4 ways to send encrypted messages on Android – TechRepublic

Image: Jack Wallen

At some point in your mobile life, you're going to need to send an encrypted message. Whether it's mission-critical, sensitive business data, personal information, or a secret family recipe, the need to hide that information away in an encrypted missive will come to the fore. When that moment arises, you want to be ready. If you happen to use the Android platform, worry not...there are plenty of means to that end.

These are four ways you can send an encrypted message on the Android platform. The sending methods will vary, but the end results will be the same: encryption.


If you're looking for an email app that offers solid encryption, you'd be hard-pressed to find a better one-two punch than K-9 Mail and OpenKeychain: Easy PGP. With these two apps together, you can work with encryption keys (generating, importing, and exporting), send encrypted email, and decrypt incoming email.

An important detail about using these two tools is the order in which you set them up. K-9 Mail does no key handling of its own; it delegates everything to OpenKeychain through the OpenPGP API. So install OpenKeychain first and, from the app's main window (Figure A), generate a new PGP key before you configure K-9 Mail's cryptography settings.

Figure A

Generating a PGP key with OpenKeychain.

After installing OpenKeychain and generating a key, install K-9 Mail and walk through the process of setting up your email account. Once the account is properly set up, tap the menu button (bottom right corner of K-9 Mail), tap Settings | Account settings, tap Cryptography, tap OpenPGP App, select OpenKeychain (Figure B), and grant OpenKeychain access.

Figure B

Selecting the key to use for encryption.

Select the key you generated with OpenKeychain, and you're ready to start sending encrypted email. The usual PGP rules apply: you must import the public key of anyone you want to send encrypted mail to, and you should confirm its fingerprint with them over another channel before trusting it. Also remember that PGP encrypts only the message body and attachments; the subject line, sender and recipient addresses travel in the clear. Otherwise, you're good to go.

If you're looking for a way to encrypt your text messages, Signal may be your best bet. Signal uses your existing contacts, supports group chats and private voice calls, and protects messages and calls with end-to-end encryption using the Signal Protocol (formerly known as the TextSecure protocol). Encrypted messages travel over your data connection, not as SMS; SMS is used only as an unencrypted fallback.

The one caveat to Signal is that anyone you are communicating with must be using Signal to receive encrypted messages. Anyone not using Signal will be sent an unencrypted SMS, which Signal marks as unsecured. If you send an unencrypted message to a user, a message will appear at the top of the chat encouraging them to install the app.

Installing Signal is handled as you would any Android app. During setup, you must first verify your phone number. Signal then generates your identity key pair and registers it against your number. When setup is complete, Signal behaves like any other SMS client. Messages to users who are already using Signal are automatically encrypted, so there are no extra steps for the user to take. The one step worth taking for important contacts is to compare safety numbers in person or over another channel, which rules out someone sitting between you and them.


If you're looking for a really simple means to encrypt a quick message so that you can paste that message into an email or an SMS message, you can't go wrong with Encrypt text with CryptMax. With this tool, you install it, type in your message to be encrypted, enter an encryption password, and tap ENCRYPT (Figure C). Now copy the encrypted message, paste it into your email or SMS client, and send away.

Figure C

Encrypting a message with CryptMax.

The recipient of the message will need to install the same app and know the encryption password used for the message. Once the recipient has that, they paste the message into CryptMax, type the encryption password, and tap DECRYPT. The password has to reach them by some channel other than the message itself; sending both in the same email defeats the purpose.

If you don't want to bother installing an application, you can always use something like the Encrypt Easy website. In the designated box, you enter the text you want encrypted, enter an encryption password, tap Encrypt (Figure D), and then copy the resultant message.

Figure D

Encrypting a message via a web-based service.

Paste the encrypted message into an email or SMS message and send it. The recipient will need to either go to the same site used to encrypt the message or make sure whatever app/service they use to decrypt it implements exactly the same scheme (the same cipher, key derivation and output format); if it doesn't, decryption will fail.
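Neither CryptMax nor Encrypt Easy says on this page what it actually does with the password, so here is an added example (not code from either app or from the article's author) of what a paste-anywhere, password-based message scheme needs in order to be sound: a random salt and a slow key derivation (PBKDF2 with 100,000 rounds here, an assumed figure), a fresh nonce per message, and an authentication tag that is checked before anything is decrypted, so a wrong password or an edited message is rejected instead of being turned into garbage. The HMAC-SHA256 keystream is a stand-in for AES, which Python's standard library does not include; that choice, the field layout and the sample message are this example's, not the apps'. The output is base64 text that can be pasted into an email or SMS.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed parameters for this example; the apps on the page do not publish theirs.
PBKDF2_ROUNDS = 100_000   # slows the password -> key step to blunt guessing
SALT_LEN = 16             # random per message, so the same password gives different keys
NONCE_LEN = 16            # random per message, so the same text gives different ciphertext
TAG_LEN = 32              # HMAC-SHA256 output


def _derive_keys(password, salt):
    """Stretch the password into separate encryption and authentication keys."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter), concatenated.
    Stands in for AES-CTR, which the standard library does not provide."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_message(password, plaintext):
    """Return a pasteable base64 token laid out as salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    data = plaintext.encode("utf-8")
    ciphertext = _xor(data, _keystream(enc_key, nonce, len(data)))
    # The tag covers salt and nonce too, so nothing in the token can be swapped unnoticed.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ciphertext + tag).decode("ascii")


def decrypt_message(password, token):
    """Recover the plaintext, or raise ValueError on a wrong password or altered token."""
    blob = base64.b64decode(token)
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting, in constant time
        raise ValueError("wrong password or message altered in transit")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode("utf-8")


def tampered(token):
    """Flip one bit of the ciphertext body; used to show that alteration is detected."""
    blob = bytearray(base64.b64decode(token))
    blob[SALT_LEN + NONCE_LEN] ^= 0x01
    return base64.b64encode(bytes(blob)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample message.
    token = encrypt_message("correct horse", "Meet at the usual place at 9.")
    print(token)                                   # paste this into the SMS or email body
    print(decrypt_message("correct horse", token))
```

Every one of these choices (KDF and round count, nonce length, cipher, tag) has to match on both ends, which is the interoperability point made above; and, as with CryptMax, the password must reach the recipient by a channel other than the message that carries the token.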

There are a number of variations on each of these types of apps; the route you take and which app you choose is up to you.

The web-based route is less secure because a third party is involved: the site's server, or at least the JavaScript it serves you, handles your plaintext and your password, so you are trusting the site operator and everything between you and it. If you're looking to send sensitive company information, you'll want to work locally and use an app specifically designed for the sending of such data.

From this list, the K-9/OpenKeychain combo would be your most secure and best bet.


Encryption of data ‘manageable’ for law enforcement, think tank says … – The Hill

The challenges that data encryption poses for law enforcement are manageable, according to a new analysis by a Washington, D.C., think tank, to be released later Thursday.

The research from the Center for Strategic and International Studies, which was shared with The Hill, found no instances in which encryption played a determinative role in recent major terrorist attacks in Europe and the United States.

The think tank also concluded that encryption does not play a major role in terrorists' efforts to recruit followers over the internet.

Privacy advocates and cybersecurity experts largely favor encryption and have raised alarm over the possibility of agencies like the FBI and NSA creating a backdoor to access secured data.

Still, the rise of encryption in mobile and online communications has created hurdles for law enforcement and counterterrorism operations.

The new research estimates the number of law enforcement cases affected by encryption is small, ranging from a few dozen to several hundred. Still, the experts recommend that officials monitor any increase or decrease in the number of investigations thwarted by encryption as well as terrorists' use of encryption in their operations.

"Our research suggests that the risk to public safety created by encryption has not reached the level that justifies restrictions or design mandates," the report states. "The encryption issue law enforcement faces, while frustrating, is currently manageable."

It is not yet clear how the Trump administration will handle encryption, though the president has signaled he is on the opposite side of the debate from privacy advocates. Last year, Trump called for a boycott against Apple to force the company to help the FBI unlock the iPhone of one of the San Bernardino attackers.

Sen. Jeff Sessions (R-Ala.), Trump's choice for attorney general, has said that he wants federal investigators to be able to lawfully overcome encryption in order to pursue leads.

"Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations," Sessions said in response to questions from Sen. Patrick Leahy (D-Vt.) ahead of his confirmation hearing last month.


FBI official: No immediate changes to encryption policy under Trump – The Hill

Donald Trump's White House has discussed encryption policy with the FBI, a bureau official indicated Wednesday.

James Baker, the FBI's general counsel, said he is unaware of any planned changes on encryption policy under the new administration.

"There have been some discussions, obviously, about this," he said at an encryption policy event in Washington, D.C.

"It is a big topic and one that people have discussed," he continued. "I am not aware of any policy change or even a determination at this point in time, given how soon we are into the new administration."

Encryption is a hot-button issue in the ongoing debate about privacy and the federal government's access to secured communications. While the use of encryption is broadly recognized as important to privacy and cybersecurity, it has created problems for federal investigators as they pursue criminal and counterterrorism cases.

The issue took center stage last year in the legal fight between Apple and the FBI as the bureau fought to access an iPhone used by one of the attackers in the San Bernardino, Calif., shooting in December 2015.

At the time, Trump argued that Apple should have aided the bureau in accessing the phone, calling for a boycott of the technology company until it did so.

Ultimately, the FBI paid professional hackers to break into the device.

The use of encrypted messaging apps has risen in recent years, as fears over hacking have compounded.

Baker spoke alongside software and legal experts at an event on the burdens placed on law enforcement by encryption, hosted by the Center for Strategic and International Studies on Wednesday afternoon.

The panelists agreed that the new administration and Congress will likely take up the issue of encryption and other matters related to law enforcement's access to data.

"I think this will be on the agenda for discussion," said Victoria Espinel, a former government official and president and CEO of BSA | The Software Alliance.

"I hope it's not on the agenda for discussion because of some horrible event that propels it forward."


Encryption Without Compromise – ISBuzz News

Over the past decade, organisations across every vertical market have attempted a wary balance between regulatory compliance and business agility. Yet with the arrival of the General Data Protection Regulation (GDPR) set to raise the bar yet again in 2018, how can organisations navigate ever more onerous regulatory requirements and penalties for failure to comply; escalating security risks; dispersed and diverse infrastructure models and still achieve operational performance objectives?

Given the evolving regulatory demands and threat landscape, securing data in motion, especially across Wide Area Networks (WANs), is clearly essential. But when traditional encryption has fundamentally compromised both network performance and essential troubleshooting, once again security and agility are in conflict.

Paul German, CEO of Certes Networks, explains the role stealth encryption is playing in delivering data security without operational compromise.

Encryption Imperative

In this increasingly regulated environment, encryption is, or should be, a fundamental component of the defence in depth security model. Whilst organisations globally have been wrestling with the escalating security demands created by a continually evolving cyber threat landscape, the introduction in 2018 of the GDPR radically extends the business implications of any data breach. After May 2018, not only must a company notify the supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of becoming aware of a breach, and notify the individuals affected without undue delay where the breach poses a high risk to them, but the fines can be up to €20 million or 4% of global annual turnover, whichever is higher. There is a very real risk that a data breach could lead to company failure.

Given the growing acceptance that a breach is a "when", not "if", event, organisations have evolved beyond perimeter-only security models to increasingly lock down data both at rest and in motion. Yet data encryption has had a chequered history. Whilst in theory the ability to make all information unintelligible, unusable and valueless to hackers and thieves is clearly compelling, the challenges associated with deploying, maintaining and managing encryption technologies have deterred and inhibited many organisations.

The key problem is the way in which encryption has been deployed to date. Traditionally an organisation's infrastructure is described in seven layers following the Open Systems Interconnection model (OSI model), from Physical (Layer 1) through to Application (Layer 7). The usual technique of adding encryption at Layer 2 (Data Link, as MACsec does) or Layer 3 (Network, as IPsec does) essentially means asking routers and switches to undertake an additional and demanding task.

The result is not only reduced network performance but also significant management and troubleshooting issues, often bad enough to drive organisations to switch the encryption off. In addition, as soon as Layer 2 or Layer 3 encryption is switched on, the organisation is largely blind to the traffic going across the network: it is not just the payload that is encrypted but the transport headers (ports) too, and with Layer 2 encryption the IP headers as well. The only option, therefore, when the application team needs to investigate performance problems is to switch off encryption, creating additional risk and leading to a security/operations stand-off.

Layer 4 Encryption

The answer to the continued friction between operational goals and security imperatives is to decouple encryption from the infrastructure completely. Rather than being embedded in routers, switches or firewalls, Layer 4 encryption technology sits entirely outside the underlying infrastructure. By creating an overlay dedicated to protecting data in motion and applications moving across the infrastructure, this model avoids any impact on network performance and complexity. Furthermore, Layer 4 encryption operates in stealth mode: only the data payload is encrypted, not the entire network packet.

This approach has two essential benefits. Firstly, a hacker who captures the traffic gets an opaque payload with nothing to say what it is: whether the data is sensitive or not, it all looks like worthless, malformed data of no use. (What the clear headers do still reveal is the metadata: which hosts and ports are talking, how much and when. The protection is confidentiality of the payload, not concealment of the conversation.) Secondly, if the organisation needs to troubleshoot, key information such as source/destination ports and IP addresses is still visible, enabling investigation and remedial work to be undertaken whilst the encryption is still turned on. All of the complex management and maintenance problems created by Layer 2 and Layer 3 encryption are removed. The data in motion is secure without adding complexity or compromising the operational performance of the infrastructure.

Layer 4 encryption also overcomes the problems created when application vendors build the secure connection between clients and servers on a third-party TLS library. The theory was great, but vulnerabilities such as Heartbleed (a memory-disclosure bug in OpenSSL that could leak private keys and session data) and POODLE (a padding-oracle attack on SSL 3.0) threw application vendors into a spin. The challenge of getting the third party to fix the problem, then updating the application, shipping a patch and ensuring customers have applied that patch across their estate is huge, leaving many applications still unpatched years later. A Layer 4 encryption overlay keeps application data protected independently of the application's own encryption and takes that burden off the software provider. Indeed, even if the application encryption has been updated, adding Layer 4 encryption gives a second, independent layer, so that whatever may happen in the future to compromise the application's encryption (a Heartbleed Mark 2) does not by itself expose the data.

Zero Trust Model

The additional benefit of decoupling encryption from the infrastructure is that it supports the zero trust model that is gaining growing support across the security industry in response to the ever-changing threat landscape. While it may appear logical to assume all owned infrastructure, from data centres to branch offices, LANs to private WANs, is under the organisation's control and hence secure, in practice the reality is very different.

Firstly, the vast majority of data breaches now start with compromised user credentials, giving a hacker direct access to that trusted network. Secondly, the concept of a private WAN is flawed: private WAN services are typically many organisations' connections delivered over a single shared managed service network, separated only by labels (MPLS labels and VRFs, for instance). Unfortunately, a simple misconfiguration can result in the networks of two or more organisations becoming merged, at which point sensitive data is open not only to the service provider but also to the other organisation and at the mercy of its security posture, or lack of it. That "owned" infrastructure is neither under the organisation's control nor secure.

What value is a Service Level Agreement with a service provider when the organisation has been breached, the regulator is set to impose huge fines and customer confidence has plummeted? Passing the baton of security over to a third party without truly understanding and then mitigating that risk is a mistake. The only way to ensure that an organisation's data is secure is to encrypt it before it hits the WAN: if the data does fall into the wrong hands, it is of absolutely no use at all.

Conclusion

This is the fundamental concept that organisations need to understand: trust nothing, secure everything. By adopting a zero trust model and accepting an inherent risk of breach, organisations can take a far more proactive approach to securing data across the entire infrastructure.

Adding Layer 4 Stealth encryption not only secures critical data and underpins compliance with regulations including GDPR but it does so without compromising network performance or operational agility.


Why We Need Encryption, Explained By Sci-Fi Dystopias – Vocativ

As the age of Trump gets into full swing, the specter of surveillance is once again brimming back to the surface of our collective imagination. In no small part thanks to the Obama administration, Trump has inherited an increasingly sophisticated system of surveillance, one which in the near future could include omnipresent facial recognition technology, backed by existing tools that can hack into our cell phones or monitor our social media accounts with little hassle.

In light of these threats, says Kevin Bankston, the director of New America's Open Technology Institute, the best offense is a good defense. Namely, the encryption of our vast digital lives.

Turning to science fiction, Bankston explains that the near future of surveillance could broadly veer down one of two paths. Either we get the dystopian world of George Orwell's 1984, where governments keep an oppressive boot on the necks of their citizenry by monitoring their every move. Or we could end up with the chaotic wasteland seen in the cyberpunk works of Peter Watts, laid out in his novel Maelstrom, where the concepts of privacy and security on the internet have long since disappeared and every person is only out for themselves.

Neither scenario is wildly far-fetched: regimes in China, Russia and elsewhere already use surveillance to monitor their citizenry and block content, and Western democracies may not be far behind. But encryption, as Bankston puts it, can be a "double duty dystopia destroyer."

"It protects your data from identity thieves and stalkers and hackers," he says. "But it also protects us from 1984, by making it much, much harder for governments to engage in mass surveillance."

At the end of the day, Bankston says, encryption should be seen as a right that we need to fight for, one that'll protect us from the worst of all futures.


All about SSL Cryptography | DigiCert.com

Background

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook). The name has stuck, but what runs today is its successor, TLS (Transport Layer Security); SSL 2.0 and 3.0 themselves are deprecated and should be disabled. It allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. To establish this secure connection, the server needs an SSL Certificate that the browser can verify.

But how is this accomplished? How is data encrypted so that no oneincluding the worlds biggest super computerscan crack it?

This article explains the technology at work behind the scenes of SSL encryption. It covers asymmetric and symmetric keys and how they work together to create an SSL-encrypted connection. It also covers different types of algorithms that are used to create these keysincluding the mathematical equations that make them virtually impossible to crack.


Asymmetric encryption (or public-key cryptography) uses a separate key for encryption and decryption. Anyone can use the encryption key (public key) to encrypt a message. However, decryption keys (private keys) are secret. This way only the intended receiver can decrypt the message. The most common asymmetric encryption algorithm is RSA; however, we will discuss algorithms later in this article.

RSA keys are typically 2048 bits today; 1024-bit keys are still encountered but are no longer considered safe to use. A 2048-bit key has 2^2048 possible values, a number with 617 decimal digits, so guessing the key is not the attack to worry about. The realistic attack is factoring the modulus, and no published method comes anywhere near doing that at 2048 bits. Larger keys (3072 or 4096 bits) are supported but less common, because the cost of each handshake grows faster than the security gained.

Symmetric encryption (or pre-shared key encryption) uses a single key to both encrypt and decrypt data. Both the sender and the receiver need the same key to communicate.

Symmetric key sizes are typically 128 or 256 bitsthe larger the key size, the harder the key is to crack. For example, a 128-bit key has 340,282,366,920,938,463,463,374,607,431,768,211,456 encryption code possibilities. As you can imagine, a brute force attack (in which an attacker tries every possible key until they find the right one) would take quite a bit of time to break a 128-bit key.

Whether a 128-bit or 256-bit key is used depends on the encryption capabilities of both the server and the client software. SSL Certificates do not dictate what key size is used.

Key sizes cannot be compared across the two types. NIST rates a 2048-bit RSA key as roughly equivalent to a 112-bit symmetric key, and 3072-bit RSA to 128 bits, because the attack on RSA is factoring the modulus rather than trying every possible key. So a bigger asymmetric key does not mean data encrypted with it is harder to crack than data under a 128-bit symmetric key. Rather than being compared by their size, the two kinds of key should be compared by computational burden and ease of distribution.

Symmetric ciphers are far cheaper to compute (AES encrypts at gigabytes per second on modern CPUs, while one RSA operation is a modular exponentiation on a 2048-bit number), which is why they carry the bulk of the data. Symmetric keys have a major disadvantage, however, especially if you use them for securing data transfers: because the same key is used for encryption and decryption, both you and the recipient need it. If you can walk over and tell your recipient the key, this isn't a huge deal. If you have to send the key to a user halfway around the world (a more likely scenario), you need a secure way to get it there.

Asymmetric encryption doesn't have this problem. As long as you keep your private key secret, no one can decrypt your messages. You can distribute the corresponding public key without worrying who gets it. Anyone who has the public key can encrypt data, but only the person with the private key can decrypt it. The remaining risk is substitution: if an attacker can hand the sender a forged public key, they can read everything encrypted to it. That is the problem certificates and PKI exist to solve.

Public Key Infrastructure (PKI) is the set of hardware, software, people, policies, and procedures that are needed to create, manage, distribute, use, store, and revoke digital certificates. PKI is also what binds keys to identities, by means of a Certificate Authority (CA) that signs the certificate. PKI uses a hybrid cryptosystem and benefits from both types of encryption. For example, in SSL communications, the server's SSL Certificate carries the server's public key; the matching private key stays on the server and never leaves it. The session key that the server and the browser create during the SSL handshake is symmetric, and the asymmetric keys are used only to establish it. This is explained further in the diagram below.

Public-key cryptography (asymmetric) uses encryption algorithms like RSA and Elliptic Curve Cryptography (ECC) to create the public and private keys. These algorithms are based on the intractability* of certain mathematical problems.

With asymmetric encryption it is computationally easy to generate public and private keys, encrypt messages with the public key, and decrypt messages with the private key. However, it is extremely difficult (or impossible) for anyone to derive the private key based only on the public key.

RSA is based on the presumed difficulty of factoring large integers (integer factorization). Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that no efficient algorithm exists for integer factorization.

A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but only someone with knowledge of the prime factors can feasibly decode the message.
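To make the RSA paragraphs and the hybrid cryptosystem paragraph concrete, here is an added example (not DigiCert's code) of the arithmetic with Python's standard library: n is the product of two primes, e is the published "auxiliary value", and the private exponent d is the inverse of e modulo (p-1)(q-1), which only someone who knows p and q can compute. The primes are two Mersenne primes chosen because their primality is certain; real keys use two random primes of about 1024 bits each, and real RSA encryption pads the message (OAEP) rather than encrypting the raw integer as this example does. The last two functions show a deliberately tiny modulus being broken by trial division, which is the whole reason key size matters. The session-key bytes and the demo primes are constructed values.

```python
from math import gcd

# Constructed demo primes: Mersenne primes, so their primality is beyond doubt.
# A real key uses two random primes of about 1024 bits each.
P_DEMO = 2**127 - 1
Q_DEMO = 2**107 - 1
E = 65537  # the "auxiliary value" published alongside n


def make_keypair(p, q, e=E):
    """Public key (n, e); private key (n, d) where d = e^-1 mod (p-1)(q-1).
    Computing d requires (p-1)(q-1), hence the prime factors, hence the secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    """Textbook (unpadded) RSA: c = m^e mod n. Real systems pad m with OAEP first."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """m = c^d mod n; works because e*d = 1 mod phi(n)."""
    n, d = private_key
    return pow(c, d, n)


def wrap_session_key(public_key, key_bytes):
    """Hybrid step: the symmetric session key is the 'message' RSA carries."""
    return rsa_encrypt(public_key, int.from_bytes(key_bytes, "big"))


def unwrap_session_key(private_key, c, key_len):
    return rsa_decrypt(private_key, c).to_bytes(key_len, "big")


def factor_by_trial_division(n):
    """Recovers p, q for a modulus small enough to be broken this way. No known
    method does this for 2048-bit moduli, which is what the security rests on."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1 if f == 2 else 2
    raise ValueError("no factor found")


def recover_private_key(public_key):
    """What an attacker does once they have the factors: recompute d."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    public, private = make_keypair(P_DEMO, Q_DEMO)
    session_key = bytes(range(16))            # constructed 128-bit session key
    c = wrap_session_key(public, session_key)
    print(unwrap_session_key(private, c, 16) == session_key)
    # A 36-bit modulus (two more Mersenne primes) falls to trial division at once.
    weak_public, weak_private = make_keypair(2**19 - 1, 2**17 - 1)
    print(recover_private_key(weak_public) == weak_private)
```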

RSA stands for Ron Rivest, Adi Shamir, and Leonard Adleman the men who first publicly described the algorithm in 1977.

Elliptic curve cryptography (ECC) relies on the algebraic structure of elliptic curves over finite fields. Its security assumption is that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is impractical.

The use of elliptic curves in cryptography was suggested by both Neal Koblitz and Victor S. Miller independently in 1985; ECC algorithms entered common use in 2004.

The advantage of ECC over RSA is that a much smaller key gives the same security (NIST rates a 256-bit ECC key as equivalent to 3072-bit RSA), which makes key generation, signing and the handshake faster. The disadvantage lies in the fact that not all services and applications are interoperable with ECC-based SSL Certificates.

Symmetric (pre-shared key) encryption uses ciphers such as AES, Twofish or Blowfish, with AES currently the most popular; the keys themselves come from a random number generator or from the handshake's key exchange, not from the cipher. These ciphers fall into two types: stream ciphers, which combine a keystream with the data one bit or byte at a time, and block ciphers, which transform a fixed-size block (64 bits for Blowfish, 128 bits for AES) as a unit and rely on a mode of operation such as CBC or GCM to handle longer messages. Block ciphers are currently the most common type of symmetric cipher.

*Note: Problems that can be solved in theory (e.g., given infinite time), but which in practice take too long for their solutions to be useful are known as intractable problems.


Private Internet Access | VPN Encryption


Private Internet Access uses the open source, industry standard OpenVPN to provide you with a secure VPN tunnel. OpenVPN has many options when it comes to encryption. Our users are able to choose what level of encryption they want on their VPN sessions. We try to pick the most reasonable defaults and we recommend most people stick with them. That said, we like to inform our users and give them the freedom to make their own choices.

Four of the combinations offered (data encryption / data authentication / handshake):

    AES-128 / SHA1   / RSA-2048
    None    / None   / ECC-256k1
    AES-256 / SHA256 / RSA-4096
    AES-128 / None   / RSA-2048

This is the symmetric cipher algorithm with which all of your data is encrypted and decrypted. The symmetric cipher is used with an ephemeral secret key shared between you and the server. This secret key is exchanged with the Handshake Encryption.

AES-256: Advanced Encryption Standard (256-bit) in CBC mode.

None: No encryption. None of your data will be encrypted. Your login details will be encrypted. Your IP will still be hidden. This may be a viable option if you want the best performance possible while only hiding your IP address. This would be similar to a SOCKS proxy but with the benefit of not leaking your username and password.

This is the message authentication algorithm with which all of your data is authenticated. This is only used to protect you from active attacks. If you are not worried about active attackers you can turn off Data Authentication.

SHA256: HMAC using Secure Hash Algorithm (256-bit).

None: No authentication. None of your encrypted data will be authenticated. An active attacker could potentially modify or decrypt your data. This would not give any opportunities to a passive attacker.

This is the encryption used to establish a secure connection and verify you are really talking to a Private Internet Access VPN server and not being tricked into connecting to an attacker's server. We use TLS v1.2 to establish this connection. All our certificates use SHA512 for signing.

RSA-2048: 2048-bit Ephemeral Diffie-Hellman (DH) key exchange and 2048-bit RSA certificate for verification that the key exchange really happened with a Private Internet Access server.

RSA-3072: Like RSA-2048 but 3072-bit for both key exchange and certificate.

RSA-4096: Like RSA-2048 but 4096-bit for both key exchange and certificate.

ECC-256k1: Ephemeral Elliptic Curve DH key exchange and an ECDSA certificate for verification that the key exchange really happened with a Private Internet Access server. Curve secp256k1 (256-bit) is used for both. This is the same curve that Bitcoin uses to sign its transactions.

ECC-256r1: Like ECC-256k1 but curve prime256v1 (256-bit, also known as secp256r1) is used for both key exchange and certificate.

ECC-521: Like ECC-256k1 but curve secp521r1 (521-bit) is used for both key exchange and certificate.

We display a warning in 3 cases:

The recent NSA revelations have raised concerns that certain, or possibly all, elliptic curves endorsed by US standards bodies may have backdoors allowing the NSA to more easily crack them. There is no proof of this for the curves used for signing and key exchange, and there are experts who think it unlikely. We therefore give users the option but display a warning any time you select an Elliptic Curve setting. We also included the less standard curve secp256k1, which is what Bitcoin uses, was generated by Certicom (a Canadian company) instead of NIST (as the other curves were), and seems to have fewer places to hide a backdoor. There is strong evidence that a random number generator which uses ECC (Dual_EC_DRBG) was backdoored, but it was not widely used.

An active attack is one where an attacker gets "between" you and the VPN server, in a position where they can modify or inject data into your VPN session. OpenVPN was designed to be secure against active attackers as long as you are using both data encryption and data authentication.

A passive attack is one where an attacker simply records all data passing over the network but does not modify or inject any new data. An example of a passive attacker is an entity that performs the dragnet capture and storage of all network traffic but does not interfere with or modify it. As long as you are using data encryption your OpenVPN session is secure against passive attackers.

Ephemeral keys are encryption keys which are generated randomly for one session and, once it ends, discarded and securely erased. An ephemeral key exchange is the process by which these keys are created on both ends without ever being sent over the wire; Diffie-Hellman is the algorithm used to perform this exchange. The property this buys is forward secrecy: once the session's exponents are thrown away, no one will ever be able to decrypt the data they were used to encrypt, even someone who later obtains the server's long-term certificate key or full access to all the encrypted data and to both the client and the server.
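The forward-secrecy property described above, as an added example in Python (not Private Internet Access's or OpenVPN's code): two parties each pick a one-off exponent, exchange g^x mod p in clear, and arrive at the same shared secret; once the exponents are deleted, nothing that could recompute the session key exists on either machine. The group is the 1024-bit RFC 2409 group 2 safe prime with generator 2, chosen because it is short enough to embed here; the 2048-bit group used by the RSA-2048 profile above works identically. The parameters are checked with Miller-Rabin on load, the 256-bit exponent size and the SHA-256 key derivation are this example's assumptions, and the peer's public value is range-checked to reject the two degenerate values.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit safe prime p = 2q + 1, generator 2.
# Used here because it fits on the page; RFC 3526 group 14 is the 2048-bit equivalent.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; used only to sanity-check the group on load."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def ephemeral_keypair():
    """Fresh private exponent for this session; the public value g^x mod p is sent in clear.
    A 256-bit exponent is ample for a 1024-bit safe-prime group (example's choice)."""
    x = secrets.randbelow((1 << 256) - 2) + 2
    return x, pow(G, x, P)


def shared_secret(own_private, peer_public):
    """(g^y)^x mod p on one side equals (g^x)^y mod p on the other. The values 1 and p-1
    form the order-2 subgroup and would pin the secret to one of two values, so reject them."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, P)


def session_key(secret):
    """Hash the shared secret down to a symmetric key (the KDF choice is this example's)."""
    return hashlib.sha256(secret.to_bytes(128, "big")).digest()


def run_session():
    """One exchange: both sides derive the same key, then drop their exponents.
    Each call yields an unrelated key, which is what forward secrecy means in practice."""
    client_priv, client_pub = ephemeral_keypair()
    server_priv, server_pub = ephemeral_keypair()
    key_client = session_key(shared_secret(client_priv, server_pub))
    key_server = session_key(shared_secret(server_priv, client_pub))
    assert key_client == key_server
    del client_priv, server_priv   # nothing remains that could recompute key_client
    return key_client


if __name__ == "__main__":
    print(is_probable_prime(P) and is_probable_prime((P - 1) // 2))  # safe prime check
    print(run_session().hex())
    print(run_session().hex())     # different key for every session
```

What this block deliberately omits is authentication: on its own, an ephemeral exchange can be intercepted by a man in the middle who runs one exchange with each side. That is why, in the handshake, the server signs its DH or ECDH value with the key behind its RSA or ECDSA certificate, which is the "verification that the key exchange really happened with a Private Internet Access server" described above.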

The rest is here:
Private Internet Access | VPN Encryption

Transparent Data Encryption (TDE) – oracle.com

Oracle Advanced Security Transparent Data Encryption (TDE) stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while attacks from OS users attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information from acquired disks or backups are denied access to the clear text data.

Out of the box, TDE provides industry standard strong encryption for the database, full key lifecycle management, and integrated support for Oracle Database tools and technologies. TDE enables encryption of database columns or entire application tablespaces. Its high-speed cryptographic operations make performance overhead negligible in most applications. The two-tier encryption key architecture provides easy administration of keys, enforces clear separation of keys from encrypted data, and provides assisted key rotation without having to re-encrypt data. The keystore can be managed using a convenient web console in Oracle Enterprise Manager or using a command-line interface. In addition, TDE integrates directly with frequently used Oracle Database tools and technologies including Oracle Advanced Compression, Automatic Storage Management (ASM), Recovery Manager (RMAN), Data Pump, GoldenGate, and more. In Oracle engineered systems, TDE gets a performance boost from hardware cryptographic acceleration provided by Intel AES-NI and Oracle SPARC T-series processors. TDE further benefits from Exadata Smart Scans, rapidly decrypting data in parallel on multiple storage cells, and from Exadata Hybrid Columnar Compression (EHCC), reducing the total number of encryption and decryption operations performed.

Transparent Data Encryption fully supports Oracle Multitenant. When moving a pluggable database (PDB) that contains encrypted data, the TDE master keys for that PDB are transferred separately from the encrypted data to maintain proper security separation during transit. TDE encryption resumes its normal operation after the PDB has been plugged in and configured.

Read the rest here:
Transparent Data Encryption (TDE) - oracle.com

New Amazon S3 Server Side Encryption for Data at Rest …

by Jeff Barr | on 04 OCT 2011 | in Amazon S3

A lot of technical tasks that seem simple in theory are often very complex to implement. For example, let's say that you want to encrypt all of the data that you store in Amazon S3. You need to choose an encryption algorithm, create and store keys (while keeping the keys themselves safe from prying eyes), and bottleneck your code to ensure that encryption happens as part of every PUT operation and decryption happens as part of every GET operation. You must take care to store the keys in durable fashion, lest you lose them along with access to your encrypted data.

In order to save you from going through all of this trouble (and to let you focus on your next killer app), we have implemented Server Side Encryption (SSE) for Amazon S3 to make it easier for you to store your data in encrypted form. You can now request encrypted storage when you store a new object in Amazon S3 or when you copy an existing object. We believe that this important (and often-requested) new feature will be welcomed by our enterprise customers, perhaps as part of an overall strategy to encrypt sensitive data for regulatory or compliance reasons.

Amazon S3 Server Side Encryption handles all encryption, decryption, and key management in a totally transparent fashion. When you PUT an object and request encryption (in an HTTP header supplied as part of the PUT), we generate a unique key, encrypt your data with the key, and then encrypt the key with a master key. For added protection, keys are stored in hosts that are separate and distinct from those used to store your data. Here's a diagram of the PUT process for a request that specifies SSE:

Decryption of the encrypted data requires no effort on your part. When you GET an encrypted object, we fetch and decrypt the key, and then use it to decrypt your data. We also include an extra header in the response to the GET to let you know that the data was stored in encrypted form in Amazon S3.

We encrypt your data using 256-bit AES encryption, also known as AES-256, one of the strongest block ciphers available. You can apply encryption to data stored using Amazon S3's Standard or Reduced Redundancy Storage options. The entire encryption, key management, and decryption process is inspected and verified internally on a regular basis as part of our existing audit process.

You can use Amazon S3's bucket policies to allow, mandate, or forbid encryption at the bucket or object level. You can use the AWS Management Console to upload and access encrypted objects.

To learn more, check out the Using Encryption section of the Amazon S3 Developer Guide.

Jeff;

PS There's no additional charge for SSE.

Read more:
New Amazon S3 Server Side Encryption for Data at Rest ...

Apps, Encryption Help Make Once-Private Documents Public – Government Technology

(TNS) -- Social media, encryption technology and mobile apps have set the stage for the nation's first unfiltered presidency with more day-to-day details flowing from the White House than ever before.

Whether it's disgruntled bureaucrats tipping off the media through secure email channels or encryption apps, or the Twitter musings of the president himself, citizens now have a front-row seat to the good, the bad and a whole lot of ugly.

The ceaseless flow of information isn't just the result of a pernicious political landscape, but also a simple function of technology: There are now more tools than ever to help guarantee anonymity for sources. Although no method is 100 percent secure (a good rule of thumb is that if it hasn't been hacked yet, it will), many media organizations now provide links to encryption messaging apps and secure email on their websites in order to encourage leakers to come forward. Whether it's a detailed transcript of a foreign call with the president or a draft executive order that hasn't become official yet, it's clear that government employees are taking the media up on its offer.

Gone are the days of having to meet sources in the darkest corner of a parking garage. Now you can just download a free app from the Apple App Store or Google Play, such as Signal, an encrypted messaging mobile app that is free. Signal can delete messages automatically at prescribed intervals, and while it claims not to retain any identifying information, a lot of these methods have not faced much technological scrutiny yet. I'm sure that's about to change.

Then there are apps that were probably never designed for anonymous government leaks but are being employed for that nonetheless. Pidgin is a desktop-based instant messenger plug-in that The Washington Post lists on its website as a suggested method for communicating tips.

The Post as well as the U.K.'s Guardian are encouraging sources to use the dark web browser Tor, which lets users surf the web anonymously. Once seen as little more than a haven for drug dealing and other unsavory activities, the Tor browser is more broadly used than ever. It is likely the browser of choice for the information vigilantes at WikiLeaks.

As for transmitting documents on Tor, the open-source software platform known as SecureDrop is commonly used by newspapers and activists. The service is as simple as downloading a file, a task that any moderately computer-literate bureaucrat could easily accomplish.

Secure email is another method, but it's not for those who need to remain fully anonymous. One of the most popular secure email methods is PGP encryption, an acronym which stands for Pretty Good Privacy. While PGP will obscure the content of your email, it won't protect the name of the sender or the subject line. Newspapers, including this one, employ PGP encryption.

If you need to transmit information and you're afraid of potential hackers stealing your scoop, PGP is the way to go.

Although the media had to back off the story that the Trump administration was sharply curtailing the release of information (high-level approval for press releases, it turns out, is normal during transitions), there have been rumblings of dissent in the EPA and NASA.

In addition to a myriad of document leaks, rogue Twitter accounts appear to be sprouting like weeds. Though there's no way to know whether they are legitimate, Twitter accounts claiming to be handled by disaffected NASA scientists, a group of White House staffers and the National Parks Service have popped up in recent weeks.

©2017 the Boston Herald. Distributed by Tribune Content Agency, LLC.

Go here to see the original:
Apps, Encryption Help Make Once-Private Documents Public - Government Technology