Published by Primrose Hopkins. Modified over 7 years ago.
1
Encryption
2
Advanced Encryption Standard
The SubBytes step, one of four stages in a round of AES
3
Advanced Encryption Standard
Derived from Square
4
Advanced Encryption Standard
Successors Anubis, Grand Cru
5
Advanced Encryption Standard
Structure Substitution-permutation network
6
Advanced Encryption Standard
Attacks have been published that are computationally faster than a full brute force attack, though none as of 2013 are computationally feasible:
7
Advanced Encryption Standard
For AES-128, the key can be recovered with a computational complexity of using bicliques. For biclique attacks on AES-192 and AES-256, the computational complexities of and respectively apply. Related-key attacks can break AES-192 and AES-256 with complexities 2^176 and 2^99.5, respectively.
8
Advanced Encryption Standard
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S
9
Advanced Encryption Standard
AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), which was published in The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
10
Advanced Encryption Standard
AES is available in many different encryption packages, and is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module (see Security of AES, below).
11
Advanced Encryption Standard
The name Rijndael (Dutch pronunciation: [ˈrɛindaːl]) is a play on the names of the two inventors (Joan Daemen and Vincent Rijmen).
12
Advanced Encryption Standard Description of the cipher
AES is based on a design principle known as a substitution-permutation network, and is fast in both software and hardware. Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.
13
Advanced Encryption Standard Description of the cipher
AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field.
14
Advanced Encryption Standard Description of the cipher
The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition is as follows:
15
Advanced Encryption Standard Description of the cipher
Each round consists of several processing steps, each containing five similar but different stages, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.
16
Advanced Encryption Standard High-level description of the algorithm
KeyExpansion—round keys are derived from the cipher key using Rijndael's key schedule. AES requires a separate 128-bit round key block for each round plus one more.
17
Advanced Encryption Standard High-level description of the algorithm
AddRoundKey—each byte of the state is combined with a block of the round key using bitwise xor.
18
Advanced Encryption Standard High-level description of the algorithm
SubBytes—a non-linear substitution step where each byte is replaced with another according to a lookup table.
19
Advanced Encryption Standard High-level description of the algorithm
ShiftRows—a transposition step where each row of the state is shifted cyclically a certain number of steps.
20
Advanced Encryption Standard High-level description of the algorithm
MixColumns—a mixing operation which operates on the columns of the state, combining the four bytes in each column.
21
Advanced Encryption Standard The SubBytes step
In the SubBytes step, each byte in the state matrix is replaced with a SubByte using an 8-bit substitution box, the Rijndael S-box
22
Advanced Encryption Standard The ShiftRows step
The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset
23
Advanced Encryption Standard The MixColumns step
In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.
24
Advanced Encryption Standard The MixColumns step
During this operation, each column is multiplied by the known matrix that for the 128-bit key is:
25
Advanced Encryption Standard The MixColumns step
The multiplication operation is defined as: multiplication by 1 means no change, multiplication by 2 means shifting to the left, and multiplication by 3 means shifting to the left and then performing XOR with the initial unshifted value. After shifting, a conditional XOR with 0x1B should be performed if the shifted value is larger than 0xFF.
26
Advanced Encryption Standard The MixColumns step
In a more general sense, each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with a fixed polynomial c(x) = 0x03·x^3 + x^2 + x + 0x02. The coefficients are displayed in their hexadecimal equivalent of the binary representation of bit polynomials from GF(2)[x]. The MixColumns step can also be viewed as a multiplication by a particular MDS matrix in a finite field. This process is described further in the article Rijndael mix columns.
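As an added worked example (not part of the original slides), the multiplication rule described above implemented in Python: xtime is the "multiply by 2" step with the conditional XOR with 0x1B, the fixed MixColumns matrix is applied to one column, and the inverse matrix is included to show that the transformation is invertible as the earlier slide states; the check column 0xdb 0x13 0x53 0x45 is a well-known AES test value.

```python
# Added example: the AES MixColumns step over GF(2^8), following the slide's
# description of multiplication by 1, 2 and 3. Not code from the original deck.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael reduction polynomial


def xtime(b: int) -> int:
    """Multiply a GF(2^8) element by x (i.e. by 0x02).

    Shift left one bit; if the result no longer fits in a byte, XOR with 0x1B.
    XORing with 0x11B does exactly that in one step (it also clears bit 8).
    """
    b <<= 1
    if b & 0x100:          # "shifted value is larger than 0xFF"
        b ^= AES_POLY
    return b & 0xFF


def gf_mul(a: int, b: int) -> int:
    """General GF(2^8) multiplication built from repeated xtime (peasant method).

    gf_mul(a, 2) == xtime(a) and gf_mul(a, 3) == xtime(a) ^ a, which is the
    slide's rule; the general form is also needed for the inverse matrix
    (coefficients 9, 11, 13, 14).
    """
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


# The fixed MDS matrix used by MixColumns and its inverse (InvMixColumns).
MIX_MATRIX = (
    (2, 3, 1, 1),
    (1, 2, 3, 1),
    (1, 1, 2, 3),
    (3, 1, 1, 2),
)
INV_MIX_MATRIX = (
    (14, 11, 13, 9),
    (9, 14, 11, 13),
    (13, 9, 14, 11),
    (11, 13, 9, 14),
)


def mix_column(col, matrix=MIX_MATRIX):
    """Multiply one 4-byte column by the matrix; every input byte affects every output byte."""
    return [
        gf_mul(row[0], col[0]) ^ gf_mul(row[1], col[1])
        ^ gf_mul(row[2], col[2]) ^ gf_mul(row[3], col[3])
        for row in matrix
    ]


def inv_mix_column(col):
    """Undo mix_column using the inverse MDS matrix."""
    return mix_column(col, INV_MIX_MATRIX)


def mix_columns(state: bytes, inverse: bool = False) -> bytes:
    """Apply (Inv)MixColumns to a 16-byte AES state stored in column-major order,
    so bytes 4c..4c+3 form column c."""
    matrix = INV_MIX_MATRIX if inverse else MIX_MATRIX
    out = bytearray(16)
    for c in range(4):
        out[4 * c:4 * c + 4] = mix_column(state[4 * c:4 * c + 4], matrix)
    return bytes(out)


if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]            # well-known test column
    mixed = mix_column(col)                   # -> [0x8e, 0x4d, 0xa1, 0xbc]
    print([hex(x) for x in mixed])
    print(inv_mix_column(mixed) == col)       # True: the step is invertible
```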
27
Advanced Encryption Standard The AddRoundKey step
In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.
28
Advanced Encryption Standard Optimization of the cipher
On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining the SubBytes and ShiftRows steps with the MixColumns step by transforming them into a sequence of table lookups
29
Advanced Encryption Standard Optimization of the cipher
If the resulting four-kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit (i.e. 1 kilobyte) table by the use of circular rotates.
30
Advanced Encryption Standard Optimization of the cipher
Using a byte-oriented approach, it is possible to combine the SubBytes, ShiftRows, and MixColumns steps into a single round operation.
31
Advanced Encryption Standard Security
Until May 2009, the only successful published attacks against the full AES were side-channel attacks on some specific implementations. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for U.S. Government non-classified data. In June 2003, the U.S. Government announced that AES could be used to protect classified information:
32
Advanced Encryption Standard Security
The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.
33
Advanced Encryption Standard Security
AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.
34
Advanced Encryption Standard Known attacks
For cryptographers, a cryptographic "break" is anything faster than a brute force—performing one trial decryption for each key (see Cryptanalysis). This includes results that are infeasible with current technology. The largest successful publicly known brute force attack against any block-cipher encryption was against a 64-bit RC5 key by distributed.net in 2006.
35
Advanced Encryption Standard Known attacks
AES has a fairly simple algebraic description. In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in the AES algorithm due to its simple description. Since then, other papers have shown that the attack as originally presented is unworkable; see XSL attack on block ciphers.
36
Advanced Encryption Standard Known attacks
During the AES process, developers of competing algorithms wrote of Rijndael, "...we are concerned about [its] use...in security-critical applications." However, in October 2000 at the end of the AES selection process, Bruce Schneier, a developer of the competing algorithm Twofish, wrote that while he thought successful academic attacks on Rijndael would be developed someday, "I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."
37
Advanced Encryption Standard Known attacks
On July 1, 2009, Bruce Schneier blogged about a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich, which exploits AES's somewhat simple key schedule and has a complexity of In December 2009 it was improved to This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić, with a complexity of 2^96 for one out of every 2^35 keys.
38
Advanced Encryption Standard Known attacks
Another attack was blogged by Bruce Schneier on July 30, 2009 and released as a preprint on August 3, 2009
39
Advanced Encryption Standard Known attacks
In November 2009, the first known-key distinguishing attack against a reduced 8-round version of AES-128 was released as a preprint. This known-key distinguishing attack is an improvement of the rebound or the start-from-the-middle attacks for AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called Super-Sbox. It works on the 8-round version of AES-128, with a time complexity of 2^48, and a memory complexity of 2^32.
40
Advanced Encryption Standard Known attacks
In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-middle" attacks on AES-128.
41
Advanced Encryption Standard Known attacks
The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in The attack is based on bicliques and is faster than brute force by a factor of about four. It requires operations to recover an AES-128 key. For AES-192 and AES-256, and operations are needed, respectively.
42
Advanced Encryption Standard Side-channel attacks
Side-channel attacks do not attack the underlying cipher, and thus do not relate to the cipher's security as described here; rather, they attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.
43
Advanced Encryption Standard Side-channel attacks
The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation); however, as Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from the server's responses, does not stop the attack: the client simply uses round-trip timings based on its local clock, and compensates for the increased noise by averaging over a larger number of samples."
44
Advanced Encryption Standard Side-channel attacks
In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES. One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.
45
Advanced Encryption Standard Side-channel attacks
In December 2009 an attack on some hardware implementations was published that used differential fault analysis and allows recovery of a key with a complexity of 2^32.
46
Advanced Encryption Standard Side-channel attacks
Like some earlier attacks this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account.
47
Advanced Encryption Standard NIST/CSEC validation
From NSTISSP #11, National Policy Governing the Acquisition of Information Assurance: "Encryption products for protecting classified information will be certified by NSA, and encryption products intended for protecting sensitive information will be certified in accordance with NIST FIPS "
48
Advanced Encryption Standard NIST/CSEC validation
The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.
49
Advanced Encryption Standard NIST/CSEC validation
Although NIST publication 197 ("FIPS 197") is the unique document that covers the AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several algorithms (such as Triple DES or SHA1) validated at the same time
50
Advanced Encryption Standard NIST/CSEC validation
The Cryptographic Algorithm Validation Program (CAVP) allows for independent validation of the correct implementation of the AES algorithm at a reasonable cost
51
Advanced Encryption Standard NIST/CSEC validation
FIPS validation is challenging to achieve both technically and fiscally
52
Advanced Encryption Standard Test vectors
Test vectors are a set of known ciphertexts for a given input and key. NIST distributes the reference set of AES test vectors as AES Known Answer Test (KAT) Vectors (in ZIP format).
53
Advanced Encryption Standard Performance
High speed and low RAM requirements were criteria of the AES selection process. Thus AES performs well on a wide variety of hardware, from 8-bit smart cards to high-performance computers.
54
Advanced Encryption Standard Performance
On a Pentium Pro, AES encryption requires 18 clock cycles per byte, equivalent to a throughput of about 11 MB/s for a 200 MHz processor. On a 1.7 GHz Pentium M throughput is about 60 MB/s.
55
Advanced Encryption Standard Performance
On Intel Core i3/i5/i7 CPUs supporting AES-NI instruction set extensions, throughput can be over 700 MB/s per thread.
56
BitTorrent Throttling and encryption
Since BitTorrent makes up a large proportion of total traffic, some ISPs have chosen to throttle (slow down) BitTorrent transfers. For this reason, methods have been developed to disguise BitTorrent traffic in an attempt to thwart these efforts.
57
BitTorrent Throttling and encryption
Protocol header encrypt (PHE) and Message stream encryption/Protocol encryption (MSE/PE) are features of some BitTorrent clients that attempt to make BitTorrent hard to detect and throttle. At the moment Vuze, BitComet, KTorrent, Transmission, Deluge, µTorrent, MooPolice, Halite, rTorrent and the latest official BitTorrent client (v6) support MSE/PE encryption.
58
BitTorrent Throttling and encryption
In September 2006 it was reported that some software could detect and throttle BitTorrent traffic masquerading as HTTP traffic.
59
BitTorrent Throttling and encryption
Reports in August 2007 indicated that Comcast was preventing BitTorrent seeding by monitoring and interfering with the communication between peers
60
BitTorrent Throttling and encryption
In general, although encryption can make it difficult to determine what is being shared, BitTorrent is vulnerable to traffic analysis. Thus, even with MSE/PE, it may be possible for an ISP to recognize BitTorrent and also to determine that a system is no longer downloading but only uploading data, and terminate its connection by injecting TCP RST (reset flag) packets.
61
Electronic business Encryption
The level of the actual encryption can be adjusted and should be based on the information
62
Digital Video Broadcasting - Encryption and metadata
The conditional access system (DVB-CA) defines a Common Scrambling Algorithm (DVB-CSA) and a physical Common Interface (DVB-CI) for accessing scrambled content. DVB-CA providers develop their wholly proprietary conditional access systems with reference to these specifications. Multiple simultaneous CA systems can be assigned to a scrambled DVB program stream providing operational and commercial flexibility for the service provider.
63
Digital Video Broadcasting - Encryption and metadata
DVB is also developing a Content Protection and Copy Management system for protecting content after it has been received (DVB-CPCM), which is intended to allow flexible use of recorded content on a home network or beyond, while preventing unconstrained sharing on the Internet. DVB-CPCM has been the source of much controversy in the popular press, and it is said that CPCM is the DVB's answer to the failed American Broadcast Flag.
64
Digital Video Broadcasting - Encryption and metadata
DVB transports include metadata called Service Information (DVB-SI, ETSI EN , ETSI TR ) that links the various elementary streams into coherent programs and provides human-readable descriptions for electronic program guides as well as for automatic searching and filtering
65
Digital Video Broadcasting - Encryption and metadata
Recently, DVB has adopted a profile of the metadata defined by the TV-Anytime Forum (DVB-TVA, ETSI TS ). This is an XML Schema based technology and the DVB profile is tailored for enhanced Personal Digital Recorders. DVB lately also started an activity to develop a service for IPTV (DVB-IPI, ETSI TR , ETSI TS , ETSI TS ) which also includes metadata definitions for a broadband content guide (DVB-BCG, ETSI TS ).
66
XML Encryption Although XML Encryption can be used to encrypt any kind of data, it is nonetheless known as "XML Encryption" because an XML element (either an EncryptedData or EncryptedKey element) contains or refers to the cipher text, keying information, and algorithms.
67
XML Encryption Both XML Signature and XML Encryption use the KeyInfo element, which appears as the child of a SignedInfo, EncryptedData, or EncryptedKey element and provides information to a recipient about what keying material to use in validating a signature or decrypting encrypted data.
68
XML Encryption The KeyInfo element is optional: it can be attached in the message, or be delivered through a secure channel.
69
XML Encryption XML Encryption is different from and unrelated to Transport Layer Security, which is used to send encrypted messages (including xml content, both encrypted and otherwise) over the internet.
70
XML Encryption It has been reported that this specification has severe security concerns.
71
XML Encryption - Notes ^ "RUB Researchers break W3C standard". Ruhr University Bochum. 19 October Retrieved 29 June 2012.
72
OpenVPN - Encryption It can also use hardware acceleration to get better encryption performance
73
Btrfs - Encryption The current recommendation for encryption with Btrfs is to use a full-disk encryption mechanism such as dm-crypt/LUKS on the underlying devices, and to create the Btrfs filesystem on top of that layer (and that if a RAID is to be used with encryption, encrypting a dm-raid device or a hardware-RAID device gives much faster disk performance than dm-crypt overlaid by Btrfs' own filesystem-level RAID features).
74
ISO PIN encryption To protect the PIN during transmission from the PIN entry device to the verifier, the standard requires that the PIN be encrypted, and specifies several formats that may be used. In each case, the PIN is encoded into a 64-bit PIN block, which is then encrypted by an "approved algorithm" (currently TDEA, according to part 2 of the standard).
75
Encryption For technical reasons, an encryption scheme usually needs a key-generation algorithm to randomly produce keys.
76
Encryption - Symmetric key encryption
In symmetric-key schemes, the encryption and decryption keys are the same. Thus communicating parties must agree on a secret key before they wish to communicate.
77
Encryption - Public key encryption
In public-key encryption schemes, the encryption key is published for anyone to use and encrypt messages. However, only the receiving party has access to the decryption key and is capable of reading the encrypted messages. Public-key encryption is a relatively recent invention: historically, all encryption schemes have been symmetric-key (also called private-key) schemes.
78
Encryption - Public key encryption
One of the earliest public key encryption applications was called Pretty Good Privacy (PGP). It was written in 1991 by Phil Zimmermann and was purchased by Symantec in 2010.
79
Encryption - How encryption is used
Digital rights management systems, which prevent unauthorized use or reproduction of copyrighted material and protect software against reverse engineering (see also copy protection), are another somewhat different example of using encryption on data at rest.
80
Encryption - How encryption is used
Encryption is also used to protect data in transit, for example data being transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. There have been numerous reports of data in transit being intercepted in recent years. Encrypting data in transit also helps to secure it as it is often difficult to physically secure all access to networks.
81
Encryption - Message verification
Sometimes an adversary can obtain unencrypted information without directly undoing the encryption
82
Encryption - Message verification
Digital signature and encryption must be applied at message creation time (i.e. on the same device on which it has been composed) to avoid tampering. Otherwise any node between the sender and the encryption agent could potentially tamper with it. It should be noted that encrypting at the time of creation only adds security if the encryption device itself has not been tampered with.
83
Encryption - Further reading
Fouché Gaines, Helen (1939), Cryptanalysis: A Study of Ciphers and Their Solution, New York: Dover Publications Inc, ISBN
84
Encryption - Further reading
Preneel, Bart, "Advances in Cryptology — EUROCRYPT 2000", Springer Berlin Heidelberg, 2000, ISBN
85
UT-VPN - Encryption UT-VPN uses the OpenSSL library to provide encryption to packets.
86
Digital signature - Using separate key pairs for signing and encryption
If an encryption key is lost, a backup or key escrow should be utilized to continue viewing encrypted content
87
Opportunistic encryption
Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt the communications channel otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems.
88
Opportunistic encryption
Opportunistic encryption can be used to combat passive wiretapping. (An active wiretapper, on the other hand, can disrupt encryption negotiation to force an unencrypted channel.) It does not provide a strong level of security as authentication may be difficult to establish and secure communications are not mandatory. Yet, it does make the encryption of most internet traffic easy to implement, which removes a significant impediment to the mass adoption of Internet traffic security.
89
Opportunistic encryption - Routers
The FreeS/WAN project was one of the early proponents of OE. Openswan has also been ported to the OpenWrt project. Openswan uses DNS records to facilitate the key exchange between the systems.
90
Opportunistic encryption - Routers
It is possible to use OpenVPN and networking protocols to set up dynamic VPN links which act similarly to OE for specific domains.
91
Opportunistic encryption - Unix and unix-like systems
The FreeS/WAN and forks such as Openswan and strongSwan offer VPNs which can also operate in OE mode using IPsec based technology. Obfuscated TCP is another method of implementing OE.
92
Opportunistic encryption - Windows OS
Windows platforms have an implementation of OE installed by default. This method uses IPsec to secure the traffic and is a simple procedure to turn on. It is accessed via the MMC and "Ip Security Policies on Local Computer" and then edit the properties to assign the "(Request Security)" policy. This will turn on optional IPsec in a Kerberos environment.
93
Opportunistic encryption - Windows OS
In a non-Kerberos environment, a certificate from a Certificate Authority (CA) which is common to any system with which you communicate securely is required.
94
Opportunistic encryption - Windows OS
Many systems also have problems when either side is behind a NAT. This problem is addressed by NAT Traversal (NAT-T) and is accomplished by adding a DWORD of 2 to the registry: HKLM\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule. Using the filtering options provided in MMC, it is possible to tailor the networking to require, request or permit traffic to various domains and protocols to use encryption.
95
Opportunistic encryption - E-mail
Opportunistic encryption can also be used for specific traffic like e-mail, using the SMTP STARTTLS extension for relaying messages across the Internet, or the Internet Message Access Protocol (IMAP) STARTTLS extension for reading e-mail. With this implementation, it is not necessary to obtain a certificate from a certificate authority, as a self-signed certificate can be used.
96
Opportunistic encryption - E-mail
Many systems employ a variant with third-party add-ons to traditional e-mail packages by first attempting to obtain an encryption key and, if unsuccessful, then sending the e-mail in the clear. PGP, Hushmail, and Ciphire, among others, can all be set up to work in this mode.
97
Opportunistic encryption - VoIP
Phil Zimmermann, Alan Johnston, and Jon Callas have proposed a new VoIP encryption protocol called ZRTP
98
Opportunistic encryption - Websites
For encrypting WWW/HTTP connections, typically HTTPS is used. This can also be used for opportunistic website encryption. Most browsers verify the webserver's identity to make sure that an SSL certificate is signed by a trusted certificate authority. The easiest way to enable opportunistic website encryption is by using self-signed certificates, but this causes browsers to display a warning each time the website is visited unless the user imports the website's certificate into their browser.
99
Opportunistic encryption - Websites
There are add-ons for Firefox called HTTPS Everywhere by EFF and HTTPSfinder. These add-ons find and automatically switch the connection to HTTPS when possible.
100
Cryptography - Forced disclosure of encryption keys
Key disclosure law
101
Cryptography - Forced disclosure of encryption keys
In the United Kingdom, the Regulation of Investigatory Powers Act gives UK police the powers to force suspects to decrypt files or hand over passwords that protect encryption keys. Failure to comply is an offence in its own right, punishable on conviction by a two-year jail sentence or up to five years in cases involving national security. Successful prosecutions have occurred under the Act; the first in 2009, resulting in a term of 13 months' imprisonment.
102
Cryptography - Forced disclosure of encryption keys
Similar forced disclosure laws in Australia, Finland, France, and India compel individual suspects under investigation to hand over encryption keys or passwords during a criminal investigation (see Key disclosure law).
103
Cryptography - Forced disclosure of encryption keys
In the United States, the federal criminal case of United States v. Fricosu addressed whether a person can be compelled to reveal his or her encryption passphrase or password, despite the U.S. Constitution's Fifth Amendment protection against self-incrimination. In 2012, the court ruled that under the All Writs Act, the defendant was required to produce an unencrypted hard drive.
104
Cryptography - Forced disclosure of encryption keys
In many jurisdictions, the legal status of forced disclosure remains unclear.
105
Microsoft Point-to-Point Encryption
Microsoft Point-to-Point Encryption (MPPE) is a protocol for encrypting data across Point-to-Point Protocol (PPP) and virtual private network (VPN) links. It uses the RSA RC4 encryption algorithm. MPPE supports 40-bit, 56-bit and 128-bit session keys, which are changed frequently to improve security. The exact frequency that the keys are changed is negotiated, but may be as frequent as every packet.
106
Microsoft Point-to-Point Encryption
MPPE alone does not compress or expand data, but the protocol is often used in conjunction with Microsoft Point-to-Point Compression which compresses data across PPP or VPN links.
107
Microsoft Point-to-Point Encryption
Negotiation of MPPE happens within the Compression Control Protocol (CCP), a subprotocol of PPP. This can lead to the incorrect belief that it is a compression protocol.
108
Data masking - Encryption
The encryption algorithm often requires that a "key" be applied to view the data based on user rights
109
Data masking - Encryption
The data encryption method of masking requires extensive design and testing to ensure that the method is fit for purpose for your data type and application
110
Data masking - Encryption
Recently, the problem of encrypting data while preserving the properties of the entities has gained recognition and new interest among vendors and academia. This challenge gave birth to algorithms called FPE (format-preserving encryption). They are based on an accepted AES mode of operation, which is what makes them recognized by NIST.
111
Session Initiation Protocol - Encryption
The increasing concerns about the security of calls that run over the public Internet have made SIP encryption more popular.
112
Wi-Fi Protected Access - Encryption protocol
The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. Used by WPA.
113
Wi-Fi Protected Access - Encryption protocol
CCMP (Counter Cipher Mode with block chaining message authentication code Protocol)
114
Wi-Fi Protected Access - Encryption protocol
An AES-based encryption mechanism that is stronger than TKIP. Used by WPA2. Among informal names are "AES" and "AES-CCMP". According to the 802.11n specification, this encryption protocol must be used to achieve the fast 802.11n high bitrate schemes, though not all implementations enforce this. Otherwise, the data rate will not exceed 54 Mbit/s.
115
Wired Equivalent Privacy - Encryption details
WEP was included as the privacy component of the original IEEE standard ratified in September WEP uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity. It was deprecated in 2004 and is documented in the current standard.
116
Wired Equivalent Privacy - Encryption details
Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a 24-bit initialization vector (IV) to form the RC4 key. At the time that the original WEP standard was drafted, the U.S. Government's export restrictions on cryptographic technology limited the key size. Once the restrictions were lifted, manufacturers of access points implemented an extended 128-bit WEP protocol using a 104-bit key size (WEP-104).
117
Wired Equivalent Privacy - Encryption details
A 64-bit WEP key is usually entered as a string of 10 hexadecimal (base 16) characters (0-9 and A-F)
118
Wired Equivalent Privacy - Encryption details
A 128-bit WEP key is usually entered as a string of 26 hexadecimal characters. Twenty-six digits of four bits each gives 104 bits; adding the 24-bit IV produces the complete 128-bit WEP key. Most devices also allow the user to enter it as 13 ASCII characters.
119
Wired Equivalent Privacy - Encryption details
A 256-bit WEP system is available from some vendors. As with the other WEP variants, 24 bits of that are for the IV, leaving 232 bits for actual protection. These 232 bits are typically entered as 58 hexadecimal characters: (58 × 4 bits =) 232 bits + 24 IV bits = 256-bit WEP key.
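The key layout described in the WEP slides above, as an added Python example (not code from the original page or from the IEEE standard): it parses user-entered WEP keys in the hex and ASCII forms the text lists, builds the per-packet RC4 key as IV || secret key, and shows why the 24-bit IV is the weak point: two frames encrypted under the same key and IV share a keystream, so XORing their ciphertexts cancels the keystream. The RC4 implementation is stdlib-free and written out in full; the CRC-32 ICV being appended little-endian before encryption, and all keys and frames used, are constructed for the example.

```python
import zlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_wep_key(key_str):
    """Turn a user-entered WEP key into secret key bytes.
    10/26/58 hex characters -> WEP-40/WEP-104/WEP-232 (5/13/29 bytes);
    5/13 printable ASCII characters -> the same 40/104-bit keys, byte for byte."""
    if len(key_str) in (10, 26, 58) and set(key_str) <= HEX_DIGITS:
        return bytes.fromhex(key_str)
    if len(key_str) in (5, 13) and key_str.isascii():
        return key_str.encode("ascii")
    raise ValueError("not a recognised WEP key format")


def rc4(key, data):
    """RC4: key-scheduling algorithm, then the keystream generator XORed onto data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key, iv, plaintext):
    """Per-packet RC4 key = 24-bit IV || secret key (40 or 104 bits).
    The ICV (CRC-32, little-endian here by assumption) is appended to the plaintext
    before encryption; the IV travels in the clear in front of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + secret_key, plaintext + icv)


def wep_decrypt(secret_key, frame):
    """Strip the IV, re-derive the per-packet key, decrypt and check the ICV."""
    iv = frame[:3]
    body = rc4(iv + secret_key, frame[3:])
    plaintext, icv = body[:-4], body[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV check failed")
    return plaintext


def iv_reuse_leak(frame_a, frame_b):
    """Two frames under the same secret key and the same IV share an RC4 keystream,
    so XORing their ciphertexts cancels the keystream and yields plaintext_a XOR plaintext_b.
    With 2^24 IVs this collision is guaranteed on any busy network."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return bytes(x ^ y for x, y in zip(frame_a[3:], frame_b[3:]))
```

Knowing (or guessing) one plaintext, the attacker XORs it into the leak and reads the other; the CRC-32 ICV does nothing to stop this because it is linear and encrypted with the same keystream.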
120
Key size - Key size and encryption system
Encryption systems are often grouped into families. Common families include symmetric systems (e.g. AES) and asymmetric systems (e.g. RSA); they may alternatively be grouped according to the central algorithm used (e.g. elliptic curve cryptography).
121
Key size - Key size and encryption system
As each of these is of a different level of cryptographic complexity, it is usual to have different key sizes for the same level of security, depending upon the algorithm used. For example, the security available with a 1024-bit key using asymmetric RSA is considered approximately equal in security to an 80-bit key in a symmetric algorithm (Source: RSA Security).
122
Key size - Key size and encryption system
The actual degree of security achieved over time varies, as more computational power and more powerful mathematical analytic methods become available
123
McEliece cryptosystem - Message encryption
Suppose Bob wishes to send a message m to Alice whose public key is :
124
McEliece cryptosystem - Message encryption
Bob computes the ciphertext as .
125
Google Talk - Encryption
It is possible to have end-to-end encryption over the Google Talk network using OTR (off-the-record) encryption with other chat clients such as Adium (for Mac) or Pidgin (for Linux and Windows).
126
Google Talk - Encryption
Google's "Off the record" setting is not OTR (Off-the-Record Messaging) encryption. Enabling Off the record inside Gmail's Chat turns off logging of messages but does not enable encryption.
127
BlackBerry PlayBook - Encryption
Because BlackBerry Bridge accesses mail, calendar, and contacts directly from a tethered BlackBerry phone, the PlayBook meets the same encryption standards as the BlackBerry phone. Some cryptographic components of the BlackBerry OS (kernels, cryptography-related OS and Java modules) are certified under FIPS 140-2, which makes the tablet eligible for use by U.S. federal government agencies.
128
BlackBerry PlayBook - Encryption
The BlackBerry PlayBook OS2.1 update in September 2012 enabled full-disk encryption on the device, using the same algorithm as previously used that had been limited to the Enterprise kernel handling the tethered content from a paired BlackBerry phone.
129
Digg - AACS encryption key controversy
Although some users defended Digg's actions, as a whole the community staged a widespread revolt with numerous articles and comments being made using the encryption key
130
Government Communications Headquarters - Public key encryption
Early in the 1970s, the asymmetric key algorithm was invented by staff member Clifford Cocks, a mathematics graduate. This fact was kept secret until (originally published in The Sunday Telegraph)
131
Verifiable computing - An example scheme based on Fully homomorphic encryption
Gennaro et al. defined a verifiable computation scheme for any function F using Yao's garbled circuit [A. Yao (1982), Protocols for secure computations, Proceedings of the IEEE Symposium on Foundations of Computer Science; A. Yao (1986), How to generate and exchange secrets, Proceedings of the IEEE Symposium on Foundations of Computer Science] combined with a fully homomorphic encryption system.
132
Verifiable computing - An example scheme based on Fully homomorphic encryption
This verifiable computation scheme 'VC' is defined as follows:
133
Verifiable computing - An example scheme based on Fully homomorphic encryption
'VC = (KeyGen, ProbGen, Compute, Verify)' consists of four algorithms as follows:
134
Verifiable computing - An example scheme based on Fully homomorphic encryption
# 'KeyGen(F, λ) → (PK, SK)': The randomized key generation algorithm generates two keys, public and private, based on the security parameter λ. The public key encodes the target function F and is sent to the worker to compute F. The secret key is kept private by the client.
135
Verifiable computing - An example scheme based on Fully homomorphic encryption
# 'ProbGen_SK(x) → (σ_x, τ_x)': The problem generation algorithm encodes the function input x into two values, public and private, using the secret key SK. The public value σ_x is given to the worker to compute F(x) with, while the secret value τ_x is kept private by the client.
136
Verifiable computing - An example scheme based on Fully homomorphic encryption
# 'Compute_PK(σ_x) → σ_y': The worker computes an encoded value σ_y of the function's output y = F(x) using the client's public key PK and the encoded input σ_x.
137
Verifiable computing - An example scheme based on Fully homomorphic encryption
# 'Verify_SK(τ_x, σ_y) → y ∪ ⊥': The verification algorithm converts the worker's encoded output σ_y into the actual output of the function F using both the secret key SK and the secret "decoding" τ_x. It outputs y = F(x) if σ_y represents a valid output of F on x, or outputs ⊥ otherwise.
138
Verifiable computing - An example scheme based on Fully homomorphic encryption
The protocol of the verifiable computations scheme defined by Gennaro et al. works as follows:
139
Verifiable computing - An example scheme based on Fully homomorphic encryption
The homomorphic properties of the encryption scheme enable the worker to obtain an encryption of the correct output wire
140
Verifiable computing - An example scheme based on Fully homomorphic encryption
The definition of the verifiable computation scheme states that the scheme should be both correct and secure
141
RSA (algorithm) - Encryption
Alice transmits her public key to Bob and keeps the private key secret. Bob then wishes to send a message to Alice.
142
RSA (algorithm) - Encryption
He first turns the message into an integer m such that 0 ≤ m < n, using an agreed-upon reversible padding scheme, and then computes the ciphertext c ≡ m^e (mod n).
143
RSA (algorithm) - Encryption
This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.
144
RSA (algorithm) - Encryption
Note that at least nine values of m will yield a ciphertext c equal to m,
145
RSA (algorithm) - Encryption
namely the values of m which are equal to −1, 0, or 1 modulo p while also equal to −1, 0, or 1 modulo q. There will be more values of m having c = m if p − 1 or q − 1 has other divisors in common with e − 1 besides 2, because this gives more values of m such that m^{e−1} ≡ 1 (mod p) or m^{e−1} ≡ 1 (mod q) respectively.
146
RSA (algorithm) - Encryption
but this is very unlikely to occur in practice.
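The encryption step and the unconcealed-message count from the RSA slides above, as an added Python example (not code from the original page): textbook RSA with the square-and-multiply exponentiation the text mentions, plus a brute-force search over all m in [0, n) that counts the fixed points c = m and compares the count with the CRT prediction (gcd(e−1, p−1) + 1)·(gcd(e−1, q−1) + 1). The primes p = 11, q = 13 and the exponents used are toy values constructed so that the whole message space can be enumerated; with e = 23 exactly nine messages are unconcealed, with e = 7 there are more, as the text predicts.

```python
from math import gcd


def modexp(base, exp, mod):
    """Exponentiation by squaring, written out so the loop is visible; pow(base, exp, mod) is equivalent."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def rsa_keygen(p, q, e):
    """Textbook RSA key pair from two primes and a public exponent e coprime to (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    """c = m^e mod n; the caller is responsible for padding m first (toy primes here, no padding)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return modexp(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return modexp(c, d, n)


def unconcealed_messages(p, q, e):
    """Every m in [0, n) whose ciphertext equals itself, found by brute force (toy sizes only)."""
    n = p * q
    return [m for m in range(n) if modexp(m, e, n) == m]


def predicted_unconcealed_count(p, q, e):
    """By the CRT, m^e = m (mod n) splits into independent conditions mod p and mod q; each has
    gcd(e-1, p-1) nonzero solutions plus m = 0, so the minimum is 3 * 3 = 9."""
    return (gcd(e - 1, p - 1) + 1) * (gcd(e - 1, q - 1) + 1)


if __name__ == "__main__":
    pub, priv = rsa_keygen(11, 13, 23)
    print("n, e, d =", pub[0], pub[1], priv[1])
    print("unconcealed messages:", unconcealed_messages(11, 13, 23))
```

For real key sizes the brute-force search is obviously impossible, which is the point of the text's closing remark: the nine (or more) fixed points exist, but a random message hits one with negligible probability.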
147
Cryptography - Forced disclosure of encryption keys
In the United Kingdom, the Regulation of Investigatory Powers Act 2000 gives UK police the power to force suspects to decrypt files or hand over passwords that protect encryption keys.
148
Cryptography - Forced disclosure of encryption keys
In the United States, the federal criminal case of United States v. Fricosu addressed whether a person can be compelled to reveal his or her encryption passphrase or password, despite the Fifth Amendment's protection against self-incrimination. In 2012, the court ruled that under the All Writs Act, the defendant was required to produce an unencrypted hard drive.
149
QR code - Encryption
Encrypted QR codes, which are not very common, have a few implementations. An Android app, for example, manages encryption and decryption of QR codes using the DES algorithm (56-bit keys, a size that can be brute-forced and is no longer considered secure). The Japanese immigration system uses encrypted QR codes when issuing visas in passports, as shown in the figure here.
150
BitTorrent (protocol) - Throttling and encryption
Protocol header encryption (PHE) and message stream encryption/protocol encryption (MSE/PE) are features of some BitTorrent clients that attempt to make BitTorrent hard to detect and throttle. At the moment Vuze, BitComet, KTorrent, Transmission, Deluge, µTorrent, MooPolice, Halite, rTorrent and the latest official BitTorrent client (v6) support MSE/PE encryption.
151
BitTorrent (protocol) - Throttling and encryption
Reports in August 2007 indicated that Comcast was preventing BitTorrent seeding by monitoring and interfering with the communication between peers
152
Computer networks - End to end encryption
End-to-end encryption generally includes protection of both confidentiality and integrity.
153
Computer networks - End to end encryption
Examples of end-to-end encryption include PGP for email, OTR for instant messaging, ZRTP for telephony, and TETRA for radio.
154
Computer networks - End to end encryption
Some systems which normally offer end-to-end encryption have been discovered to contain a back door which causes negotiation of the encryption key between the communicating parties to be subverted, for example Skype.
155
Computer networks - End to end encryption
The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves, such as the technical exploitation of clients, poor-quality random number generators, or key escrow. E2EE also does not address traffic analysis, which relates to things such as the identities of the endpoints and the times and quantities of messages that are sent.
157
Data Encryption Standard
The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny
158
Data Encryption Standard
In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES)
159
Data Encryption Standard
Some documentation makes a distinction between DES as a standard and DES as an algorithm, referring to the algorithm as the 'DEA' ('Data Encryption Algorithm').
160
Data Encryption Standard - History of DES
The origins of DES go back to the early 1970s
161
Data Encryption Standard - NSA's involvement in the design
On 17 March 1975, the proposed DES was published in the Federal Register
162
Data Encryption Standard - NSA's involvement in the design
DES has the complementation property: if E_K(P) = C, then E_{\overline{K}}(\overline{P}) = \overline{C}, where \overline{x} is the bitwise complement of x, E_K denotes encryption with key K, and P and C denote plaintext and ciphertext blocks respectively. The complementation property means that the work for a brute-force attack can be reduced by a factor of 2 (one bit) under a chosen-plaintext assumption. By definition, this property also applies to the Triple DES cipher.
163
Data Encryption Standard - NSA's involvement in the design
DES also has four so-called weak keys. Encryption (E) and decryption (D) under a weak key have the same effect (see involution):
164
Data Encryption Standard - NSA's involvement in the design
:E_K(E_K(P)) = P or equivalently, E_K = D_K.
165
Data Encryption Standard - NSA's involvement in the design
DES also has six pairs of semi-weak keys. Encryption under one key of a pair undoes encryption under the other:
:E_{K_1}(E_{K_2}(P)) = P or equivalently, E_{K_2} = D_{K_1}.
166
Data Encryption Standard - NSA's involvement in the design
It is easy enough to avoid the weak and semi-weak keys in an implementation, either by testing for them explicitly or simply by choosing keys randomly; the odds of picking a weak or semi-weak key by chance are negligible. The keys are not really any weaker than any other keys anyway, as they do not give an attack any advantage.
167
Data Encryption Standard - NSA's involvement in the design
DES has also been proved not to be a group, or more precisely, the set {E_K} (for all possible keys K) under functional composition is not a group, nor close to being a group [Campbell and Wiener, 1992]. This was an open question for some time, and if it had been the case, it would have been possible to break DES, and multiple encryption modes such as Triple DES would not increase the security.
168
Data Encryption Standard - NSA's involvement in the design
It is known that the maximum cryptographic security of DES is limited to about 64 bits, even when independently choosing all round subkeys instead of deriving them from a key, which would otherwise permit a security of 768 bits.
169
Data Encryption Standard - Replacement algorithms
Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL.
170
Data Encryption Standard - Replacement algorithms
GDES was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.
171
Data Encryption Standard - Replacement algorithms
In 2001, after an international competition, NIST selected a new cipher, the Advanced Encryption Standard (AES), as a replacement
172
Pretty Good Privacy - PGP Corporation encryption applications
PGP encryption applications include email and attachments, digital signatures, laptop full disk encryption, file and folder security, protection for IM sessions, batch file transfer encryption, and protection for files and folders stored on network servers and, more recently, encrypted and/or signed HTTP requests/responses by means of a client-side (Enigform) and a server-side (mod_openpgp) module.
173
Pretty Good Privacy - PGP Corporation encryption applications
The PGP Desktop 9.x family includes PGP Desktop Email, PGP Whole Disk Encryption, and PGP NetShare. Additionally, a number of Desktop bundles are also available. Depending on application, the products feature desktop email, digital signatures, IM security, whole disk encryption, file and folder security, self-decrypting archives, and secure shredding of deleted files. Capabilities are licensed in different ways depending on features required.
174
Pretty Good Privacy - PGP Corporation encryption applications
The PGP Universal Server is used for automated encryption in the gateway and manages PGP Desktop 9.x clients.
175
Pretty Good Privacy - PGP Corporation encryption applications
The PGP Universal server automates the creation, management, and expiration of keys, sharing these keys among all PGP encryption applications.
176
Pretty Good Privacy - PGP Corporation encryption applications
The Symantec PGP platform has now undergone a rename. PGP Desktop is now known as Symantec Encryption Desktop, and the PGP Universal Server is now known as Symantec Encryption Server. The current shipping versions are Symantec Encryption Desktop (Windows and Mac OS platforms) and Symantec Encryption Server
177
Pretty Good Privacy - PGP Corporation encryption applications
Also available are PGP Command Line, which enables command-line-based encryption and signing of information for storage, transfer, and backup, as well as the PGP Support Package for BlackBerry, which enables RIM BlackBerry devices to use sender-to-recipient messaging encryption.
178
Pretty Good Privacy - PGP Corporation encryption applications
New versions of PGP applications support both OpenPGP and S/MIME, allowing communication with any user of a NIST-specified standard.
179
Cryptographic software - Encryption
Encryption software executes an algorithm that is designed to encrypt computer data in such a way that it cannot be recovered without access to the key. Software encryption is a fundamental part of all aspects of modern computer communication and file protection and may include features like file shredding.
180
Cryptographic software - Encryption
The purpose of encryption is to prevent third parties from recovering the original information. This is particularly important for sensitive data like credit card numbers.
181
Cryptographic software - Encryption choices
The more popular options were submitted to the National Institute of Standards and Technology or NIST for the 'Advanced Encryption Standard' (Advanced Encryption Standard|AES) competition
182
Cryptographic software - Choosing encryption
There are several factors that affect the choice of an encryption algorithm, including speed and security. The simplest method would be an XOR operation of each byte of plaintext b with a constant value k, producing a cipher byte c = b XOR k.
183
Cryptographic software - Choosing encryption
Ciphers can be categorized into two general types: public key ciphers and symmetric key ciphers.
184
Cryptographic software - Choosing encryption
That is, encryption with one member of a key pair is only easily reversed (decrypted) using the other member of the pair
185
Cryptographic software - Choosing encryption
Symmetric key ciphers (also referred to as secret key ciphers) are called such because the same key is used for both encryption and decryption. Thus, in order for messages encrypted with a symmetric key cipher to remain secure, the key used must remain secret. Symmetric key ciphers can be further subdivided into stream ciphers and block ciphers.
186
Cryptographic software - Choosing encryption
Stream ciphers typically encrypt plaintext a bit or byte at a time, and are most commonly used to encipher real-time communications, such as audio and video information. The key is used to establish the initial state of a key-stream generator, and the output of that generator is used to encrypt the plaintext.
187
Cryptographic software - Choosing encryption
A common mistake made by amateur cryptographers is the assumption that because the method is secret, the cipher is secure. This is not usually true. Many home-grown encryption algorithms reveal the key quite easily when fed a string of identical bytes (e.g., nulls).
188
Cryptographic software - Choosing encryption
The purpose of disseminating an encryption method is to allow the community to evaluate it. If it is indeed secure, then its power lies in the fact that its method has been subjected to scrutiny and found to be sound, not that it is secret.
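The constant-XOR "simplest method" introduced earlier in this section and the null-byte key recovery described just above, as one added Python example (not code from the original page): the toy cipher in its constant-key and repeating-key forms, the chosen-plaintext attack that feeds zero bytes and receives the key back unchanged, and the known-plaintext variant that needs only as many matching bytes as the key is long. The keys, the HTTP-request sample and the guessed prefix are constructed for the example.

```python
def xor_constant(data, k):
    """The text's simplest method: every byte b becomes c = b XOR k for one constant byte k."""
    return bytes(b ^ k for b in data)


def xor_repeating(data, key):
    """A slightly less naive home-grown variant: a short key cycled over the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_with_nulls(encrypt, key_len):
    """Chosen-plaintext attack from the text: 0 XOR k == k, so encrypting all-zero bytes
    returns the key (or one full period of it) verbatim. `encrypt` is any black box
    built on either function above."""
    return encrypt(bytes(key_len))


def recover_key_known_plaintext(plaintext, ciphertext, key_len):
    """Known-plaintext attack: key_len aligned bytes of plaintext/ciphertext give the key,
    because p XOR c == p XOR (p XOR k) == k."""
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of matching plaintext and ciphertext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def break_repeating_xor_message(ciphertext, known_prefix, key_len):
    """Recover the key from a guessable prefix (file magic, protocol header, ...) and decrypt
    the whole message with it; returns (key, plaintext)."""
    key = recover_key_known_plaintext(known_prefix, ciphertext, key_len)
    return key, xor_repeating(ciphertext, key)
```

The lesson the text draws holds for any keystream-based scheme: keeping the method secret does not help, because the keystream itself leaks as soon as the attacker controls or knows a short stretch of plaintext.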
189
IEEE P1363 - Encryption schemes
* 'DL/ECIES' (Discrete Logarithm/Elliptic Curve Integrated Encryption Scheme): essentially the DHAES variant of ElGamal encryption.
190
User agent - Encryption strength notations
Following the lifting of export restrictions on cryptography in the United States, most vendors supported 256-bit encryption.
191
Authenticated encryption
'Authenticated Encryption (AE)' is a block cipher mode of operation which simultaneously provides confidentiality, integrity and authenticity assurances on the data. These attributes are provided under a single, easy-to-use programming interface, and decryption is combined in a single step with integrity validation.
192
Authenticated encryption
The need for AE emerged from the observation that securely composing a confidentiality mode with an authentication mode is error-prone and difficult. As the literature put it, "people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC)", and "it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes". This was confirmed by a number of practical attacks on production protocols and applications caused by incorrect or missing authentication (including SSL/TLS).
193
Authenticated encryption
Six different authenticated encryption modes (namely OCB 2.0, Key Wrap, CCM, EAX, Encrypt-then-MAC (EtM), and GCM) have been standardized in ISO/IEC 19772:2009. More were developed in response to NIST solicitations. Sponge functions can be used in duplex mode to provide authenticated encryption.
194
Authenticated encryption
A typical programming interface of an AE mode implementation would provide the following functions:
195
Authenticated encryption
* Encryption. Input: plaintext, key, and optionally a header in plaintext that will not be encrypted but will be covered by authenticity protection;
196
Authenticated encryption
** Output: ciphertext and authentication tag (message authentication code).
197
Authenticated encryption
* Decryption. Input: ciphertext, key, authentication tag, and optionally a header;
198
Authenticated encryption
** Output: plaintext, or an error if the authentication tag does not match the supplied ciphertext and header.
199
Authenticated encryption
The header part is intended to provide authenticity and integrity protection for metadata used for networking or storage purposes, which does not need to be confidential but whose authenticity is desired.
200
Authenticated encryption
This in turn prevents the attacker from requesting the decryption of any ciphertext unless he generated it correctly using the encryption algorithm, which would imply that he already knows the plaintext
201
Authenticated encryption
However, authenticated encryption can be generically constructed by combining an encryption scheme and a message authentication code (MAC), provided that the encryption scheme is semantically secure under chosen-plaintext attack and the MAC function is unforgeable under chosen-message attack.
202
Authenticated encryption
In 2013 a competition (CAESAR) was announced to encourage the design of authenticated encryption modes.
203
Authenticated encryption - Approaches to Authenticated Encryption
* 'Encrypt-then-MAC (EtM)': The standard method according to ISO/IEC 19772:2009. This is the only method which can reach the highest definition of security in AE, but this is only achieved when the MAC used is strongly unforgeable.
204
Authenticated encryption - Approaches to Authenticated Encryption
* 'Encrypt-and-MAC (E&M)': Used in e.g. SSH and Grain-128a. Even though the E&M approach has not been proved to be strongly unforgeable in itself, it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach.
205
Authenticated encryption - Approaches to Authenticated Encryption
* 'MAC-then-Encrypt (MtE)': Used in e.g. SSL/TLS. Even though the MtE approach has not been proved to be strongly unforgeable in itself, the SSL/TLS construction has been proved strongly unforgeable by Krawczyk, who showed that SSL/TLS was in fact secure because of the encoding used alongside the MtE mechanism.
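The AE programming interface listed earlier in this section (encrypt: plaintext, key, optional header → ciphertext, tag; decrypt: ciphertext, key, tag, optional header → plaintext or error), the generic composition of a CPA-secure cipher with an unforgeable MAC, and the Encrypt-then-MAC approach just described, as one added Python example (not code from the original page or from ISO/IEC 19772). It uses only the standard library, so AES is not available: by assumption the confidentiality layer is a PRF (HMAC-SHA256) run in counter mode, which is CPA-secure as long as (key, nonce) pairs never repeat, and the MAC is HMAC-SHA256 over header, nonce and ciphertext. The nonce length, the subkey labels and all sample inputs are constructed for the example.

```python
import hashlib
import hmac
import struct

NONCE_LEN = 16   # fixed length, so the MAC input needs no separator after the nonce
TAG_LEN = 32     # full HMAC-SHA256 output


class AuthenticationError(Exception):
    """Raised when the tag does not match the ciphertext and header."""


def _subkey(master_key, label):
    # Domain-separated subkeys: the cipher and the MAC must never share a key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i). Stands in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _mac_input(header, nonce, ciphertext):
    # Length-prefix the header so the header/ciphertext boundary cannot be shifted by an attacker.
    return struct.pack(">Q", len(header)) + header + nonce + ciphertext


def ae_encrypt(key, nonce, plaintext, header=b""):
    """Input: plaintext, key, optional header. Output: (ciphertext, tag). Encrypt-then-MAC."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    keystream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, _mac_input(header, nonce, ciphertext), hashlib.sha256).digest()
    return ciphertext, tag


def ae_decrypt(key, nonce, ciphertext, tag, header=b""):
    """Input: ciphertext, key, tag, optional header. Output: plaintext, or AuthenticationError."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    expected = hmac.new(mac_key, _mac_input(header, nonce, ciphertext), hashlib.sha256).digest()
    # Verify BEFORE decrypting, in constant time: no plaintext-dependent behaviour is exposed.
    if not hmac.compare_digest(expected, tag):
        raise AuthenticationError("tag mismatch: ciphertext or header was modified")
    keystream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def is_rejected(key, nonce, ciphertext, tag, header=b""):
    """Helper for experiments: True if the decryptor refuses the input."""
    try:
        ae_decrypt(key, nonce, ciphertext, tag, header)
    except AuthenticationError:
        return True
    return False
```

Because the tag is checked first, a modified ciphertext or header never reaches the decryption step, which is what blocks the chosen-ciphertext attacks the section refers to; the same interface shape is what AES-GCM or AES-CCM expose in real libraries.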
206
Real Time Messaging Protocol - Encryption
RTMP sessions may be encrypted using either of two methods:
207
Real Time Messaging Protocol - Encryption
* Using industry-standard TLS/SSL mechanisms. The underlying RTMP session is simply wrapped inside a normal TLS/SSL session.
208
Real Time Messaging Protocol - Encryption
* Using RTMPE, which wraps the RTMP session in a lighter-weight encryption layer.
209
Real Time Messaging Protocol - Encryption
It is generally understood that the TLS/SSL handshake at the beginning of a session is very computationally intensive
210
Astro (Malaysian satellite television) - Encryption
Since its launch, Astro has transmitted programming with encryption to mitigate signal piracy. The receiver (also known as an IRD, or integrated receiver-decoder) uses ISO/IEC 7816 smart cards which tell the receiver how to decrypt the programming for viewing. Astro is now using a third generation of access smart cards.
211
Astro (Malaysian satellite television) - Encryption
* The first generation of smart cards was used until 2004. The encryption used SECA Mediaguard.
212
Astro (Malaysian satellite television) - Encryption
* The second generation of smart cards was introduced in 2004 and used until the third generation replaced it. The encryption used an improved version of Mediaguard.
213
Astro (Malaysian satellite television) - Encryption
* The third generation of smart cards is the current standard-issue card. It uses the NDS VideoGuard encryption system.
214
BitLocker Drive Encryption
By default it uses the AES encryption algorithm in CBC mode with a 128-bit or 256-bit key, combined with the Elephant diffuser for additional disk-encryption-specific security not provided by AES.
215
BitLocker Drive Encryption - Availability
Users of other versions of Windows that do not include BitLocker can use a third-party encryption program to satisfy the need for full disk encryption (see comparison of disk encryption software).
216
BitLocker Drive Encryption - Availability
The latest version of BitLocker, included in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012, adds the ability to encrypt removable drives. These can be read, but not written to, by Windows XP using the Microsoft BitLocker To Go Reader program if they use the exFAT, FAT32 or FAT16 filesystems.
217
BitLocker Drive Encryption - Availability
While device encryption is offered on all versions of Windows 8.1, unlike BitLocker, device encryption on x86-based devices requires that the device meet the Connected Standby specifications (which, among other requirements, require that the device use solid-state storage and have RAM soldered directly to the motherboard to protect against cold boot attacks) and have a TPM 2.0 chip.
218
BitLocker Drive Encryption - Overview
There are three authentication mechanisms that can be used as building blocks to implement BitLocker encryption:
219
BitLocker Drive Encryption - Overview
*'Transparent operation mode': The key used for disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified.
220
BitLocker Drive Encryption - Overview
*'User authentication mode': This mode requires that the user provide some authentication to the pre-boot environment in the form of a pre-boot PIN. This mode is vulnerable to a bootkit attack.
221
BitLocker Drive Encryption - Overview
*'USB Key Mode': The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment. This mode is also vulnerable to a bootkit attack.
222
BitLocker Drive Encryption - Overview
*'Recovery password': A numerical key protector for recovery purposes
223
BitLocker Drive Encryption - Overview
*'Certificate': Adds a certificate-based public key protector for recovery purposes
224
BitLocker Drive Encryption - Overview
The following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:
225
BitLocker Drive Encryption - Operation
Contrary to the official name, BitLocker Drive Encryption is a logical volume encryption system. A volume may or may not be an entire drive, or it can span one or more physical drives. Also, when enabled, TPM and BitLocker can ensure the integrity of the trusted boot path (e.g. BIOS, boot sector, etc.) in order to prevent most offline physical attacks, boot sector malware, etc.
226
BitLocker Drive Encryption - Operation
In order for BitLocker to operate, at least two NTFS-formatted volumes are required: one for the operating system (usually C:) and another with a minimum size of 100 MB from which the operating system boots.
227
BitLocker Drive Encryption - Operation
Once an alternate boot partition has been created, the TPM module needs to be initialized (assuming that this feature is being used), after which the required disk encryption key protection mechanisms such as TPM, PIN or USB key are configured
228
BitLocker Drive Encryption - Operation
The Microsoft Encrypting File System (EFS) may be used in conjunction with BitLocker to provide protection once the operating system kernel is running. Protection of the files from processes and users within the operating system can only be performed using encryption software that operates within Windows, such as EFS. BitLocker and EFS therefore offer protection against different classes of attacks.
229
BitLocker Drive Encryption - Operation
In Active Directory environments, BitLocker supports optional key escrow to Active Directory, although a schema update may be required for this to work (i.e. if the Active Directory Services are hosted on a Windows version previous to Windows Server 2008).
230
BitLocker Drive Encryption - Operation
BitLocker and other full disk encryption systems can be attacked by a rogue boot manager (bootkit).
231
BitLocker Drive Encryption - Security concerns
Microsoft engineers have said that FBI agents also put pressure on them in numerous meetings in order to add a back door, although no formal, written request was ever made; Microsoft engineers eventually suggested to the FBI that agents should look for the hard copy of the key that the BitLocker program suggests its users make. [Did the FBI Lean On Microsoft for Access to Its Encryption Software?] Although the AES encryption algorithm used in BitLocker is in the public domain, its implementation in BitLocker, as well as other components of the software, are proprietary; however, the code is available for scrutiny by Microsoft partners and enterprises, subject to a non-disclosure agreement.
232
BitLocker Drive Encryption - Security concerns
The Transparent operation mode and User authentication mode of BitLocker use TPM hardware to detect whether there are unauthorized changes to the pre-boot environment, including the BIOS and MBR. If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device. This cryptographic secret is used to decrypt the Volume Master Key (VMK) and allow the boot process to continue.
233
BitLocker Drive Encryption - Security concerns
The authors recommend that computers be powered down when not in physical control of the owner (rather than be left in a sleep state) and that the encryption software be configured to require a password to boot the machine.
234
BitLocker Drive Encryption - Security concerns
Once a BitLocker-protected machine is running, its keys are stored in memory where they may be susceptible to attack by a process that is able to access physical memory, for example through a 1394 (FireWire) or Thunderbolt DMA channel. Any cryptographic material in memory is at risk from this attack, which therefore is not specific to BitLocker.
235
Galois/Counter Mode - Encryption and authentication
The authentication tag is constructed by feeding blocks of data into the GHASH function, and encrypting the result. This GHASH function is defined by
\mathrm{GHASH}(H, A, C) = X_{m+n+1}
236
Galois/Counter Mode - Encryption and authentication
where H is a string of 128 zeros encrypted using the block cipher, A is data which is only authenticated (not encrypted), C is the ciphertext, m is the number of 128-bit blocks in A, n is the number of 128-bit blocks in C (the final blocks of A and C need not be exactly 128 bits), and the variable X_i for i = 0, \ldots, m+n+1 is defined as
237
Galois/Counter Mode - Encryption and authentication
X_i = \begin{cases}
0 & i = 0 \\
(X_{i-1} \oplus A_i) \cdot H & i = 1, \ldots, m-1 \\
(X_{i-1} \oplus (A^*_m \lVert 0^{128-v})) \cdot H & i = m \\
(X_{i-1} \oplus C_{i-m}) \cdot H & i = m+1, \ldots, m+n-1 \\
(X_{i-1} \oplus (C^*_n \lVert 0^{128-u})) \cdot H & i = m+n \\
(X_{i-1} \oplus (\operatorname{len}(A) \lVert \operatorname{len}(C))) \cdot H & i = m+n+1
\end{cases}
240
Galois/Counter Mode - Encryption and authentication
where v is the bit length of the final block of A, u is the bit length of the final block of C, and \lVert denotes concatenation of bit strings. Note that this is an iterative algorithm: each X_i depends on X_{i-1}, and only the final X_i is retained as output.
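The GHASH iteration above, worked through in Python as an added example (not code from the original slides or from the GCM specification): the GF(2^128) multiplication and the X_i chain, checked against the published GCM Test Case 2 values, with H and E_K(J_0) supplied as constants so that no AES implementation is needed.

```python
# Added example: GHASH as defined above, with GCM's GF(2^128) multiplication.
# Sample values are the published GCM Test Case 2 values (K = 0^128,
# IV = 0^96, one 128-bit plaintext block); H and E_K(J0) are embedded as
# constants here because this example carries no AES implementation.

R = 0xE1 << 120  # reduction constant for x^128 + x^7 + x^2 + x + 1 (bit-reflected)


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) using GCM's bit ordering
    (bit 0 of a block is its most significant bit)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        # v = v * x modulo the field polynomial: right shift plus reduction
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Yield 128-bit blocks of data as integers, zero-padding the final one
    (the A*_m || 0^(128-v) and C*_n || 0^(128-u) terms of the definition)."""
    for off in range(0, len(data), 16):
        yield int.from_bytes(data[off:off + 16].ljust(16, b"\x00"), "big")


def ghash(h: int, a: bytes, c: bytes) -> int:
    """Return X_{m+n+1}: X_0 = 0, X_i = (X_{i-1} xor block_i) * H over the
    blocks of A, then the blocks of C, then len(A) || len(C) (in bits)."""
    x = 0
    for blk in _blocks(a):
        x = gf128_mul(x ^ blk, h)
    for blk in _blocks(c):
        x = gf128_mul(x ^ blk, h)
    lengths = ((len(a) * 8) << 64) | (len(c) * 8)
    return gf128_mul(x ^ lengths, h)


def tag_from_ghash(ghash_value: int, ek_j0: int) -> int:
    """Final GCM step: tag = GHASH(H, A, C) xor E_K(J0). E_K(J0) is passed in
    because this example has no AES; for Test Case 2 it equals the Test Case 1 tag."""
    return ghash_value ^ ek_j0


# GCM Test Case 2 (K = 0, IV = 0^96, P = 0^128): published H, C and GHASH.
H_TC2 = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
EK_J0_TC2 = 0x58E2FCCEFA7E3061367F1D57A4E7455A
GHASH_TC2 = 0xF38CBB1AD69223DCC3457AE5B6B0F885
TAG_TC2 = 0xAB6E47D42CEC13BDF53A67B21257BDDF

if __name__ == "__main__":
    g = ghash(H_TC2, b"", C_TC2)
    print(f"GHASH = {g:032x}")                          # f38cbb1ad69223dcc3457ae5b6b0f885
    print(f"tag   = {tag_from_ghash(g, EK_J0_TC2):032x}")  # ab6e47d42cec13bdf53a67b21257bddf
```

Because the final length block is fed into the same chain, truncating or extending C changes the tag even when the block contents are unchanged, which is the integrity property GHASH provides.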
241
Galois/Counter Mode - Encryption and authentication
GCM mode was designed by John Viega and David A. McGrew as an improvement to Carter–Wegman Counter (CWC) mode.
242
Galois/Counter Mode - Encryption and authentication
On November 26, 2007, NIST announced the release of NIST Special Publication D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, making GCM and GMAC official standards.
243
Disk encryption 'Disk encryption' is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. 'Disk encryption' uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage.
244
Disk encryption Some hardware-based full disk encryption systems can truly encrypt an entire boot disk, including the MBR.
245
Disk encryption - Disk encryption vs. filesystem-level encryption
Conventional file and folder encryption instead allows different keys for different portions of the disk.
246
Disk encryption - Disk encryption vs. filesystem-level encryption
Unlike disk encryption, filesystem-level encryption does not typically encrypt filesystem metadata, such as the directory structure, file names, modification timestamps or sizes.
247
Disk encryption - Disk encryption and Trusted Platform Module
Trusted Platform Module (TPM) is a secure cryptoprocessor embedded in the motherboard that can be used to authenticate a hardware device. Since each TPM chip is unique to a particular device, it is capable of performing platform authentication. It can be used to verify that the system seeking the access is the expected system.
248
Disk encryption - Disk encryption and Trusted Platform Module
A limited number of disk encryption solutions have support for TPM. These implementations can wrap the decryption key using the TPM, thus tying the hard disk drive (HDD) to a particular device. If the HDD is removed from that particular device and placed in another, the decryption process will fail. Recovery is possible with the decryption password or token.
249
Disk encryption - Disk encryption and Trusted Platform Module
Although this has the advantage that the disk cannot be removed from the device, it might create a single point of failure in the encryption. For example, if something happens to the TPM or the motherboard, a user would not be able to access the data by connecting the Hard Drive to another computer, unless that user has a separate recovery key.
250
Disk encryption - Implementations
Furthermore, the media-encryption key never leaves the device itself and is therefore not available to any virus in the operating system.
251
Disk encryption - Password/data recovery mechanism
Secure and safe recovery mechanisms are essential to the large-scale deployment of any disk encryption solutions in an enterprise. The solution must provide an easy but secure way to recover passwords (most importantly data) in case the user leaves the company without notice or forgets the password.
252
Disk encryption - Challenge/response password recovery mechanism
A challenge/response password recovery mechanism allows the password to be recovered in a secure manner. It is offered by a limited number of disk encryption solutions.
253
Disk encryption - Challenge/response password recovery mechanism
# No need for the user to carry a disc with recovery encryption key.
254
Disk encryption - Challenge/response password recovery mechanism
# No secret data is exchanged during the recovery process.
255
Disk encryption - Challenge/response password recovery mechanism
# Does not require a network connection, i.e. it works for users that are at a remote location.
256
Disk encryption - Emergency Recovery Information (ERI) file password recovery mechanism
An Emergency Recovery Information (ERI) file provides an alternative for recovery if a challenge response mechanism is unfeasible due to the cost of helpdesk operatives for small companies or implementation challenges.
257
Disk encryption - Emergency Recovery Information (ERI) file password recovery mechanism
# Small companies can use it without implementation difficulties
258
Disk encryption - Security concerns
Most full disk encryption schemes are vulnerable to a cold boot attack, whereby encryption keys can be stolen by cold-booting a machine already running an operating system, then dumping the contents of memory before the data disappears.
259
Disk encryption - Security concerns
All software-based encryption systems are vulnerable to various side channel attacks such as acoustic cryptanalysis and hardware keyloggers.
260
Disk encryption - Security concerns
In contrast, self-encrypting drives are not vulnerable to these attacks since the hardware encryption key never leaves the disk controller.
261
Disk encryption - Benefits
Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of disk encryption:
262
Disk encryption - Benefits
# Nearly everything including the swap space and the temporary files is encrypted. Encrypting these files is important, as they can reveal important confidential data. With a software implementation, the bootstrapping code cannot be encrypted, however. (For example, BitLocker Drive Encryption leaves an unencrypted volume to boot from, while the volume containing the operating system is fully encrypted.)
263
Disk encryption - Benefits
# With full disk encryption, the decision of which individual files to encrypt is not left up to users' discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.
264
Disk encryption - Benefits
# Immediate data destruction, as simply destroying the cryptography keys renders the contained data useless. However, if security towards future attacks is a concern, purging or physical destruction is advised.
265
Disk encryption - The boot key problem
Some implementations such as BitLocker Drive Encryption can make use of hardware such as a Trusted Platform Module to ensure the integrity of the boot environment, and thereby frustrate attacks that target the boot loader by replacing it with a modified version.
266
Disk encryption - The boot key problem
With a Pre-Boot Authentication environment, the key used to encrypt the data is not decrypted until an external key is input into the system.
267
Disk encryption - The boot key problem
Solutions for storing the external key include:
268
Disk encryption - The boot key problem
* Using a biometric authentication method such as a fingerprint
269
Disk encryption - The boot key problem
* Using a dongle to store the key, assuming that the user will not allow the dongle to be stolen with the laptop or that the dongle is encrypted as well.
270
Disk encryption - The boot key problem
* Using a boot-time driver that can ask for a password from the user
271
Disk encryption - The boot key problem
* Using a network interchange to recover the key, for instance as part of a PXE boot
272
Disk encryption - The boot key problem
* Using a TPM to store the decryption key, preventing unauthorized access of the decryption key or subversion of the boot loader.
273
Disk encryption - The boot key problem
* Using a combination of the above
274
Disk encryption - The boot key problem
All these possibilities have varying degrees of security; however, most are better than an unencrypted disk.
275
X10 (industry standard) - Interference and lack of encryption
The standard X10 power line and RF protocols lack support for encryption, and can only address 256 devices. Unfiltered power line signals from close neighbors using the same X10 device addresses may interfere with each other. Interfering RF wireless signals may similarly be received, so anyone nearby with an X10 RF remote can, wittingly or unwittingly, cause mayhem if an RF-to-power-line device is in use on the premises.
276
Comparison of disk encryption software
This is a technical feature 'comparison of different disk encryption software'.
277
Comparison of disk encryption software - Features
* 'Hidden containers': Whether hidden containers (an encrypted container (A) within another encrypted container (B), so that the existence of container A cannot be established) can be created for deniable encryption. (Hidden containers description from Jetico (BestCrypt).) Note that some modes of operation, like CBC with a plain IV, can be more prone to watermarking attacks than others.
278
Comparison of disk encryption software - Features
* 'Pre-boot authentication': Whether authentication can be required before booting the computer, thus allowing one to encrypt the boot disk.
279
Comparison of disk encryption software - Features
* 'Custom authentication': Whether custom authentication mechanisms can be implemented with third-party applications.
280
Comparison of disk encryption software - Features
* 'Multiple keys': Whether an encrypted volume can have more than one active key.
281
Comparison of disk encryption software - Features
* 'Passphrase strengthening': Whether key strengthening is used with plain text passwords to frustrate dictionary attacks, usually using PBKDF2.
282
Comparison of disk encryption software - Features
* 'Trusted Platform Module': Whether the implementation can use a TPM cryptoprocessor.
283
Comparison of disk encryption software - Features
* 'Filesystems': Which filesystems are supported.
284
Comparison of disk encryption software - Features
* 'Two-factor authentication': Whether optional security tokens (hardware security modules, such as Aladdin eToken and smart cards) are supported (for example using PKCS#11).
285
Comparison of disk encryption software - Layering
* 'Whole disk': Whether the whole physical disk or logical volume can be encrypted, including the partition tables and master boot record. Note that this does not imply that the encrypted disk can be used as the boot disk itself; refer to pre-boot authentication in the features comparison table.
286
Comparison of disk encryption software - Layering
* 'Partition': Whether individual disk partitions can be encrypted.
287
Comparison of disk encryption software - Layering
* 'File': Whether the encrypted container can be stored in a file (usually implemented as encrypted loop devices).
288
Comparison of disk encryption software - Layering
* 'Swap space': Whether the swap space (called a pagefile on Windows) can be encrypted individually/explicitly.
289
Comparison of disk encryption software - Layering
* 'Hibernation file': Whether the hibernation file is encrypted (if hibernation is supported).
290
Comparison of disk encryption software - Modes of operation
Different modes of operation supported by the software. Note that an encrypted volume can only use one mode of operation.
291
Comparison of disk encryption software - Modes of operation
* 'CBC with predictable IVs': The CBC (cipher block chaining) mode where initialization vectors are statically derived from the sector number and are not secret; this means that IVs are re-used when overwriting a sector and the vectors can easily be guessed by an attacker, leading to watermarking attacks.
292
Comparison of disk encryption software - Modes of operation
* 'CBC with secret IVs': The CBC mode where initialization vectors are statically derived from the encryption key and sector number. The IVs are secret, but they are re-used with overwrites. Methods for this include ESSIV and encrypted sector numbers (CGD).
293
Comparison of disk encryption software - Modes of operation
* 'CBC with random per-sector keys': The CBC mode where random keys are generated for each sector when it is written to, and which thus does not exhibit the typical weaknesses of CBC with re-used initialization vectors. The individual sector keys are stored on disk and encrypted with a master key. (See GBDE for details.)
294
Comparison of disk encryption software - Modes of operation
* 'LRW': The Liskov-Rivest-Wagner tweakable narrow-block mode, a mode of operation specifically designed for disk encryption. Superseded by the more secure XTS mode due to security concerns (see the IEEE P1619 LRW issue).
295
IEEE 802.22 - Encryption, authentication, and authorization
Only the AES-GCM authenticated encryption cipher algorithm is supported (IEEE § 8.4.1, p. 281).
296
IEEE 802.22 - Encryption, authentication, and authorization
EAP-TLS or EAP-TTLS must be used for authentication and encryption key derivation (IEEE § 8.1.2, p
297
IEEE 802.22 - Encryption, authentication, and authorization
This could allow for a type of customer lock-in where the network providers refuse network access to devices that have not been vetted by manufacturers of the network providers' choice (i.e. the device must possess the private key of an X.509 certificate with a chain of trust to a manufacturer certificate authority (CA) that the network provider will accept), not unlike the SIM lock in modern cellular networks and DOCSIS certification testers in cable networks.
298
IEEE P1619 - Narrow-block vs. wide-block encryption
An encryption algorithm used for data storage has to support independent encryption and decryption of portions of data.
299
IEEE P1619 - Narrow-block vs. wide-block encryption
For these reasons, the working group selected the narrow-block (128 bits) encryption with no authentication in the standard P1619, assuming that the added efficiency warrants the additional risk. But recognizing that wide-block encryption might be useful in some cases, another project P has been started to study the usage of wide-block encryption.
300
IEEE P1619 - Narrow-block vs. wide-block encryption
The project is maintained by the IEEE Security in Storage Working Group (SISWG). Both the disk storage standard P1619 (sometimes called P1619.0) and the tape storage standard P were standardized in December 2007.
301
IEEE P1619 - Narrow-block vs. wide-block encryption
A discussion was ongoing on standardization of the wide-block encryption for disk drives, like CMC and EME, as P1619.2, and on key management as P
302
Diffie–Hellman key exchange - Explanation including encryption mathematics
The simplest and the original implementation of the protocol uses the multiplicative group of integers modulo p, where p is prime and g is a primitive root mod p. Here is an example of the protocol, with non-secret values in blue and secret values in red. Small integers are used for clarity, but actual implementations require using much larger numbers to achieve security. See key length.
303
Diffie–Hellman key exchange - Explanation including encryption mathematics
# Alice and Bob agree to use a prime number p = 23 and base g = 5.
304
Diffie–Hellman key exchange - Explanation including encryption mathematics
# Alice computes s = B^a mod p.
305
Diffie–Hellman key exchange - Explanation including encryption mathematics
# Alice and Bob now share a secret (the number 2) because 6 × 15 is the same as 15 × 6.
306
Diffie–Hellman key exchange - Explanation including encryption mathematics
Both Alice and Bob have arrived at the same value, because (g^a)^b and (g^b)^a are equal mod p. Note that only a, b, and (g^{ab} = g^{ba} mod p) are kept secret. All the other values – p, g, g^a mod p, and g^b mod p – are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel.
307
Diffie–Hellman key exchange - Explanation including encryption mathematics
Of course, much larger values of a, b, and p would be needed to make this example secure, since there are only 23 possible results of n mod 23. However, if p is a prime of at least 300 digits, and a and b are at least 100 digits long, then even the fastest modern computers cannot find a given only g, p, g^b mod p and g^a mod p. The problem such a computer needs to solve is called the discrete logarithm problem.
308
Diffie–Hellman key exchange - Explanation including encryption mathematics
Note that g need not be large at all, and in practice is usually a small prime (like 2, 3, 5...) because primitive roots usually are quite numerous.
309
Diffie–Hellman key exchange - Explanation including encryption mathematics
Here's a more general description of the protocol, in which all the powers are computed modulo p:
310
Diffie–Hellman key exchange - Explanation including encryption mathematics
# Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all attackers.) We will write the group G multiplicatively.
311
Diffie–Hellman key exchange - Explanation including encryption mathematics
# Alice picks a random natural number a and sends g^a to Bob.
312
Diffie–Hellman key exchange - Explanation including encryption mathematics
# Bob picks a random natural number b and sends g^b to Alice.
313
Diffie–Hellman key exchange - Explanation including encryption mathematics
Both Alice and Bob are now in possession of the group element g^{ab}, which can serve as the shared secret key. The values of (g^b)^a and (g^a)^b are the same because groups are power associative. (See also exponentiation.)
314
Diffie–Hellman key exchange - Explanation including encryption mathematics
In order to decrypt a message m, sent as m·g^{ab}, Bob (or Alice) must first compute (g^{ab})^{-1}, as follows:
315
Diffie–Hellman key exchange - Explanation including encryption mathematics
Bob knows |G|, b, and g^a. Lagrange's theorem in group theory establishes that from the construction of G, x^{|G|} = 1 for all x in G.
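The toy exchange above and the Lagrange-based inversion, carried through in Python as an added example (not code from the original slides): p = 23 and g = 5 as stated, the private exponents a = 6 and b = 15 implied by the "6 × 15" remark, and a constructed message m = 7 sent as m·g^{ab} and recovered by Bob without any separate modular-inverse routine.

```python
# Added example: the Diffie-Hellman exchange above, plus decryption of
# m * g^(ab) using (g^(ab))^-1 = (g^a)^(|G| - b), which follows from
# Lagrange's theorem (x^|G| = 1 for all x in G). Here G = Z_p^*, |G| = p - 1.


def dh_public(g: int, secret: int, p: int) -> int:
    """Public value g^secret mod p (sent in the clear)."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """Shared secret (g^b)^a mod p, or (g^a)^b mod p; equal by power associativity."""
    return pow(peer_public, secret, p)


def inverse_via_lagrange(peer_public: int, secret: int, group_order: int, p: int) -> int:
    """(g^(ab))^-1 computed as (g^a)^(|G| - b):
    (g^a)^(|G| - b) = g^(a*|G|) * g^(-ab) = 1 * g^(-ab)."""
    return pow(peer_public, group_order - secret, p)


def demo(p: int = 23, g: int = 5, a: int = 6, b: int = 15, m: int = 7) -> dict:
    """Run the exchange and the m * g^(ab) encrypt/decrypt round trip.
    m = 7 is a constructed sample message, not a value from the slides."""
    A = dh_public(g, a, p)             # Alice -> Bob:   5^6  mod 23 = 8
    B = dh_public(g, b, p)             # Bob -> Alice:   5^15 mod 23 = 19
    s_alice = dh_shared(B, a, p)       # Alice: 19^6 mod 23 = 2
    s_bob = dh_shared(A, b, p)         # Bob:    8^15 mod 23 = 2
    assert s_alice == s_bob
    ciphertext = (m * s_alice) % p                 # Alice sends m * g^(ab) mod p
    inv = inverse_via_lagrange(A, b, p - 1, p)     # Bob: 8^(22 - 15) mod 23 = 12
    recovered = (ciphertext * inv) % p             # 12 * 2 = 24 = 1 mod 23, so m returns
    return {"A": A, "B": B, "s": s_alice, "inverse": inv,
            "ciphertext": ciphertext, "recovered": recovered}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} = {value}")
```

An eavesdropper sees only p, g, A and B; recovering s from those is the discrete logarithm problem the slides refer to, which is trivial at 23 and infeasible at the key sizes mentioned.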
316
File hosting service - Data encryption
Secret key encryption is sometimes referred to as zero knowledge and means only the user has the encryption key needed to decrypt the data. Since data is encrypted using the secret key, identical files encrypted with different keys will be different. Secret key encryption is considered to offer the highest level of access security in cloud storage.
317
File hosting service - Data encryption
Since secret key encryption results in unique files, it makes data deduplication impossible and therefore uses more storage space. (Secure Data Deduplication, Mark W. Storer, Kevin Greenan, Darrell D. E. Long, Ethan L. Miller.)
318
File hosting service - Data encryption
Convergent encryption derives the key from the file content itself, which means that an identical file encrypted on different computers results in identical encrypted files.
319
File hosting service - Data encryption
Demonstrating to a court how applying the convergent encryption methodology to an unencrypted copyrighted file produces the same encrypted file as that possessed by the user would appear to make a strong case that the user is guilty of possessing the file in question, thus providing evidence of copyright infringement by the user.
320
File hosting service - Data encryption
There is, however, no easily accessible public record of this having been tried in court as of May 2013, and an argument could be made that, similar to the opinion expressed by Attorney Rick G
321
USB memory stick - Encryption and Security
As highly portable media, USB flash drives are easily lost or stolen. All USB flash drives can have their contents encrypted using third-party disk encryption software, which can often be run directly from the USB drive without installation (for example, FreeOTFE), although some, such as TrueCrypt, require the user to have administrative rights on every computer it's run on.
322
USB memory stick - Encryption and Security
Archiving software can achieve a similar result by creating encrypted ZIP or RAR files.
323
USB memory stick - Encryption and Security
Some manufacturers have produced USB flash drives which use hardware-based encryption as part of the design (Hardware Encrypted Secure USB Flash Drive), removing the need for third-party encryption software. In limited circumstances these drives have been shown to have security problems, and are typically more expensive than software-based systems, which are available for free.
324
USB memory stick - Encryption and Security
A minority of flash drives support biometric fingerprinting to confirm the user's identity.
325
USB memory stick - Encryption and Security
Some manufacturers deploy physical authentication tokens in the form of a flash drive. These are used to control access to a sensitive system by containing encryption keys or, more commonly, communicating with security software on the target machine. The system is designed so the target machine will not operate except when the flash drive device is plugged into it. Some of these PC lock devices also function as normal flash drives when plugged into other machines.
326
SMS Banking - Compensating controls for lack of encryption
The lack of encryption is inherent to the SMS banking channel and several banks that use it have overcome their fears by introducing compensating controls and limiting the scope of the SMS banking application to where it offers an advantage over other channels.
327
SMS Banking - Compensating controls for lack of encryption
Suppliers of SMS banking software solutions have found reliable means by which the security concerns can be addressed. Typically the methods employed are pre-registration and the use of security tokens where the transaction risk is perceived to be high. Sometimes ATM-type PINs are also employed, but the usage of PINs in SMS banking makes the customer's task more cumbersome.
328
ISDB - Interfaces and Encryption
The ISDB specification describes many (network) interfaces, but most importantly the Common Interface for Conditional Access System (CAS). While ISDB has examples of implementing various kinds of CASes, in Japan the CAS called B-CAS is used. ARIB STD-B25 defines the Common Scrambling Algorithm (CSA) system called MULTI2 required for (de-)scrambling television.
329
ISDB - Interfaces and Encryption
The ISDB CAS system in Japan is operated by a company named B-CAS; the CAS card is called the B-CAS card. The Japanese ISDB signal is always encrypted by the B-CAS system even if it is a free television program. That is why it is commonly called a pay-per-view system without charge. An interface for mobile reception is under consideration.
330
ISDB - Interfaces and Encryption
ISDB supports RMP (Rights management and protection). Since all digital television (DTV) systems carry digital data content, a DVD or high-definition (HD) recorder could easily copy content losslessly.
331
ISDB - Interfaces and Encryption
Currently, the Japanese government is evaluating using the Digital Transmission Content Protection (DTCP) Encryption plus Non-Assertion mechanism, to allow making multiple copies of digital content between compliant devices. (JEITA proposes the EPN encryption scheme as a content-protection measure for terrestrial digital broadcasting: News - CNET Japan)
332
Data encryption 'Cryptography' (or cryptology; from Greek , hidden, secret; and , graphein, writing, or , -logia, study, respectively) (Liddell and Scott's Greek-English Lexicon)
333
Data encryption Cryptography prior to the modern age was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense.
334
Data encryption Modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary.
335
Data encryption Cryptology-related technology has raised a number of legal issues.
336
Data encryption - Terminology
Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks.
337
Data encryption - Terminology
In colloquial use, the term code is often used to mean any method of encryption or concealment of meaning.
338
Data encryption - Terminology
Cryptanalysis is the term used for the study of methods for obtaining the meaning of encrypted information without access to the key normally required to do so; i.e., it is the study of how to crack encryption algorithms or their implementations.
339
Data encryption - Terminology
Some use the terms cryptography and cryptology interchangeably in English, while others (including US military practice generally) use cryptography to refer specifically to the use and practice of cryptographic techniques and cryptology to refer to the combined study of cryptography and cryptanalysis. (Oded Goldreich, Foundations of Cryptography, Volume 1: Basic Tools, Cambridge University Press, 2001, ISBN.) English is more flexible than several other languages in which cryptology (done by cryptologists) is always used in the second sense above.
340
Data encryption - Terminology
The study of characteristics of languages which have some application in cryptography (or cryptology), i.e. frequency data, letter combinations, universal patterns, etc., is called cryptolinguistics.
341
Data encryption - Computer era
Cryptanalysis of the new mechanical devices proved to be both difficult and laborious.
342
Data encryption - Computer era
Furthermore, computers allowed for the encryption of any kind of data representable in any binary format, unlike classical ciphers which only encrypted written language texts; this was new and significant.
343
Data encryption - Computer era
In recent times, IBM personnel designed the algorithm that became the Federal (i.e., US) Data Encryption Standard; Whitfield Diffie and Martin Hellman published their key agreement algorithm (Whitfield Diffie and Martin Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol
344
Data encryption - Computer era
As well as being aware of cryptographic history, cryptographic algorithm and system designers must also sensibly consider probable future developments while working on their designs.
345
Data encryption - Computer era
Essentially, prior to the early 20th century, cryptography was chiefly concerned with linguistic and lexicographic patterns.
346
Data encryption - Cryptanalysis
The goal of cryptanalysis is to find some weakness or insecurity in a cryptographic scheme, thus permitting its subversion or evasion.
347
Data encryption - Cryptanalysis
It is a common misconception that every encryption method can be broken.
348
Data encryption - Cryptanalysis
There are a wide variety of cryptanalytic attacks, and they can be classified in any of several ways.
349
Data encryption - Cryptanalysis
Cryptanalysis of symmetric-key ciphers typically involves looking for attacks against the block ciphers or stream ciphers that are more efficient than any attack that could be mounted against a perfect cipher.
350
Data encryption - Cryptanalysis
Thus, other things being equal, to achieve an equivalent strength of attack resistance, factoring-based encryption techniques must use larger keys than elliptic curve techniques.
351
Data encryption - Cryptanalysis
While pure cryptanalysis uses weaknesses in the algorithms themselves, other attacks on cryptosystems are based on actual use of the algorithms in real devices, and are called side-channel attacks.
352
Data encryption - Cryptographic primitives
Much of the theoretical work in cryptography concerns cryptographic primitives (algorithms with basic cryptographic properties) and their relationship to other cryptographic problems.
353
Data encryption - Prohibitions
Cryptography has long been of interest to intelligence gathering and law enforcement agencies.
354
Data encryption - Prohibitions
In some countries, even the domestic use of cryptography is, or has been, restricted.
355
Data encryption - Prohibitions
However, as the Internet grew and computers became more widely available, high quality encryption techniques became well-known around the globe.
356
Data encryption - Export controls
After the source code for Philip Zimmermann's Pretty Good Privacy (PGP) encryption program found its way onto the Internet in June 1991, a complaint by RSA Security (then called RSA Data Security, Inc.), resulted in a lengthy criminal investigation of Zimmermann by the U.S
357
Data encryption - Export controls
Daniel J
358
Data encryption - Export controls
The treaty stipulated that the use of cryptography with short key-lengths (56-bit for symmetric encryption, 512-bit for RSA) would no longer be export-controlled.
359
Data encryption - NSA involvement
The NSA was involved with the design of DES during its development at IBM and its consideration by the National Bureau of Standards as a possible Federal Standard for cryptography. (The Data Encryption Standard (DES), from Bruce Schneier's CryptoGram newsletter, June 15, 2000.) DES was designed to be resistant to differential cryptanalysis,
360
Data encryption - NSA involvement
a powerful and general cryptanalytic technique known to the NSA and IBM, that became publicly known only when it was rediscovered in the late 1980s. (Eli Biham, E
361
Data encryption - NSA involvement
Another instance of the NSA's involvement was the 1993 Clipper chip affair, an encryption microchip intended to be part of the Capstone cryptography-control initiative.
362
Data encryption - Digital rights management
Cryptography is central to digital rights management (DRM), a group of techniques for technologically controlling use of copyrighted material, being widely implemented and deployed at the behest of some copyright holders.
363
Data encryption - Digital rights management
In 2007, the cryptographic keys responsible for Blu-ray and HD DVD content scrambling were discovered and released onto the Internet
364
Encrypted - Symmetric key encryption
In symmetric-key schemes, the encryption and decryption keys are the same. Thus communicating parties must agree on a secret key before they wish to communicate.
365
Encrypted - Public key encryption
Public-key encryption is a relatively recent invention: historically, all encryption schemes have been symmetric-key (also called private-key) schemes.
366
Encrypted - How encryption is used
Digital rights management systems, which prevent unauthorized use or reproduction of copyrighted material and protect software against reverse engineering (see also copy protection), are another somewhat different example of using encryption on data at rest.
367
Encrypted - How encryption is used
Encryption is also used to protect data in transit, for example data being transferred via networks (e.g
368
History of cryptography - An encryption standard
First was the publication of the draft Data Encryption Standard in the U.S
369
History of cryptography - An encryption standard
However, its 56-bit key-size has been shown to be insufficient to guard against brute force attacks (one such attack, undertaken by the cyber civil-rights group Electronic Frontier Foundation in 1997, succeeded in 56 hours; see Electronic Frontier Foundation, Cracking DES, O'Reilly, 1998). As a result, use of straight DES encryption is now without doubt insecure for use in new cryptosystem designs, and messages protected by older cryptosystems using DES, and indeed all messages sent since 1976 using DES, are also at risk
370
ElGamal - Encryption
The encryption algorithm works as follows: to encrypt a message m to Alice under her public key (G, q, g, h),
371
ElGamal - Encryption
Note that one can easily find h^y if one knows m'. Therefore, a new y is generated for every message to improve security. For this reason, y is also called an ephemeral key.
372
Public-key encryption
'Public-key cryptography', also known as 'asymmetric cryptography', refers to a cryptographic algorithm which requires two separate keys, one of which is secret (or private) and one of which is public
373
Public-key encryption
It is computationally easy for a user to generate their own public and private key-pair and to use them for encryption and decryption
374
Public-key encryption
Message authentication involves processing a message with a private key to produce a digital signature
375
Public-key encryption
Public-key algorithms are fundamental security ingredients in cryptosystems, applications and protocols. They underpin such Internet standards as Transport Layer Security (TLS), PGP, and GPG. Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA).
376
Public-key encryption - History
During the early history of cryptography, two parties would rely upon a key that they would exchange between themselves by means of a secure, but non-cryptographic, method
377
Public-key encryption - History
In 1874, a book by William Stanley Jevons (Jevons, William Stanley, The Principles of Science: A Treatise on Logic and Scientific Method, p
378
Public-key encryption - History
One example mentioned briefly is that enciphering (encryption) is easy while deciphering (decryption) is not
379
Public-key encryption - History
The GCHQ cryptographers referred to the technique as non-secret encryption
380
Public-key encryption - History
An asymmetric-key cryptosystem was published in 1976 by Whitfield Diffie and Martin Hellman who, influenced by Ralph Merkle's work on public-key distribution, disclosed a method of public-key agreement
381
Public-key encryption - History
RSA uses exponentiation modulo a product of two very large primes to encrypt and decrypt, performing both public key encryption and public key digital signature
382
Public-key encryption - History
The ElGamal cryptosystem, invented by Taher ElGamal, relies on the similar and related high level of difficulty of the discrete logarithm problem, as does the closely related DSA, which was developed at the US National Security Agency (NSA) and published by NIST as a proposed standard
383
Public-key encryption - Security
Some encryption schemes can be proven secure on the basis of the presumed difficulty of a mathematical problem, such as factoring the product of two large primes or computing discrete logarithms. Note that secure here has a precise mathematical meaning, and there are multiple different (meaningful) definitions of what it means for an encryption scheme to be secure. The right definition depends on the context in which the scheme will be deployed.
384
Public-key encryption - Security
The most obvious application of a public key encryption system is confidentiality - a message that a sender encrypts using the recipient's public key can be decrypted only by the recipient's paired private key. This assumes, of course, that no flaw is discovered in the basic algorithm used.
385
Public-key encryption - Security
Another type of application in public-key cryptography is that of digital signature schemes
386
Public-key encryption - Security
To achieve both authentication and confidentiality, the sender should include the recipient's name in the message, sign it using his private key, and then encrypt both the message and the signature using the recipient's public key.
387
Public-key encryption - Security
These characteristics can be used to construct many other (sometimes surprising) cryptographic protocols and applications, such as digital cash, password-authenticated key agreement, multi-party key agreement, time-stamping services, non-repudiation protocols, etc.
388
Public-key encryption - Actual algorithms: two linked keys
Not all asymmetric key algorithms operate in precisely this fashion. The most common ones have the property that Alice and Bob each own two keys, one for encryption and one for decryption. In a secure asymmetric key encryption scheme, the private key should not be deducible from the public key. This is known as public-key encryption, since an encryption key can be published without compromising the security of messages encrypted with that key.
389
Public-key encryption - Actual algorithms: two linked keys
In the analogy above, Bob might publish instructions on how to make a lock (public key). However, the workings of the lock are such that it is impossible (so far as is known) to deduce from the instructions given just exactly how to make a key that will open that lock (e.g. a private key). Those wishing to send messages to Bob must use the public key to encrypt the message, then Bob can use his private key to decrypt it.
390
Public-key encryption - Actual algorithms: two linked keys
Another example has Alice and Bob each choosing a key at random, and then contacting each other to compare the depth of each notch on their keys. Having determined the difference, a locked box is built with a special lock that has each pin inside divided into 2 pins, matching the numbers of their keys. Now the box will be able to be opened with either key, and Alice and Bob can exchange messages inside the box in a secure fashion.
391
Public-key encryption - Relation to real world events
A public key will be known to a large and, in practice, unknown set of users. All events requiring revocation or replacement of a public key can take a long time to take full effect with all who must be informed (i.e. all those users who possess that key). For this reason, systems that must react to events in real time (e.g., safety-critical systems or national security systems) should not use public-key encryption without taking great care. There are four issues of interest:
392
Public-key encryption - Distribution of a new key
After a key has been revoked, or when a new user is added to a system, a new key must be distributed in some predetermined manner
393
Public-key encryption - Distribution of a new key
One could leave the power to create (and certify) keys (as well as to revoke them) in the hands of each user - the original PGP design did so - but this raises problems of user understanding and operation
394
Public-key encryption - Distribution of a new key
It is most likely a system-wide failure if the (possibly combined) principal that issues new keys fails by issuing keys improperly. This is an instance of a common mutual exclusion - a design can make the reliability of a system high, but only at the cost of system availability (and vice versa).
395
Ciphertext stealing - ECB encryption steps (see figure)
- E_{n−1} = Encrypt(K, P_{n−1}). Encrypt P_{n−1} to create E_{n−1}. This is equivalent to the behavior of standard ECB mode.
396
Ciphertext stealing - ECB encryption steps (see figure)
- C_{n−1} = Encrypt(K, D_n). Encrypt D_n to create C_{n−1}. For the first M bits, this is equivalent to what would happen in ECB mode (other than the ciphertext ordering). For the last B−M bits, this is the second time that these data have been encrypted under this key (it was already encrypted in the production of E_{n−1} in step 2).
397
Ciphertext stealing - CBC encryption steps
- X_{n−1} = P_{n−1} XOR C_{n−2}. Exclusive-OR P_{n−1} with the previous ciphertext block, C_{n−2}, to create X_{n−1}. This is equivalent to the behavior of standard CBC mode.
398
Ciphertext stealing - CBC encryption steps
- E_{n−1} = Encrypt(K, X_{n−1}). Encrypt X_{n−1} to create E_{n−1}. This is equivalent to the behavior of standard CBC mode.
399
Ciphertext stealing - CBC encryption steps
- D_n = E_{n−1} XOR P
400
Ciphertext stealing - CBC encryption steps
- C_{n−1} = Encrypt(K, D_n). Encrypt D_n to create C_{n−1}. For the first M bits, this is equivalent to what would happen in CBC mode (other than the ciphertext ordering). For the last B−M bits, this is the second time that these data have been encrypted under this key (it was already encrypted in the production of E_{n−1} in step 2).
401
Ciphertext stealing - CBC ciphertext stealing encryption using a standard CBC interface
- Encrypt the whole padded plaintext using the standard CBC mode.
402
Ciphertext stealing - CBC ciphertext stealing encryption using a standard CBC interface
- Truncate the ciphertext to the length of the original plaintext.
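As an added example (not from the slides), the CBC-CTS steps above and the standard-CBC-interface procedure implemented side by side in Go with AES-128 from the standard library; the key, IV and plaintext are constructed. It assumes the ordering the steps produce, where the full block C_{n−1} precedes the truncated C_n, which is why the standard-CBC path exchanges the last two blocks before truncating, a step the excerpt above does not spell out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

var errTooShort = errors.New("ciphertext stealing needs more than one block of input")
// xorBytes returns a XOR b; both slices must have the same length.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encBlock is one raw block-cipher call, the Encrypt(K, .) of the steps.
func encBlock(blk cipher.Block, in []byte) []byte {
	out := make([]byte, blk.BlockSize())
	blk.Encrypt(out, in)
	return out
}

// split returns the block count n and the length M (1..B) of the final block P_n.
func split(length, B int) (n, M int, err error) {
	if length <= B {
		return 0, 0, errTooShort
	}
	n = (length + B - 1) / B
	return n, length - (n-1)*B, nil
}

// ctsEncryptSteps follows the step-by-step description: ordinary CBC for
// blocks 1..n-2, then X_{n-1}, E_{n-1}, D_n, C_{n-1} and C_n for the last two.
func ctsEncryptSteps(blk cipher.Block, iv, pt []byte) ([]byte, error) {
	B := blk.BlockSize()
	n, M, err := split(len(pt), B)
	if err != nil {
		return nil, err
	}
	out, prev := make([]byte, 0, len(pt)), iv // prev is C_{i-1}; C_0 is the IV
	for i := 0; i < n-2; i++ {
		prev = encBlock(blk, xorBytes(pt[i*B:(i+1)*B], prev))
		out = append(out, prev...)
	}
	xn1 := xorBytes(pt[(n-2)*B:(n-1)*B], prev) // X_{n-1} = P_{n-1} XOR C_{n-2}
	en1 := encBlock(blk, xn1)                   // E_{n-1} = Encrypt(K, X_{n-1})
	pn := make([]byte, B)
	copy(pn, pt[(n-1)*B:])                      // P_n padded with zeros to B bytes
	dn := xorBytes(en1, pn)                     // D_n = E_{n-1} XOR (P_n || 0...)
	cn1 := encBlock(blk, dn)                    // C_{n-1} = Encrypt(K, D_n)
	out = append(out, cn1...)
	return append(out, en1[:M]...), nil // C_n = head(E_{n-1}, M): the stolen bits
}

// ctsEncryptViaCBC gets the same bytes from a standard CBC interface: pad,
// CBC-encrypt, exchange the last two ciphertext blocks, truncate.
func ctsEncryptViaCBC(blk cipher.Block, iv, pt []byte) ([]byte, error) {
	B := blk.BlockSize()
	n, _, err := split(len(pt), B)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, n*B) // padding bytes never reach the output, so zeros suffice
	copy(padded, pt)
	ct := make([]byte, n*B)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	out := append([]byte{}, ct[:(n-2)*B]...)
	out = append(out, ct[(n-1)*B:]...)        // last standard block = C_{n-1}
	out = append(out, ct[(n-2)*B:(n-1)*B]...) // second-to-last = E_{n-1}, cut to M
	return out[:len(pt)], nil
}

// ctsAgree reports whether both paths produce identical ciphertext of the
// plaintext's own length.
func ctsAgree(key, iv, pt []byte) (bool, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	a, err := ctsEncryptSteps(blk, iv, pt)
	if err != nil {
		return false, err
	}
	b, err := ctsEncryptViaCBC(blk, iv, pt)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b) && len(a) == len(pt), nil
}

func main() {
	// Constructed AES-128 key, IV and a 43-byte message (two full blocks plus 11 bytes).
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	fmt.Println(ctsAgree(key, iv, []byte("ciphertext stealing keeps the length intact")))
}
```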
403
Digital signing - Using separate key pairs for signing and encryption
If an encryption key is lost, a backup or key escrow should be utilized to continue viewing encrypted content
404
Internet Explorer 3 - Encryption
Internet Explorer 3 was the first version of the browser to support SSL. The last patch versions of Internet Explorer 3 supported 40-bit and 128-bit encryption, using Server Gated Cryptography (SGC). 256-bit encryption would not become available in IE for nearly 10 years, with the Windows Vista version of Internet Explorer 7.
405
Internet Explorer 3 - Encryption
128-bit encryption was available or included for these versions:
406
Internet Explorer 3 - Encryption
If it was not possible to upgrade to 128-bit, then 40-bit (SGC) was standard.
407
XML Encryption
'XML Encryption', also known as XML-Enc, is a specification, governed by a W3C recommendation, that defines how to encrypt the contents of an XML element.
408
XML Encryption
Although XML Encryption can be used to encrypt any kind of data, it is nonetheless known as XML Encryption because an XML element (either an EncryptedData or EncryptedKey element) contains or refers to the cipher text, keying information, and algorithms.
409
ZFS - Encryption
A command to switch to a new data encryption key for the clone or at any time is provided— this does not re-encrypt already existing data, instead utilising an encrypted master-key mechanism.
410
Diffie-Hellman - Explanation including encryption mathematics
Both Alice and Bob have arrived at the same value, because (g^a)^b and (g^b)^a are equal mod p. Note that only a, b, and (g^{ab} mod p = g^{ba} mod p) are kept secret. All the other values – p, g, g^a mod p, and g^b mod p – are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel.
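The exchange just described, together with the ElGamal ephemeral-key point from slides 370 and 371 built on the same group, as an added Go example that is not part of the original deck. The 64-bit safe-prime group, the public-value check and the sample messages are constructed for illustration; the arithmetic uses Go's math/big.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// Group is a toy safe-prime group: p = 2q+1 with q prime, g = 4 generating the
// order-q subgroup. Constructed for illustration; deployments use standardized
// parameters of 2048 bits or more.
type Group struct{ p, q, g *big.Int }

func toyGroup(bits int) Group {
	for {
		q, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			panic(err)
		}
		p := new(big.Int).Add(new(big.Int).Lsh(q, 1), one)
		if p.ProbablyPrime(32) {
			// 4 = 2^2 is a quadratic residue and not 1, so its order is q.
			return Group{p: p, q: q, g: big.NewInt(4)}
		}
	}
}

// randExp draws a secret exponent uniformly from [1, q-1].
func (G Group) randExp() *big.Int {
	e, err := rand.Int(rand.Reader, new(big.Int).Sub(G.q, one))
	if err != nil {
		panic(err)
	}
	return e.Add(e, one)
}

func (G Group) exp(base, e *big.Int) *big.Int { return new(big.Int).Exp(base, e, G.p) }

// validPublic rejects out-of-range peer values and elements outside the
// order-q subgroup (y^q != 1); a receiver should run this before using a value.
func (G Group) validPublic(y *big.Int) bool {
	if y.Cmp(big.NewInt(2)) < 0 || y.Cmp(new(big.Int).Sub(G.p, one)) >= 0 {
		return false
	}
	return G.exp(y, G.q).Cmp(one) == 0
}

// dhExchange: Alice sends g^a and Bob sends g^b in the clear (as are p and g);
// each raises the other's value to its own secret and hashes the result into
// a key. Only a, b and g^{ab} mod p stay secret.
func dhExchange(G Group) (alice, bob [32]byte, ok bool) {
	a, b := G.randExp(), G.randExp()
	ga, gb := G.exp(G.g, a), G.exp(G.g, b)
	if !G.validPublic(ga) || !G.validPublic(gb) {
		return alice, bob, false
	}
	width := (G.p.BitLen() + 7) / 8 // fixed-width encoding before hashing
	alice = sha256.Sum256(G.exp(gb, a).FillBytes(make([]byte, width))) // (g^b)^a
	bob = sha256.Sum256(G.exp(ga, b).FillBytes(make([]byte, width)))   // (g^a)^b
	return alice, bob, true
}

// ElGamal on the same group: public key h = g^x, ciphertext (g^y, m * h^y).
// y is a parameter only so the reuse demonstration can force the same y twice;
// normal use draws a fresh y from randExp for every message.
func elgamalEncryptWith(G Group, h, m, y *big.Int) (c1, c2 *big.Int) {
	c1 = G.exp(G.g, y)
	c2 = new(big.Int).Mul(m, G.exp(h, y))
	return c1, c2.Mod(c2, G.p)
}

func elgamalDecrypt(G Group, x, c1, c2 *big.Int) *big.Int {
	s := G.exp(c1, x) // h^y = (g^y)^x, recomputed from the private key
	m := new(big.Int).Mul(c2, new(big.Int).ModInverse(s, G.p))
	return m.Mod(m, G.p)
}

// ephemeralReuseLeaks shows why y must be fresh per message: from one known
// plaintext m' sent under y, h^y = c2'/m' follows, and with it every other
// ciphertext that reused y can be unmasked without ever learning x.
func ephemeralReuseLeaks(G Group) bool {
	x := G.randExp()
	h := G.exp(G.g, x)
	mKnown, mSecret := big.NewInt(1234), big.NewInt(5678) // constructed messages
	y := G.randExp()
	_, c2Known := elgamalEncryptWith(G, h, mKnown, y)
	_, c2Secret := elgamalEncryptWith(G, h, mSecret, y) // same y: the mistake
	hy := new(big.Int).Mul(c2Known, new(big.Int).ModInverse(mKnown, G.p))
	recovered := new(big.Int).Mul(c2Secret, new(big.Int).ModInverse(hy, G.p))
	return recovered.Mod(recovered, G.p).Cmp(mSecret) == 0
}

func main() {
	G := toyGroup(64)
	a, b, ok := dhExchange(G)
	fmt.Println("DH keys agree:", ok && a == b)
	fmt.Println("ephemeral reuse leaks plaintext:", ephemeralReuseLeaks(G))
}
```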
411
Transparent Data Encryption
'Transparent Data Encryption' (often abbreviated to 'TDE') is a technology employed by both Microsoft and Oracle to encrypt database content. TDE offers encryption at a column, table, and tablespace level. TDE solves the problem of protecting data at rest, encrypting databases both on the Hard Drive and consequently on backup media. Enterprises typically employ TDE to solve compliance issues such as PCI DSS.
412
Transparent Data Encryption
Microsoft offers TDE as part of its Microsoft SQL Server 2008, SQL Server 2008 R2 and SQL Server TDE is only supported on the Evaluation, Developer, Enterprise and Datacenter versions of Microsoft SQL Server. SQL TDE is supported by Hardware Security Modules from Townsend Security and SafeNet, Inc.
413
Transparent Data Encryption
Oracle Advanced Security TDE tablespace encryption and support for Hardware Security Modules (HSM) were introduced with Oracle Database 11gR1
414
Transparent Data Encryption
The same key is used to encrypt columns in a table, regardless of the number of columns to be encrypted. These encryption keys are encrypted using the database server master key and are stored in a dictionary table in the database.
415
Features new to Windows 8 - Device encryption
Unlike BitLocker, device encryption on x86-based devices requires that the device meet the Connected Standby specifications (which among other requirements, requires that the device use solid state storage and have RAM soldered directly to the motherboard) and have a Trusted Platform Module (TPM) 2.0 chip.
416
Microsoft Office password protection - History of Microsoft Encryption password
In Excel and Word 95 and prior editions a weak protection algorithm is used that converts a password to a 16-bit key. Currently, hacking software is readily available to find a 16-bit key and decrypt the password-protected document instantly.
417
Microsoft Office password protection - History of Microsoft Encryption password
In Excel and Word 97 and 2000 the key length was increased to 40 bits. This protection algorithm is also currently considered to be weak and presents no difficulties to hacking software.
418
Microsoft Office password protection - History of Microsoft Encryption password
The default protection in Office XP and 2003 was not changed, but an opportunity to use a custom protection algorithm was added
419
Microsoft Office password protection - History of Microsoft Encryption password
In Office 2007 (Word, Excel and PowerPoint), protection was significantly enhanced since a modern protection algorithm named Advanced Encryption Standard was used. At present there is no software that can break this encryption. With the help of SHA-1 hash function, a password is converted into a 128-bit key 50,000 times before document opening, and because of that, password recovery speed was vastly reduced.
420
Microsoft Office password protection - History of Microsoft Encryption password
Excel and Word 2010 still employ AES and a 128-bit key, but the number of SHA-1 conversions has doubled to 100,000, further reducing password recovery speed.
421
Psi (instant messaging client) - Encryption
Psi has built-in GnuPG support for message encryption.
422
Interbase - Data controller friendly inbuilt encryption
The separation of the encryption also enables developers to just develop the application rather than worry about the data visible from a specific user login.
423
Cramer–Shoup cryptosystem - Encryption
To encrypt a message m to Alice under her public key (G,q,g_1,g_2,c,d,h),
424
Cramer–Shoup cryptosystem - Encryption
- α = H(u_1, u_2, e), where H() is a universal one-way hash function (or a collision resistant cryptographic hash function, which is a stronger requirement).
425
Cramer–Shoup cryptosystem - Encryption
- Bob sends the ciphertext (u_1, u_2, e, v) to Alice.
427
Cipher disk - Methods of Encryption
The cipher disk can be used in one of two ways. The code can be a consistent monoalphabetic substitution for the entire cipher or the disks can be moved periodically throughout the cipher making it polyalphabetic. For a monoalphabetic use, the sender and the person receiving the messages would agree on a cipher key setting (e.g., the G in the regular alphabet would be positioned next to the Q in the cipher alphabet). The entire message is then encoded according to this key.
428
Cipher disk - Methods of Encryption
In addition to simple substitution ciphers, the cipher disk opened the way for convenient polyalphabetic ciphers. An easy way to do this is for the sender and the recipient to agree that a certain number of characters into the message, the scales would be shifted one character to the right, repeating the procedure every tenth letter. This would make it more difficult to crack using statistical methods.
429
Information theoretic security - Physical layer encryption
A weaker notion of security defined by A. Wyner established a now flourishing area of research known as physical layer encryption. This exploits the physical wireless channel for its security by communications, signal processing, and coding techniques. The security is provable, unbreakable, and quantifiable (in bits/second/hertz).
430
Information theoretic security - Physical layer encryption
Wyner's initial physical layer encryption work in the 1970s posed the Alice – Bob – Eve problem in which Alice wants to send a message to Bob without Eve decoding it
431
Information theoretic security - Physical layer encryption
More recent theoretical results are concerned with determining the secrecy capacity and optimal power allocation in broadcast fading channels.
432
Information theoretic security - Physical layer encryption
There are caveats, as many capacities are not computable unless the assumption is made that Alice knows the channel to Eve. If this were known, Alice could simply place a null in Eve's direction. Secrecy capacity for MIMO and multiple colluding eavesdroppers is more recent and ongoing work, and these results still make the non-useful assumption about eavesdropper channel state information knowledge.
433
Information theoretic security - Physical layer encryption
Still other work is less theoretical and attempts to compare implementable schemes. One physical layer encryption scheme is to broadcast artificial noise in all directions except that of Bob's channel, basically jamming Eve. One paper by Negi and Goel details the implementation, and Khisti and Wornell computed the secrecy capacity when only statistics about Eve's channel are known.
434
Information theoretic security - Physical layer encryption
Parallel to this work in the information theory community is work in the antenna community that has been termed near-field direct antenna modulation or directional modulation.
435
Information theoretic security - Physical layer encryption
It was shown that by using a parasitic array, the transmitted modulation in different directions could be controlled independently.
436
Information theoretic security - Physical layer encryption
Secrecy could be realized by making the modulations in undesired directions difficult to decode. Directional modulation data transmission was experimentally demonstrated using a phased array.
437
Information theoretic security - Physical layer encryption
Others have demonstrated directional modulation with switched arrays and phase-conjugating lenses.
438
Information theoretic security - Physical layer encryption
This type of directional modulation is really a subset of Negi and Goel's additive artificial noise encryption scheme. Another scheme using pattern-reconfigurable transmit antennas for Alice called reconfigurable multiplicative noise (RMN) complements additive artificial noise.
439
Information theoretic security - Physical layer encryption
The two work well together in channel simulations in which nothing is assumed known to Alice or Bob about the eavesdroppers.
440
Information security audit - Encryption and IT audit
In assessing the need for a client to implement encryption policies for their organization, the Auditor should conduct an analysis of the client’s risk and data value. Companies with multiple external users, e-commerce applications, and sensitive customer/employee information should maintain rigid encryption policies aimed at encrypting the correct data at the appropriate stage in the data collection process.
441
Information security audit - Encryption and IT audit
Auditors should continually evaluate their client’s encryption policies and procedures
442
Information security audit - Encryption and IT audit
Finally the auditor should attain verification from management that the encryption system is strong, not attackable and compliant with all local and international laws and regulations.
443
FileVault - Manual encryption
Instead of using FileVault to encrypt a user's home directory, using Disk Utility a user can create an encrypted disk image themselves and store any subset of their home directory in there (for example, ~/Documents/private). This encrypted image behaves similarly to a FileVault encrypted home directory, but is under the user's maintenance.
444
FileVault - Manual encryption
Encrypting only a part of a user's home directory might be problematic when applications need access to the encrypted files, which will not be available until the user mounts the encrypted image. This can be mitigated to a certain extent by making symbolic links for these specific files.
445
AACS encryption key controversy
A 'controversy surrounding the AACS cryptographic key' arose in April 2007 when the Motion Picture Association of America and the Advanced Access Content System Licensing Administrator, LLC (AACS LA) began issuing cease and desist letters to websites publishing a 128-bit (16-byte) number, represented in hexadecimal as '09 F D 74 E3 5B D C C0' (commonly referred to as '09 F9'), which is one of the cryptographic keys for HD DVDs and Blu-ray Discs
446
AACS encryption key controversy
In response to widespread Internet postings of the key, the AACS LA issued various press statements, praising those websites that complied with their requests as acting in a responsible manner, warning that legal and technical tools were adapting to the situation.
447
AACS encryption key controversy
The controversy was further escalated in early May 2007, when aggregate news site Digg received a DMCA cease and desist notice and then removed numerous articles on the matter and banned users reposting the information.
448
AACS encryption key controversy
This sparked what some describe as a digital revolt or cyber-riot, in which users posted and spread the key on Digg, and throughout the Internet en masse, thereby leading to the Streisand effect. The AACS LA described this situation as an interesting new twist.
449
AACS encryption key controversy - Background
Hexadecimal is a base-16 numeral system used in the fields of computer programming and mathematics
450
AACS encryption key controversy - Background
Because the encryption key may be used as part of circumvention technology forbidden by the DMCA, its possession and distribution have been viewed as illegal by the AACS, as well as by some legal professionals
451
AACS encryption key controversy - Background
Commercial HD DVDs and Blu-ray Discs integrate copy protection technology specified by the AACS LA. There are several interlocking encryption mechanisms, such that cracking one part of the system does not necessarily crack other parts. Therefore, the 09 F9 key is only one of many parts that are needed to play a disc on an unlicensed player.
452
AACS encryption key controversy - Background
The compromised players can still be used to view old discs, but not newer releases without encryption keys for the compromised players
453
AACS encryption key controversy - 2006
On December 26, 2006, a person using the alias muslix64 published a utility named BackupHDDVD and its source code on the DVD decryption forum at the website Doom9. BackupHDDVD can be used to decrypt AACS protected content once one knows the encryption key. muslix64 claimed to have found title and volume keys in main memory while playing HD DVDs using a software player, and that finding them is not difficult.
454
AACS encryption key controversy - 2007
On January 1, 2007, muslix64 published a new version of the program, with volume key support. On January 12, 2007, other forum members detailed how to find other title and volume keys, stating they had also found the keys of several movies in RAM while running WinDVD.
455
AACS encryption key controversy - 2007
On or about January 13, a title key was posted on pastebin.com in the form of a riddle, which was solved by entering terms into the Google search engine. By converting these results to hexadecimal, a correct key could be formed. Later that day, the first cracked HD DVD, Serenity, was uploaded on a private torrent tracker. The AACS LA confirmed on January 26 that the title keys on certain HD DVDs had been published without authorization.
456
AACS encryption key controversy - 2007
Doom9.org forum user arnezami found and published the 09 F9 AACS processing key on February 11:
457
AACS encryption key controversy - 2007
This key is not specific to any playback device or DVD title. Doom9.org forum user jx6bpm claimed on March 4 to have revealed CyberLink's PowerDVD's key, and that it was the key in use by AnyDVD.
458
AACS encryption key controversy - 2007
The AACS LA announced on April 16 that it had revoked the decryption keys associated with certain software high-definition DVD players, which will not be able to decrypt AACS encrypted disks mastered after April 23, without an update of the software.
459
AACS encryption key controversy - 2007
On May 17, one week before any discs with the updated processing key had reached retail, claims were reported of the new keys having been retrieved from a preview disc of The Matrix Trilogy. On May 23, the key 45 5F E CA 29 C4 93 3F B 79 2A B2 was posted on Edward Felten's Freedom to Tinker Blog and confirmed a week later by arnezami on Doom9 as the new processing key (MKB v3).
460
AACS encryption key controversy - 2008
In August, two new processing keys were posted:
461
AACS encryption key controversy - 2009
While individual discs have been decrypted containing media key block version 17, processing keys for versions past 10 have not yet been released to the public.
462
AACS encryption key controversy - 2009
Many more later keys were discovered, but most were not released publicly, probably because that would make them easier to revoke.
463
AACS encryption key controversy - DMCA notices and Digg
As early as April 17, 2007, AACS LA had issued DMCA violation notices, sent by Charles S. Sims of Proskauer Rose. Following this, dozens of notices were sent to various websites hosted in the United States.
464
AACS encryption key controversy - DMCA notices and Digg
On May 1, 2007, in response to a DMCA demand letter, technology news site Digg began closing accounts and removing posts containing or alluding to the key
465
AACS encryption key controversy - DMCA notices and Digg
"But now, after seeing hundreds of stories and reading thousands of comments, you've made it clear. You'd rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won't delete stories or comments containing the code and will deal with whatever the consequences might be."
466
AACS encryption key controversy - Legal opinions
Lawyers and other representatives of the entertainment industry, including Michael Ayers, an attorney for Toshiba Corporation, expressed surprise at Digg's decision, but suggested that a suit aimed at Digg might merely spread the information more widely.
467
AACS encryption key controversy - Legal opinions
The American Bar Association's eReport published a discussion of the controversy, in which Eric Goldman at Santa Clara University's High Tech Law Institute noted that the illegality of putting the code up is questionable (that Section 230 of the Communications Decency Act may protect the provider when the material itself is not copyrighted), although continuing to allow posting of the key may be risky, and entertainment lawyer Carole Handler noted that even if the material is illegal, laws such as the DMCA may prove ineffective in a practical sense.
468
AACS encryption key controversy - Impact
In a response to the events occurring on Digg and the call to "Spread this number", the key was rapidly posted to thousands of pages, blogs and wikis across the Internet. The reaction was an example of the Streisand effect, in which attempts by Barbra Streisand to censor aerial photographs of her house led to their mass publication.
469
AACS encryption key controversy - Impact
Intellectual property lawyer Douglas J. Sorocco noted, "People are getting creative. It shows the futility of trying to stop this. Once the information is out there, cease-and-desist letters are going to infuriate this community more." Outside of the Internet and the mass media, the key has appeared in or on T-shirts, poetry, songs and music videos, illustrations and other graphic artworks, tattoos and body art, and comic strips.
470
AACS encryption key controversy - Impact
On Tuesday afternoon, May 1, 2007, a Google search for the key returned 9,410 results, while the same search the next morning returned nearly 300,000 results. On Friday, the BBC reported that a search on Google shows almost 700,000 pages have published the key, despite the fact that on April 17, the AACS LA sent a DMCA notice to Google, demanding that Google stop returning any results for searches for the key.
471
AACS encryption key controversy - Impact
Widespread news coverage (CNet, BBC, Financial Times, Associated Press) included speculation on the development of user-driven websites, the legal liability of running a user-driven website, the perception of acceptance of DRM, the failure as a business model of secrecy-based businesses ..
472
AACS encryption key controversy - Impact
In an opposing move, Carter Wood of the National Association of Manufacturers said they had removed the "Digg It" link from their weblog.
473
AACS encryption key controversy - Impact
Media coverage initially avoided quoting the key itself. However, several US-based news sources have run stories containing the key, quoting its use on Digg,
474
AACS encryption key controversy - Impact
though none are known to have received DMCA notices as a result. Later reports have discussed this, quoting the key. Current TV broadcast the key during a Google Current story on the Digg incident on May 3, 2007, displaying it in full on screen for several seconds and placing the story on the station website.
475
AACS encryption key controversy - Impact
Wikipedia, on May 1, 2007, locked out the page named for the number to prevent the former secret from being posted again. The page on HD DVD was locked, too, to keep out The Number. This action was later reversed.
476
AACS encryption key controversy - AACS LA reaction
On May 7, 2007, the AACS LA announced on its website that it had requested the removal solely of illegal circumvention tools, including encryption keys, from a number of web sites, and that it had not requested the removal or deletion of any ..
477
Apple Remote Desktop - Encryption
Prior to version 3, ARD encrypted only passwords, mouse events and keystrokes; and not desktop graphics or file transfers. Apple therefore recommended that ARD traffic crossing a public network should be tunnelled through a VPN, to avoid the possibility of someone eavesdropping on ARD sessions.
478
Apple Remote Desktop - Encryption
ARD 3.0 has the option of using 128-bit AES, the same as a basic SSH server.
479
Apple Remote Desktop - Encryption
Apple retained VNC's 8 character limit on passwords, so ARD cannot use passwords considered to be of 'minimum' length by contemporary standards.
480
E-mail client - Encryption
With no encryption, much as with postcards, activity is plainly visible to any occasional eavesdropper. Encryption enables privacy to be safeguarded by encrypting the mail sessions, the body of the message, or both. Without it, anyone with network access and the right tools can monitor traffic and obtain login passwords. Examples of concern include government censorship and surveillance, and fellow wireless network users such as those at an Internet cafe.
481
E-mail client - Encryption of mail sessions
At any further hop, messages may be transmitted with or without encryption, depending solely on the general configuration of the transmitting server and the capabilities of the receiving one.
482
E-mail client - Encryption of mail sessions
Encrypted mail sessions deliver messages in their original format, i.e. plain text or encrypted body, to a user's local mailbox and to the destination server's. The latter server is operated by a hosting service provider, possibly a different entity than the internet access provider currently at hand.
483
E-mail client - Encryption of the message body
There are two models for managing cryptographic keys. S/MIME employs a model based on a trusted certificate authority (CA) that signs users' public keys. OpenPGP employs a somewhat more flexible web of trust mechanism that allows users to sign one another's public keys. OpenPGP is also more flexible in the format of the messages, in that it still supports plain message encryption and signing as they used to work before MIME standardization.
484
E-mail client - Encryption of the message body
In both cases, only the message body is encrypted. Header fields, including originator, recipients, and subject, remain in plain text.
485
Cryptography standards - Encryption standards
* RSA, the original public key algorithm
486
Key length - Key size and encryption system
Encryption systems are often grouped into families. Common families include symmetric systems (e.g. AES) and asymmetric systems (e.g. RSA); they may alternatively be grouped according to the central algorithm used (e.g. elliptic curve cryptography).
487
Key length - Key size and encryption system
For example, a 1039-bit integer was factored with the special number field sieve using 400 computers over 11 months (Researcher: RSA 1024-bit Encryption not Enough). The factored number was of a special form; the special number field sieve cannot be used on RSA keys.
488
Signals intelligence - Strong and well-managed encryption
Encryption is central to the defense. The encryption process is vulnerable if the cryptographic keys are not strong and protected, and, on computers, if the cleartext is not deleted when not needed.
489
James H. Ellis - Invention of non-secret encryption
Ellis said that the idea first occurred to him after reading a paper from World War II by someone at Bell Labs describing a way to protect voice communications by the receiver adding (and then later subtracting) random noise (possibly this 1944 paper or the 1945 paper co-authored by Claude Shannon). He realised that 'noise' could be applied mathematically but was unable to devise a way to implement the idea.
490
James H. Ellis - Invention of non-secret encryption
He went home, thought about it, and returned with the basic idea for what has become known as the RSA asymmetric key encryption algorithm.
491
James H. Ellis - Invention of non-secret encryption
Not long thereafter, Cocks' friend and fellow mathematician, Malcolm Williamson, now also working at GCHQ, after being told of Cocks' and Ellis' work, thought about the problem of key distribution and developed what has since become known as Diffie–Hellman key exchange. Again, this discovery was classified information and it was therefore kept secret.
492
James H. Ellis - Invention of non-secret encryption
When, a few years later, Diffie and Hellman published their 1976 paper, and shortly after that Rivest, Shamir, and Adleman announced their algorithm, Cocks, Ellis, and Williamson suggested that GCHQ announce that they had previously developed both. GCHQ decided against publication at the time.
493
James H. Ellis - Invention of non-secret encryption
At this point, only GCHQ and the National Security Agency (NSA) in the USA knew about the work of Ellis, Cocks and Williamson. Whitfield Diffie heard a rumour, probably from the NSA, and travelled to see James Ellis. The two men talked about a range of subjects until, at the end, Diffie asked Ellis, "Tell me how you invented public-key cryptography." After a long pause, Ellis replied, "Well, I don't know how much I should say. Let me just say that you people made much more of it than we did."
494
James H. Ellis - Invention of non-secret encryption
On 18 December 1997, Clifford Cocks delivered a public talk which contained a brief history of GCHQ's contribution so that Ellis, Cocks and Williamson received some acknowledgment after nearly three decades of secrecy. James Ellis died on 25 November 1997, a month before the public announcement was made.
495
Triple-DES - Encryption of more than one block
As with all block ciphers, encryption and decryption of multiple blocks of data may be performed using a variety of modes of operation, which can generally be defined independently of the block cipher algorithm.
496
List of important publications in cryptography - Data Encryption Standard
Description: DES is not only one of the most widely deployed ciphers in the world but has had a profound impact on the development of cryptography. Roughly a generation of cryptographers devoted much of their time to attacking and improving DES.
497
List of important publications in cryptography - Using encryption for authentication in large networks of computers
Description: This paper introduced the basic ideas of cryptographic protocols and showed how both secret-key and public-key encryption could be used to achieve authentication.
498
List of important publications in cryptography - Probabilistic Encryption
Description: The paper provides a rigorous basis for encryption (e.g., partial information) and shows that it is possible to equate even the slightest cryptanalytic success with solving a pure math problem.
499
List of important publications in cryptography - Probabilistic Encryption
Second, it introduces the notion of computational indistinguishability.
500
International Data Encryption Algorithm
In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai. The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher, Proposed Encryption Standard (PES).
501
International Data Encryption Algorithm
The cipher was designed under a research contract with the Hasler Foundation, which became part of Ascom-Tech AG. The cipher was patented in a number of countries but was freely available for non-commercial use. The name “IDEA” is also a trademark. The last patents expired in 2012 and IDEA is now patent-free and thus free to use.
502
International Data Encryption Algorithm
IDEA was used in Pretty Good Privacy (PGP) v2.0, and was incorporated after the original cipher used in v1.0, BassOmatic, was found to be insecure. IDEA is an optional algorithm in the OpenPGP standard.
503
International Data Encryption Algorithm - Operation
The processes for encryption and decryption are similar. The cipher interleaves three operations on 16-bit words, drawn from algebraically incompatible groups:
504
International Data Encryption Algorithm - Operation
* Bitwise exclusive OR (denoted in the round diagram by a blue circled plus).
505
International Data Encryption Algorithm - Operation
* Addition modulo 2^16 (denoted by a green boxed plus).
506
International Data Encryption Algorithm - Operation
* Multiplication modulo 2^16 + 1, where the all-zero word (0x0000) in the inputs is interpreted as 2^16, and 2^16 in the output is interpreted as the all-zero word (0x0000) (denoted by a red circled dot).
507
International Data Encryption Algorithm - Operation
After the eight rounds comes a final "half round", the output transformation, which applies one more layer of key mixing without the middle-word swap.
508
International Data Encryption Algorithm - Structure
The overall structure of IDEA follows the Lai-Massey scheme. XOR is used for both subtraction and addition. IDEA uses a key-dependent half-round function. To work with 16 bit words (meaning four inputs instead of two for the 64 bit block size), IDEA uses the Lai-Massey scheme twice in parallel, with the two parallel round functions being interwoven with each other. To ensure sufficient diffusion, two of the sub-blocks are swapped after each round.
509
International Data Encryption Algorithm - Key schedule
Each round uses six 16-bit sub-keys, while the half-round uses four, a total of 52 for 8.5 rounds. The first eight sub-keys are extracted directly from the key, with K1 from the first round being the lower sixteen bits; further groups of eight keys are created by rotating the main key left 25 bits between each group of eight. This means that it is rotated less than once per round, on average, for a total of six rotations.
510
International Data Encryption Algorithm - Decryption
Decryption works like encryption, but the order of the round keys is inverted, and each value of each subkey is replaced by its inverse for the respective group operation.
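The operations, key schedule and decryption rule above, as an added example written for this page (not code from the IDEA designers, from Wikipedia, or from any library): a plain Python implementation of IDEA with the 0x0000 / 2^16 multiplication convention, the 25-bit key rotation that yields the 52 subkeys, eight rounds plus the output half-round, and the inverted subkey list used for decryption. The big-endian word layout and the function names are my choices; the key and plaintext in `main` are the conventional worked-example values (key 0001 0002 0003 0004 0005 0006 0007 0008, plaintext 0000 0001 0002 0003).

```python
"""IDEA: the three 16-bit group operations, the rotating key schedule, 8.5 rounds, and decryption by inverted subkeys."""

MASK16 = 0xFFFF
MOD_MUL = 0x10001          # 2^16 + 1 is prime, so every nonzero residue has a multiplicative inverse


def mul(a, b):
    """Multiplication modulo 2^16 + 1; a 0x0000 operand stands for 2^16, and a 2^16 result is written 0x0000."""
    r = (a or 0x10000) * (b or 0x10000) % MOD_MUL
    return r & MASK16      # r == 0x10000 maps back to 0x0000


def mul_inv(a):
    """Inverse under mul, via Fermat (a^(p-2) mod p); 0x0000 (= 2^16 = -1 mod p) is its own inverse."""
    return pow(a or 0x10000, MOD_MUL - 2, MOD_MUL) & MASK16


def add_inv(a):
    """Inverse under addition modulo 2^16."""
    return (-a) & MASK16


def expand_key(key):
    """52 subkeys from a 128-bit key: take eight 16-bit words, rotate the key left 25 bits, repeat."""
    assert len(key) == 16
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys.extend((k >> (112 - 16 * i)) & MASK16 for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)   # six rotations are used in total
    return subkeys[:52]


def invert_key(ek):
    """Decryption subkeys: the encryption list read backwards, each subkey replaced by its group inverse.
    The two additive subkeys of a round are swapped because the round swaps the two middle words."""
    dk = [mul_inv(ek[48]), add_inv(ek[49]), add_inv(ek[50]), mul_inv(ek[51]), ek[46], ek[47]]
    for r in range(7, 0, -1):              # encryption rounds 8 down to 2
        b = 6 * r
        dk += [mul_inv(ek[b]), add_inv(ek[b + 2]), add_inv(ek[b + 1]), mul_inv(ek[b + 3]),
               ek[b - 2], ek[b - 1]]
    dk += [mul_inv(ek[0]), add_inv(ek[1]), add_inv(ek[2]), mul_inv(ek[3])]
    return dk


def crypt_block(block, sk):
    """Run the 8.5-round structure with subkey list sk (encryption or decryption subkeys)."""
    assert len(block) == 8
    x1, x2, x3, x4 = (int.from_bytes(block[n:n + 2], "big") for n in range(0, 8, 2))
    for r in range(8):
        z1, z2, z3, z4, z5, z6 = sk[6 * r:6 * r + 6]
        a = mul(x1, z1)
        b = (x2 + z2) & MASK16
        c = (x3 + z3) & MASK16
        d = mul(x4, z4)
        e = a ^ c
        f = b ^ d
        g = mul(e, z5)                     # key-dependent half-round (MA) function
        h = (f + g) & MASK16
        i = mul(h, z6)
        j = (g + i) & MASK16
        x1, x2, x3, x4 = a ^ i, c ^ i, b ^ j, d ^ j   # the swap of the two middle words is built in
    z1, z2, z3, z4 = sk[48:52]
    # output transformation ("half round"): undo the last swap, then one more layer of key mixing
    y = (mul(x1, z1), (x3 + z2) & MASK16, (x2 + z3) & MASK16, mul(x4, z4))
    return b"".join(w.to_bytes(2, "big") for w in y)


def encrypt_block(key, block):
    return crypt_block(block, expand_key(key))


def decrypt_block(key, block):
    return crypt_block(block, invert_key(expand_key(key)))


if __name__ == "__main__":
    key = bytes.fromhex("00010002000300040005000600070008")   # conventional example key
    pt = bytes.fromhex("0000000100020003")                   # conventional example plaintext
    ct = encrypt_block(key, pt)
    print("ciphertext:", ct.hex(), "roundtrip ok:", decrypt_block(key, ct) == pt)
```

Running the block prints the ciphertext for the example key and plaintext, which can be compared against any published IDEA test vector. The `mul` convention is the part implementations most often get wrong: without mapping 0x0000 to 2^16, zero would be a fixed point of multiplication and would have no inverse, so decryption could not undo it.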
511
International Data Encryption Algorithm - Security
The designers analysed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune under certain assumptions. No successful linear or algebraic weaknesses have been reported. Until the 2012 result described below, the best attack that applied to all keys could break IDEA reduced to 6 rounds (the full IDEA cipher uses 8.5 rounds).
512
International Data Encryption Algorithm - Security
Note that a break is any attack which requires fewer than 2^128 operations; the 6-round attack requires 2^64 known plaintexts and operations.
513
International Data Encryption Algorithm - Security
Bruce Schneier thought highly of IDEA in 1996, writing, "In my opinion, it is the best and most secure block algorithm available to the public at this time." (Applied Cryptography, 2nd ed.) However, by 1999 he was no longer recommending IDEA due to the availability of faster algorithms, some progress in its cryptanalysis, and the issue of patents.
514
International Data Encryption Algorithm - Security
In 2012, full 8.5-round IDEA was finally broken, using a narrow-bicliques attack, with a reduction of cryptographic strength of about two bits, similar to the effect of the previous biclique attack on AES.
515
International Data Encryption Algorithm - Weak keys
The very simple key schedule makes IDEA subject to a class of weak keys; some keys containing a large number of 0 bits produce weak encryption. These are of little concern in practice, being sufficiently rare that they are unnecessary to avoid explicitly when generating keys randomly. A simple fix was proposed: exclusive-ORing each subkey with a 16-bit constant, such as 0x0DAE.
516
International Data Encryption Algorithm - Weak keys
Larger classes of weak keys were found in 2002.
517
International Data Encryption Algorithm - Weak keys
This is still of negligible probability to be a concern for a randomly chosen key, and some of the problems are fixed by the constant XOR proposed earlier, but the paper does not establish whether all of them are. A more comprehensive redesign of the IDEA key schedule may be desirable.
518
International Data Encryption Algorithm - Availability
A patent application for IDEA was first filed in Switzerland (CH A 1690/90) on May 18, 1990, then an international patent application was filed under the Patent Cooperation Treaty on May 16, 1991.
519
International Data Encryption Algorithm - Availability
MediaCrypt AG is now offering a successor to IDEA and focuses on its new cipher (official release on May 2005) IDEA NXT, which was previously called FOX.
520
International Data Encryption Algorithm - Literature
* Hüseyin Demirci, Erkan Türe, Ali Aydin Selçuk, A New Meet in the Middle Attack on the IDEA Block Cipher, 10th Annual Workshop on Selected Areas in Cryptography, 2004.
521
International Data Encryption Algorithm - Literature
* Xuejia Lai and James L. Massey, A Proposal for a New Block Encryption Standard, EUROCRYPT 1990, pp
522
International Data Encryption Algorithm - Literature
* Xuejia Lai, James L. Massey and S. Murphy, Markov Ciphers and Differential Cryptanalysis, Advances in Cryptology - Eurocrypt '91, Springer-Verlag (1992), pp. 17-38.
523
Clandestine HUMINT operational techniques - Encryption
Encryption, especially using a theoretically secure method such as the one-time pad, when properly executed,
524
Clandestine HUMINT operational techniques - Encryption
is highly secure, but a counterintelligence agent seeing nonsense characters will immediately become suspicious of the message that has been captured. The very knowledge that a dead drop exists can cause it to be trapped or put under surveillance, and the participant in a brush pass who carries it will be hard-pressed to explain it.
525
Clandestine HUMINT operational techniques - Encryption
One-time pad encryption has the absolute requirement that the cryptographic key is used only once. Failure to follow this rule caused a serious penetration into Soviet espionage communications, through the VENONA analysis.
526
Clandestine HUMINT operational techniques - Encryption
It is extremely difficult for a nonprofessional to develop a cryptosystem, especially without computer support, that is impervious to attack by a professional cryptanalyst working for an agency with government resources, such as the US NSA or Russia's Special Communications Service (Spetssvyaz).
527
NTFS - Encryption
Encrypting File System (EFS) provides strong and user-transparent encryption of any file or folder on an NTFS volume. EFS works in conjunction with the EFS service, Microsoft's Cryptographic Application Programming Interface (CryptoAPI) and the EFS File System Run-Time Library (FSRTL).
528
NTFS - Encryption
NTFS-provided encryption and NTFS-provided compression are mutually exclusive; however, NTFS can be used for one and a third-party tool for the other.
529
NTFS - Encryption
Support for EFS is not available in Basic, Home and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate and Server versions of Windows or by using enterprise deployment tools within Windows domains.
530
ElGamal encryption
The Digital Signature Algorithm is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.
531
ElGamal encryption
ElGamal encryption can be defined over any cyclic group G. Its security depends upon the difficulty of a certain problem in G related to computing discrete logarithms (see below).
532
ElGamal encryption - Key generation
* Alice generates an efficient description of a multiplicative cyclic group G of order q with generator g. See below for a discussion on the required properties of this group.
533
ElGamal encryption - Key generation
* Alice computes h = g^x.
534
ElGamal encryption - Key generation
* Alice publishes h, along with the description of G, q, g, as her public key. Alice retains x as her private key, which must be kept secret.
535
ElGamal encryption - Decryption
* and then computes m' = c_2 \cdot s^{-1}, which she then converts back into the plaintext message m, where s^{-1} is the inverse of s in the group G (e.g. the modular multiplicative inverse if G is a subgroup of a multiplicative group of integers modulo n).
536
ElGamal encryption - Decryption
The decryption algorithm produces the intended message, since
537
ElGamal encryption - Practical use
The ElGamal cryptosystem is usually used in a hybrid cryptosystem, i.e., the message itself is encrypted using a symmetric cryptosystem and ElGamal is then used
538
ElGamal encryption - Practical use
to encrypt the key used for the symmetric cryptosystem. This is because asymmetric cryptosystems like ElGamal are usually slower than symmetric ones, so it is faster to encrypt the symmetric key (which most of the time is quite small compared to the size of the message) with ElGamal and the message (which can be arbitrarily large) with a symmetric cipher.
539
ElGamal encryption - Security
The security of the ElGamal scheme depends on the properties of the underlying group G as well as any padding scheme used on the messages.
540
ElGamal encryption - Security
If the computational Diffie–Hellman assumption (CDH) holds in the underlying cyclic group G, then the encryption function is one-way (CRYPTUTOR, ElGamal encryption scheme).
541
ElGamal encryption - Security
If the decisional Diffie–Hellman assumption (DDH) holds in G, then
542
ElGamal encryption - Security
ElGamal achieves semantic security. Semantic security is not implied by the computational Diffie–Hellman assumption alone (M. Abdalla, M. Bellare, P. Rogaway, DHAES, An encryption scheme based on the Diffie–Hellman Problem, Appendix A). See decisional Diffie–Hellman assumption for a discussion of groups where the assumption is believed to hold.
543
ElGamal encryption - Security
ElGamal encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack. For example, given an encryption (c_1, c_2) of some (possibly unknown) message m, one can easily construct a valid encryption (c_1, 2 c_2) of the message 2m.
544
ElGamal encryption - Security
To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.
545
ElGamal encryption - Security
Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed.
546
ElGamal encryption - Security
The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for G. Its proof does not use the random oracle model. Another proposed scheme is DHAES, whose proof requires an assumption that is weaker than the DDH assumption.
547
ElGamal encryption - Decryption
The division by s can be avoided by using an alternative method for decryption.
548
ElGamal encryption - Decryption
s' is the inverse of s. This is a consequence of Lagrange's theorem, because
549
ElGamal encryption - Decryption
in the exponent are computed modulo (q-1), rather than q.
550
ElGamal encryption - Decryption
* Alice then computes m' = c_2 \cdot s', which she then converts back into the plaintext message m.
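Key generation, encryption, both decryption rules (multiplying by the inverse s^{-1}, and multiplying by s' = c_1^{q-x} to avoid computing an inverse), and the (c_1, 2 c_2) malleability described above, as an added Python example that is not part of the original page. It assumes a prime-order subgroup: p = 2q + 1 with p and q prime, and g = 4 generating the order-q subgroup of quadratic residues, so g^q = 1 and exponents reduce modulo q (the Lagrange argument above). The toy sizes p = 1019 and q = 509, the encoding of small integers into the subgroup, and all function names are my choices; a real deployment would use a group of at least 2048 bits.

```python
"""Textbook ElGamal in a prime-order subgroup of Z_p^*, plus the malleability the text describes."""
import secrets

# Toy parameters (assumption): p = 2q + 1 with p and q prime, so the quadratic residues
# form a subgroup of prime order q, generated by g = 4 = 2^2.  Far too small for real use.
P = 1019
Q = 509
G = 4


def keygen():
    """Alice picks x in [1, q-1] and publishes h = g^x together with (p, q, g)."""
    x = secrets.randbelow(Q - 1) + 1
    h = pow(G, x, P)
    return (P, Q, G, h), x


def encode(m):
    """Map 1 <= m <= q into the subgroup: since p = 3 mod 4, exactly one of m and p - m is a residue."""
    if not 1 <= m <= Q:
        raise ValueError("message out of range")
    return m if pow(m, Q, P) == 1 else P - m


def decode(e):
    """Undo encode(): elements above q came from p - m."""
    return e if e <= Q else P - e


def encrypt_element(pub, e):
    """Bob picks a fresh ephemeral y and sends c1 = g^y, c2 = e * s with s = h^y = g^(xy)."""
    p, q, g, h = pub
    y = secrets.randbelow(q - 1) + 1
    return pow(g, y, p), (e * pow(h, y, p)) % p


def decrypt_element(pub, x, c):
    """Alice recovers s = c1^x and multiplies c2 by the modular inverse of s."""
    p = pub[0]
    c1, c2 = c
    s = pow(c1, x, p)
    return (c2 * pow(s, -1, p)) % p


def decrypt_element_no_division(pub, x, c):
    """Same result with no inverse: s' = c1^(q-x) satisfies s * s' = c1^q = 1 because the group has order q."""
    p, q = pub[0], pub[1]
    c1, c2 = c
    return (c2 * pow(c1, q - x, p)) % p


def encrypt(pub, m):
    return encrypt_element(pub, encode(m))


def decrypt(pub, x, c):
    return decode(decrypt_element(pub, x, c))


def scale_ciphertext(pub, c, k):
    """Malleability: anyone can turn Enc(e) into Enc(k * e) without knowing e or the private key x."""
    p = pub[0]
    c1, c2 = c
    return c1, (k * c2) % p


if __name__ == "__main__":
    pub, x = keygen()
    c = encrypt(pub, 42)
    print("decrypt:", decrypt(pub, x, c))
    e = encode(42)
    forged = scale_ciphertext(pub, encrypt_element(pub, e), 2)
    print("(c1, 2*c2) decrypts to 2*e mod p:", decrypt_element(pub, x, forged) == (2 * e) % P)
```

`scale_ciphertext` is the attack the text refers to: the forged pair is a perfectly valid ciphertext, which is why a chosen-ciphertext-secure construction (Cramer–Shoup, DHAES, or a hybrid scheme with an authenticated symmetric layer) is needed whenever an attacker can submit ciphertexts for decryption. The no-division decryption only works because c_1 lies in the order-q subgroup; for a group whose order is not q the exponent would have to be reduced modulo the true group order.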
551
FTPS - Reasons to disable encryption
It may not be advantageous to use data channel encryption when performing transfers under the following scenarios:
552
FTPS - Reasons to disable encryption
* Files being transferred are of a non-sensitive nature, making encryption unnecessary,
553
FTPS - Reasons to disable encryption
* Files being transferred are already encrypted at the file level or are passing over an encrypted VPN, making encryption redundant,
554
FTPS - Reasons to disable encryption
* Available TLS or SSL encryption modes do not meet the desired level of encryption. This is common with older FTPS clients or servers that may have been limited to 40-bit SSL due to previous United States high-encryption export laws.
555
FTPS - Reasons to disable encryption
It may not be advantageous to use control channel encryption under the following scenarios:
556
FTPS - Reasons to disable encryption
* Use of FTPS when the client and/or server resides behind a network firewall or network address translation (NAT) device. (See Firewall Incompatibilities below.)
557
FTPS - Reasons to disable encryption
* Repeated use of AUTH and CCC/CDC commands by anonymous FTP clients within the same session. Such behavior can be utilized as a resource-based denial of service attack as the TLS/SSL session must be regenerated each time, utilizing server processor time.
558
Secure communication - Encryption
The article on key size examines the key requirements for certain degrees of encryption security.
559
Secure communication - Encryption
Opportunistic encryption is a lower security method to generally increase the percentage of generic traffic which is encrypted.
560
Secure communication - Encryption
An information-theoretic security technique known as physical layer encryption ensures that a wireless communication link is provably secure with communications and coding techniques.
561
End-to-end encryption
End-to-end encryption generally includes protections of both confidentiality and integrity.
562
End-to-end encryption - Example: TETRA
A classic deployment of E2EE is demonstrated by its use within the Terrestrial Trunked Radio (TETRA) standard, as defined by the Security Fraud Prevention Group (SFPG) of the Tetra MoU
563
End-to-end encryption - Example: TETRA
(A presentation by Brian Murgatroyd to the SFPG.)
564
End-to-end encryption - Example: TETRA
Unlike TETRA air-interface encryption (an example of Link encryption) users do not have to share key-variables with network operators (e.g
565
End-to-end encryption - Example: TETRA
If only air-interface encryption were used, interception of the user traffic would be possible at any point after the air-interface encryption had been removed (i.e
566
End-to-end encryption - Example: TETRA
In the TETRA deployment of E2EE the management, distribution and updating of encryption key-variables and crypto-associations (links between network address and key-variables) is facilitated by use of a Key Management Centre (KMC).
567
End-to-end encryption - Example: TETRA
The key-variables and crypto-associations allow the user (by use of the KMC) to partition the trunked-network address space into 'encrypted' and 'non-encrypted' channels. It is possible to define sets of key-variables called crypto-groups, and it is further possible to define which crypto-group any particular encrypted channel uses. Furthermore, it is possible for the operator of the KMC to partition their user-fleet into user-groups (groups of users who receive the same crypto material).
568
End-to-end encryption - Example: TETRA
This lets the KMC user determine which parts of their user-fleet can communicate with one another and allows the user organisation to achieve crypto-separation between different groups of users.
569
Trusted platform module - Disk encryption
Full disk encryption applications, such as SecureDoc, the dm-crypt feature of modern Linux kernels, and the BitLocker Drive Encryption feature of some Microsoft operating systems, can use this technology to protect the keys used to encrypt the computer's hard disks and provide integrity authentication for a trusted boot pathway (for example BIOS, boot sector, etc.). A number of third party full disk encryption products also support the TPM chip. TrueCrypt, however, decided not to use it.
570
Pre-boot authentication - Combinations with Full Disk Encryption
Pre-Boot Authentication is generally provided by a variety of full disk encryption vendors, but can be installed separately. Some FDE solutions can function without Pre-Boot Authentication, such as hardware-based full disk encryption. However, without some form of authentication, encryption provides little protection.
571
Disk encryption software
'Disk encryption software' is computer security software that protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device) by using disk encryption.
572
Disk encryption software
Disk encryption usually includes all aspects of the disk, including directories, so that an adversary cannot determine the content, name or size of any file.
573
Disk encryption software
The disk's data is protected using Symmetric-key algorithm|symmetric cryptography with the key randomly generated when a disk's encryption is first established. This key is itself encrypted in some way using a password or pass-phrase known (ideally) only to the user. Thereafter, in order to access the disk's data, the user must supply the password to make the key available to the software. This must be done sometime after each operating system start-up before the encrypted data can be used.
574
Disk encryption software
Done in software, disk encryption typically operates at a level between all applications and most system programs and the low-level device drivers by transparently (from a user's point of view) encrypting data after it is produced by a program but before it is physically written to the disk. Conversely it decrypts data immediately after being read but before it is presented to a program. Properly done, programs are unaware of these cryptographic operations.
575
Disk encryption software
Some disk encryption software (e.g., TrueCrypt or BestCrypt) provides features that generally cannot be accomplished with disk hardware encryption: the ability to mount container files as encrypted logical disks with their own file system; and encrypted logical inner volumes which are secretly hidden within the free space of the more obvious outer volumes. Such strategies provide plausible deniability.
576
Disk encryption software
Well-known examples of disk encryption software include: BitLocker for Windows; FileVault for Apple OS X; and TrueCrypt, a non-commercial open source product, for Windows, OS X and Linux.
577
Disk encryption software
The study authors were able to demonstrate a cold boot attack to recover cryptographic keys for several popular disk encryption systems despite some memory degradation, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use
578
Disk encryption software - Plausible deniability
Some disk encryption systems, such as TrueCrypt, offer levels of plausible deniability, which might be useful if a user is compelled to reveal the password of an encrypted volume.
579
Disk encryption software - Hidden volumes
Hidden volumes are a steganographic feature that allows a second, hidden, volume to reside within the apparent free space of a visible container volume (sometimes known as outer volume). The hidden volume has its own separate file system, password, and encryption key distinct from the container volume.
580
Disk encryption software - Hidden volumes
When the outer container is brought online through the disk encryption software, whether the inner or outer volume is mounted depends on the password provided.
581
Disk encryption software - Hidden volumes
Once a hidden volume has been created inside the visible container volume, the user will store important-looking information (but which the user does not actually mind revealing) on the outer volume, whereas more sensitive information is stored within the hidden volume.
582
Disk encryption software - Hidden volumes
If the user is forced to reveal a password, the user can reveal the password to the outer volume, without disclosing the existence of the hidden volume. The hidden volume will not be compromised, if the user takes certain precautions in overwriting the free areas of the host disk (Plausible Deniability: FreeOTFE instructions for initializing an encrypted disk such that the presence of a hidden disk cannot be detected).
583
Disk encryption software - No identifying features
Volumes, be they stored in a file or a device/partition, may intentionally not contain any discernible signatures or unencrypted headers.
584
Disk encryption software - No identifying features
A file hosted volume (as opposed to partitions) may look out of place in some cases since it will be entirely random data placed in a file intentionally. However, a partition or device hosted volume will look no different than a partition or device that has been wiped with a common disk wiping tool such as Darik's Boot and Nuke. One can plausibly claim that such a device or partition has been wiped to clear personal data.
585
Disk encryption software - No identifying features
Portable or traveller mode means the encryption software can be run without installation to the system hard drive. In this mode, the software typically installs a temporary device driver|driver from the portable media. Since it is installing a driver (albeit temporarily), administrative privileges are still required.
586
Disk encryption software - Resizable volumes
Some disk encryption software allows encrypted volumes to be resized. Not many systems implement this fully, and resort to using sparse files to achieve this.
587
Disk encryption software - Backups
Encrypted volumes contain header (or CDB) data, which may be backed up. Overwriting these data will destroy the volume, so the ability to back them up is useful.
588
Disk encryption software - Backups
Restoring the backup copy of these data may reset the volume's password to what it was when the backup was taken.
589
encryption
This refers to encryption, and often authentication, of messages, to protect the content from being read by any but the intended recipients.
590
encryption
Such encryption can rely on public-key cryptography, in which users can each publish a public key that others can use to encrypt messages to them, while keeping secret a private key they can use to decrypt such messages or to digitally sign messages they send.
591
For More Information, Visit:
The Art of Service