think because your phone or laptop is encrypted you can become complacent about all the other precautions you need to put in place to stay safe.


How can enterprises secure encrypted traffic from cloud applications? – TechTarget

A recent report found that cloud-based application use is driving up the use of SSL/TLS. What is the correlation between the two? Are there any drawbacks that network security teams should be aware of when it comes to increased SSL/TLS traffic?

With many applications being utilized in a SaaS model, it's important to encrypt the traffic between end users and applications. When personal and sensitive data is transferred, processed or stored off local premises, the connections between these points need to be secured.

Many large websites default to SSL/TLS, increasing the encrypted traffic on the internet. This is a plus for data security, but malicious actors can and do take advantage of this encryption with their malware, spoofing and C2 servers. With organizations like Let's Encrypt and Amazon Web Services, attackers use these flexible, well-designed and inexpensive technologies for malicious purposes. It's for this reason that enterprises need to make monitoring of encrypted traffic and decryption appliances mandatory in networks.

The recent increase in SSL/TLS traffic within networks is cause for both delight and concern. The security community has seen the need for encryption, but so have malicious actors. From a network security standpoint, it's important to be cautious when dealing with encrypted traffic. Its use is only going to grow from here, and the majority of internet traffic will move toward end-to-end encryption.

With this increased traffic, network security administrators should look for decryption methods for monitoring and visibility purposes. It's one thing to understand where the traffic is destined to go -- many companies are using this to alert them of known malicious IP addresses -- but it's a completely different thing to have the capability to review the complete packet data for risks outside the source and destination IP addresses.

Including SSL inspection hardware on encrypted traffic at choke points within a network for additional visibility should become a priority. However, doing so will increase overhead, so validate the current resources on the hardware and determine what increase in resources might occur.

Organizations rely on SaaS apps more than ever now, so there needs to be visibility into what's being sent to these third-party providers. Another step organizations can take to increase their data governance around encrypted traffic is to use tools that enable visibility into encrypted traffic, and that also include data loss prevention functions to search for sensitive or malicious data being sent to SaaS apps. Cloud access security brokers are also in a growing field that can help organizations gain insight into their traffic.

When adding SSL inspection to your arsenal of security monitoring, be aware of how your appliance is encrypting outbound data. There were issues in the past with particular proxies re-encrypting the data with lower security standards than organizations were using -- or thought they were using. Also, keep in mind that key management on the certificates being used for inspection should be handled carefully, so as not to disrupt traffic during expirations.

Ask the expert: Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)


Black Hats, White Hats, and Hard Hats: The Need for Encryption in Mining and Resources – Australian Mining

Mineral Blue announces Fedora, a socially responsible encryption system.

Are you concerned by criminals having access to strong encryption? You're right to be worried. Modern encryption is virtually impossible for governments to crack. That means criminals can operate in secret.

At the same time, honest people need access to cryptography. Without it, every innocent transaction is at risk.

Governments routinely ask encryption providers to provide backdoors that enable them to decrypt ciphertext. This puts providers in a difficult position. Backdoors create weaknesses that can be exploited by a different set of criminals.

This may already be happening, without your knowledge.

Fedora solves this problem by providing secure private key access to the government of your choice from the outset.

Fedora is aimed at socially responsible businesses and individuals.

Fedora is open source, and free.

Fedora goes live on Google Play on January 1.

Mineral Blue is an advanced, cloud-based safe work system for the mining and resources industries. www.mineral.blue


Encryption Explained – Arizona Daily Wildcat

An indicator that a tool or system is working well, especially in programming, is that you never have to think about it. It can chug along in the background, without us giving it any attention. Imagine that using your refrigerator required an intimate understanding of endothermic reactions, or that opening it required a complete mechanical comprehension of how a compressor works.

Thankfully, it doesn't, and all we need to know is how to open and shut the door. The same goes for encryption.

It's likely that you used some form of encryption today. Whenever you log into a website, encryption protects your information while it's sent to its destination. Most smart phones and computers also use some form of encryption to protect their contents. This encryption is what caused the controversy surrounding the FBI's demand for Apple to break into one of the San Bernardino shooters' phones.

If it weren't for encryption, services such as online banking and social media wouldn't exist, and while digital encryption is relatively new on the timeline of human existence, the practice of obfuscating communication is not.

Encryption grew out of cryptography, the art of writing and solving codes. Though various forms of cryptography have existed for thousands of years, one of the first and most recognizable forms of encryption was used by Julius Caesar. Dubbed the Caesar Cipher, it works by simply shifting all the letters in the alphabet by some fixed number.

So if the number is three, the letter "A" becomes "D," "Y" becomes "B" and "HELLO" becomes "KHOOR". To decrypt the message, you just shift all the letters back by three. Though this is a simple and specific example, it adheres to the main ideas of how encryption works.

Anything encrypted uses some variation of two main components, a cipher text and a key. The cipher text is the message after it's been encrypted and the key is the algorithm used to turn the cipher text back into readable text. In the previous example, "KHOOR" was the cipher text and the number three was the key. Modern encryption algorithms hold true to these two main concepts but are vastly more complex.

An encryption system is only as good as the number of possible keys to decrypt it. Being limited by the alphabet, the Caesar Cipher has just 25 possible keys, and a computer could try all 25 in the blink of an eye. As the popularity of computers grew, so did the need for encryption systems that are difficult for computers to crack.

Algorithms were needed that were difficult for a computer to solve, but easy for a computer to confirm that a provided solution was correct. One way this was achieved was by creating algorithms with so many possible keys that it would take an eternity for a computer to crack it.
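The key-space argument above, as an added example that is not part of the original article: a Caesar cipher, an exhaustive search over its 25 keys, and the same search cost estimated for a modern key length. The sample message, the small word list used to recognise readable output, and the guess rate of 10^12 keys per second are constructed assumptions.

```python
"""Caesar cipher and exhaustive key search (added illustration)."""
import string

ALPHABET = string.ascii_uppercase  # the 26 letters A-Z

# Small constructed word list, used only to recognise readable English.
COMMON_WORDS = {"THE", "AND", "AT", "ME", "TO", "OF", "IN", "IS", "IT"}

# Constructed sample message (not taken from the article).
SAMPLE = "MEET ME AT THE BRIDGE AT NOON AND BRING THE MAP"


def shift(text: str, key: int) -> str:
    """Move every A-Z letter `key` places along the alphabet, wrapping
    around at Z. Spaces and punctuation pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    # Decryption is the same operation with the shift reversed.
    return shift(ciphertext, -key)


def readability(candidate: str) -> int:
    """Count how many words of the candidate are common English words."""
    return sum(1 for word in candidate.split() if word in COMMON_WORDS)


def brute_force(ciphertext: str) -> tuple:
    """Try all 25 non-trivial keys and return (key, plaintext) for the
    candidate that looks most like English."""
    candidates = [(key, decrypt(ciphertext, key)) for key in range(1, 26)]
    return max(candidates, key=lambda pair: readability(pair[1]))


def years_to_exhaust(key_bits: int, guesses_per_second: int = 10**12) -> int:
    """Whole years needed to try every key of the given length at the
    assumed guess rate (integer arithmetic, no float overflow)."""
    seconds_per_year = 365 * 24 * 60 * 60
    return 2**key_bits // guesses_per_second // seconds_per_year


if __name__ == "__main__":
    secret = encrypt(SAMPLE, 11)
    print("ciphertext :", secret)
    key, recovered = brute_force(secret)
    print("recovered  :", key, recovered)
    print("256-bit key:", years_to_exhaust(256), "years at 10^12 guesses/s")
```

The search needs no knowledge of the key, only a way to tell a correct decryption from a wrong one, which is why the size of the key space carries the security of the scheme.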

Throughout the digital revolution, mathematicians and computer scientists employed various encryption methods until we arrived at two main schools of thought regarding encryption: symmetric and asymmetric cryptography.

In symmetric cryptography, the same key is used to encrypt and decrypt the cipher. This type of encryption is most often associated with computer hardware, such as encrypting your hard drive, because its simplicity makes it less resource-demanding and therefore more efficient.

Asymmetric encryption, also known as Public Key Cryptography, relies on two separate keys. The first is the public key, which is the key that can be safely shared with others to encrypt a message. The second key is the private key, which is the only thing that can decrypt something encrypted with the associated public key.

The basic idea is that I can send you my public key, which you use to encrypt a message that you send to me. I then use my private key to decrypt your message. This makes asymmetric encryption perfect for things such as authenticating passwords when you log into a website.

All major cryptographic systems today are in one of these two categories, though each category contains countless different encryption algorithms, each with strengths and weaknesses. An important way weaknesses are addressed is a principle by Claude Shannon, called Shannon's Maxim. It states that "one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them." This essentially means that an algorithm should be able to be released to the public without this making it easier to be cracked.

As you can probably tell, there's a lot to be said about encryption and its role in our world today. These ideas are just the tip of the iceberg; there's still a great deal to be learned. As always, gaining a better understanding of how things work only stands to broaden our worldview as well as satisfy our curiosity. As our friend Claude Shannon once said, "I just wondered how things were put together."

Follow Brian Winkler on Twitter


‘Independent’ gov law reviewer wants users preemptively identified before they’re ‘allowed’ to use encryption – The Register

The UK's independent reviewer of terrorism legislation appears to have gone rogue, saying that encryption should be withheld from people who don't verify their identities on social media.

Max Hill QC is supposedly the reviewer of government laws designed to stop terrorists. His latest statement, carried in tonight's London Evening Standard, appears to be strongly echoing the views of the very government he is supposed to be scrutinising and holding to account.

"A discussion I have had with some of the tech companies is whether it is possible to withhold encryption pending positive identification of the internet user," Hill was reported as telling the paper's home affairs correspondent, Martin Evans.

"If the technology would permit that sort of perusal, identification and verification, prior to posting that would form a very good solution and would not involve wholesale infringement on free speech use of the internet," added the lawyer.

Hill's words are concerningly close to those of Home Secretary Amber Rudd, who recently argued that "real people" [sic] actively want State snoopers to peer into their private lives.

The Independent Reviewer of Terrorism Legislation (IRTL) is supposed to act as a check and balance on the government, reporting to Parliament on how anti-terror laws are used in practice and how they affect both their intended targets and the wider population. On the IRTL's website it even states: "The uniqueness of the role lies in its complete independence from government."

Hill's interview with the Standard will raise serious and far-reaching questions about his claimed independence from government, particularly as it leans heavily on the tech sector to fall into line and do as British ministers want.

The Investigatory Powers Act, better known by the moniker the Snoopers' Charter, allows the British government to demand that technology companies break their encryption by introducing a backdoor to permit snooping on users of services such as social media and chat apps.

While sensible people accept and understand that to introduce a crypto backdoor for one is to introduce a backdoor for all, the British government has consistently done the equivalent of shouting "LA LA LA I CAN'T HEAR YOU" every time this is pointed out.

Rohan Silva, a one-time advisor to former prime minister David Cameron, was torn a new one by information security experts when he suggested that end-to-end crypto could somehow be selectively broken for those who see themselves as the good guys.

Both former GCHQ director Robert Hannigan and former MI5 chief Lord Evans have spoken in favour of end-to-end encryption.


High-Dimensional Quantum Encryption Performed in Real-World … – Futurism

Quantum Encryption

For the first time, researchers have sent a quantum-secured message containing more than one bit of information per photon through the air above a city. The demonstration showed that it could one day be practical to use high-capacity, free-space quantum communication to create a highly secure link between ground-based networks and satellites, a requirement for creating a global quantum encryption network.

Quantum encryption uses photons to encode information in the form of quantum bits. In its simplest form, known as 2D encryption, each photon encodes one bit: either a one or a zero. Scientists have shown that a single photon can encode even more information, a concept known as high-dimensional quantum encryption, but until now this has never been demonstrated with free-space optical communication in real-world conditions. With eight bits necessary to encode just one letter, for example, packing more information into each photon would significantly speed up data transmission.

"Our work is the first to send messages in a secure manner using high-dimensional quantum encryption in realistic city conditions, including turbulence," said research team lead, Ebrahim Karimi, University of Ottawa, Canada. "The secure, free-space communication scheme we demonstrated could potentially link Earth with satellites, securely connect places where it is too expensive to install fiber, or be used for encrypted communication with a moving object, such as an airplane."

As detailed in Optica, The Optical Society's journal for high impact research, the researchers demonstrated 4D quantum encryption over a free-space optical network spanning two buildings 0.3 kilometers apart at the University of Ottawa. This high-dimensional encryption scheme is referred to as 4D because each photon encodes two bits of information, which provides the four possibilities of 01, 10, 00 or 11.

In addition to sending more information per photon, high-dimensional quantum encryption can also tolerate more signal-obscuring noise before the transmission becomes unsecure. Noise can arise from turbulent air, failed electronics, detectors that don't work properly and from attempts to intercept the data. "This higher noise threshold means that when 2D quantum encryption fails, you can try to implement 4D because it, in principle, is more secure and more noise resistant," said Karimi.

Today, mathematical algorithms are used to encrypt text messages, banking transactions and health information. Intercepting these encrypted messages requires figuring out the exact algorithm used to encrypt a given piece of data, a feat that is difficult now but that is expected to become easier in the next decade or so as computers become more powerful.

Given the expectation that current algorithms may not work as well in the future, more attention is being given to stronger encryption techniques such as quantum key distribution, which uses properties of light particles known as quantum states to encode and send the key needed to decrypt encoded data.

Although wired and free-space quantum encryption has been deployed on some small, local networks, implementing it globally will require sending encrypted messages between ground-based stations and the satellite-based quantum communication networks that would link cities and countries. Horizontal tests through the air can be used to simulate sending signals to satellites, with about three horizontal kilometers being roughly equal to sending the signal through the Earth's atmosphere to a satellite.

Before trying a three-kilometer test, the researchers wanted to see if it was even possible to perform 4D quantum encryption outside. This was thought to be so challenging that some other scientists in the field said that the experiment would not work. One of the primary problems faced during any free-space experiment is dealing with air turbulence, which distorts the optical signal.

For the tests, the researchers brought their laboratory optical setups to two different rooftops and covered them with wooden boxes to provide some protection from the elements. After much trial and error, they successfully sent messages secured with 4D quantum encryption over their intracity link. The messages exhibited an error rate of 11 percent, below the 19 percent threshold needed to maintain a secure connection. They also compared 4D encryption with 2D, finding that, after error correction, they could transmit 1.6 times more information per photon with 4D quantum encryption, even with turbulence.

"After bringing equipment that would normally be used in a clean, isolated lab environment to a rooftop that is exposed to the elements and has no vibration isolation, it was very rewarding to see results showing that we could transmit secure data," said Alicia Sit, an undergraduate student in Karimi's lab.

As a next step, the researchers are planning to implement their scheme into a network that includes three links that are about 5.6 kilometers apart and that uses a technology known as adaptive optics to compensate for the turbulence. Eventually, they want to link this network to one that exists now in the city. "Our long-term goal is to implement a quantum communication network with multiple links but using more than four dimensions while trying to get around the turbulence," said Sit.

This article was provided by Optical Society of America. Materials may have been edited for clarity and brevity.


News in brief: Call to link encryption to ID; Facebook maps everyone … – Naked Security

Your daily round-up of some of the other stories in the news

A lawyer has suggested that access to encryption technologies on social media should be denied to those who don't verify their identities.

Max Hill QC, who is leading a review of the UK's terrorism laws, told the London Evening Standard that "A discussion I have had with some of the tech companies is whether it is possible to withhold encryption pending positive identification of the internet user". He added that he didn't think this would involve "wholesale infringement on free speech use of the internet".

Hill's views seem to be building on a declaration by UK home secretary Amber Rudd that "real people" don't want unbreakable encryption.

Naked Security's Paul Ducklin has discussed the technical feasibility of intercepting encryption, and concluded then that Rudd has as much chance of getting US firms to buy that idea as successfully hosting a mad-hatter's tea party with a chocolate teapot.

However, the idea of tying verified identities to encryption is a new development. We'll be returning to this story in more detail next week but in the meantime, what do you think?

Facebook knows where you live and it knows where every other human on the planet lives, too, to within 15ft.

Janna Lewis, who manages innovation partnerships for Facebook, told the Space Technology and Investment Forum in San Francisco this week that the social media giant has created a data map of all the humans on the planet by combining census information with satellite data, reported CNBC on Friday.

The aim, said Lewis, is to help Facebook understand how it can deliver internet connectivity to everyone on Earth. "Our data showed the best way to connect cities is an internet in the sky," she said, adding: "We're trying to connect people from the stratosphere and from space, using high-altitude drone aircraft and satellites, to supplement earth-based networks."

A British man accused of being behind a cyberattack on two of the UK's biggest banks has been extradited from Germany to face charges.

Daniel Kaye, 29, of Egham, Surrey, is facing nine charges under the Computer Misuse Act, two charges of blackmail and one of possession of criminal property. He's accused of using the Mirai botnet to launch DDoS attacks on Lloyds, Halifax and Bank of Scotland over two days in January this year.

He's alleged to have asked Lloyds for a ransom of £75,000-worth of Bitcoin, which was not paid. Kaye is also charged with endangering human welfare with an alleged attack against Liberia's biggest ISP, Lonestar MTN.

The UK's National Crime Agency said: "The investigation leading to these charges was complex and crossed borders. Our cybercrime officers have analysed reams of data on the way. Cybercrime is not victimless and we are determined to bring suspects before the courts."


It’s Time to Replace Your Encryption-Key Spreadsheet – Data Center Knowledge

When a company stores critical data, whether in its own data center or in the cloud, encryption key management is vital to keeping that data secure, and letting the data center or cloud provider control the keys isn't always an option.

Cyberattacks on enterprises are on the rise, but most enterprise IT shops are still using archaic key-management methods. For many, key management is a painful process, often because of those outdated methods, but there are solutions out there that take the pain out.

Instead of letting a colocation or a cloud provider control its encryption keys, a company normally encrypts the critical data and then sends it out to the storage location, said Chris Day, chief cybersecurity officer at Cyxtera Technologies, a security-focused data center provider formed this year as a result of an acquisition of CenturyLink's massive global data center portfolio by a group of investors.

"The security benefits are obvious when the customer properly manages their own keys," he said. "However, key management can be complex, and many organizations do not possess the skills in-house to properly do so."

In fact, according to a survey conducted earlier this year by the Ponemon Institute and Thales e-Security, 59 percent of companies said there was a high degree of pain associated with key management, up from 53 percent the year before.

Top reasons for the pain? There was no clear ownership of the key-management function, followed by a lack of skilled people and isolated or fragmented key-management systems.

Keys to external clouds and hosted services are the hardest types of keys to manage, according to the survey.

It doesn't help that 51 percent of companies use manual processes, such as paper or spreadsheets, to keep track of encryption keys. Only 37 percent of companies have formal key-management infrastructure in place.

On this front, however, the situation is improving slightly. In last year's survey, 57 percent said they used manual processes, and only 31 percent had key-management infrastructure in place.

Having a centralized key-management system offers other benefits besides just being able to unlock data.

That includes compliance requirements, such as data sovereignty concerns, said Daren Glenister, field CTO at Intralinks.

"[Customer-managed keys] show that even though data resides in a certain country, it may ultimately be controlled in a separate country," he said.

Key-management tools also make it possible for companies to replace their keys on a regular basis.

"Keys ought to be rotated or expired without affecting access to legacy data," said Vamshi Sriperumbudur, VP of marketing at CipherCloud, which helps companies protect data stored in Dropdox, Salesforce, Office 365, Box, and other cloud services.

And if someone wants to access the data stored in the cloud, they have to talk to the company itself to get the keys, he added. "No-one -- whether it's law enforcement, cloud provider system admins, or cyber criminals -- can access sensitive information under any circumstances without contacting the data owner first."

Finally, by having a good key-management system a company doesn't have to worry about a storage vendor having backups of its key data that might be hanging around when they're no longer needed.

"If you need to shred all keys, you hit the button on the local hardware security module, and it does it for you," said Ashwin Krishnan, SVP of product management at HyTrust, which offers key-management software that can run locally, behind a customer's firewall, or in a cloud.

"Some customers might not be capable, or might not want to invest in managing keys on-premises," he said. "But they can easily make a case for hosted key management."

Continued here:
It's Time to Replace Your Encryption-Key Spreadsheet - Data Center Knowledge

Legislation to limit smartphone encryption ‘may be necessary,’ deputy AG Rosenstein says – Washington Times

Legislation may be needed to solve the Justice Department's ongoing problem with uncrackable digital encryption, Deputy Attorney General Rod Rosenstein said Wednesday.

Speaking at the 10th Annual Utah National Security and Anti-Terrorism Conference in Salt Lake City, Utah, Mr. Rosenstein called strong encryption one of the most significant and growing challenges currently faced by law enforcement and raised the possibility of passing laws limiting its use.

"The use of encrypted services poses a novel threat to public safety. We can disrupt attacks only if we are able to learn about them," Mr. Rosenstein told attendees, according to remarks published by the Justice Department.

Robust, hard-to-crack encryption became a hot-button issue after a married couple killed more than a dozen people in San Bernardino, California, in Dec. 2015 and left behind a password-protected and purportedly impenetrable Apple iPhone. The Department of Justice sued Apple in federal court the following year in hopes of compelling their assistance with respect to cracking into the phone, but ultimately relented after seeking the help of an undisclosed, third-party security company at a hefty cost.

Investigators have continued to encounter issues attempting to glean evidence from safeguarded smartphones and eavesdrop on communication platforms increasingly protected with strong encryption in the wake of San Bernardino, and Mr. Rosenstein said Wednesday that lawmakers may have to intervene if their problems persist.

"After a terrorist attack, obtaining stored electronic information is an effective and necessary law enforcement technique. But, as we saw after the San Bernardino attack, obtaining electronic data can be time-consuming, expensive, and uncertain if technology providers refuse to cooperate," Mr. Rosenstein said.

"Unfortunately, some companies are unwilling to help enforce court orders to obtain evidence of criminal activity stored in electronic devices. I hope that technology companies will work with us to stop criminals from defeating law enforcement. Otherwise, legislation may be necessary," Mr. Rosenstein added.

Absent legislation, Mr. Rosenstein previously requested more than $20 million in federal funding back in June devoted entirely toward solving the government's inability to crack strong encryption, a dilemma Washington for years has referred to as "going dark."

"The seriousness of this threat cannot be overstated," he testified on Capitol Hill at the time. "This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice."

James Comey, the former FBI director ousted by President Trump in May, said during a congressional hearing days earlier that roughly 46 percent of the approximately 3,000 smartphones and other electronic devices seized by investigators during a recent six-month span were effectively impenetrable because of strong encryption.

"That means half of the devices that we encounter in terrorism cases, in counterintelligence cases, in gang cases, in child pornography cases, cannot be opened with any technique," Mr. Comey told the Senate Judiciary Committee. "That is a big problem. And so the shadow continues to fall."

"The Obama administration was not in a position where they were seeking legislation," Mr. Comey said at the time. "I don't know yet how President Trump intends to approach this."

Tech companies including Apple and Google have previously opposed the government's attempts at weakening or bypassing strong encryption on account of security and privacy repercussions and have fought in the past against efforts in the U.S. and abroad to outlaw encryption.


Cipher Suites: Ciphers, Algorithms and Negotiating Security Settings – Hashed Out by The SSL Store (registration) (blog)

Here's what you need to know about the algorithms behind SSL/TLS encryption.

If you study SSL and encryption long enough, eventually you're going to come across the word "cipher." Aside from just generally being a cool word, ciphers are a very important part of encryption.

So, what are encryption ciphers?

Ciphers are algorithms. More specifically, they're a set of steps for performing both encryption and the corresponding decryption. Nowadays ciphers are dependent upon the advanced processing capabilities of computers. That hasn't always been the case, though. One of the first well-known historical ciphers belonged to Caesar, emperor of Rome and purveyor of fancy appetizer salads, who used it to communicate with his generals during military operations.

Over the years, ciphers have become more complex, but the logic behind them has stayed the same. Whether it was Caesar crossing the Rubicon, the infamous Enigma cipher of World War II or some of the algorithms of today, the idea has always been to encode or encipher a message in such a way that only the intended party can read it.

For all intents and purposes, when we discuss ciphers as they relate specifically to SSL encryption, there are two kinds of algorithms: symmetric and asymmetric. This really comes down to the kind of encryption you're going to be performing: again, symmetric or asymmetric.

Symmetric encryption involves two keys that are the same, or as the name quite cleverly implies, symmetric. Both keys can perform both functions: encryption and decryption. You see this during an encrypted web connection between a browser and a server. After the SSL certificate has been authenticated and the SSL handshake is complete, the browser and server exchange symmetric session keys that allow them to communicate securely for the duration of the visit. While these session keys are in play, they are making use of a symmetric cipher.

Conversely, with asymmetric encryption, you are talking about different keys with different abilities. The most obvious example of this is the public/private key pair that is used during the SSL handshake. In this scenario, one key encrypts and the other key decrypts. This kind of encryption requires a different kind of cipher: an asymmetric algorithm.

There are many different ciphers that are commonly used in encryption in conjunction with one another. That's because, specifically as it relates to SSL, you're not using just a single algorithm but rather a set of algorithms that are grouped together in what is referred to as a "Cipher Suite."

We're building towards that concept, so we'll get there in a little bit. But now that we've got an understanding of the two types of algorithm, symmetric and asymmetric, we can look at some of the different ciphers and the functions they serve. Then we'll talk about building a cipher suite.

Here are some examples of ciphers and other similar algorithms:

RSA

RSA is named after the gentlemen that created it: Rivest, Shamir and Adleman. This is a fairly common asymmetric cryptosystem that uses prime numbers and has a wide range of applications.

Diffie-Hellman

Named after Whitfield Diffie and Martin Hellman, this is a public key protocol used primarily for exchanging cryptographic keys over public channels. Prior to methods like DH, keys had to be transmitted in physical form.

Elliptic Curve Diffie-Hellman

A key agreement protocol that allows two parties with elliptic curve public-private key pairs to establish a shared secret (used either directly as a key or to derive one) securely over a public channel.

PSK

Typically written as TLS-PSK, this is a cipher that provides secure communication based on pre-shared symmetric keys exchanged between parties in advance.

AES

Advanced Encryption Standard, a.k.a. Rijndael, is a NIST-approved encryption cipher with a block size of 128 bits and symmetric keys with lengths of either 128, 192 or 256 bits.

Camellia

A symmetric key block cipher with similar capabilities and key sizes to AES. It was developed in Japan by NTT and Mitsubishi and is approved by the ISO/IEC, EU and the Japanese CRYPTREC project.

ARIA

Another block cipher that is similar to AES, ARIA was developed by a group of researchers in South Korea in 2003.

Hash-Based Message Authentication Code (HMAC)

This is a type of message authentication that uses cryptographic hashes to both authenticate a message and ensure data integrity, think SHA-256.

Authenticated Encryption

AE or AEAD provides confidentiality, integrity and authentication assurances on data under a single programming interface. Typically used in conjunction with a block cipher.

Obviously, this is an incomplete list; there are dozens of other ciphers. But this should at least give you some more context when we begin discussing cipher suites in the next section.

A Cipher Suite is a combination of algorithms used to negotiate security settings during the SSL/TLS handshake. After the ClientHello and ServerHello messages are exchanged, the client sends a prioritized list of cipher suites it supports. The server then responds with the cipher suite it has selected from the list.

Cipher suites are named combinations of:

So, for instance, here's an example of a cipher suite:

I've color-coded it to help you distinguish between the ciphers.

TLS is the protocol. Starting with ECDHE we can see that during the handshake the keys will be exchanged via ephemeral Elliptic Curve Diffie Hellman (ECDHE). RSA is the authentication algorithm. AES_128_GCM is the bulk encryption algorithm. Finally, SHA-256 is the hashing algorithm.

Most browsers and servers have a list of cipher suites that they support. During the handshake, the two compare the lists against one another in order of priority to determine the security settings that will be used.

Of course, as TLS 1.3 inches towards a final release, this is all going to change. While previous versions of SSL/TLS through TLS 1.2 used the version of cipher suites described here, in version 1.3 cipher suites will change structure as they will only be used to negotiate encryption and HMAC algorithms.

Because the structure of 1.3 cipher suites is different from its predecessors, they will not be interchangeable with older TLS versions.
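The naming scheme and the priority-based selection described above, as an added Python example that is not part of the original article. The suite names are the IANA-style names assembled from the components the text lists (ECDHE, RSA, AES_128_GCM, SHA-256); the function names, the `prefer_server_order` switch and the sample lists are assumptions made for illustration.

```python
# Added example: parse cipher suite names and pick one by priority.
# Covers the common TLS_<kx>_<auth>_WITH_<cipher>_<hash> shape and the shorter
# TLS 1.3 shape; unusual names (EXPORT, CCM suites without a hash) are not handled.

def parse_suite(name):
    """Split a cipher suite name into the parts the article describes."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        # Up to TLS 1.2: key exchange and authentication come before WITH.
        left, right = body.split("_WITH_", 1)
        kx, _, auth = left.partition("_")
        cipher, _, digest = right.rpartition("_")
        # A single token (e.g. RSA, PSK) covers both key exchange and authentication.
        return {"key_exchange": kx, "authentication": auth or kx,
                "bulk_cipher": cipher, "hash": digest, "tls13_style": False}
    # TLS 1.3: the name carries only the encryption algorithm and the hash.
    cipher, _, digest = body.rpartition("_")
    return {"key_exchange": None, "authentication": None,
            "bulk_cipher": cipher, "hash": digest, "tls13_style": True}


def negotiate(client_offer, server_supported, prefer_server_order=True):
    """Return the first suite both sides support, or None if there is no overlap.

    prefer_server_order is a hypothetical switch: whose priority list wins
    is a deployment setting, so both orders are supported here.
    """
    first, second = ((server_supported, client_offer) if prefer_server_order
                     else (client_offer, server_supported))
    allowed = set(second)
    return next((s for s in first if s in allowed), None)


# Constructed sample lists (not taken from any real browser or server).
CLIENT = ["TLS_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA"]
SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
          "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    chosen = negotiate(CLIENT, SERVER)
    print(chosen, parse_suite(chosen))
```

A client that offers only 1.3-style names against this server list gets `None`, which is the non-interchangeability the article describes: there is no suite in common to select.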

For those that like to skim, here are the key takeaways from today's conversation:
