Encrypt Everything!

Did you ever pass secret, coded messages as a kid? There's a certain thrill in knowing that nobody else can read your communication, even if the content is as banal as "Johnny love Jane." That's just fun, but when the content is significant, like a contract or a patent application, keeping unauthorized types from seeing it is essential. That's where encryption comes in. When you keep all your sensitive documents encrypted, they're inaccessible to hackers and snoops. To share those documents with the right people, you simply supply them the decryption password. Just which encryption product is best for you depends on your needs, so we've rounded up a varied collection of encryption products to help you choose.

In this roundup, I'm specifically looking at products that encrypt files, not at whole-disk solutions like Microsoft's Bitlocker. Whole-disk encryption is an effective line of defense for a single device, but it doesn't help when you need to share encrypted data.

You can use a Virtual Private Network, or VPN, to encrypt your own internet traffic. From your PC to the VPN company's server, all your data is encrypted, and that's a great thing. However, unless you're connected to a secure HTTPS website, your traffic is not encrypted between the VPN server and the site. And of course the VPN's encryption doesn't just magically rub off on files you share. Using a VPN is a great way to protect your internet traffic when you're traveling, but it's not a solution for encrypting your local files.

When the FBI needed information from the San Bernardino shooter's iPhone, they asked Apple for a back door to get past the encryption. But no such back door existed, and Apple refused to create one. The FBI had to hire hackers to get into the phone.

Why wouldn't Apple help? Because the moment a back door or similar hack exists, it becomes a target, a prize for the bad guys. It will leak sooner or later. In a talk at Black Hat this past summer, Apple's Ivan Krstic revealed that the company has done something similar in their cryptographic servers. Once the fleet of servers is up and running, they physically destroy the keys that would permit modification. Apple can't update them, but the bad guys can't get in either.

All of the products in this roundup explicitly state that they have no back door, and that's as it should be. It does mean that if you encrypt an essential document and then forget the encryption password, you've lost it for good.

Back in the day, if you wanted to keep a document secret you could use a cipher to encrypt it and then burn the original. Or you could lock it up in a safe. The two main approaches in encryption utilities parallel these options.

One type of product simply processes files and folders, turning them into impenetrable encrypted versions of themselves. The other creates a virtual disk drive that, when open, acts like any other drive on your system. When you lock the virtual drive, all of the files you put into it are completely inaccessible.

Similar to the virtual drive solution, some products store your encrypted data in the cloud. This approach requires extreme care, obviously. Encrypted data in the cloud has a much bigger attack surface than encrypted data on your own PC.

Which is better? It really depends on how you plan to use encryption. If you're not sure, take advantage of the 30-day free trial offered by each of these products to get a feel for the different options.

After you copy a file into secure storage, or create an encrypted version of it, you absolutely need to wipe the unencrypted original. Just deleting it isn't sufficient, even if you bypass the Recycle Bin, because the data still exists on disk, and data recovery utilities can often get it back.

Some encryption products avoid this problem by encrypting the file in place, literally overwriting it on disk with an encrypted version. It's more common, though, to offer secure deletion as an option. If you choose a product that lacks this feature, you should find a free secure deletion tool to use along with it.

Overwriting data before deletion is sufficient to balk software-based recovery tools. Hardware-based forensic recovery works because the magnetic recording of data on a hard drive isn't actually digital. It's more of a waveform. In simple terms, the process involves nulling out the known data and reading around the edges of what's left. If you really think someone (the feds?) might use this technique to recover your incriminating files, you can set your secure deletion tool to make more passes, overwriting the data beyond what even these techniques can recover.

An encryption algorithm is like a black box. Dump a document, image, or other file into it, and you get back what seems like gibberish. Run that gibberish back through the box, with the same password, and you get back the original.

The U.S. government has settled on Advanced Encryption Standard (AES) as a standard, and all of the products gathered here support AES. Even those that support other algorithms tend to recommend using AES.

If you're an encryption expert, you may prefer another algorithm, Blowfish, perhaps, or the Soviet government's GOST. For the average user, however, AES is just fine.

Passwords are important, and you have to keep them secret, right? Well, not when you use Public Key Infrastructure (PKI) cryptography.

With PKI, you get two keys. One is public; you can share it with anyone, register it in a key exchange, tattoo it on your foreheadwhatever you like. The other is private, and should be closely guarded. If I want to send you a secret document, I simply encrypt it with your public key. When you receive it, your private key decrypts it. Simple!

Using this system in reverse, you can create a digital signature that proves your document came from you and hasn't been modified. How? Just encrypt it with your private key. The fact that your public key decrypts it is all the proof you need. PKI support is less common than support for traditional symmetric algorithms.

If you want to share a file with someone and your encryption tool doesn't support PKI, there are other options for sharing. Many products allow creation of a self-decrypting executable file. You may also find that the recipient can use a free, decryption-only tool.

Right now there are three Editors' Choice products in the consumer-accessible encryption field. The first is the easiest to use of the bunch, the next is the most secure, and the third is the most comprehensive.

AxCrypt Premium has a sleek, modern look, and when it's active you'll hardly notice it. Files in its Secured Folders get encrypted automatically when you sign out, and it's one of the few that support public key cryptography.

CertainSafe Digital Safety Deposit Box goes through a multistage security handshake that authenticates you to the site and authenticates the site to you. Your files are encrypted, split into chunks, and tokenized. Then each chunk gets stored on a different server. A hacker who breached one server would get nothing useful.

Folder Lock can either encrypt files or simply lock them so nobody can access them. It also offers encrypted lockers for secure storage. Among its many other features are file shredding, free space shredding, secure online backup, and self-decrypting files.

The other products here also have their merits, too, of course. Read the capsules below and then click through to the full reviews to decide which one you'll use to protect your files. Have an opinion on one of the apps reviewed here, or a favorite tool we didn't mention? Let us know in the comments.

Pros: MicroEncryption renders bulk data breach of cloud-stored files impossible. Logon handshake authenticates both user and server. Can share files with guests or other users. Retains previous versions of modified files. Secure chat.

Cons: If you forget password or security answers, you lose all access. Can only share entire folders, not files.

Bottom Line: When backing up your sensitive files to the cloud, CertainSafe Digital Safety Deposit Box emphasizes security over all else, but it doesn't sacrifice ease of use.

Pros: Encrypted lockers protect files and folders. Secure online backup. Can lock files and folders, making them invisible. File shredding. Free space shredding. Self-decrypting files. Many useful bonus features.

Cons: Product serial number stands in for master password by default. Locked files are not encrypted. Secure backup requires separate subscription.

Bottom Line: Folder Lock can lock access to files for quick, easy protection, and also keep them in encrypted lockers for serious protection. It combines a wide range of features with a bright, easy-to-use interface.

Pros: Very easy to use. Handles editing encrypted files. Secure sharing using public key cryptography. Secure file deletion. Generates memorable passwords. Secure online password storage.

Cons: Can be risky if you don't ensure local security of your PC.

Bottom Line: AxCrypt Premium makes encryption simple enough for any user, and even offers public key cryptography for secure sharing of encrypted files.

Pros: Offers 17 encryption algorithms. Supports PKI. Secure deletion. Password generator. Encrypts text to/from the clipboard. Command-line operation.

Cons: Awkward, dated user interface. Password generator doesn't work well. Some features described in Help system are absent.

Bottom Line: InterCrypto's Advanced Encryption Package is by far the most feature-rich encryption tool we've tested. But its awkward and dated interface make it one that should be reserved for experts.

Pros: Easy to encrypt file just by moving them into a secure volume. Password quality meter. Can share volumes. Mobile edition. Can encrypt files and folders for email.

Cons: Secure deletion doesn't handle unencrypted originals. Complicated creation of secure volumes, especially after the first. Expensive for what it does.

Bottom Line: Cypherix Cryptainer PE creates encrypted volumes for storing your sensitive files. Lock the volume and nobody can access the files. It does the job, but it's relatively expensive.

Pros: Encrypts files and folders with optional compression. Includes secure deletion. Straightforward user interface. Self-decrypting EXE option.

Cons: No filename encryption. Lacks advanced features.

Bottom Line: Cypherix SecureIT handles the basic task of encrypting and decrypting files and folders in a workmanlike fashion, but it lacks advanced features offered by the competition.

Pros: Can use one to four encryption algorithms. Simple, context-menu-based operation. Can keep passphrase in memory. Secure deletion. Text encryption. Filename encryption.

Cons: Passphrase memory can be a security risk for the careless. Fewer features than some competitors.

Bottom Line: CryptoForge offers a simple, context-menu-based approach to encryption and secure deletion, and it also handles text-only encryption. It's a fine choice for keeping your files safe.

Pros: Creates secure storage for sensitive files. Easy to use. Two-factor authentication.

Cons: Lacks secure deletion. Displayed some odd error messages in testing.

Bottom Line: Any file you drop into InterCrypto CryptoExpert 8's secure storage vaults gets encrypted when you lock the vault. It's easy to use, but it lacks some features and we found some confusing errors in our testing.

Pros: Many options for hiding encrypted files. Easy to use. Two-factor authentication. Can hide existence of containers. Comprehensive secure-deletion file shredder. Trace remover. Price includes five licenses.

Cons: Combination of hidden container and two-factor authentication can destroy data. Portable encrypted containers only portable on systems with Steganos installed.

Bottom Line: Steganos Safe creates secure encrypted storage for your sensitive files. It's very easy to use, and it offers some unique options for maintaining privacy and secrecy.

More here:
The Best Encryption Software of 2018 | PCMag.com

We take data protection very seriously! Over the years we have added a number of security and encryption features to various parts of AWS. We protect data at rest with Server Side Encryption for Amazon S3 and Amazon Glacier, multiple tiers of encryption for Amazon Redshift, and Transparent Data Encryption for Oracle and SQL Server databases via Amazon RDS. We protect data in motion with extensive support for SSL/TLS in CloudFront, Amazon RDS, and Elastic Load Balancing.

Today we are giving you yet another option, with support for encryption of EBS data volumes and the associated snapshots. You can now encrypt data stored on an EBS volume at rest and in motion by setting a single option. When you create an encrypted EBS volume and attach it to a supported instance type, data on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.

Enabling EncryptionYou can enable EBS encryption when you create a new volume:

You can see the encryption state of each of your volumes from the console:

Important DetailsAdding encryption to a provisioned IOPS (PIOPS) volume will not affect the provisioned performance. Encryption has a minimal effect on I/O latency.

The snapshots that you take of an encrypted EBS volume are also encrypted and can be moved between AWS Regions as needed. You cannot share encrypted snapshots with other AWS accounts and you cannot make them public.

As I mentioned earlier, your data is encrypted before it leaves the EC2 instance. In order to be able to do this efficiently and with low latency, the EBS encryption feature is only available on EC2s M3, C3, R3, CR1, G2, and I2 instances. You cannot attach an encrypted EBS volume to other instance types.

Also, you cannot enable encryption for an existing EBS volume. Instead, you must create a new, encrypted volume and copy the data from the old one to the new one using the file manipulation tool of your choice. Rsync (Linux) and Robocopy (Windows) are two good options, but there are many others.

Each newly created volume gets a unique 256-bit AES key; volumes created from encrypted snapshots share the key. You do not need to manage the encryption keys because they are protected by our own key management infrastructure, which implements strong logical and physical security controls to prevent unauthorized access. Your data and associated keys are encrypted using the industry-standard AES-256 algorithm.

Encrypt NowEBS encryption is available now in all eight of the commercial AWS Regions and you can start using it today! There is no charge for encryption and it does not affect the published EBS Service Level Agreement (SLA) for availability.

Jeff;

See original here:
New EBS Encryption for Additional Data Protection | AWS ...

How much does encryption software cost?

Most encryption software costs about $40 and can be used on multiple devices. If it only comes with one user license, look to see if it includes self-extracting files. This allows you to send encrypted files to another user or to yourself through email and open it on another device that doesnt have the same program installed on it. Usually this is done by providing the receiver with a password that unlocks and decrypts the file.

Key Features of Encryption Software

Version CompatibilityIf your computer runs an older version of Windows, such as Vista or XP, make sure the encryption program supports your operating system. On the flip side, you need to make sure you choose software that has changed with the times and supports the latest versions of Windows, including 8 and 10.

While all the programs we tested are compatible with every version of Windows, we feel thatSensiGuardis a good choice for older computers because it only has the most essential tools and wont bog down your old PC. Plus, it is easy to move to a new computer if you choose to upgrade. However, it takes a while to encrypt and decrypt files.

If you have a Mac computer, you need a program that is designed specifically for that operating system none of the programs we tested are compatible with both Windows and Mac machines. We believe Concealer is the best option for Macs, but Espionage 3 is also a good choice.

Mac encryption software doesnt have as many extra security features as Windows programs. They typically lack virtual keyboards, self-extracting file creators and password recovery tools. Mac programs also take a lot more time to secure files compared to Windows software.

SecurityEncryption software uses different types of ciphers to scramble your data, and each has its own benefits. Advanced Encryption Standard, or 256-bit key AES, is used by the U.S. government, including the National Security Agency (NSA), and is one of the strongest ciphers available. It scrambles each bit of information. Blowfish and its newer version, Twofish, are encryption algorithms that use block ciphers they scramble blocks of text or several bits of information at once rather than one bit at a time.

The main differences between these algorithms are performance and speed, and the average user wont notice the difference. Blowfish and Twofish cant encrypt large files, so if you need to secure gigabytes of data, use AES encryption. Blowfish and Twofish algorithms are considered practically unbreakable, though given enough time and computing power, both could theoretically be broken.

AES has long been recognized as the superior algorithm and is required for financial institutions, schools, government agencies and healthcare facilities that deal with sensitive personal information. Because of this we preferred programs that use it and ensured these were included in our final choice of the best encryption software.

Read the original:
Best Encryption Software 2018 - Encrypt Files on Windows PCs

Encryption has a long history dating back to when the ancient Greeks and Romans sent secret messages by substituting letters only decipherable with a secret key. Join us for a quick history lesson and learn more about how encryption works.

In todays edition of HTG Explains, well give you a brief history of encryption, how it works, and some examples of different types of encryptionmake sure you also check out the previous edition, where we explained why so many geeks hate Internet Explorer.

Image by xkcd, obviously.

The ancient Greeks used a tool called a Scytale to help encrypt their messages more quickly using a transposition cipherthey would simply wrap the strip of parchment around the cylinder, write out the message, and then when unwound wouldnt make sense.

This encryption method could be fairly easily broken, of course, but its one of the first examples of encryption actually being used in the real world.

Julius Caesar used a somewhat similar method during his time by shifting each letter of the alphabet to the right or left by a number of positionsan encryption technique known as Caesars cipher. For instance, using the example cipher below youd write GEEK as JHHN.

Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZCipher: DEFGHIJKLMNOPQRSTUVWXYZABC

Since only the intended recipient of the message knew the cipher, it would be difficult for the next person to decode the message, which would appear as gibberish, but the person that had the cipher could easily decode and read it.

Other simple encryption ciphers like the Polybius square used a polyalphabetic cipher that listed each letter with the corresponding numeric positions across the top and side to tell where the position of the letter was.

Using a table like the one above you would write the letter G as 23, or GEEK as 23 31 31 43.

Enigma Machine

During World War II, the Germans used the Enigma machine to pass encrypted transmissions back and forth, which took years before the Polish were able to crack the messages, and give the solution to the Allied forces, which was instrumental to their victory.

Lets face it: modern encryption techniques can be an extremely boring subject, so instead of just explaining them with words, weve put together a comic strip that talks about the history of encryption, inspired by Jeff Mosers stick figure guide to AES. Note: clearly we cannot convey everything about encryptions history in a comic strip.

Back in those days, people do not have a good encryption method to secure their electronic communication.

Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM.

The Data Encryption Standard (DES) is a block cipher (a form of shared secret encryption) that was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally.

Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL

The Rijndael encryption algorithm was adopted by the US Government as standard symmetric-key encryption, or Advanced Encryption Standard (AES). AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable encryption algorithm.

Many encryption algorithms exist, and they are all suited to different purposesthe two main characteristics that identify and differentiate one encryption algorithm from another are its ability to secure the protected data against attacks and its speed and efficiency in doing so.

As a good example of the speed difference between different types of encryption, you can use the benchmarking utility built into TrueCrypts volume creation wizardas you can see, AES is by far the fastest type of strong encryption.

There are both slower and faster encryption methods, and they are all suited for different purposes. If youre simply trying to decrypt a tiny piece of data every so often, you can afford to use the strongest possible encryption, or even encrypt it twice with different types of encryption. If you require speed, youd probably want to go with AES.

For more on benchmarking different types of encryption, check out a report from Washington University of St. Louis, where they did a ton of testing on different routines, and explained it all in a very geeky write-up.

All the fancy encryption algorithm that we have talked about earlier are mostly used for two different types of encryption:

To explain this concept, well use the postal service metaphor described in Wikipedia to understand how symmetric key algorithms works.

Alice puts her secret message in a box, and locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alices key (which he has somehow obtained previously, maybe by a face-to-face meeting) to open the box, and read the message. Bob can then use the same padlock to send his secret reply.

Symmetric-key algorithms can be divided into stream ciphers and block ciphersstream ciphers encrypt the bits of the message one at a time, and block ciphers take a number of bits, often in blocks of 64 bits at a time, and encrypt them as a single unit. Theres a lot of different algorithms you can choose fromthe more popular and well-respected symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA.

In an asymmetric key system, Bob and Alice have separate padlocks, instead of the single padlock with multiple keys from the symmetric example. Note: this is, of course, a greatly oversimplified example of how it really works, which is much more complicated, but youll get the general idea.

First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alices open padlock to lock the box before sending it back to her.

The critical advantage in an asymmetric key system is that Bob and Alice never need to send a copy of their keys to each other. This prevents a third party (perhaps, in the example, a corrupt postal worker) from copying a key while it is in transit, allowing said third party to spy on all future messages sent between Alice and Bob. In addition, if Bob were careless and allowed someone else to copy his key, Alices messages to Bob would be compromised, but Alices messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use.

Asymmetric encryption uses different keys for encryption and decryption. The message recipient creates a private key and a public key. The public key is distributed among the message senders and they use the public key to encrypt the message. The recipient uses their private key any encrypted messages that have been encrypted using the recipients public key.

Theres one major benefit to doing encryption this way compare to symmetric encryption. We never need to send anything secret (like our encryption key or password) over an insecure channel. Your public key goes out to the worldits not secret and it doesnt need to be. Your private key can stay snug and cozy on your personal computer, where you generated itit never has to be e-mailed anywhere, or read by attackers.

For many years, the SSL (Secure Sockets Layer) protocol has been securing web transactions using encryption between your web browser and a web server, protecting you from anybody that might be snooping on the network in the middle.

SSL itself is conceptually quite simple. It begins when the browser requests a secure page (usually https://)

The web server sends its public key with its certificate.The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.The web server decrypts the symmetric encryption key using its private key and uses the browsers symmetric key to decrypt its URL and http data.The web server sends back the requested html document and http data encrypted with the browsers symmetric key. The browser decrypts the http data and html document using the symmetric key and displays the information.

And now you can securely buy that eBay item you really didnt need.

If you made it this far, were at the end of our long journey to understanding encryption and a little bit of how it worksstarting from the early days of encryption with the Greeks and Romans, the rise of Lucifer, and finally how SSL uses asymmetric and symmetric encryption to help you buy that fluffy pink bunny on eBay.

Were big fans of encryption here at How-To Geek, and weve covered a lot of different ways to do things like:

Of course encryption is far too complicated a topic to really explain everything. Did we miss something important? Feel free to lay some knowledge on your fellow readers in the comments.

View original post here:
What Is Encryption, and How Does It Work?

End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers including telecom providers, Internet providers, and even the provider of the communication service from being able to access the cryptographic keys needed to decrypt the conversation.[1] The systems are designed to defeat any attempts at surveillance or tampering because no third parties can decipher the data being communicated or stored. For example, companies that use end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.[2]

In an E2EE system, encryption keys must only be known to the communicating parties. To achieve this goal, E2EE systems can encrypt data using a pre-arranged string of symbols, called a pre-shared secret (PGP), or a one-time secret derived from such a pre-shared secret (DUKPT). They can also negotiate a secret key on the spot using Diffie-Hellman key exchange (OTR).[3]

As of 2016, typical server-based communications systems do not include end-to-end encryption. These systems can only guarantee the protection of communications between clients and servers, meaning that users have to trust the third parties who are running the servers with the original texts. End-to-end encryption is regarded as safer because it reduces the number of parties who might be able to interfere or break the encryption.[4] In the case of instant messaging, users may use a third-party client to implement an end-to-end encryption scheme over an otherwise non-E2EE protocol.[5]

Some non-E2EE systems, such as Lavabit and Hushmail, have described themselves as offering "end-to-end" encryption when they did not.[6] Other systems, such as Telegram and Google Allo, have been criticized for not having end-to-end encryption, which they offer, enabled by default.[7][8]

Some encrypted backup and file sharing services provide client-side encryption. The encryption they offer is here not referred to as end-to-end encryption, because the services are not meant for sharing messages between users. However, the term "end-to-end encryption" is often used as a synonym for client-side encryption.[citation needed]

End-to-end encryption ensures that data is transferred securely between endpoints. But, rather than try to break the encryption, an eavesdropper may impersonate a message recipient (during key exchange or by substituting his public key for the recipient's), so that messages are encrypted with a key known to the attacker. After decrypting the message, the snoop can then encrypt it with a key that they share with the actual recipient, or their public key in case of asymmetric systems, and send the message on again to avoid detection. This is known as a man-in-the-middle attack.[1][9]

Most end-to-end encryption protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, one could rely on certification authorities or a web of trust.[10] An alternative technique is to generate cryptographic hashes (fingerprints) based on the communicating users public keys or shared secret keys. The parties compare their fingerprints using an outside (out-of-band) communication channel that guarantees integrity and authenticity of communication (but not necessarily secrecy), before starting their conversation. If the fingerprints match, there is in theory, no man in the middle.[1]

When displayed for human inspection, fingerprints are usually encoded into hexadecimal strings. These strings are then formatted into groups of characters for readability. For example, a 128-bit MD5 fingerprint would be displayed as follows:

Some protocols display natural language representations of the hexadecimal blocks.[11] As the approach consists of a one-to-one mapping between fingerprint blocks and words, there is no loss in entropy. The protocol may choose to display words in the user's native (system) language.[11] This can, however, make cross-language comparisons prone to errors.[12] In order to improve localization, some protocols have chosen to display fingerprints as base 10 strings instead of hexadecimal or natural language strings.[13][12] Modern messaging applications can also display fingerprints as QR codes that users can scan off each other's devices.[13]

The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves. Each user's computer can still be hacked to steal his or her cryptographic key (to create a MITM attack) or simply read the recipients decrypted messages both in real time and from log files. Even the most perfectly encrypted communication pipe is only as secure as the mailbox on the other end.[1] Major attempts to increase endpoint security have been to isolate key generation, storage and cryptographic operations to a smart card such as Google's Project Vault.[14] However, since plaintext input and output are still visible to the host system, malware can monitor conversations in real time. A more robust approach is to isolate all sensitive data to a fully air gapped computer.[15] PGP has been recommended by experts for this purpose:

If I really had to trust my life to a piece of software, I would probably use something much less flashy GnuPG, maybe, running on an isolated computer locked in a basement.

However, as Bruce Schneier points out, Stuxnet developed by US and Israel successfully jumped air gap and reached Natanz nuclear plant's network in Iran.[16] To deal with key exfiltration with malware, one approach is to split the Trusted Computing Base behind two unidirectionally connected computers that prevent either insertion of malware, or exfiltration of sensitive data with inserted malware.[17]

A backdoor is usually a secret method of bypassing normal authentication or encryption in a computer system, a product, or an embedded device, etc[18]. Companies may also willingly or unwillingly introduce backdoors to their software that help subvert key negotiation or bypass encryption altogether. In 2013, information leaked by Edward Snowden showed that Skype had a backdoor which allowed Microsoft to hand over their users' messages to the NSA despite the fact that those messages were officially end-to-end encrypted.[19][20]

See more here:
End-to-end encryption - Wikipedia

AES encryption

Encrypt and decrypt text with AES algorithm

As you see this implementation is using openssl instead of mcrypt and the result of the encryption/decryption is not compatible with each other.The mcrypt function will be deprecated feature in PHP 7.1.x

It is a webtool to encrypt and decrypt text using AES encryption algorithm. You can chose 128, 192 or 256-bit long key size for encryption and decryption. The result of the process is downloadable in a text file.

If you want to encrypt a text put it in the white textarea above, set the key of the encryption then push the Encrypt button.The result of the encryption will appear in base64 encoded to prevent character encoding problems.If you want to decrypt a text be sure it is in base64 encoded and is encrypted with AES algorithm!Put the encrypted text in the white textarea, set the key and push the Decrypt button.

When you want to encrypt a confidential text into a decryptable format, for example when you need to send sensitive data in e-mail.The decryption of the encrypted text it is possible only if you know the right password.

AES (acronym of Advanced Encryption Standard) is a symmetric encryption algorithm.The algorithm was developed by two Belgian cryptographer Joan Daemen and Vincent Rijmen.AES was designed to be efficient in both hardware and software, and supports a block length of 128 bits and key lengths of 128, 192, and 256 bits.

AES encryption is used by U.S. for securing sensitive but unclassified material, so we can say it is enough secure.

Please fill out our survey to help us improving aesencryption.net.

We appreciate your feedback!

View post:
AES encryption

HTTP Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network, and is widely used on the Internet.[1][2] In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS,[3] or HTTP over SSL.

The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication.[4] In practice, this provides a reasonable assurance that one is communicating without interference by attackers with the website that one intended to communicate with, as opposed to an impostor.

Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems.[citation needed] Since 2018[update][citation needed], HTTPS is used more often by webusers than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and keep user communications, identity, and web browsing private.

The Uniform Resource Identifier (URI) scheme HTTPS has identical usage syntax to the HTTP scheme. However, HTTPS signals the browser to use an added encryption layer of SSL/TLS to protect the traffic. SSL/TLS is especially suited for HTTP, since it can provide some protection even if only one side of the communication is authenticated. This is the case with HTTP transactions over the Internet, where typically only the server is authenticated (by the client examining the server's certificate).

HTTPS creates a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.

Because HTTPS piggybacks HTTP entirely on top of TLS, the entirety of the underlying HTTP protocol can be encrypted. This includes the request URL (which particular web page was requested), query parameters, headers, and cookies (which often contain identity information about the user). However, because host (website) addresses and port numbers are necessarily part of the underlying TCP/IP protocols, HTTPS cannot protect their disclosure. In practice this means that even on a correctly configured web server, eavesdroppers can infer the IP address and port number of the web server (sometimes even the domain name e.g. http://www.example.org, but not the rest of the URL) that one is communicating with, as well as the amount (data transferred) and duration (length of session) of the communication, though not the content of the communication.[4]

Web browsers know how to trust HTTPS websites based on certificate authorities that come pre-installed in their software. Certificate authorities (such as Let's Encrypt, Digicert, Comodo, GoDaddy and GlobalSign) are in this way being trusted by web browser creators to provide valid certificates. Therefore, a user should trust an HTTPS connection to a website if and only if all of the following are true:

HTTPS is especially important over insecure networks (such as public Wi-Fi access points), as anyone on the same local network can packet-sniff and discover sensitive information not protected by HTTPS. Additionally, many free to use and paid WLAN networks engage in packet injection in order to serve their own ads on webpages. However, this can be exploited maliciously in many ways, such as injecting malware onto webpages and stealing users' private information.[5]

HTTPS is also very important for connections over the Tor anonymity network, as malicious Tor nodes can damage or alter the contents passing through them in an insecure fashion and inject malware into the connection. This is one reason why the Electronic Frontier Foundation and the Tor project started the development of HTTPS Everywhere,[4] which is included in the Tor Browser Bundle.[6]

As more information is revealed about global mass surveillance and criminals stealing personal information, the use of HTTPS security on all websites is becoming increasingly important regardless of the type of Internet connection being used.[7][8] While metadata about individual pages that a user visits is not sensitive, when combined, they can reveal a lot about the user and compromise the user's privacy.[9][10][11]

Deploying HTTPS also allows the use of HTTP/2 (or its predecessor, the now-deprecated protocol SPDY), that are new generations of HTTP, designed to reduce page load times, size and latency.

It is recommended to use HTTP Strict Transport Security (HSTS) with HTTPS to protect users from man-in-the-middle attacks, especially SSL stripping.[11][12]

HTTPS should not be confused with the little-used Secure HTTP (S-HTTP) specified in RFC 2660.

As of April2018[update], 33.2% of Alexa top 1,000,000 websites use HTTPS as default,[13] 57.1% of the Internet's 137,971 most popular websites have a secure implementation of HTTPS,[14] and 70% of page loads (measured by Firefox Telemetry) use HTTPS.[15]

Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking whether they wanted to continue. Newer browsers display a warning across the entire window. Newer browsers also prominently display the site's security information in the address bar. Extended validation certificates turn the address bar green in newer browsers. Most browsers also display a warning to the user when visiting a site that contains a mixture of encrypted and unencrypted content.

Most web browsers alert the user when visiting sites that have invalid security certificates.

The Electronic Frontier Foundation, opining that "In an ideal world, every web request could be defaulted to HTTPS", has provided an add-on called HTTPS Everywhere for Mozilla Firefox that enables HTTPS by default for hundreds of frequently used websites. A beta version of this plugin is also available for Google Chrome and Chromium.[16][17]

The security of HTTPS is that of the underlying TLS, which typically uses long-term public and private keys to generate a short-term session key, which is then used to encrypt the data flow between client and server. X.509 certificates are used to authenticate the server (and sometimes the client as well). As a consequence, certificate authorities and public key certificates are necessary to verify the relation between the certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures drew attention to certificate authorities as a potential weak point allowing man-in-the-middle attacks.[18][19] An important property in this context is forward secrecy, which ensures that encrypted communications recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future. Not all web servers provide forward secrecy.[20][needs update]

A site must be completely hosted over HTTPS, without having part of its contents loaded over HTTPfor example, having scripts loaded insecurelyor the user will be vulnerable to some attacks and surveillance. Also having only a certain page that contains sensitive information (such as a log-in page) of a website loaded over HTTPS, while having the rest of the website loaded over plain HTTP, will expose the user to attacks. On a site that has sensitive information somewhere on it, every time that site is accessed with HTTP instead of HTTPS, the user and the session will get exposed. Similarly, cookies on a site served through HTTPS have to have the secure attribute enabled.[11]

HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with "http://" and use port 80 by default.

HTTP is not encrypted and is vulnerable to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information, and modify webpages to inject malware or advertisements. HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL).

HTTP operates at the highest layer of the TCP/IP model, the Application layer; as does the TLS security protocol (operating as a lower sublayer of the same layer), which encrypts an HTTP message prior to transmission and decrypts a message upon arrival. Strictly speaking, HTTPS is not a separate protocol, but refers to use of ordinary HTTP over an encrypted SSL/TLS connection.

Everything in the HTTPS message is encrypted, including the headers, and the request/response load. With the exception of the possible CCA cryptographic attack described in the limitations section below, the attacker can only know that a connection is taking place between the two parties and their domain names and IP addresses.

To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a trusted certificate authority for the web browser to accept it without warning. The authority certifies that the certificate holder is the operator of the web server that presents it. Web browsers are generally distributed with a list of signing certificates of major certificate authorities so that they can verify certificates signed by them.

Let's Encrypt, launched in April 2016,[21] provides free and automated SSL/TLS certificates to websites.[22] According to the Electronic Frontier Foundation, "Let's Encrypt" will make switching from HTTP to HTTPS "as easy as issuing one command, or clicking one button."[23]. The majority of web hosts and cloud providers already leverage Let's Encrypt, providing free certificates to their customers.

The system can also be used for client authentication in order to limit access to a web server to authorized users. To do this, the site administrator typically creates a certificate for each user, a certificate that is loaded into their browser. Normally, that contains the name and e-mail address of the authorized user and is automatically checked by the server on each reconnect to verify the user's identity, potentially without even entering a password.

An important property in this context is perfect forward secrecy (PFS). Possessing one of the long-term asymmetric secret keys used to establish an HTTPS session should not make it easier to derive the short-term session key to then decrypt the conversation, even at a later time. DiffieHellman key exchange (DHE) and Elliptic curve DiffieHellman key exchange (ECDHE) are in 2013 the only ones known to have that property. Only 30% of Firefox, Opera, and Chromium Browser sessions use it, and nearly 0% of Apple's Safari and Microsoft Internet Explorer sessions.[20] Among the larger internet providers, only Google supports PFS since 2011[update] (State of September 2013).[citation needed]

A certificate may be revoked before it expires, for example because the secrecy of the private key has been compromised. Newer versions of popular browsers such as Firefox,[24] Opera,[25] and Internet Explorer on Windows Vista[26] implement the Online Certificate Status Protocol (OCSP) to verify that this is not the case. The browser sends the certificate's serial number to the certificate authority or its delegate via OCSP and the authority responds, telling the browser whether the certificate is still valid.[27]

SSL and TLS encryption can be configured in two modes: simple and mutual. In simple mode, authentication is only performed by the server. The mutual version requires the user to install a personal client certificate in the web browser for user authentication.[28] In either case, the level of protection depends on the correctness of the implementation of software and the cryptographic algorithms in use.

SSL/TLS does not prevent the indexing of the site by a web crawler, and in some cases the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size.[29] This allows an attacker to have access to the plaintext (the publicly available static content), and the encrypted text (the encrypted version of the static content), permitting a cryptographic attack.

Because TLS operates at a protocol level below that of HTTP, and has no knowledge of the higher-level protocols, TLS servers can only strictly present one certificate for a particular address and port combination.[30] In the past, this meant that it was not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many old browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista.[31][32][33]

From an architectural point of view:

A sophisticated type of man-in-the-middle attack called SSL stripping was presented at the Blackhat Conference 2009. This type of attack defeats the security provided by HTTPS by changing the https: link into an http: link, taking advantage of the fact that few Internet users actually type "https" into their browser interface: they get to a secure site by clicking on a link, and thus are fooled into thinking that they are using HTTPS when in fact they are using HTTP. The attacker then communicates in clear with the client.[34] This prompted the development of a countermeasure in HTTP called HTTP Strict Transport Security.

HTTPS has been shown vulnerable to a range of traffic analysis attacks. Traffic analysis attacks are a type of side-channel attack that relies on variations in the timing and size of traffic in order to infer properties about the encrypted traffic itself. Traffic analysis is possible because SSL/TLS encryption changes the contents of traffic, but has minimal impact on the size and timing of traffic. In May 2010, a research paper by researchers from Microsoft Research and Indiana University discovered that detailed sensitive user data can be inferred from side channels such as packet sizes. More specifically, the researchers found that an eavesdropper can infer the illnesses/medications/surgeries of the user, his/her family income and investment secrets, despite HTTPS protection in several high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search.[35] Although this work demonstrated vulnerability of HTTPS to traffic analysis, the approach presented by the authors required manual analysis and focused specifically on web applications protected by HTTPS.

The fact that most modern websites, including Google, Yahoo!, and Amazon, use HTTPS causes problems for many users trying to access public Wi-Fi hot spots, because a Wi-Fi hot spot login page fails to load if the user tries to open an HTTPS resource.[36][37] Several websites, such as neverssl.com or nonhttps.com, guarantee that they will always remain accessible by HTTP.

Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser.[38] Originally, HTTPS was used with the SSL protocol. As SSL evolved into Transport Layer Security (TLS), HTTPS was formally specified by RFC 2818 in May 2000.

See the original post:
HTTPS - Wikipedia

KaKa File Encryption is a tiny and portable piece of kit that password-protects files on your computer, in order to prevent unauthorized users from accessing them. It can be effortlessly handled, even by users with little or no experience in this kind of apps.

As installation is not a prerequisite, you can just drop the executable file anywhere on the hard drive and run it directly.

Alternatively, you can store KaKa File Encryption on a removable device (like a USB flash drive) and run it on any computer. Therefore, you can keep the utility with you whenever you're on the go.

What's more important is that the Windows Registry section does not receive entry updates and files are not left behind on the hard drive after program removal.

The interface of the program is formed from a small, regular window with a simple-to-use layout. The "what you see is what you get" concept clearly applies to the app, since there are no other options available, aside from the ones visible in the main frame.

Loading files into the working environment is done with the help of the file browser or "drag and drop" function. It is possible to encrypt multiple items in a single session with the same password. The main application window reveals the name, path and status for each file. Basically, all you have to do is write a password, confirm it and click a button to initialize the encryption operation.

KaKa File Encryption locks the original files without creating new ones. In order to decrypt them, you must have the program stored somewhere on the hard drive or flash drive. Once you decrypt a file, the restriction is automatically removed by the tool, so you have to redo the entire task.

The application barely uses CPU and system memory, hence it shouldn't affect the computer's overall performance. It has a good response time, applies the protection status rapidly and is pretty stable. We haven't come across any issues in our tests. To conclude, KaKa File Encryption comes packed with the necessary and suffice elements for protecting files against unauthorized use.

File encryption Encrypt file Secure file Encrypt Encryption Encrypting Protect

More here:
Download KaKa File Encryption 1.3 - softpedia.com

If you're looking for the best encryption software for your needs in 2018, then you've come to the right place, as we've listed the top software that will keep your important files and documents safe from malicious users.

The sad fact is that as hackers are become ever more adept at stealing private information, we must be ever more vigilant when it comes to protecting our files, regardless of if we are a business or home user, and this is where our list of the best encryption software of 2018 comes in.

Encryption tools encode data so that it can only be unlocked with a certain key, making it harder for third-parties to gain access. This means that only people who have access to that key can also access the data, making encryption software an essential tool for keeping data safe.

These encryption tools can be used to protect data such as email addresses, customer transactions and passwords, and other crucial information which you really cant afford to potentially expose. Many companies are also using encryption software to ensure internal online conversations and emails are kept private.

So which are the best encryption tools? Read on for our pick of the very best tools for keeping your data safe.

Free encryption for everyone

Platforms: Windows, macOS, Linux | Resources covered: Encryption and brute-force attack protection | Cloud-based: No | Integrations: No | Free trial: N/A

Basic version is completely free

Provides effective encryption

Selective approach

Initial download is a bit confusing

VeraCrypt is one of the most popular security tools, providing you with enterprise-grade encryption for important data.

The system is quite easy to use, and all it really does is add encrypted passwords to your data and partitions. All you have to do is give the tool a few details about your data, such as volume size, location and specified hashing algorithms and then the program does its thing.

Whats also nifty about VeraCrypt is that its immune to brute-force attacks, so you never have to worry about hackers decrypting your passwords and other sensitive data. The basic version of the software is completely free, as well.

Encryption for small teams and individuals

Platforms: Windows, macOS | Resources covered: Encryption, password protection, mobile apps | Cloud-based: Yes | Integrations: Google Docs, Dropbox | Free trial: 30 days (fully free version also available)

Strong encryption for personal use

Free version available

Mainly mobile-oriented

While free software can be convenient for some, its not always as powerful as premium offerings, and AxCrypt is a good bet if you want something reliable. The software has been designed specifically for individuals and small teams within businesses.

It provides strong security, with files protected by either 128-bit or 256-bit AES encryption, which should thwart any intruders. There are also cloud storage capabilities thrown into the mix the software will automatically protect files saved on services such as Google Drive and Dropbox.

AxCrypt is fully multilingual, and it can work with languages such as Dutch, French, German, Italian, Korean, Spanish, Swedish, Russian and Portuguese with more support planned for the future. As well as this, theres passport management, and you can access your encrypted files through a smartphone app.

The Premium package is $27 per year (roughly 20, AU$34), while there is a free version which has much fewer options.

Effective encryption for individuals

Platforms: Windows, Android, iOS | Resources covered: Encryption, password protection, brute-force attack prevention | Cloud-based: Yes | Integrations: No | Free trial: N/A

Free to download basic version

Effective personal encryption

Mainly mobile oriented

Although its important to protect assets on company computers, its also crucial to add protection to any device that stores critical data. For instance, most employees have access to their company emails and other accounts on their smartphones, and they need to be protected.

Folder Lock is a good option when it comes to adding encryption to your mobile devices. The app can protect your personal files, photos, videos, contacts, wallet cards, notes and audio recordings stored in your handset.

There are some other hidden security features, too. Not only is there encryption, but you can also set a decoy password, hacker deterrents, log unauthorised login attempts, back up all your passwords and get notified on potential brute-force attacks. The basic app is free to download, with a pro version available if you want more.

Powerful protection indeed

Platforms: Windows | Resources covered: Encryption, password protection, brute-force attack prevention | Cloud-based: No | Integrations: No | Free trial: 30 days

Uses multiple encryption methods

Powerful encryption

It may be too complicated for some

Windows-only

CryptoExpert is Windows desktop software which offers secure data vaults for all your data, ensuring its always protected from potential breaches.

It provides more powerful encryption than some of the other tools and apps listed in this article, boasting fast on-the-fly operation. The system can back up a range of different files, including certificates, Word, Excel and PowerPoint files, multimedia files and email databases.

The best thing about CryptoExpert 8 is that it can secure vaults of unlimited size, and it uses Blowfish, Cast, 3DES and AES-256 encryption algorithms. The latter are highly effective and industry-acclaimed. Itll work with 32-bit and 64-bit versions of Windows 7, 8 and 10.

A quality cloud-based solution

Platforms: Desktop | Resources covered: Encryption, password protection, brute-force attack prevention, secure file storage | Cloud-based: Yes | Integrations: No | Free trial: 30 days

Completely cloud-based

Affordable monthly plan

Not everyone wants cloud-based security

CertainSafe is highly effective cloud-based encryption software which attempts to mitigate all aspects of risk and is compliant with industry regulations.

With the platform, you can store and share documents, private messages, photos, videos and other files without exposing them to third-party sources. You can even collaborate and communicate with colleagues through the system, with all correspondence encrypted.

CertainSafe also adds automated security for business databases and applications, meaning you dont always have to do things manually. You can subscribe for a monthly plan, but before making any decisions, theres the option to get a free trial and try things out that way.

Here is the original post:
Top 5 best encryption software tools of 2018 | TechRadar

When you need to protect the privacy of an email message, encrypt it. Encrypting an email message in Outlook means it's converted from readable plain text into scrambled cipher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key, however, sees indecipherable text.

This article is specifically about encrypting and digitally signing a message with S/MIME. To understand the full list of email encryption options go to the article on Email Encryption in Office 365.

What happens if the recipient doesn't have the corresponding private key? The recipient will see this message:

"This item cannot be displayed in the Reading Pane. Open the item to read its contents."

And if the recipient tries to open the item, a dialog box opens with this message:

"Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your Digital ID name cannot be found by the underlying security system."

Sending and viewing encrypted email messages requires both sender and recipient to share their digital ID, or public key certificate. This means that you and the recipient each must send the other a digitally signed message, which enables you to add the other person's certificate to your Contacts. You cant encrypt email messages without a digital ID.

If you send an encrypted message to a recipient whose email setup doesnt support encryption, you're offered the option of sending the message in an unencrypted format.

Any attachments sent with encrypted messages also are encrypted.

In message that you are composing, click File > Properties.

Click Security Settings, and then select the Encrypt message contents and attachments check box.

Compose your message, and then click Send.

When you choose to encrypt all outgoing messages by default, you can write and send messages the same as with any other messages, but all potential recipients must have your digital ID to decode or view your messages.

On the File tab. choose Options >Trust Center > Trust Center Settings.

On the Email Security tab, under Encrypted email, select the Encrypt contents and attachments for outgoing messages check box.

To change additional settings, such as choosing a specific certificate to use, click Settings.

In the message that you're composing, on the Options tab, in the More Options group, click the dialog box launcher in the lower-right corner.

Click Security Settings, and then select the Encrypt message contents and attachments check box.

Compose your message, and then click Send.

When you choose to encrypt all outgoing messages by default, you can write and send messages the same as you do with any other messages. All potential recipients, however, must have your digital ID to decode or view those messages.

On the File tab, click Options > Trust Center > Trust Center Settings.

On the E-mail Security tab, under Encrypted e-mail, select the Encrypt contents and attachments for outgoing messages check box.

To change additional settings, such as choosing a specific certificate to use, click Settings.

In the message, on the Message tab, in the Options group on the ribbon, click the Encrypt Message Contents and Attachments button .

Note:If you don't see this button, click the Options Dialog Box Launcher in the lower-right corner of the group to open the Message Options dialog box. Click the Security Settings button, and in the Security Properties dialog box, select Encrypt message contents and attachments. Click OK, and then close the Message Options dialog box.

Compose your message and send it.

Choosing to encrypt all outgoing messages means, in effect, your e-mail is encrypted by default. You can write and send messages the same as with any other e-mail messages, but all potential recipients must have your digital ID to decode your messages.

On the Tools menu, click Trust Center, and then click E-mail Security.

Under Encrypted e-mail, select the Encrypt contents and attachments for outgoing messages check box.

To change additional settings, such as choosing a specific certificate to use, click Settings.

Click OK twice.

View post:
Encrypt email messages - Outlook