Encryption https://store.theartofservice.com/the-encryption-toolkit.html.

Encryption

Advanced Encryption Standard
The SubBytes step, one of four stages in a round of AES

Derived from Square

Successors Anubis, Grand Cru

Structure Substitution-permutation network

Attacks have been published that are computationally faster than a full brute force attack, though none as of 2013 are computationally feasible:

For AES-128, the key can be recovered with a computational complexity of using bicliques. For biclique attacks on AES-192 and AES-256, the computational complexities of and respectively apply. Related-key attacks can break AES-192 and AES-256 with complexities 2176 and 299.5, respectively.

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S

AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), which was published in The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.

AES is available in many different encryption packages, and is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module (see Security of AES, below).

The name Rijndael (Dutch pronunciation: [ˈrɛindaːl]) is a play on the names of the two inventors (Joan Daemen and Vincent Rijmen).

Advanced Encryption Standard Description of the cipher
AES is based on a design principle known as a substitution-permutation network, and is fast in both software and hardware. Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.

AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field.

The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition are as follows:

Each round consists of several processing steps, each containing five similar but different stages, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

Advanced Encryption Standard High-level description of the algorithm
KeyExpansion—round keys are derived from the cipher key using Rijndael's key schedule. AES requires a separate 128-bit round key block for each round plus one more.

AddRoundKey—each byte of the state is combined with a block of the round key using bitwise xor.

SubBytes—a non-linear substitution step where each byte is replaced with another according to a lookup table.

ShiftRows—a transposition step where each row of the state is shifted cyclically a certain number of steps.

MixColumns—a mixing operation which operates on the columns of the state, combining the four bytes in each column.

Advanced Encryption Standard The SubBytes step
In the SubBytes step, each byte in the state matrix is replaced with a SubByte using an 8-bit substitution box, the Rijndael S-box

Advanced Encryption Standard The ShiftRows step
The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset

Advanced Encryption Standard The MixColumns step
In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.

During this operation, each column is multiplied by the known matrix that for the 128-bit key is:

The multiplication operation is defined as: multiplication by 1 means no change, multiplication by 2 means shifting to the left, and multiplication by 3 means shifting to the left and then performing XOR with the initial unshifted value. After shifting, a conditional XOR with 0x1B should be performed if the shifted value is larger than 0xFF.

In more general sense, each column is treated as a polynomial over GF(28) and is then multiplied modulo x4+1 with a fixed polynomial c(x) = 0x03 · x3 + x2 + x + 0x02. The coefficients are displayed in their hexadecimal equivalent of the binary representation of bit polynomials from GF(2)[x]. The MixColumns step can also be viewed as a multiplication by a particular MDS matrix in a finite field. This process is described further in the article Rijndael mix columns.

Advanced Encryption Standard The AddRoundKey step
In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

Advanced Encryption Standard Optimization of the cipher
On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining the SubBytes and ShiftRows steps with the MixColumns step by transforming them into a sequence of table lookups

If the resulting four-kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit (i.e. 1 kilobyte) table by the use of circular rotates.

Using a byte-oriented approach, it is possible to combine the SubBytes, ShiftRows, and MixColumns steps into a single round operation.

Advanced Encryption Standard Security
Until May 2009, the only successful published attacks against the full AES were side-channel attacks on some specific implementations. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for U.S. Government non-classified data. In June 2003, the U.S. Government announced that AES could be used to protect classified information:

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.

AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. By 2006, the best were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.

Advanced Encryption Standard Known attacks
For cryptographers, a cryptographic "break" is anything faster than a brute force—performing one trial decryption for each key (see Cryptanalysis). This includes results that are infeasible with current technology. The largest successful publicly known brute force attack against any block-cipher encryption was against a 64-bit RC5 key by distributed.net in 2006.

AES has a fairly simple algebraic description. In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in the AES algorithm due to its simple description. Since then, other papers have shown that the attack as originally presented is unworkable; see XSL attack on block ciphers.

During the AES process, developers of competing algorithms wrote of Rijndael, "...we are concerned about [its] use...in security-critical applications." However, in October 2000 at the end of the AES selection process, Bruce Schneier, a developer of the competing algorithm Twofish, wrote that while he thought successful academic attacks on Rijndael would be developed someday, "I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."

On July 1, 2009, Bruce Schneier blogged about a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich, which exploits AES's somewhat simple key schedule and has a complexity of In December 2009 it was improved to This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić, with a complexity of 296 for one out of every 235 keys.

Another attack was blogged by Bruce Schneier on July 30, 2009 and released as a preprint on August 3, 2009

In November 2009, the first known-key distinguishing attack against a reduced 8-round version of AES-128 was released as a preprint. This known-key distinguishing attack is an improvement of the rebound or the start-from-the-middle attacks for AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called Super-Sbox. It works on the 8-round version of AES-128, with a time complexity of 248, and a memory complexity of 232.

In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-middle" attacks on AES-128.

The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in The attack is based on bicliques and is faster than brute force by a factor of about four. It requires operations to recover an AES-128 key. For AES-192 and AES-256, and operations are needed, respectively.

Advanced Encryption Standard Side-channel attacks
Side-channel attacks do not attack the underlying cipher thus don't relate to how security is described here, but rather attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.

The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation); however, as Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from the server's responses, does not stop the attack: the client simply uses round-trip timings based on its local clock, and compensates for the increased noise by averaging over a larger number of samples."

In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES. One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.

In December 2009 an attack on some hardware implementations was published that used differential fault analysis and allows recovery of a key with a complexity of 232.

Like some earlier attacks this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account.

Advanced Encryption Standard NIST/CSEC validation
From NSTISSP #11, National Policy Governing the Acquisition of Information Assurance: "Encryption products for protecting classified information will be certified by NSA, and encryption products intended for protecting sensitive information will be certified in accordance with NIST FIPS "

The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.

Although NIST publication 197 ("FIPS 197") is the unique document that covers the AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several algorithms (such as Triple DES or SHA1) validated at the same time

The Cryptographic Algorithm Validation Program (CAVP) allows for independent validation of the correct implementation of the AES algorithm at a reasonable cost

FIPS validation is challenging to achieve both technically and fiscally

Advanced Encryption Standard Test vectors
Test vectors are a set of known ciphers for a given input and key. NIST distributes the reference of AES test vectors as AES Known Answer Test (KAT) Vectors (in ZIP format).

Advanced Encryption Standard Performance
High speed and low RAM requirements were criteria of the AES selection process. Thus AES performs well on a wide variety of hardware, from 8-bit smart cards to high-performance computers.

On a Pentium Pro, AES encryption requires 18 clock cycles per byte, equivalent to a throughput of about 11 MB/s for a 200 MHz processor. On a 1.7 GHz Pentium M throughput is about 60 MB/s.

On Intel Core i3/i5/i7 CPUs supporting AES-NI instruction set extensions, throughput can be over 700 MB/s per thread.

BitTorrent Throttling and encryption
Since BitTorrent makes up a large proportion of total traffic, some ISPs have chosen to throttle (slow down) BitTorrent transfers. For this reason, methods have been developed to disguise BitTorrent traffic in an attempt to thwart these efforts.

Protocol header encrypt (PHE) and Message stream encryption/Protocol encryption (MSE/PE) are features of some BitTorrent clients that attempt to make BitTorrent hard to detect and throttle. At the moment Vuze, Bitcomet, KTorrent, Transmission, Deluge, µTorrent, MooPolice, Halite, rTorrent and the latest official BitTorrent client (v6) support MSE/PE encryption.

In September 2006 it was reported that some software could detect and throttle BitTorrent traffic masquerading as HTTP traffic.

Reports in August 2007 indicated that Comcast was preventing BitTorrent seeding by monitoring and interfering with the communication between peers

In general, although encryption can make it difficult to determine what is being shared, BitTorrent is vulnerable to traffic analysis. Thus, even with MSE/PE, it may be possible for an ISP to recognize BitTorrent and also to determine that a system is no longer downloading but only uploading data, and terminate its connection by injecting TCP RST (reset flag) packets.

Electronic business Encryption
The level of the actual encryption can be adjusted and should be based on the information

Digital Video Broadcasting - Encryption and metadata
The conditional access system (DVB-CA) defines a Common Scrambling Algorithm (DVB-CSA) and a physical Common Interface (DVB-CI) for accessing scrambled content. DVB-CA providers develop their wholly proprietary conditional access systems with reference to these specifications. Multiple simultaneous CA systems can be assigned to a scrambled DVB program stream providing operational and commercial flexibility for the service provider.

DVB is also developing a Content Protection and Copy Management system for protecting content after it has been received (DVB-CPCM), which is intended to allow flexible use of recorded content on a home network or beyond, while preventing unconstrained sharing on the Internet. DVB-CPCM has been the source of much controversy in the popular press and It is said that CPCM is the DVB's answer to the failed American Broadcast Flag.

DVB transports include metadata called Service Information (DVB-SI, ETSI EN , ETSI TR ) that links the various elementary streams into coherent programs and provides human-readable descriptions for electronic program guides as well as for automatic searching and filtering

Recently, DVB has adopted a profile of the metadata defined by the TV-Anytime Forum (DVB-TVA, ETSI TS ). This is an XML Schema based technology and the DVB profile is tailored for enhanced Personal Digital Recorders. DVB lately also started an activity to develop a service for IPTV (DVB-IPI, ETSI TR , ETSI TS , ETSI TS ) which also includes metadata definitions for a broadband content guide (DVB-BCG, ETSI TS ).

XML Encryption Although XML Encryption can be used to encrypt any kind of data, it is nonetheless known as "XML Encryption" because an XML element (either an EncryptedData or EncryptedKey element) contains or refers to the cipher text, keying information, and algorithms.

XML Encryption Both XML Signature and XML Encryption use the KeyInfo element, which appears as the child of a SignedInfo, EncryptedData, or EncryptedKey element and provides information to a recipient about what keying material to use in validating a signature or decrypting encrypted data.

XML Encryption The KeyInfo element is optional: it can be attached in the message, or be delivered through a secure channel.

XML Encryption XML Encryption is different from and unrelated to Transport Layer Security, which is used to send encrypted messages (including xml content, both encrypted and otherwise) over the internet.

XML Encryption It has been reported that this specification has severe security concerns.

XML Encryption - Notes ^ "RUB Researchers break W3C standard". Ruhr University Bochum. 19 October Retrieved 29 June 2012.

OpenVPN - Encryption It can also use hardware acceleration to get better encryption performance

Btrfs - Encryption The current recommendation for encryption with Btrfs is to use a full-disk encryption mechanism such as dm-crypt/LUKS on the underlying devices, and to create the Btrfs filesystem on top of that layer (and that if a RAID is to be used with encryption, encrypting a dm-raid device or a hardware-RAID device gives much faster disk performance than dm-crypt overlaid by Btrfs' own filesystem-level RAID features).

ISO PIN encryption To protect the PIN during transmission from the PIN entry device to the verifier, the standard requires that the PIN be encrypted, and specifies several formats that may be used. In each case, the PIN is encoded into a 64-bit PIN block, which is then encrypted by an "approved algorithm" (currently TDEA, according to part 2 of the standard).

Encryption For technical reasons, an encryption scheme usually needs a key-generation algorithm to randomly produce keys.

Encryption - Symmetric key encryption
In Symmetric-key schemes, the encryption and decryption keys are the same. Thus communicating parties must agree on a secret key before they wish to communicate.

Encryption - Public key encryption
In public-key encryption schemes, the encryption key is published for anyone to use and encrypt messages. However, only the receiving party has access to the decryption key and is capable of reading the encrypted messages. Public-key encryption is a relatively recent invention: historically, all encryption schemes have been symmetric-key (also called private-key) schemes.:478

Encryption - Public key encryption
One of the earliest public key encryption applications was called Pretty Good Privacy (PGP). It was written in 1991 by Phil Zimmermann and was purchased by Symantec in 2010.

Encryption - How encryption is used
Digital rights management systems which prevent unauthorized use or reproduction of copyrighted material and protect software against reverse engineering (see also copy protection) is another somewhat different example of using encryption on data at rest.

Encryption - How encryption is used
Encryption is also used to protect data in transit, for example data being transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. There have been numerous reports of data in transit being intercepted in recent years. Encrypting data in transit also helps to secure it as it is often difficult to physically secure all access to networks.

Encryption - Message verification
Sometimes an adversary can obtain unencrypted information without directly undoing the encryption

Encryption - Message verification
Digital signature and encryption must be applied at message creation time (i.e. on the same device it has been composed) to avoid tampering. Otherwise any node between the sender and the encryption agent could potentially tamper it. It should be noted that encrypting at the time of creation only adds security if the encryption device itself has not been tampered with.

Encryption - Further reading
Fouché Gaines, Helen (1939), Cryptanalysis: A Study of Ciphers and Their Solution, New York: Dover Publications Inc, ISBN

Encryption - Further reading
Preneel, Bart, "Advances in Cryptology — EUROCRYPT 2000", Springer Berlin Heidelberg, 2000, ISBN

UT-VPN uses the OpenSSL library to provide encryption to packets.
UT-VPN - Encryption UT-VPN uses the OpenSSL library to provide encryption to packets.

Digital signature - Using separate key pairs for signing and encryption
If an encryption key is lost, a backup or key escrow should be utilized to continue viewing encrypted content

Opportunistic encryption
Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt the communications channel otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems.

Opportunistic encryption
Opportunistic encryption can be used to combat passive wiretapping. (An active wiretapper, on the other hand, can disrupt encryption negotiation to force an unencrypted channel.) It does not provide a strong level of security as authentication may be difficult to establish and secure communications are not mandatory. Yet, it does make the encryption of most internet traffic easy to implement, which removes a significant impediment to the mass adoption of Internet traffic security.

Opportunistic encryption - Routers
The FreeS/WAN project was one of the early proponents of OE. Openswan has also been ported to the OpenWrt project. Openswan uses DNS records to facilitate the key exchange between the systems.

Opportunistic encryption - Routers
It is possible to use OpenVPN and networking protocols to set up dynamic VPN links which act similar to OE for specific domains.

Opportunistic encryption - Unix and unix-like systems
The FreeS/WAN and forks such as Openswan and strongSwan offer VPNs which can also operate in OE mode using IPsec based technology. Obfuscated TCP is another method of implementing OE.

Opportunistic encryption - Windows OS
Windows platforms have an implementation of OE installed by default. This method uses IPsec to secure the traffic and is a simple procedure to turn on. It is accessed via the MMC and "Ip Security Policies on Local Computer" and then edit the properties to assign the "(Request Security)" policy. This will turn on optional IPsec in a Kerberos environment.

In a non-Kerberos environment, a certificate from a Certificate Authority (CA) which is common to any system with which you communicate securely is required.

Many systems also have problems when either side is behind a NAT. This problem is addressed by NAT Traversal (NAT-T) and is accomplished by adding a DWORD of 2 to the registry: HKLM\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule Using the filtering options provided in MMC, it is possible to tailor the networking to require, request or permit traffic to various domains and protocols to use encryption.

Opportunistic encryption - E-mail
Opportunistic encryption can also be used for specific traffic like using the SMTP STARTTLS extension for relaying messages across the Internet, or the Internet Message Access Protocol (IMAP) STARTTLS extension for reading . With this implementation, it is not necessary to obtain a certificate from a certificate authority, as a self-signed certificate can be used.

Opportunistic encryption - E-mail
Many systems employ a variant with third-party add-ons to traditional packages by first attempting to obtain an encryption key and if unsuccessful, then sending the in the clear. PGP, Hushmail, and Ciphire, among others can all be set up to work in this mode.

Opportunistic encryption - VoIP
Phil Zimmermann, Alan Johnston, and Jon Callas have proposed a new VoIP encryption protocol called ZRTP

Opportunistic encryption - Websites
For encrypting WWW/HTTP connections, typically HTTPS is used. This can also be used for opportunistic website encryption. Most browsers verify the webserver's identity to make sure that an SSL certificate is signed by a trusted certificate authority. The easiest way to enable opportunistic website encryption is by using self-signed certificates, but this causes browsers to display a warning each time the website is visited unless the user imports the website's certificate into their browser.

Opportunistic encryption - Websites
There are add-ons for Firefox called HTTPS Everywhere by EFF and HTTPSfinder. These addons find and automatically switch the connection to HTTPS when possible.

Cryptography - Forced disclosure of encryption keys
Key disclosure law

In the United Kingdom, the Regulation of Investigatory Powers Act gives UK police the powers to force suspects to decrypt files or hand over passwords that protect encryption keys. Failure to comply is an offence in its own right, punishable on conviction by a two-year jail sentence or up to five years in cases involving national security. Successful prosecutions have occurred under the Act; the first in 2009, resulting in a term of 13 months' imprisonment.

Similar forced disclosure laws in Australia, Finland, France, and India compel individual suspects under investigation to hand over encryption keys or passwords during a criminal investigation (see Key disclosure law).

In the United States, the federal criminal case of United States v. Fricosu addressed whether a person can be compelled to reveal his or her encryption passphrase or password, despite the U.S. Constitution's Fifth Amendment protection against self-incrimination. In 2012, the court ruled that under the All Writs Act, the defendant was required to produce an unencrypted Hard Drive.

In many jurisdictions, the legal status of forced disclosure remains unclear.

Microsoft Point-to-Point Encryption
Microsoft Point-to-Point Encryption (MPPE) is a protocol for encrypting data across Point-to-Point Protocol (PPP) and virtual private network (VPN) links. It uses the RSA RC4 encryption algorithm. MPPE supports 40-bit, 56-bit and 128-bit session keys, which are changed frequently to improve security. The exact frequency that the keys are changed is negotiated, but may be as frequent as every packet.

MPPE alone does not compress or expand data, but the protocol is often used in conjunction with Microsoft Point-to-Point Compression which compresses data across PPP or VPN links.

Negotiation of MPPE happens within the Compression Control Protocol (CCP), a subprotocol of PPP. This can lead to incorrect belief that it is a compression protocol.

Data masking - Encryption
The encryption algorithm often requires that a "key" be applied to view the data based on user rights

The data encryption method of masking requires extensive design and testing to ensure that the method is fit for purpose for your data type and application

Recently, the problem of encrypting data while preserving the properties of the entities got a recognition and newly acquired interest among the vendors and academia. New challenge gave birth to algorithms called FPE ( format preserving encryption). They are based on the accepted AES algorithmic mode that makes them being recognized by NIST.

Session Initiation Protocol - Encryption
The increasing concerns about security of calls that run over the public Internet has made SIP encryption more popular

Wi-Fi Protected Access - Encryption protocol
The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. Used by WPA.

CCMP (Counter Cipher Mode with block chaining message authentication code Protocol)

An AES-based encryption mechanism that is stronger than TKIP. Used by WPA2. Among informal names are "AES" and "AES-CCMP". According to the n specification, this encryption protocol must be used to achieve the fast n high bitrate schemes, though not all implementations enforce this. Otherwise, the data rate will not exceed 54 MBit/s.

Wired Equivalent Privacy - Encryption details
WEP was included as the privacy component of the original IEEE standard ratified in September WEP uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity. It was deprecated in 2004 and is documented in the current standard.

Standard 64-bit WEP uses a 40 bit key (also known as WEP-40), which is concatenated with a 24-bit initialization vector (IV) to form the RC4 key. At the time that the original WEP standard was drafted, the U.S. Government's export restrictions on cryptographic technology limited the key size. Once the restrictions were lifted, manufacturers of access points implemented an extended 128-bit WEP protocol using a 104-bit key size (WEP-104).

A 64-bit WEP key is usually entered as a string of 10 hexadecimal (base 16) characters (0-9 and A-F)

A 128-bit WEP key is usually entered as a string of 26 hexadecimal characters. Twenty-six digits of four bits each gives 104 bits; adding the 24-bit IV produces the complete 128-bit WEP key. Most devices also allow the user to enter it as 13 ASCII characters.

A 256-bit WEP system is available from some vendors. As with the other WEP-variants 24 bits of that is for the IV, leaving 232 bits for actual protection. These 232 bits are typically entered as 58 hexadecimal characters. ((58 × 4 bits =) 232 bits) + 24 IV bits = 256-bit WEP key.

Key size - Key size and encryption system
Encryption systems are often grouped into families. Common families include symmetric systems (e.g. AES) and asymmetric systems (e.g. RSA); they may alternatively be grouped according to the central algorithm used (e.g. elliptic curve cryptography).

As each of these is of a different level of cryptographic complexity, it is usual to have different key sizes for the same level of security, depending upon the algorithm used. For example, the security available with a 1024-bit key using asymmetric RSA is considered approximately equal in security to an 80-bit key in a symmetric algorithm (Source: RSA Security).

The actual degree of security achieved over time varies, as more computational power and more powerful mathematical analytic methods become available

McEliece cryptosystem - Message encryption
Suppose Bob wishes to send a message m to Alice whose public key is :

McEliece cryptosystem - Message encryption
Bob computes the ciphertext as .

Google Talk - Encryption
It is possible to have end-to-end encryption over the Google Talk network using Off-the-Record Messaging|OTR (off-the-record) encryption using other chat clients like Adium (for Mac) or Pidgin (software)|Pidgin (for Linux and Windows).

Google Talk - Encryption
Google's version of Off the Record is not Off-the-Record Messaging|OTR (off-the-record) encryption. Enabling Off the record inside Gmail's Chat turns off logging of messages, but does not enable encryption.

BlackBerry PlayBook - Encryption
Because BlackBerry Bridge accesses mail, calendar, and contacts directly from a tethered BlackBerry phone, the PlayBook meets the same encryption standards as the BlackBerry phone. Some cryptographic components of the BlackBerry OS (kernels, cryptography-related OS and Java modules) are certified under FIPS 140-2, which makes the tablet eligible for use by U.S. federal government agencies.

BlackBerry PlayBook - Encryption
The BlackBerry PlayBook OS2.1 update in September 2012 enabled full-disk encryption on the device, using the same algorithm as previously used that had been limited to the Enterprise kernel handling the tethered content from a paired BlackBerry phone.

Digg - AACS encryption key controversy
Although some users defended Digg's actions, as a whole the community staged a widespread revolt with numerous articles and comments being made using the encryption key

Government Communications Headquarters - Public key encryption
Early in the 1970s, the asymmetric key algorithm was invented by staff member Clifford Cocks, a mathematics graduate. This fact was kept secret until (originally published in The Sunday Telegraph)

Verifiable computing - An example scheme based on Fully homomorphic encryption
Gennaro et al. defined a verifiable computation scheme for any function F using Yao’s Garbled CircuitA. Yao (1982). Protocols for secure computations. In Proceedings of the IEEE Symposium on Foundations of Computer Science, pp A. Yao (1986). How to generate and exchange secrets. In Proceedings of the IEEE Symposium on Foundations of Computer Science, pp combined with a Fully homomorphic encryption|fully homomorphic encryption system.

This verifiable computation scheme 'VC' is defined as follows:
Verifiable computing - An example scheme based on Fully homomorphic encryption This verifiable computation scheme 'VC' is defined as follows:

'VC = (KeyGen, ProbGen, Compute, Verify)' consists of four algorithms as follows:

# 'KeyGen(F, λ) → (PK, SK)': The randomized Key generation|key generation algorithm generates two keys, public and private, based on the security parameter λ. The public key encodes the target function F and is sent to the worker to compute F. On the other hand, the secret key is kept private by the client.

# 'ProbGenSK(x) → (σx, τx)': The problem generation algorithm encodes the function input x into two values, public and private, using the secret key SK. The public value σx is given to the worker to compute F(x) with, while the secret value τx is kept private by the client.

# 'ComputePK(σx) → σy': The worker computes an encoded value σy of the function’s output y = F(x) using the client’s public key PK and the encoded input σx.

# 'VerifySK(τx,σy) → y ∪ ⊥': The verification algorithm converts the worker’s encoded output σy into the actual output of the function F using both the secret key SK and the secret “decoding” τx. It outputs y = F(x) if the σy represents a valid output of F on x, or outputs ⊥ otherwise.

The protocol of the verifiable computations scheme defined by Gennaro et al. works as follows:

The homomorphic properties of the encryption scheme enable the worker to obtain an encryption of the correct output wire

The definition of the verifiable computation scheme states that the scheme should be both correct and secure

RSA (algorithm) - Encryption
Alice and Bob|Alice transmits her public key to Alice and Bob|Bob and keeps the private key secret. Bob then wishes to send message to Alice.

He first turns into an integer , such that mvar|0≤m c \equiv m^e \pmod .

This can be done quickly using the method of exponentiation by squaring. Bob then transmits to Alice.

Note that at least nine values of will yield a ciphertext equal to ,

Namely, the values of m which are equal to -1, 0, or 1 modulo p while also equal to -1, 0, or 1 modulo q. There will be more values of m having c=m if p-1 or q-1 has other divisors in common with e-1 besides 2 because this gives more values of m such that m^\textp\text=1 or m^\textq\text=1 respectively.

but this is very unlikely to occur in practice.

In the United Kingdom, the Regulation of Investigatory Powers Act 2000|Regulation of Investigatory Powers Act gives UK police the powers to force suspects to decrypt files or hand over passwords that protect encryption keys

In the United States, the federal criminal case of United States v. Fricosu addressed whether a person can be compelled to reveal his or her encryption passphrase or password, despite the U.S. Constitution's Fifth Amendment to the United States Constitution|Fifth Amendment protection against self-incrimination. In 2012, the court ruled that under the All Writs Act, the defendant was required to produce an unencrypted Hard Drive.

QR code - Encryption Encrypted QR codes, which are not very common, have a few implementations. An Android (Operating System)|Android app, for example, manages encryption and decryption of QR codes using the Data Encryption Standard|DES algorithm (56 bits). The Japanese immigration system uses encrypted QR codes when issuing visa in passports as shown in the figure here.

BitTorrent (protocol) - Throttling and encryption
Protocol header encrypt (PHE) and BitTorrent protocol encryption|Message stream encryption/Protocol encryption (MSE/PE) are features of some BitTorrent clients that attempt to make BitTorrent hard to detect and throttle. At the moment Vuze, Bitcomet, KTorrent, Transmission (BitTorrent client)|Transmission, Deluge (BitTorrent client)|Deluge, µTorrent, MooPolice, Halite, rTorrent and the latest official BitTorrent client (v6) support MSE/PE encryption.

BitTorrent (protocol) - Throttling and encryption
Reports in August 2007 indicated that Comcast was preventing BitTorrent seeding by monitoring and interfering with the communication between peers

Computer networks - End to end encryption
End-to-end encryption generally includes protections of both confidentiality and data integrity|integrity.

Examples of end-to-end encryption include Pretty Good Privacy|PGP for , Off-the-Record Messaging|OTR for instant messaging, ZRTP for telephony, and Terrestrial Trunked Radio|TETRA for radio.

Some systems which normally offer end-to-end encryption have been discovered to contain a Backdoor (computing)|back door, which causes negotiation of the encryption key between the communicating parties to be subverted, for example Skype.

The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves, such as the Exploit (computer security)|technical exploitation of Client (computing)|clients, poor quality random number generators, or key escrow. E2EE also does not address traffic analysis which relates to things such as the identities of the end points and the times and quantities of messages that are sent.

Namely, the values of m which are equal to −1, 0, or 1 modulo p while also equal to −1, 0, or 1 modulo q. There will be more values of m having c = m if p − 1 or q − 1 has other divisors in common with e − 1 besides 2 because this gives more values of m such that m^\textp\text = 1 or m^\textq\text = 1 respectively.

Data Encryption Standard
The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny

In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES)

Some documentation makes a distinction between DES as a standard and DES as an algorithm, referring to the algorithm as the 'DEA' ('Data Encryption Algorithm').

Data Encryption Standard - History of DES
The origins of DES go back to the early 1970s

Data Encryption Standard - NSA's involvement in the design
On 17 March 1975, the proposed DES was published in the Federal Register

where \overline is the bitwise complement of x. E_K denotes encryption with key K. P and C denote plaintext and ciphertext blocks respectively. The complementation property means that the work for a brute force attack could be reduced by a factor of 2 (or a single bit) under a chosen-plaintext attack|chosen-plaintext assumption. By definition, this property also applies also to TDES cipher.

DES also has four so-called Weak key#Weak_keys_in_DES|weak keys. Encryption (E) and decryption (D) under a weak key have the same effect (see involution (mathematics)|involution):

:E_K(E_K(P)) = P or equivalently, E_K = D_K.

:E_(E_(P)) = P or equivalently, E_ = D_.

It is easy enough to avoid the weak and semiweak keys in an implementation, either by testing for them explicitly, or simply by choosing keys randomly; the odds of picking a weak or semiweak key by chance are negligible. The keys are not really any weaker than any other keys anyway, as they do not give an attack any advantage.

DES has also been proved not to be a group (mathematics)|group, or more precisely, the set \ (for all possible keys K) under functional composition is not a group, nor close to being a group.[ Campbell and Wiener, 1992] This was an open question for some time, and if it had been the case, it would have been possible to break DES, and multiple encryption modes such as Triple DES would not increase the security.

It is known that the maximum cryptographic security of DES is limited to about 64 bits, even when independently choosing all round subkeys instead of deriving them from a key, which would otherwise permit a security of 768 bits.

Data Encryption Standard - Replacement algorithms
Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include RC5, Blowfish (cipher)|Blowfish, International Data Encryption Algorithm|IDEA, NewDES, SAFER, CAST5 and FEAL

GDES was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.

In 2001, after an international competition, NIST selected a new cipher, the Advanced Encryption Standard (AES), as a replacement

Pretty Good Privacy - PGP Corporation encryption applications
PGP encryption applications include and attachments, digital signatures, laptop full disk encryption, file and folder security, protection for IM sessions, batch file transfer encryption, and protection for files and folders stored on network servers and, more recently, encrypted and/or signed HTTP request/responses by means of a client side (Enigform) and a server side (mod openpgp) module

The PGP Desktop 9.x family includes PGP Desktop , PGP Whole Disk Encryption, and PGP NetShare. Additionally, a number of Desktop bundles are also available. Depending on application, the products feature desktop , digital signatures, IM security, whole disk encryption, file and folder security, Self-Decrypting Archive|self decrypting archives, and secure shredding of deleted files. Capabilities are licensed in different ways depending on features required.

It is used for automated encryption in the gateway and manages PGP Desktop 9.x clients

The PGP Universal server automates the creation, management, and expiration of keys, sharing these keys among all PGP encryption applications.

The Symantec PGP platform has now undergone a rename. PGP Desktop is now known as Symantec Encryption Desktop, and the PGP Universal Server is now known as Symantec Encryption Server. The current shipping versions are Symantec Encryption Desktop (Windows and Mac OS platforms) and Symantec Encryption Server

Also available are PGP Command Line, which enables command line-based encryption and signing of information for storage, transfer, and backup, as well as the PGP Support Package for BlackBerry which enables RIM BlackBerry devices to enjoy sender-to-recipient messaging encryption.

New versions of PGP applications use both OpenPGP and the S/MIME, allowing communications with any user of a NIST specified standard.

Cryptographic software - Encryption
Encryption software executes an algorithm that is designed to encrypt computer data in such a way that it cannot be recovered without access to the key. Software encryption is a fundamental part of all aspects of modern computer communication and file protection and may include features like file shredding.

Cryptographic software - Encryption
The purpose of encryption is to prevent third parties from recovering the original information. This is particularly important for sensitive data like Creditcard numbers.

Cryptographic software - Encryption choices
The more popular options were submitted to the National Institute of Standards and Technology or NIST for the 'Advanced Encryption Standard' (Advanced Encryption Standard|AES) competition

Cryptographic software - Choosing encryption
There are several factors that affect the choice of an encryption algorithm including speed and security. The simplest method would be an XOR operation, with a constant value k, of each byte of plain text b, to produce a cipher value c.

Ciphers can be categorized into two general types: Public-key cryptography|public key ciphers and symmetric key algorithm|symmetric key ciphers.

That is, encryption with one member of a key pair is only easily reversed (decrypted) using the other member of the pair

Symmetric key ciphers (also referred to as secret key ciphers) are called such because the same key is used for both encryption and decryption. Thus, in order for messages encrypted with a symmetric key cipher to remain secure, the key used must remain secret. Symmetric key ciphers can be further subdivided into stream ciphers and block ciphers.

Stream ciphers typically encrypt plaintext a bit or byte at a time, and are most commonly used to encipher real-time communications, such as audio and video information. The key is used to establish the initial state of a key-stream generator, and the output of that generator is used to encrypt the plaintext.

A common mistake made by amateur cryptographers is the assumption that because the method is secret, the cipher is secure. This is not usually true. Many home grown encryption algorithms reveal the key quite easily when fed a string of identical bytes (e.g., Null character|nulls).

The purpose of disseminating an encryption method is to allow the community to evaluate it. If it is indeed secure, then its power lies in the fact that its method has been subjected to scrutiny and found to be sound, not that it is secret.

IEEE P1363 - Encryption schemes
* 'DL/ECIES' (Discrete Logarithm/Elliptic Curve Integrated Encryption Scheme): Essentially the DHAES variant of ElGamal encryption.

User agent - Encryption strength notations
Following the lifting of export of cryptography in the United States#PC era|export restrictions, most vendors supported 256-bit encryption.

Authenticated encryption
'Authenticated Encryption (AE)' is a block cipher mode of operation which simultaneously provides confidentiality, data integrity|integrity and authentication|authenticity assurances on the data. These attributes are provided under single, easy to use Application programming interface|programming interface and decryption is combined in single step with integrity validation.

The need for AE emerged from observation that securely compositing a Block cipher modes of operation|confidentiality mode with an Block cipher modes of operation|authentication mode could be error prone and difficult.people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC), in: it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes, in: This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack of, authentication (including Transport Layer Security|SSL/TLS).

Six different authenticated encryption modes (namely OCB mode|OCB 2.0, Key Wrap, CCM mode|CCM, EAX mode|EAX, Encrypt-then-MAC (EtM), and Galois/Counter Mode|GCM) have been standardized in ISO/IEC 19772:2009. More were developed in response to NIST solicitation. Sponge functions can be used in duplex mode to provide authenticated encryption.

Typical Application programming interface|programming interface of AE mode implementation would provide the following functions:

** Input: plaintext, key and optionally a header — in plaintext, that will not be encrypted, but will be covered by authenticity protection;

** Output: ciphertext and authentication tag (Message Authentication Code)

** Input: ciphertext, key, authentication tag and optionally header;

** Output: plaintext or error, if authentication tag did not match supplied ciphertext and header

The header part is intended to provide authenticity and integrity protection for metadata used for networking or storage purposes, which does not need to be confidential but its authenticity is desired.

This in turn prevents the attacker from requesting the decryption of any ciphertext unless he generated it correctly using the encryption algorithm, which would imply that he already knows the plaintext

However, authenticated encryption can be generically constructed by combining an encryption scheme and a Message Authentication Code (MAC), provided that the encryption scheme is semantic security|semantically secure under chosen plaintext attack and the MAC function is unforgeable under chosen message attack

In 2013 a competition has been announced to encourage design of authenticated encryption modes.

Authenticated encryption - Approaches to Authenticated Encryption
* 'Encrypt-then-Mac (EtM)': The standard method according to ISO/IEC 19772:2009. This is the only method which can reach the highest definition of security in AE, this can only be achieved when the MAC used is Strongly Unforgeable

* 'Encrypt-and-Mac (EM)': Used in eg. SSH and Grain 128a. Even though the EM approach has not been proved to be strongly unforgeable in itself, it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach.

* 'Mac-then-Encrypt (MtE)': Used in eg. SSL/TLS. Even though the MtE approach has not been proven to be strongly unforgeable in itself, the SSL/TLS implementation has been proved to be strongly unforgeable by Krawczyk who showed that SSL/TLS was in fact secure because of the encoding used alongside the MtE mechanism.

Real Time Messaging Protocol - Encryption
RTMP sessions may be encrypted using either of two methods:

* Using industry standard Transport Layer Security|TLS/SSL mechanisms. The underlying RTMP session is simply wrapped inside a normal TLS/SSL session.

* Using RTMPE, which wraps the RTMP session in a lighter-weight encryption layer.

It is generally understood that the TLS/SSL handshake at the beginning of a session is very computationally intensive

Astro (Malaysian satellite television) - Encryption
Since its launch, Astro transmits programming with encryption to mitigate pirate decryption|signal piracy. The receiver (also known as an IRD, or integrated receiver-decoder) utilizes ISO/IEC 7816 smart cards which tell the receiver how to decrypt the programming for viewing. Astro is now utilizing a third generation of access smart cards.

* The first generation of smart cards were used until The encryption uses the Nagra France|SECA Mediaguard.

* The second generation of smart cards were introduced in 2004 and used until The encryption uses the improved version of Mediaguard.

* The third generation of smart cards were introduced in This is the current standard issue smart card. It uses the NDS Group|NDS VideoGuard encryption system.

BitLocker Drive Encryption
By default it uses the Advanced Encryption Standard|AES encryption algorithm in Cipher block chaining|CBC mode with a 128-bit or 256-bit key, combined with the Elephant diffuser for additional disk encryption-specific security not provided by AES

BitLocker Drive Encryption - Availability
Users of other versions of Windows that do not include BitLocker can use a third-party encryption program to satisfy the need for full disk encryption (see comparison of disk encryption software)

The latest version of BitLocker, included in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012, adds the ability to encrypt removable drives. These can be read, but not written to, by Windows XP using Microsoft BitLocker To Go Reader program if using the exFAT, FAT32 or FAT16 filesystems.

While device encryption is offered on all versions of 8.1, unlike BitLocker, device encryption on x86-based devices requires that the device meet the Connected Standby specifications (which among other requirements, requires that the device use solid state drive|solid state storage and have RAM soldered directly to the motherboard to protect against cold boot attacks) and have a TPM 2.0 chip.

BitLocker Drive Encryption - Overview
There are three authentication mechanisms that can be used as building blocks to implement BitLocker encryption:

The key used for disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified

*'User authentication mode': This mode requires that the user provide some authentication to the pre-boot environment in the form of a pre-boot Personal identification number|PIN. This mode is vulnerable to a bootkit attack.

*'USB Key Mode': The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment. This mode is also vulnerable to a bootkit attack.

*'Recovery password': A numerical key protector for recovery purposes

*'Certificate': Adds a certificate-based public key protector for recovery purposes

The following combinations of the above authentication mechanisms are supported, all with an optional Source code escrow|escrow recovery key:

BitLocker Drive Encryption - Operation
Contrary to the official name, BitLocker Drive Encryption is a logical volume (computing)|volume encryption system. A volume may or may not be an entire hard disk drive|drive, or it can span one or more physical drives. Also, when enabled, TPM and BitLocker can ensure the integrity of the trusted boot path (e.g. BIOS, boot sector, etc.), in order to prevent most offline physical attacks, boot sector malware, etc.

In order for BitLocker to operate, at least two NTFS-formatted volume (computing)|volumes are required: one for the operating system (usually C:) and another with a minimum size of 100MB from which the operating system booting|boots

Once an alternate boot partition has been created, the TPM module needs to be initialized (assuming that this feature is being used), after which the required disk encryption key protection mechanisms such as TPM, PIN or USB key are configured

The Microsoft Encrypting File System (EFS) may be used in conjunction with BitLocker to provide protection once the kernel (computer science)|operating system kernel is running. Protection of the files from processes and users within the operating system can only be performed using encryption software that operates within Windows, such as EFS. BitLocker and EFS, therefore, offer protection against different classes of attacks.

In Active Directory environments, BitLocker supports optional key escrow to Active Directory, although a schema update may be required for this to work (i.e. if the Active Directory Services are hosted on a Windows version previous to Windows Server 2008).

BitLocker and other full disk encryption systems can be attacked by a bootkit|rogue bootmanager

BitLocker Drive Encryption - Security concerns
Microsoft engineers have said that FBI agents also put pressure on them in numerous meetings in order to add a back door, although no formal, written request was ever made; Microsoft engineers eventually suggested to the FBI that agents should look for the hard-copy of the key that the BitLocker program suggests its users to make.[ Did the FBI Lean On Microsoft for Access to Its Encryption Software?] Although the AES encryption algorithm used in BitLocker is in the public domain, its implementation in BitLocker, as well as other components of the software, are proprietary software|proprietary; however, the code is available for scrutiny by Microsoft partners and enterprises, subject to a non-disclosure agreement.

The Transparent operation mode and User authentication mode of BitLocker use TPM hardware to detect if there are unauthorized changes to the pre-boot environment, including the BIOS and Master boot record|MBR. If any unauthorized changes are detected, BitLocker requests a recovery key (cryptography)|key on a USB device. This cryptographic secret is used to decrypt the Volume Master Key (VMK) and allow the booting|bootup process to continue.

The authors recommend that computers be powered down when not in physical control of the owner (rather than be left in a power management|sleep state) and that the encryption software be configured to require a password to boot the machine.

Once a BitLocker-protected machine is running, its keys are stored in memory where they may be susceptible to attack by a process that is able to access physical memory, for example, through a IEEE 1394|1394 or Thunderbolt (interface)|Thunderbolt Direct memory access|DMA channel. Any cryptographic material in memory is at risk from this attack, which therefore is not specific to BitLocker.

Galois/Counter Mode - Encryption and authentication
The authentication tag is constructed by feeding blocks of data into the GHASH function, and encrypting the result. This GHASH function is defined by

where H is a string of 128 zeros encrypted using the block cipher, A is data which is only authenticated (not encrypted), C is the ciphertext, m is the number of 128 bit blocks in A, n is the number of 128 bit blocks in C (the final blocks of A and C need not be exactly 128 bits), and the variable Xi for i=0,...,m+n+1 is defined as Note that there is a typo in the formulas in the article.

(X_ \oplus A_i) \cdot H \texti=1,\ldots, m-1 \\

(X_ \oplus (A^*_m\lVert0^)) \cdot H \texti=m \\

(X_ \oplus (\operatorname(A)\lVert \operatorname(C))) \cdot H \texti=m+n+1 \\

where v is the bit length of the final block of A, u is the bit length of the final block of C, and \lVert denotes concatenation of bit strings. Note that this is an iterative algorithm: each Xi depends on Xi-1, and only the final Xi is retained as output.

GCM mode was designed by John Viega and David A. McGrew as an improvement to Carter–Wegman Counter CWC mode.

On November 26, 2007 NIST announced the release of NIST Special Publication D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC making GCM and GMAC official standards.

Disk encryption 'Disk encryption' is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. 'Disk encryption' uses disk encryption software or disk encryption hardware|hardware to encryption|encrypt every bit of data that goes on a disk storage|disk or disk volume (computing)|volume. Disk encryption prevents unauthorized access to data storage.

Disk encryption Some hardware-based full disk encryption systems can truly encrypt an entire boot disk, including the MBR.

Disk encryption - Disk encryption vs. filesystem-level encryption
Conventional file and folder encryption instead allows different keys for different portions of the disk

Disk encryption - Disk encryption vs. filesystem-level encryption
Unlike disk encryption, filesystem-level encryption does not typically encrypt filesystem metadata, such as the directory structure, file names, modification timestamps or sizes.

Disk encryption - Disk encryption and Trusted Platform Module
Trusted Platform Module (TPM) is a secure cryptoprocessor embedded in the motherboard that can be used to authentication|authenticate a hardware device. Since each TPM chip is unique to a particular device, it is capable of performing platform authentication. It can be used to verify that the system seeking the access is the expected system.

A limited number of disk encryption solutions have support for TPM. These implementations can wrap the decryption key using the TPM, thus tying the hard disk drive (HDD) to a particular device. If the HDD is removed from that particular device and placed in another, the decryption process will fail. Recovery is possible with the decryption password or security token|token.

Although this has the advantage that the disk cannot be removed from the device, it might create a single point of failure in the encryption. For example, if something happens to the TPM or the motherboard, a user would not be able to access the data by connecting the Hard Drive to another computer, unless that user has a separate recovery key.

Disk encryption - Implementations
Furthermore the media-encryption key never leaves the device itself and is therefore not available to any virus in the Operating System

Disk encryption - Password/data recovery mechanism
Secure and safe recovery mechanisms are essential to the large-scale deployment of any disk encryption solutions in an enterprise. The solution must provide an easy but secure way to recover passwords (most importantly data) in case the user leaves the company without notice or forgets the password.

Disk encryption - Challenge/response password recovery mechanism
Challenge-response authentication|Challenge/Response password recovery mechanism allows the password to be recovered in a secure manner. It is offered by a limited number of disk encryption solutions.

# No need for the user to carry a disc with recovery encryption key.

# No secret data is exchanged during the recovery process.

# Does not require a network connection, i.e. it works for users that are at a remote location.

Disk encryption - Emergency Recovery Information (ERI) file password recovery mechanism
An Emergency Recovery Information (ERI) file provides an alternative for recovery if a challenge response mechanism is unfeasible due to the cost of helpdesk operatives for small companies or implementation challenges.

# Small companies can use it without implementation difficulties
Disk encryption - Emergency Recovery Information (ERI) file password recovery mechanism # Small companies can use it without implementation difficulties

Disk encryption - Security concerns
Most full disk encryption schemes are vulnerable to a cold boot attack, whereby encryption key (cryptography)|keys can be stolen by cold-booting a machine already running an Operating System, then dumping the contents of static random access memory|memory before the data disappears

All software-based encryption systems are vulnerable to various side channel attacks such as acoustic cryptanalysis and hardware keyloggers.

In contrast, self-encrypting drives are not vulnerable to these attacks since the hardware encryption key never leaves the disk controller.

Disk encryption - Benefits
Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of disk encryption:

# Nearly everything including the swap space and the temporary files is encrypted. Encrypting these files is important, as they can reveal important confidential data. With a software implementation, the bootstrapping code cannot be encrypted however. (For example, BitLocker Drive Encryption leaves an unencrypted volume (computing)|volume to booting|boot from, while the volume containing the Operating System is fully encrypted.)

# With full disk encryption, the decision of which individual files to encrypt is not left up to users' discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.

# Immediate data destruction, as simply destroying the cryptography keys renders the contained data useless. However, if security towards future attacks is a concern, data remanence|purging or physical destruction is advised.

Disk encryption - The boot key problem
Some implementations such as BitLocker Drive Encryption can make use of hardware such as a Trusted Platform Module to ensure the integrity of the boot environment, and thereby frustrate attacks that rootkit#Boot loader level|target the boot loader by replacing it with a modified version

With a Pre-Boot Authentication environment, the key used to encrypt the data is not decrypted until an external key is input into the system.

Solutions for storing the external key include:

* Using a biometric authentication method such as a fingerprint

* Using a dongle to store the key, assuming that the user will not allow the dongle to be stolen with the laptop or that the dongle is encrypted as well.

* Using a boot-time driver that can ask for a password from the user

* Using a network interchange to recover the key, for instance as part of a Preboot Execution Environment|PXE boot

* Using a Trusted Platform Module|TPM to store the decryption key, preventing unauthorized access of the decryption key or subversion of the boot loader.

* Use a combination of the above

All these possibilities have varying degrees of security, however most are better than an unencrypted disk.

X10 (industry standard) - Interference and lack of encryption
The standard X10 power line and RF protocols lack support for encryption, and can only address 256 devices. Unfiltered power line signals from close neighbors using the same X10 device addresses may interfere with each other. Interfering RF wireless signals may similarly be received, with it being easy for anyone nearby with an X10 RF remote to wittingly or unwittingly cause mayhem if an RF to power line device is being used on a premises.

Comparison of disk encryption software
This is a technical feature 'comparison of different disk encryption software'.

Comparison of disk encryption software - Features
* 'Hidden containers': Whether hidden containers (an encrypted container (A) within another encrypted container (B) so the existence of container A can not be established)[ Hidden containers description from Jetico (BestCrypt) can be created for deniable encryption. Note that some Block cipher modes of operation|modes of operation like CBC with a plain IV can be more prone to watermarking attacks than others.

* 'Pre-boot authentication': Whether authentication can be required before booting the computer, thus allowing one to encrypt the boot disk.

* 'Custom authentication': Whether custom authentication mechanisms can be implemented with third-party applications.

* 'Multiple keys': Whether an encrypted volume can have more than one active Key (cryptography)|key.

* 'Passphrase strengthening': Whether key strengthening is used with plain text passwords to frustrate dictionary attacks, usually using PBKDF2.

* 'Trusted Platform Module': Whether the implementation can use a TPM cryptoprocessor.

* 'Filesystems': what filesystems are supported.

* 'Two-factor authentication': Whether optional security tokens (Hardware Security Module|hardware security modules, such as Aladdin eToken and smart cards) are supported (for example using PKCS11|PKCS#11)

Comparison of disk encryption software - Layering
* 'Whole disk': Whether the whole physical disk or logical volume can be encrypted, including the partition tables and master boot record. Note that this does not imply that the encrypted disk can be used as the boot disk itself; refer to pre-boot authentication in the features comparison table.

* 'Partition': Whether individual disk partitions can be encrypted.

* 'File': Whether the encrypted container can be stored in a file (usually implemented as encrypted loop devices).

* 'Swap space': Whether the swap space (called a pagefile on Windows) can be encrypted individually/explicitly.

* 'Hibernation file': Whether the Hibernate (OS feature)|hibernation file is encrypted (if hibernation is supported).

Comparison of disk encryption software - Modes of operation
Different modes of operation supported by the software. Note that an encrypted volume can only use one mode of operation.

* 'CBC with predictable IVs': The CBC (cipher block chaining) mode where initialization vectors are statically derived from the sector number and are not secret; this means that IVs are re-used when overwriting a sector and the vectors can easily be guessed by an attacker, leading to watermarking attacks.

* 'CBC with secret IVs': The CBC mode where initialization vectors are statically derived from the encryption key and sector number. The IVs are secret, but they are re-used with overwrites. Methods for this include ESSIV and encrypted sector numbers (CGD).

* 'CBC with random per-sector keys': The CBC mode where random keys are generated for each sector when it is written to, thus does not exhibit the typical weaknesses of CBC with re-used initialization vectors. The individual sector keys are stored on disk and encrypted with a master key. (See GBDE for details)

* 'LRW': The Liskov-Rivest-Wagner tweakable narrow-block mode, a mode of operation specifically designed for disk encryption. Superseded by the more secure XTS mode due to security concerns.IEEE P1619#LRW issue|LRW_issue

IEEE 802.22 - Encryption, authentication, and authorization
Only the Advanced Encryption Standard|AES-Galois/Counter Mode|GCM authenticated encryption cipher algorithm is supported.IEEE § 8.4.1, p. 281

EAP-TLS or EAP-TTLS must be used for authentication and encryption key derivation.IEEE § 8.1.2, p

This could allow for a type of Vendor lock-in|customer lock-in where the network providers refuse network access to devices that have not been vetted by manufacturers of the network providers' choice (i.e. the device must possess a private key of a X.509 certificate with a chain of trust to a manufacturer certificate authority (CA) that the network provider will accept), not unlike the SIM lock in modern cellular networks and DOCSIS certification testers in cable Internet access|cable networks.

IEEE P1619 - Narrow-block vs. wide-block encryption
An encryption algorithm used for data storage has to support independent encryption and decryption of portions of data

For these reasons, the working group selected the narrow-block (128 bits) encryption with no authentication in the standard P1619, assuming that the added efficiency warrants the additional risk. But recognizing that wide-block encryption might be useful in some cases, another project P has been started to study the usage of wide-block encryption.

The project is maintained by the IEEE Security in Storage Working Group (SISWG). Both the disk storage standard P1619 (sometimes called P1619.0) and the tape storage standard P were standardized in December 2007.

A discussion was ongoing on standardization of the wide-block encryption for disk drives, like Disk encryption theory#CMC and EME|CMC and EME as P1619.2, and on key management as P

Diffie–Hellman key exchange - Explanation including encryption mathematics
The simplest and the original implementation of the protocol uses the Multiplicative group of integers modulo n|multiplicative group of integers modulo p, where p is prime number|prime and g is primitive root modulo n|primitive root mod p. Here is an example of the protocol, with non-secret values in blue, and secret values in' red'. Small integers are used for clarity, but actual implementations require using much larger numbers to achieve security. See key length.

# Alice and Bob agree to use a prime number p = 23 and base g = 5.
Diffie–Hellman key exchange - Explanation including encryption mathematics # Alice and Bob agree to use a prime number p = 23 and base g = 5.

# Alice computes 's' = B'a' mod p
Diffie–Hellman key exchange - Explanation including encryption mathematics # Alice computes 's' = B'a' mod p

# Alice and Bob now share a secret (the number '2') because 6 × 15 is the same as 15 × 6.

Both Alice and Bob have arrived at the same value, because (ga)b and (gb)a are equal mod p. Note that only a, b, and (gab = gba mod p) are kept secret. All the other values – p, g, ga mod p, and gb mod p – are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel.

Of course, much larger values of a, b, and p would be needed to make this example secure, since there are only 23 possible results of n mod 23. However, if p is a prime of at least 300 digits, and a and b are at least 100 digits long, then even the fastest modern computers cannot find a given only g, p, gb mod p and ga mod p. The problem such a computer needs to solve is called the discrete logarithm problem.

Note that g need not be large at all, and in practice is usually a small prime (like 2, 3, 5...) because primitive roots usually are quite numerous.

Here's a more general description of the protocol, in which all the powers are computed modulo p:

# Alice and Bob agree on a finite cyclic group G and a Generating set of a group|generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all attackers.) We will write the group G multiplicatively.

# Alice picks a random natural number a and sends ga to Bob.
Diffie–Hellman key exchange - Explanation including encryption mathematics # Alice picks a random natural number a and sends ga to Bob.

# Bob picks a random natural number b and sends gb to Alice.
Diffie–Hellman key exchange - Explanation including encryption mathematics # Bob picks a random natural number b and sends gb to Alice.

Both Alice and Bob are now in possession of the group element gab, which can serve as the shared secret key. The values of (gb)a and (ga)b are the same because groups are Power-associativity|power associative. (See also exponentiation.)

In order to decrypt a message m, sent as mgab, Bob (or Alice) must first compute (gab)−1, as follows:

File hosting service - Data encryption
Key (cryptography)|Secret key encryption is sometimes referred to as Zero knowledge and means only the user has the encryption key needed to decrypt the data. Since data is encrypted using the secret key, identical files encrypted with different keys will be different. Secret key encryption is considered to offer the highest level of access security in cloud storage

Since secret key encryption results in unique files, it makes data deduplication impossible and therefore uses more storage space.Secure Data Deduplication, Mark W. Storer Kevin Greenan Darrell D. E. Long Ethan L. Miller

Convergent encryption derives the key from the file content itself and means an identical file encrypted on different computers result in identical encrypted files

By demonstrating to a court how applying the convergent encryption methodology to an unencrypted copyrighted file produces the same encrypted file as that possessed by the user would appear to make a strong case that the user is guilty of possessing the file in question and thus providing evidence of copyright infringement by the user.

There is, however, no easily accessible public record of this having being tried in court as of May 2013 and an argument could be made that, similar to the opinion expressed by Attorney Rick G

USB memory stick - Encryption and Security
As highly portable media, USB flash drives are easily lost or stolen. All USB flash drives can have their contents encrypted using third-party disk encryption software, which can often be run directly from the USB drive without installation (for example, FreeOTFE), although some, such as TrueCrypt, require the user to have administrative rights on every computer it's run on.

Archiving software can achieve a similar result by creating encrypted ZIP (file format)|ZIP or RAR files.

Some manufacturers have produced USB flash drives which use hardware-based encryption as part of the design,[ Hardware Encrypted Secure USB Flash Drive] removing the need for third-party encryption software. In limited circumstances these drives have been USB flash drive security#Compromised systems|shown to have security problems, and are typically more expensive than software-based systems, which are available for free.

A minority of flash drives support biometric fingerprinting to confirm the user's identity

Some manufacturers deploy Dongle|physical authentication tokens in the form of a flash drive. These are used to control access to a sensitive system by containing encryption keys or, more commonly, communicating with security software on the target machine. The system is designed so the target machine will not operate except when the flash drive device is plugged into it. Some of these PC lock devices also function as normal flash drives when plugged into other machines.

SMS Banking - Compensating controls for lack of encryption
The lack of encryption is inherent to the SMS banking channel and several banks that use it have overcome their fears by introducing compensating controls and limiting the scope of the SMS banking application to where it offers an advantage over other channels.

SMS Banking - Compensating controls for lack of encryption
Suppliers of SMS banking software solutions have found reliable means by which the security concerns can be addressed. Typically the methods employed are by pre-registration and using security tokens where the transaction risk is perceived to be high. Sometimes ATM type Personal identification number|PINs are also employed, but the usage of PINs in SMS banking makes the customer's task more cumbersome.

ISDB - Interfaces and Encryption
The ISDB specification describes a lot of (network) interfaces, but most importantly the Common Interface for Conditional Access System (CAS). While ISDB has examples of implementing various kinds of CASes, in Japan CAS called B-CAS is used. (ARIB STD-B25) defines the Common Scrambling Algorithm (CSA) system called MULTI2 required for (de-)scrambling television.

The ISDB CAS system in Japan is operated by a company named B-CAS; the CAS card is called B-CAS card. The Japanese ISDB signal is always encrypted by the B-CAS system even if it is a free television program. That is why it is commonly called Pay per view system without charge. An interface for mobile reception is under consideration.

ISDB supports RMP (Rights management and protection). Since all digital television (DTV) systems carry digital data content, a DVD or high-definition (HD) recorder could easily copy content losslessly.

Currently, the Japanese government is evaluating using the Digital Transmission Content Protection (DTCP) Encryption plus Non-Assertion mechanism, to allow making multiple copies of digital content between compliant devices.[ JEITA、地デジのコンテンツ保護策として暗号方式 EPN を提案:ニュース - CNET Japan]

Data encryption 'Cryptography' (or cryptology; from Ancient Greek|Greek , hidden, secret; and , graphein, writing, or , -logy|-logia, study, respectively)Liddell and Scott's Greek-English Lexicon

Data encryption Cryptography prior to the modern age was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense

Data encryption Modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary

Cryptology-related technology has raised a number of legal issues
Data encryption Cryptology-related technology has raised a number of legal issues

Data encryption - Terminology
Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks.

In colloquial use, the term code (cryptography)|code is often used to mean any method of encryption or concealment of meaning

Cryptanalysis is the term used for the study of methods for obtaining the meaning of encrypted information without access to the key normally required to do so; i.e., it is the study of how to crack encryption algorithms or their implementations.

Some use the terms cryptography and cryptology interchangeably in English, while others (including US military practice generally) use cryptography to refer specifically to the use and practice of cryptographic techniques and cryptology to refer to the combined study of cryptography and cryptanalysis.Oded Goldreich, Foundations of Cryptography, Volume 1: Basic Tools, Cambridge University Press, 2001, ISBN English is more flexible than several other languages in which cryptology (done by cryptologists) is always used in the second sense above

The study of characteristics of languages which have some application in cryptography (or cryptology), i.e. frequency data, letter combinations, universal patterns, etc., is called cryptolinguistics.

Data encryption - Computer era
Cryptanalysis of the new mechanical devices proved to be both difficult and laborious

Furthermore, computers allowed for the encryption of any kind of data representable in any binary format, unlike classical ciphers which only encrypted written language texts; this was new and significant

In recent times, IBM personnel designed the algorithm that became the Federal (i.e., US) Data Encryption Standard; Whitfield Diffie and Martin Hellman published Diffie-Hellman|their key agreement algorithm;Whitfield Diffie and Martin Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol

As well as being aware of cryptographic history, cryptographic algorithm and system designers must also sensibly consider probable future developments while working on their designs

Essentially, prior to the early 20th century, cryptography was chiefly concerned with language|linguistic and lexicographic code|lexicographic patterns

Data encryption - Cryptanalysis
The goal of cryptanalysis is to find some weakness or insecurity in a cryptographic scheme, thus permitting its subversion or evasion.

It is a common misconception that every encryption method can be broken

There are a wide variety of cryptanalytic attacks, and they can be classified in any of several ways

Cryptanalysis of symmetric-key ciphers typically involves looking for attacks against the block ciphers or stream ciphers that are more efficient than any attack that could be against a perfect cipher

Thus, other things being equal, to achieve an equivalent strength of attack resistance, factoring-based encryption techniques must use larger keys than elliptic curve techniques

While pure cryptanalysis uses weaknesses in the algorithms themselves, other attacks on cryptosystems are based on actual use of the algorithms in real devices, and are called side-channel attacks

Data encryption - Cryptographic primitives
Much of the theoretical work in cryptography concerns cryptographic primitive|cryptographic primitives—algorithms with basic cryptographic properties—and their relationship to other cryptographic problems

Data encryption - Prohibitions
Cryptography has long been of interest to intelligence gathering and law enforcement agency|law enforcement agencies

In some countries, even the domestic use of cryptography is, or has been, restricted

However, as the Internet grew and computers became more widely available, high quality encryption techniques became well-known around the globe

Data encryption - Export controls
After the source code for Philip Zimmermann's Pretty Good Privacy (PGP) encryption program found its way onto the Internet in June 1991, a complaint by RSA Security (then called RSA Data Security, Inc.), resulted in a lengthy criminal investigation of Zimmermann by the U.S

Daniel J

The treaty stipulated that the use of cryptography with short key-lengths (56-bit for symmetric encryption, 512-bit for RSA) would no longer be export-controlled

Data encryption - NSA involvement
The NSA was involved with the design of Data Encryption Standard|DES during its development at IBM and its consideration by the National Bureau of Standards as a possible Federal Standard for cryptography.[ The Data Encryption Standard (DES)] from Bruce Schneier's CryptoGram newsletter, June 15, 2000 DES was designed to be resistant to differential cryptanalysis,

a powerful and general cryptanalytic technique known to the NSA and IBM, that became publicly known only when it was rediscovered in the late 1980s.Eli Biham|E

Another instance of the NSA's involvement was the 1993 Clipper chip affair, an encryption microchip intended to be part of the Capstone (cryptography)|Capstone cryptography-control initiative

Data encryption - Digital rights management
Cryptography is central to digital rights management (DRM), a group of techniques for technologically controlling use of copyrighted material, being widely implemented and deployed at the behest of some copyright holders

Data encryption - Digital rights management
In 2007, the cryptographic keys responsible for Blu-ray and HD DVD content scrambling were AACS encryption key controversy|discovered and released onto the Internet

Encrypted - Symmetric key encryption
In Symmetric-key algorithm|Symmetric-key schemes, the encryption and decryption keys are the same. Thus communicating parties must agree on a secret key before they wish to communicate.

Encrypted - Public key encryption
Public-key encryption is a relatively recent invention: historically, all encryption schemes have been symmetric-key (also called private-key) schemes.

Encrypted - How encryption is used
Digital rights management systems which prevent unauthorized use or reproduction of copyrighted material and protect software against reverse engineering (see also copy protection) is another somewhat different example of using encryption on data at rest.

Encrypted - How encryption is used
Encryption is also used to protect data in transit, for example data being transferred via computer network|networks (e.g

History of cryptography - An encryption standard
First was the publication of the draft Data Encryption Standard in the U.S

History of cryptography - An encryption standard
However, its 56-bit key-size has been shown to be insufficient to guard against brute force attacks (one such attack, undertaken by the cyber civil-rights group Electronic Frontier Foundation in 1997, succeeded in 56 hours.Electronic Frontier Foundation, Cracking DES, O'Reilly, 1998.) As a result, use of straight DES encryption is now without doubt insecure for use in new cryptosystem designs, and messages protected by older cryptosystems using DES, and indeed all messages sent since 1976 using DES, are also at risk

ElGamal - Encryption The encryption algorithm works as follows: to encrypt a message m\, to Alice under her public key (G,q,g,h)\,,

ElGamal - Encryption Note that one can easily find h^y\, if one knows m'\,. Therefore, a new y\, is generated for every message to improve security. For this reason, y\, is also called an ephemeral key.

Public-key encryption
'Public-key cryptography', also known as 'asymmetric cryptography', refers to a cryptography|cryptographic algorithm which requires two separate cryptographic key|keys, one of which is secret (or private) and one of which is public

It is computationally easy for a user to generate their own public and private key-pair and to use them for encryption and decryption

Message authentication involves processing a message with a private key to produce a digital signature

Public-key algorithms are fundamental security ingredients in cryptosystems, applications and protocols. They underpin such Internet standards as Transport Layer Security| Transport Layer Security (TLS), Pretty Good Privacy|PGP, and GNU Privacy Guard|GPG. Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA (algorithm)|RSA).

Public-key encryption - History
During the early history of cryptography, two parties would rely upon a key that they would exchange between themselves by means of a secure, but non-cryptographic, method

In 1874, a book by William Stanley JevonsJevons, William Stanley, [ The Principles of Science: A Treatise on Logic and Scientific Method] p

One example mentioned briefly is that enciphering (encryption) is easy while deciphering (decryption) is not

The GCHQ cryptographers referred to the technique as non-secret encryption

An asymmetric-key cryptosystem was published in 1976 by Whitfield Diffie and Martin Hellman who, influenced by Ralph Merkle's work on public-key distribution, disclosed a method of public-key agreement

RSA uses modular exponentiation|exponentiation modulo a product of two very large prime number|primes, to encrypt and decrypt, performing both public key encryption and public key digital signature

The ElGamal encryption|ElGamal cryptosystem, invented by Taher ElGamal relies on the similar and related high level of difficulty of the discrete logarithm problem, as does the closely related Digital Signature Algorithm|DSA, which was developed at the US National Security Agency (NSA) and published by NIST as a proposed standard

Public-key encryption - Security
Some encryption schemes can be proven secure on the basis of the presumed difficulty of a mathematical problem, such as Integer factorization|factoring the product of two large primes or computing discrete logarithms. Note that secure here has a precise mathematical meaning, and there are multiple different (meaningful) definitions of what it means for an encryption scheme to be secure. The right definition depends on the context in which the scheme will be deployed.

The most obvious application of a public key encryption system is confidentiality - a message that a sender encrypts using the recipient's public key can be decrypted only by the recipient's paired private key. This assumes, of course, that no flaw is discovered in the basic algorithm used.

Another type of application in public-key cryptography is that of digital signature schemes

To achieve both authentication and confidentiality, the sender should include the recipient's name in the message, sign it using his private key, and then encrypt both the message and the signature using the recipient's public key.

These characteristics can be used to construct many other (sometimes surprising) cryptographic protocols and applications, such as digital cash, password-authenticated key agreement, multi-party key agreement, Trusted timestamping|time-stamping services, non-repudiation protocols, etc.

Public-key encryption - Actual algorithms: two linked keys
Not all asymmetric key algorithms operate in precisely this fashion. The most common ones have the property that Alice and Bob each own two keys, one for encryption and one for decryption. In a secure asymmetric key encryption scheme, the private key should not be deducible from the public key. This is known as public-key encryption, since an encryption key can be published without compromising the security of messages encrypted with that key.

In the analogy above, Bob might publish instructions on how to make a lock (public key). However, the workings of the lock are such that it is impossible (so far as is known) to deduce from the instructions given just exactly how to make a key that will open that lock (e.g. a private key). Those wishing to send messages to Bob must use the public key to encrypt the message, then Bob can use his private key to decrypt it.

Another example has Alice and Bob each choosing a key at random, and then contacting each other to compare the depth of each notch on their keys. Having determined the difference, a locked box is built with a special lock that has each pin inside divided into 2 pins, matching the numbers of their keys. Now the box will be able to be opened with either key, and Alice and Bob can exchange messages inside the box in a secure fashion.

Public-key encryption - Relation to real world events
A public key will be known to a large and, in practice, unknown set of users. All events requiring revocation or replacement of a public key can take a long time to take full effect with all who must be informed (i.e. all those users who possess that key). For this reason, systems that must react to events in real time (e.g., safety-critical systems or national security systems) should not use public-key encryption without taking great care. There are four issues of interest:

Public-key encryption - Distribution of a new key
After a key has been revoked, or when a new user is added to a system, a new key must be distributed in some predetermined manner

One could leave the power to create (and certify) keys (as well as to revoke them) in the hands of each user - the original PGP design did so - but this raises problems of user understanding and operation

It is most likely a system-wide failure if the (possibly combined) principal that issues new keys fails by issuing keys improperly. This is an instance of a common mutual exclusion - a design can make the reliability of a system high, but only at the cost of system availability (and vice versa).

Ciphertext stealing - ECB encryption steps (see figure)
# En−1 = Encrypt (K, Pn−1). Encrypt Pn−1 to create En−1. This is equivalent to the behavior of standard ECB mode.

Ciphertext stealing - ECB encryption steps (see figure)
# Cn−1 = Encrypt (K, Dn). Encrypt Dn to create Cn−1. For the first M bits, this is equivalent to what would happen in ECB mode (other than the ciphertext ordering). For the last B−M bits, this is the second time that these data have been encrypted under this key (It was already encrypted in the production of En−1 in step 2).

Ciphertext stealing - CBC encryption steps
# Xn−1 = Pn−1 XOR Cn−2. Exclusive-OR Pn−1 with the previous ciphertext block, Cn−2, to create Xn−1. This is equivalent to the behavior of standard CBC mode.

# En−1 = Encrypt (K, Xn−1). Encrypt Xn−1 to create En−1. This is equivalent to the behavior of standard CBC mode.

# Dn = En−1 XOR P

# Cn−1 = Encrypt (K, Dn). Encrypt Dn to create Cn−1. For the first M bits, this is equivalent to what would happen in CBC mode (other than the ciphertext ordering). For the last B−M bits, this is the second time that these data have been encrypted under this key (It was already encrypted in the production of En−1 in step 2).

# Encrypt the whole padded plaintext using the standard CBC mode.
Ciphertext stealing - CBC ciphertext stealing encryption using a standard CBC interface # Encrypt the whole padded plaintext using the standard CBC mode.

# Truncate the ciphertext to the length of the original plaintext.
Ciphertext stealing - CBC ciphertext stealing encryption using a standard CBC interface # Truncate the ciphertext to the length of the original plaintext.

Digital signing - Using separate key pairs for signing and encryption
If an encryption key is lost, a backup or key escrow should be utilized to continue viewing encrypted content

Internet Explorer 3 - Encryption
Internet Explorer 3 was the first version of the browser to support SSL The last patch versions of Internet Explorer 3 supported 40-bit and 128-bit encryption, using Server Gated Cryptography (SGC). 256-bit encryption would not become available in IE for nearly 10 years, with the Windows Vista version Internet Explorer 7.

128-bit encryption was available or included for these versions:

If it was not possible to upgrade to 128-bit, then 40-bit (SGC) was standard.

XML Encryption 'XML Encryption', also known as XML-Enc, is a specification, governed by a World Wide Web Consortium|W3C recommendation, that defines how to encrypt the contents of an XML element.

XML Encryption Although XML Encryption can be used to encrypt any kind of data, it is nonetheless known as XML Encryption because an XML element (either an EncryptedData or EncryptedKey element) contains or refers to the cipher text, keying information, and algorithms.

ZFS - Encryption A command to switch to a new data encryption key for the clone or at any time is provided— this does not re-encrypt already existing data, instead utilising an encrypted master-key mechanism.

Diffie-Hellman - Explanation including encryption mathematics
Both Alice and Bob have arrived at the same value, because (ga)b and (gb)a are equal mod p. Note that only a, b, and (gab mod p = gba mod p) are kept secret. All the other values – p, g, ga mod p, and gb mod p – are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel.

Transparent Data Encryption
'Transparent Data Encryption' (often abbreviated to 'TDE') is a technology employed by both Microsoft and Oracle Corporation|Oracle to encryption|encrypt database content. TDE offers encryption at a Column (database)|column, Table (database)|table, and tablespace level. TDE solves the problem of protecting data at rest, encrypting databases both on the Hard Drive and consequently on backup media. Enterprises typically employ TDE to solve compliance issues such as PCI DSS.

Microsoft offers TDE as part of its Microsoft SQL Server 2008, SQL Server 2008 R2 and SQL Server TDE is only supported on the Evaluation, Developer, Enterprise and Datacenter versions of Microsoft SQL Server. SQL TDE is supported by Hardware Security Modules from Townsend Security and SafeNet, Inc.

Oracle Advanced Security TDE tablespace encryption and support for Hardware Security Modules (HSM) were introduced with Oracle Database 11gR1

The same key is used to encrypt columns in a table, regardless of the number of columns to be encrypted. These encryption keys are encrypted using the database server master key and are stored in a dictionary table in the database.

Features new to Windows 8 - Device encryption
Unlike BitLocker, device encryption on x86-based devices requires that the device meet the Connected Standby specifications (which among other requirements, requires that the device use solid state drive|solid state storage and have RAM soldered directly to the motherboard) and have a Trusted Platform Module (TPM) 2.0 chip.

Microsoft Office password protection - History of Microsoft Encryption password
In Excel and Word 95 and prior editions a weak protection algorithm is used that converts a password to a 16-bit Key (cryptography)|key. Currently hacking software are readily available to find a 16-bit key and decrypt the password-protected document instantly.

In Excel and Word 97 and 2000 the key length was increased to 40 bits. This protection algorithm is also currently considered to be weak and presents no difficulties to hacking software.

The default protection in Office XP and 2003 was not changed, but an opportunity to use a custom protection algorithm was added

In Office 2007 (Word, Excel and PowerPoint), protection was significantly enhanced since a modern protection algorithm named Advanced Encryption Standard was used. At present there is no software that can break this encryption. With the help of SHA-1 hash function, a password is converted into a 128-bit key 50,000 times before document opening, and because of that, password recovery speed was vastly reduced.

Excel and Word 2010 still employ AES and a 128-bit key, but the number of SHA-1 conversions has doubled to 100,000 further reducing password recovery speed.

Psi (instant messaging client) - Encryption
Psi has built in GNU Privacy Guard|GnuPG support for message encryption.

Interbase - Data controller friendly inbuilt encryption
The separation of the encryption also enables developers to just develop the application rather than worry about the data visible from a specific user login.

Cramer–Shoup cryptosystem - Encryption
To encrypt a message m to Alice under her public key (G,q,g_1,g_2,c,d,h),

**\alpha = H(u_1, u_2, e) \,, where H() is a universal one-way hash function (or a collision resistant cryptographic hash function, which is a stronger requirement).

* Bob sends the ciphertext (u_1, u_2, e, v) to Alice.

Public key encryption It is computationally easy for a user to generate their own public and private key-pair and to use them for encryption and decryption

Cipher disk - Methods of Encryption
The cipher disk can be used in one of two ways. The code can be a consistent monoalphabetic substitution for the entire cipher or the disks can be moved periodically throughout the cipher making it polyalphabetic. For a monoalphabetic use, the sender and the person receiving the messages would agree on a key (cryptography)|cipher key setting (e.g., the G in the regular alphabet would be positioned next to the Q in the cipher alphabet). The entire message is then encoded according to this key.

Cipher disk - Methods of Encryption
In addition to simple substitution ciphers, the cipher disk opened the way for convenient polyalphabetic ciphers. An easy way to do this is for the sender and the recipient to agree that a certain number of characters into the message, the scales would be shifted one character to the right, repeating the procedure every tenth letter. This would make it more difficult to crack, using statistical methods.

Information theoretic security - Physical layer encryption
A weaker notion of security defined by A. Wyner established a now flourishing area of research known as physical layer encryption. This exploits the physical wireless channel for its security by communications, signal processing, and coding techniques. The security is provable, unbreakable, and quantifiable (in bits/second/hertz).

Wyner's initial physical layer encryption work in the 1970s posed the Alice – Bob – Eve problem in which Alice wants to send a message to Bob without Eve decoding it

More recent theoretical results are concerned with determining the secrecy capacity and optimal power allocation in broadcast fading channels.

There are caveats, as many capacities are not computable unless the assumption is made that Alice knows the channel to Eve. If this were known, Alice could simply place a null in Eve's direction. Secrecy capacity for MIMO and multiple colluding eavesdroppers is more recent and ongoing work, and these results still make the non-useful assumption about eavesdropper channel state information knowledge.

Still other work is less theoretical and attempts to compare implementable schemes. One physical layer encryption scheme is to broadcast artificial noise in all directions except that of Bob's channel, basically jamming Eve. One paper by Negi and Goel details the implementation, and Khisti and Wornell computed the secrecy capacity when only statistics about Eve's channel are known.

Parallel to this work in the information theory community is work in the antenna community that has been termed near-field direct antenna modulation or directional modulation.

It was shown that by using a parasitic array, the transmitted modulation in different directions could be controlled independently.

Secrecy could be realized by making the modulations in undesired directions difficult to decode. Directional modulation data transmission was experimentally demonstrated using a phased array.

Others have demonstrated directional modulation with switched arrays and phase-conjugating lenses.

This type of directional modulation is really a subset of Negi and Goel's additive artificial noise encryption scheme. Another scheme using pattern-reconfigurable transmit antennas for Alice called reconfigurable multiplicative noise (RMN) complements additive artificial noise.

The two work well together in channel simulations in which nothing is assumed known to Alice or Bob about the eavesdroppers.

Information security audit - Encryption and IT audit
In assessing the need for a client to implement encryption policies for their organization, the Auditor should conduct an analysis of the client’s risk and data value. Companies with multiple external users, e-commerce applications, and sensitive customer/employee information should maintain rigid encryption policies aimed at encrypting the correct data at the appropriate stage in the data collection process.

Auditors should continually evaluate their client’s encryption policies and procedures

Finally the auditor should attain verification from management that the encryption system is strong, not attackable and compliant with all local and international laws and regulations.

FileVault - Manual encryption
Instead of using FileVault to encrypt a user's home directory, using Disk Utility a user can create an encrypted disk image themselves and store any subset of their home directory in there (for example, ~/Documents/private). This encrypted image behaves similar to a Filevault encrypted home directory, but is under the user's maintenance.

FileVault - Manual encryption
Encrypting only a part of a user's home directory might be problematic when applications need access to the encrypted files, which will not be available until the user mounts the encrypted image. This can be mitigated to a certain extent by making symbolic links for these specific files.

AACS encryption key controversy
A 'controversy surrounding the Advanced Access Content System|AACS cryptographic key' arose in April 2007 when the Motion Picture Association of America and the Advanced Access Content System Licensing Administrator, LLC (AACS LA) began issuing cease and desist letters to websites publishing a 128-bit (16-byte) number, represented in hexadecimal as '09 F D 74 E3 5B D C C0' (commonly referred to as '09 F9'), which is one of the cryptography|cryptographic Key (cryptography)|keys for HD DVDs and Blu-ray Discs

In response to widespread Internet postings of the key, the AACS LA issued various press statements, praising those websites that complied with their requests as acting in a responsible manner, warning that legal and technical tools were adapting to the situation.

The controversy was further escalated in early May 2007, when aggregate news site Digg received a DMCA cease and desist notice and then removed numerous articles on the matter and banhammer|banned users reposting the information.

This sparked what some describe as a digital revolt or cyber-riot, in which users posted and spread the key on Digg, and throughout the Internet en masse, thereby leading to the Streisand effect. The AACS LA described this situation as an interesting new twist.

AACS encryption key controversy - Background
Hexadecimal is a base-16 numeral system used in the fields of computer programming and mathematics

Because the encryption key may be used as part of circumvention device|circumvention technology forbidden by the Digital Millennium Copyright Act|DMCA, its possession and distribution has been viewed as illegal by the Advanced Access Content System|AACS, as well as by some legal professionals

Commercial HD DVDs and Blu-ray Discs integrate copy protection technology specified by the AACS LA. There are several interlocking encryption mechanisms, such that cracking one part of the system does not necessarily crack other parts. Therefore, the 09 F9 key is only one of many parts that are needed to play a disc on an unlicensed player.

The compromised players can still be used to view old discs, but not newer releases without encryption keys for the compromised players

AACS encryption key controversy - 2006
On December 26, 2006, a person using the alias muslix64 published a utility named BackupHDDVD and its source code on the DVD decryption Internet forum|forum at the website Doom9. BackupHDDVD can be used to decrypt AACS protected content once one knows the encryption key. muslix64 claimed to have found title and volume keys in main memory while playing HD DVDs using a software player, and that finding them is not difficult.

On January 1, 2007, muslix64 published a new version of the program, with volume key support. On January 12, 2007, other forum members detailed how to find other title and volume keys, stating they had also found the keys of several movies in random access memory|RAM while running WinDVD.

On or about January 13, a title key was posted on pastebin.com in the form of a riddle, which was solved by entering terms into the Google search engine. By converting these results to hexadecimal, a correct key could be formed. Later that day, the first cracked HD DVD, Serenity (film)|Serenity, was uploaded on a private torrent tracker. The AACS LA confirmed on January 26 that the title keys on certain HD DVDs had been published without authorization.

Doom9.org forum user arnezami found and published the 09 F9 AACS processing key on February 11:

This key is not specific to any playback device or DVD title. Doom9.org forum user jx6bpm claimed on March 4 to have revealed CyberLink's PowerDVD's key, and that it was the key in use by AnyDVD.

The AACS LA announced on April 16 that it had revoked the decryption keys associated with certain software high-definition DVD players, which will not be able to decrypt AACS encrypted disks mastered after April 23, without an update of the software.

On May 17, one week before any discs with the updated processing key had reached retail, claims were reported of the new keys having been retrieved from a preview disc of The Matrix (series)|The Matrix Trilogy. On May 23, the key 45 5F E CA 29 C4 93 3F B 79 2A B2 was posted on Edward Felten's Freedom to Tinker Blog and confirmed a week later by arnezami on Doom9 as the new processing key (MKB v3).

In August, two new processing keys were posted:

While individual discs have been decrypted containing media key block version 17, processing keys for versions past 10 have not yet been released to the public.

Many more later keys were discovered, but most were not released publicly, probably because that would make them easier to revoke.

AACS encryption key controversy - DMCA notices and Digg
As early as April 17, 2007, AACS LA had issued DMCA violation notices, sent by Charles S. Sims of Proskauer Rose. Following this, dozens of notices were sent to various websites hosted in the United States.

On May 1, 2007, in response to a DMCA demand letter, technology news site Digg began closing accounts and removing posts containing or alluding to the key

quote|But now, after seeing hundreds of stories and reading thousands of comments, you've made it clear. You'd rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won't delete stories or comments containing the code and will deal with whatever the consequences might be.

AACS encryption key controversy - Legal opinions
Lawyers and other representatives of the entertainment industry, including Michael Ayers, an attorney for Toshiba Corporation, expressed surprise at Digg's decision, but suggested that a suit aimed at Digg might merely Streisand effect|spread the information more widely.

AACS encryption key controversy - Legal opinions
The American Bar Association's eReport (ABA)|eReport published a discussion of the controversy, in which Eric Goldman at Santa Clara University's High Tech Law Institute noted that the illegality of putting the code up is questionable (that Section 230 of the Communications Decency Act may protect the provider when the material itself is not copyrighted), although continuing to allow posting of the key may be risky, and entertainment lawyer Carole Handler noted that even if the material is illegal, laws such as the DMCA may prove ineffective in a practical sense.

AACS encryption key controversy - Impact
In a response to the events occurring on Digg and the call to Spread this number, the key was rapidly posted to thousands of pages, blogs and wikis across the Internet. The reaction was an example of the Streisand effect; when attempts by Barbra Streisand to censor aerial photographs of her house led to their mass publication.

Intellectual property lawyer Douglas J. Sorocco noted, People are getting creative. It shows the futility of trying to stop this. Once the information is out there, cease-and-desist letters are going to infuriate this community more. Outside of the Internet and the mass media, the key has appeared in or on T-shirts, poetry, songs and music videos, illustrations and other graphic artworks, tattoos and body art, and comic strips.

On Tuesday afternoon, May 1, 2007, a Google search for the key returned 9,410 results, while the same search the next morning returned nearly 300,000 results. On Friday, the BBC reported that a search on Google shows almost 700,000 pages have published the key, despite the fact that on April 17, the AACS LA sent a DMCA notice to Google, demanding that Google stop returning any results for searches for the key.

Widespread news coverage, [ CNet], [ BBC], [ Financial Times], [ Associated Press] included speculation on the development of user-driven websites, the legal liability of running a user-driven website, the perception of acceptance of digital rights management|DRM, the failure as a business model of secrecy based businesses ..

In an opposing move, Carter Wood of the National Association of Manufacturers said they had removed the Digg It-link from their weblog.

Media coverage initially avoided quoting the key itself. However, several US-based news sources have run stories containing the key, quoting its use on Digg,

though none are known to have received DMCA notices as a result. Later reports have discussed this, quoting the key. Current TV broadcast the key during a Google Current story on the Digg incident on May3,2007, displaying it in full on screen for several seconds and placing the story on the station website.

Wikipedia, on May 1, 2007, locked out the page named for the number to prevent the former secret from being posted again. The page on HD DVD was locked, too, to keep out The Number. This action was later reversed.

AACS encryption key controversy - AACS LA reaction
On May 7, 2007, the AACS LA announced on its website that it had requested the removal solely of illegal circumvention tools, including encryption keys, from a number of web sites, and that it had not requested the removal or deletion of any ..

Apple Remote Desktop - Encryption
Prior to version 3, ARD encrypted only passwords, mouse events and keystrokes; and not desktop graphics or file transfers. Apple therefore recommended that ARD traffic crossing a public network should be tunnelled through a VPN, to avoid the possibility of someone eavesdropping on ARD sessions.

ARD 3.0 has the option of using AES 128 bit, the same as a basic SSH server.

Apple retained VNC's 8 character limit on passwords, so ARD cannot use passwords considered to be of 'minimum' length by contemporary standards.

E-mail client - Encryption
With no encryption, much like for postcards, activity is plainly visible by any occasional eavesdropper. encryption enables privacy to be safeguarded by encrypting the mail sessions, the body of the message, or both. Without it, anyone with network access and the right tools can monitor and obtain login passwords. Examples of concern include the government censorship and surveillance and fellow wireless network users such as at an Internet cafe.

E-mail client - Encryption of mail sessions
At any further hop, messages may be transmitted with or without encryption, depending solely on the general configuration of the transmitting server and the capabilities of the receiving one.

E-mail client - Encryption of mail sessions
Encrypted mail sessions deliver messages in their original format, i.e. plain text or encrypted body, on a user's local mailbox and on the destination server's. The latter server is operated by an hosting service provider, possibly a different entity than the internet access provider currently at hand.

E-mail client - Encryption of the message body
There are two models for managing cryptographic keys. S/MIME employs a model based on a trusted certificate authority (CA) that signs users' public keys. OpenPGP employs a somewhat more flexible web of trust mechanism that allows users to sign one another's public keys. OpenPGP is also more flexible in the format of the messages, in that it still supports plain message encryption and signing as they used to work before MIME standardization.

E-mail client - Encryption of the message body
In both cases, only the message body is encrypted. Header fields, including originator, recipients, and subject, remain in plain text.

Cryptography standards - Encryption standards
* RSA (algorithm)|RSA the original public key algorithm

Key length - Key size and encryption system
Encryption systems are often grouped into families. Common families include symmetric systems (e.g. Advanced Encryption Standard|AES) and asymmetric systems (e.g. RSA (algorithm)|RSA); they may alternatively be grouped according to the central algorithm used (e.g. elliptic curve cryptography).

Key length - Key size and encryption system
For example , a 1039 bit integer was factored with the special number field sieve using 400 computers over 11 months.[ Researcher: RSA 1024-bit Encryption not Enough] The factored number was of a special form; the special number field sieve cannot be used on RSA keys

Signals intelligence - Strong and well-managed encryption
Encryption is central to the defense. The encryption process is vulnerable if the Key (cryptography)|cryptographic keys are not strong and protected, and, on computers, if the cleartext is not deleted when not needed.

James H. Ellis - Invention of non-secret encryption
Ellis said that the idea first occurred to him after reading a paper from World War II by someone at Bell Labs describing a way to protect voice communications by the receiver adding (and then later subtracting) random noise (possibly this 1944 paper or the 1945 paper co-authored by Claude Shannon). He realised that 'noise' could be applied mathematically but was unable to devise a way to implement the idea.

He went home, thought about it, and returned with the basic idea for what has become known as the RSA (algorithm)|RSA asymmetric key encryption algorithm

Not long thereafter, Cocks' friend and fellow mathematician, Malcolm Williamson (cryptographer)|Malcolm Williamson, now also working at GCHQ, after being told of Cocks' and Ellis' work, thought about the problem of key distribution and developed what has since become known as Diffie–Hellman key exchange. Again, this discovery was classified information and it was therefore kept secret.

When, a few years later, Whitfield Diffie|Diffie and Martin Hellman|Hellman published their 1976 paper, and shortly after that Ron Rivest|Rivest, Adi Shamir|Shamir, and Leonard Adleman|Adleman announced their algorithm, Cocks, Ellis, and Williamson suggested that GCHQ announce that they had previously developed both. GCHQ decided against publication at the time.

At this point, only GCHQ and the National Security Agency (NSA) in the USA knew about the work of Ellis, Cocks and Williamson. Whitfield Diffie heard a rumour, probably from the NSA, and travelled to see James Ellis. The two men talked about a range of subjects until, at the end, Diffie asked Ellis Tell me how you invented public-key cryptography. After a long pause, Ellis replied Well, I don't know how much I should say. Let me just say that you people made much more of it than we did.

On 18 December 1997, Clifford Cocks delivered a public talk which contained a brief history of GCHQ's contribution so that Ellis, Cocks and Williamson received some acknowledgment after nearly three decades of secrecy. James Ellis died on 25 November 1997, a month before the public announcement was made.

Triple-DES - Encryption of more than one block
As with all block ciphers, encryption and decryption of multiple blocks of data may be performed using a variety of modes of operation, which can generally be defined independently of the block cipher algorithm

List of important publications in cryptography - Data Encryption Standard
Description: Data Encryption Standard|DES is not only one of the most widely deployed ciphers in the world but has had a profound impact on the development of cryptography. Roughly a generation of cryptographers devoted much of their time to attacking and improving DES.

List of important publications in cryptography - Using encryption for authentication in large networks of computers Description: This paper introduced the basic ideas of cryptographic protocols and showed how both secret-key and public-key encryption could be used to achieve authentication.

List of important publications in cryptography - Probabilistic Encryption
Description: The paper provides a rigorous basis to encryption (e.g., partial information) and shows that it possible to equate the slightest cryptanalysis to solve a pure math problem.

List of important publications in cryptography - Probabilistic Encryption
Second, it introduces the notion of computational indistinguishability.

International Data Encryption Algorithm
In cryptography, the 'International Data Encryption Algorithm' ('IDEA'), originally called 'Improved Proposed Encryption Standard' ('IPES'), is a Symmetric-key algorithm|symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher, Proposed Encryption Standard (PES).

The cipher was designed under a research contract with the Hasler Foundation, which became part of Ascom-Tech AG. The cipher was patented in a number of countries but was freely available for non-commercial use. The name “IDEA” is also a trademark. The last patents expired in 2012 and IDEA is now patent-free and thus free to use.

IDEA was used in Pretty Good Privacy (PGP) v2.0, and was incorporated after the original cipher used in v1.0, BassOmatic, was found to be insecure. IDEA is an optional algorithm in the OpenPGP standard.

International Data Encryption Algorithm - Operation
The processes for encryption and decryption are similar

* Bitwise XOR|eXclusive OR (denoted with a blue circled plus ).

* Addition modulo 216 (denoted with a green boxed plus ).

* Multiplication modulo 216+1, where the all-zero word (0x0000) in inputs is interpreted as 216 and 216 in output is interpreted as the all-zero word (0x0000) (denoted by a red circled dot ).

After the eight rounds comes a final “half round”, the output transformation illustrated below:

International Data Encryption Algorithm - Structure
The overall structure of IDEA follows the Lai-Massey scheme. XOR is used for both subtraction and addition. IDEA uses a key-dependent half-round function. To work with 16 bit words (meaning four inputs instead of two for the 64 bit block size), IDEA uses the Lai-Massey scheme twice in parallel, with the two parallel round functions being interwoven with each other. To ensure sufficient diffusion, two of the sub-blocks are swapped after each round.

International Data Encryption Algorithm - Key schedule
Each round uses six 16-bit sub-keys, while the half-round uses four, a total of 52 for 8.5 rounds. The first eight sub-keys are extracted directly from the key, with K1 from the first round being the lower sixteen bits; further groups of eight keys are created by rotating the main key left 25 bits between each group of eight. This means that it is rotated less than once per round, on average, for a total of six rotations.

International Data Encryption Algorithm - Decryption
Decryption works like encryption, but the order of the round keys is inverted, and each value of each subkey is replaced by its inverse for the respective group operation.

International Data Encryption Algorithm - Security
The designers analysed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune under certain assumptions. No successful linear cryptanalysis|linear or algebraic weaknesses have been reported. , the best attack which applied to all keys could break IDEA reduced to 6 rounds (the full IDEA cipher uses 8.5 rounds).

Note that a break is any attack which requires less than 2128 operations; the 6-round attack requires 264 known plaintexts and operations.

Bruce Schneier thought highly of IDEA in 1996, writing, In my opinion, it is the best and most secure block algorithm available to the public at this time. (Applied Cryptography, 2nd ed.) However, by 1999 he was no longer recommending IDEA due to the availability of faster algorithms, some progress in its cryptanalysis, and the issue of patents.

In 2012, full 8.5 round IDEA was finally broken, using a narrow-bicliques attack, with a reduction of cryptographic strength of about two bits, similar to the effect of the previous bicliques attack on AES.

International Data Encryption Algorithm - Weak keys
The very simple key schedule makes IDEA subject to a class of weak keys; some keys containing a large number of 0 bits produce weak encryption. These are of little concern in practice, being sufficiently rare that they are unnecessary to avoid explicitly when generating keys randomly. A simple fix was proposed: exclusive-ORing each subkey with a 16-bit constant, such as 0x0DAE.

Larger classes of weak keys were found in 2002.

This is still of negligible probability to be a concern to a randomly chosen key, and some of the problems are fixed by the constant XOR proposed earlier, but the paper is not certain if all of them are. A more comprehensive redesign of the IDEA key schedule may be desirable.

International Data Encryption Algorithm - Availability
A patent application for IDEA was first filed in Switzerland (CH A 1690/90) on May 18, 1990, then an international patent application was filed under the Patent Cooperation Treaty on May 16, 1991

International Data Encryption Algorithm - Availability
MediaCrypt AG is now offering a successor to IDEA and focuses on its new cipher (official release on May 2005) IDEA NXT, which was previously called FOX.

International Data Encryption Algorithm - Literature
* Hüseyin Demirci, Erkan Türe, Ali Aydin Selçuk, A New Meet in the Middle Attack on The IDEA Block Cipher, 10th Annual Workshop on Selected Areas in Cryptography, 2004.

* Xuejia Lai and James L. Massey, [ A Proposal for a New Block Encryption Standard], EUROCRYPT 1990, pp

* Xuejia Lai and James L. Massey and S. Murphy, Markov ciphers and differential cryptanalysis, Advances in Cryptology mdash; Eurocrypt '91, Springer-Verlag (1992), pp17-38.

Clandestine HUMINT operational techniques - Encryption
Encryption, especially using a theoretically secure method, when properly executed, such as the one-time pad

, is highly secure, but a counterintelligence agent seeing nonsense characters will immediately become suspicious of the message that has been captured. The very knowledge that a dead drop exists can cause it to be trapped or put under surveillance, and the member of a brush pass that carries it will be hard-pressed to explain it.

One-time pad encryption has the absolute requirement that the cryptographic key is used only once. Failure to follow this rule caused a serious penetration into Soviet espionage communications, through the Venona project|VENONA analysis

It is extremely difficult for a nonprofessional to develop a cryptosystem, especially without computer support, that is impervious to the attack by a professional cryptanalyst, working for an agency with government resources, such as the US NSA or Russian Special Communications Service of Russia|Spetssvyaz

NTFS - Encryption Encrypting File System (EFS) provides strong and user-transparent encryption of any file or folder on an NTFS volume. EFS works in conjunction with the EFS service, Microsoft's Cryptographic Application Programming Interface|CryptoAPI and the EFS File System Run-Time Library (FSRTL).

NTFS - Encryption NTFS-provided encryption and NTFS-provided compression are mutually exclusive; however, NTFS can be used for one and a third-party tool for the other.

NTFS - Encryption The support of EFS is not available in Basic, Home and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate and Server versions of Windows or by using enterprise deployment tools within Windows domains.

ElGamal encryption The Digital Signature Algorithm is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

ElGamal encryption ElGamal encryption can be defined over any cyclic group G. Its security depends upon the difficulty of a certain problem in G related to computing discrete logarithms (see below).

ElGamal encryption - Key generation
* Alice generates an efficient description of a multiplicative cyclic group G\, of order q\, with generating set of a group|generator g\,. See below for a discussion on the required properties of this group.

* Alice computes h = g^x\,.

* Alice publishes h\,, along with the description of G, q, g\,, as her 'public key'. Alice retains x\, as her 'private key' which must be kept secret.

ElGamal encryption - Decryption
* and then computes m'=c_2 \cdot s^\, which she then converts back into the plaintext message m\,, where s^ is the inverse of s in the group G. (E.g. modular multiplicative inverse if G is a subgroup of a multiplicative group of integers modulo n).

The decryption algorithm produces the intended message, since

ElGamal encryption - Practical use
The ElGamal cryptosystem is usually used in a hybrid cryptosystem. I.e., the message itself is encrypted using a symmetric cryptosystem and ElGamal is then used

ElGamal encryption - Practical use
to encrypt the key used for the symmetric cryptosystem. This is because asymmetric cryptosystems like Elgamal are usually slower than symmetric ones, so it is faster to encrypt the symmetric key (which most of the time is quite small if compared to the size of the message) with Elgamal and the message (which can be arbitrarily large) with a symmetric cypher.

ElGamal encryption - Security
The security of the ElGamal scheme depends on the properties of the underlying group G as well as any padding scheme used on the messages.

If the computational Diffie–Hellman assumption (CDH) holds in the underlying cyclic group G, then the encryption function is one-way function|one-way.CRYPTUTOR, [ Elgamal encryption scheme]

If the decisional Diffie–Hellman assumption (DDH) holds in G, then

ElGamal achieves semantic security. Semantic security is not implied by the computational Diffie–Hellman assumption alone.M. Abdalla, M. Bellare, P. Rogaway, DHAES, An encryption scheme based on the Diffie–Hellman Problem (Appendix A) See decisional Diffie–Hellman assumption for a discussion of groups where the assumption is believed to hold.

ElGamal encryption is unconditionally malleability (cryptography)|malleable, and therefore is not secure under chosen ciphertext attack. For example, given an encryption (c_1, c_2) of some (possibly unknown) message m, one can easily construct a valid encryption (c_1, 2 c_2) of the message 2m.

To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.

Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed.

The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for G. Its proof does not use the random oracle model. Another proposed scheme is DHAES, whose proof requires an assumption that is weaker than the DDH assumption.

The division by s\, can be avoided by using an alternative method for decryption.

s'\, is the inverse of s\,. This is a consequence of Lagrange's theorem (group theory)|Lagrange's theorem, because

in the exponent are computed modulo (q-1), rather than q.

* Alice then computes m'= c_2 \cdot s', which she then converts back into the plaintext message m\,.

FTPS - Reasons to disable encryption
It may not be advantageous to use data channel encryption when performing transfers under the following scenarios:

* Files being transferred are of a non-sensitive nature, making encryption unnecessary,

* Files being transferred are already encrypted at the file level or are passing over an encrypted VPN, making encryption redundant,

* Available TLS or SSL encryption modes do not meet desired level of encryption. This is common with older FTPS clients or servers that may have been Transport Layer Security#Government-imposed protocol limitations|limited to 40-bit SSL due to previous United States high-encryption export laws.

It may not be advantageous to use control channel encryption under the following scenarios:

* Use of FTPS when the client and/or server resides behind a network firewall or network address translation (NAT) device. (See FTPS#Firewall incompatibilities|Firewall Incompatibilities below.)

* Repeated use of AUTH and CCC/CDC commands by anonymous FTP clients within the same session. Such behavior can be utilized as a resource-based denial of service attack as the TLS/SSL session must be regenerated each time, utilizing server processor time.

Secure communication - Encryption
The article on key size examines the key requirements for certain degrees of encryption security.

Opportunistic encryption is a lower security method to generally increase the percentage of generic traffic which is encrypted

An Information-theoretic security technique known as Information-theoretic security#Physical Layer Encryption|physical layer encryption ensures that a wireless communication link is provably secure with communications and coding techniques.

End-to-end encryption
End-to-end encryption generally includes protections of both confidentiality and data integrity|integrity.

End-to-end encryption - Example: TETRA
A classic deployment of E2EE is demonstrated by its use within the Terrestrial Trunked Radio (TETRA) standard, as defined by the Security Fraud Prevention Group (SFPG) of the Tetra MoU

.[ A presentation by Brian Murgatroyd to the SFPG

Unlike TETRA air-interface encryption (an example of Link encryption) users do not have to share key-variables with network operators (e.g

If only air-interface encryption were used, interception of the user traffic would be possible at any point after the air-interface encryption had been removed (i.e

In the TETRA deployment of E2EE the management, distribution and updating of encryption key-variables and crypto-associations (links between network address and key-variables) is facilitated by use of a Key management|Key Management Centre (KMC)

The key-variables and crypto-associations allows the user (by use of the KMC) to partition the trunked-network address space into 'encrypted' and 'non-encrypted' channels. It is possible to define sets of key-variables called crypto-groups, and it is further possible to define which crypto-group any particular encrypted channel uses. Furthermore, it is possible for the operator of the KMC to partition their user-fleet into user-groups (groups of users who receive the same crypto material).

This lets the KMC user determine which parts of their user-fleet can communicate with one another and allows the user organisation to achieve crypto-separation between different groups of users.

Trusted platform module - Disk encryption
Full disk encryption applications, such as SecureDoc, the dm-crypt feature of modern Linux kernels, and the BitLocker Drive Encryption feature of some Microsoft operating systems, can use this technology to protect the keys used to encrypt the computer's hard disks and provide integrity authentication for a trusted boot pathway (for example BIOS, boot sector, etc.) A number of third party full disk encryption products also support the TPM chip. TrueCrypt however decided not to use it..

Pre-boot authentication - Combinations with Full Disk Encryption
Pre-Boot Authentication is generally provided by a variety of full disk encryption vendors, but can be installed separately. Some FDE solutions can function without Pre-Boot Authentication, such as hardware-based full disk encryption. However, without some form of authentication, encryption provides little protection.

Disk encryption software
'Disk encryption software' is computer security software that protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device) by using disk encryption.

Disk encryption usually includes all aspects of the disk, including directories, so that an adversary cannot determine content, name or size of any file

The disk's data is protected using Symmetric-key algorithm|symmetric cryptography with the key randomly generated when a disk's encryption is first established. This key is itself encrypted in some way using a password or pass-phrase known (ideally) only to the user. Thereafter, in order to access the disk's data, the user must supply the password to make the key available to the software. This must be done sometime after each operating system start-up before the encrypted data can be used.

Done in software, disk encryption typically operates at a level between all applications and most system programs and the low-level device drivers by transparently (from a user's point of view) encrypting data after it is produced by a program but before it is physically written to the disk. Conversely it decrypts data immediately after being read but before it is presented to a program. Properly done, programs are unaware of these cryptographic operations.

Some disk encryption software (e.g., TrueCrypt or BestCrypt) provide features that generally cannot be accomplished with Disk encryption hardware|disk hardware encryption: the ability to mount container files as encrypted logical disks with their own file system; and encrypted logical inner volumes which are secretly hidden within the free space of the more obvious outer volumes. Such strategies provide plausible deniability.

Well-known examples of disk encryption software include: BitLocker Drive Encryption|BitLocker for Windows; FileVault for Apple OS/X; and TrueCrypt, a non-commercial open source product, for Windows, OS/X and Linux.

The study authors were able to demonstrate a cold boot attack to recover cryptographic keys for several popular disk encryption systems despite some memory degradation, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use

Disk encryption software - Plausible deniability
Some disk encryption systems, such as TrueCrypt, offers levels of plausible deniability#Use_in_cryptography|Plausible Deniability, which might be useful if a user is compelled to reveal the password of an encrypted volume.

Disk encryption software - Hidden volumes
Hidden volumes are a steganographic feature that allows a second, hidden, volume to reside within the apparent free space of a visible container volume (sometimes known as outer volume). The hidden volume has its own separate file system, password, and encryption key distinct from the container volume.

When the outer container is brought online thorough the disk encryption software, whether the inner or outer volume is Mount (computing)|mounted depends on the password provided

Once a hidden volume has been created inside the visible container volume, the user will store important-looking information (but which the user does not actually mind revealing) on the outer volume, whereas more sensitive information is stored within the hidden volume.

If the user is forced to reveal a password, the user can reveal the password to the outer volume, without disclosing the existence of the hidden volume. The hidden volume will not be compromised, if the user takes certain precautions in overwriting the free areas of the host disk.[ Plausible Deniability] - FreeOTFE instructions for initializing an encrypted disk such that the presence of a hidden disk cannot be detected

Disk encryption software - No identifying features
Volumes, be they stored in a file or a device/partition, may intentionally not contain any discernible signatures or unencrypted headers

A file hosted volume (as opposed to partitions) may look out of place in some cases since it will be entirely random data placed in a file intentionally. However, a partition or device hosted volume will look no different than a partition or device that has been wiped with a common disk wiping tool such as Darik's Boot and Nuke. One can plausibly claim that such a device or partition has been wiped to clear personal data.

Portable or traveller mode means the encryption software can be run without installation to the system hard drive. In this mode, the software typically installs a temporary device driver|driver from the portable media. Since it is installing a driver (albeit temporarily), administrative privileges are still required.

Disk encryption software - Resizable volumes
Some disk encryption software allows encrypted volumes to be resized. Not many systems implement this fully, and resort to using sparse files to achieve this.

Disk encryption software - Backups
Encrypted volumes contain header (or CDB) data, which may be backed up. Overwriting these data will destroy the volume, so the ability to back them up is useful.

Disk encryption software - Backups
Restoring the backup copy of these data may reset the volume's password to what it was when the backup was taken.

encryption ' encryption' refers to encryption, and often authentication, of messages, to protect the content from being read by any but the intended recipients.

encryption encryption can rely on public-key cryptography, in which users can each publish a public key that others can use to encrypt messages to them, while keeping secret a Public-key cryptography|private key they can use to decrypt such messages or to digitally encrypt and sign messages they send.

For More Information, Visit:
The Art of Service

Encryption https://store.theartofservice.com/the-encryption-toolkit.html.

Similar presentations

Presentation on theme: "Encryption https://store.theartofservice.com/the-encryption-toolkit.html."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Encryption https://store.theartofservice.com/the-encryption-toolkit.html.

Similar presentations

Presentation on theme: "Encryption https://store.theartofservice.com/the-encryption-toolkit.html."— Presentation transcript:

Similar presentations

About project

Feedback