Cipher – Wikipedia, the free encyclopedia

In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption, a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In non-technical usage, a 'cipher' is the same thing as a 'code'; however, the concepts are distinct in cryptography. In classical cryptography, ciphers were distinguished from codes.

Codes generally substitute different length strings of characters in the output, while ciphers generally substitute the same number of characters as are input. There are exceptions and some cipher systems may use slightly more, or fewer, characters when output versus the number that were input.

Codes operated by substituting according to a large codebook which linked a random string of characters or numbers to a word or phrase. For example, "UQJHSE" could be the code for "Proceed to the following coordinates." When using a cipher the original information is known as plaintext, and the encrypted form as ciphertext. The ciphertext message contains all the information of the plaintext message, but is not in a format readable by a human or computer without the proper mechanism to decrypt it.

The operation of a cipher usually depends on a piece of auxiliary information, called a key (or, in traditional NSA parlance, a cryptovariable). The encrypting procedure is varied depending on the key, which changes the detailed operation of the algorithm. A key must be selected before using a cipher to encrypt a message. Without knowledge of the key, it should be extremely difficult, if not impossible, to decrypt the resulting ciphertext into readable plaintext.

Most modern ciphers can be categorized in several ways

"Cipher" is alternatively spelled "cypher"; similarly "ciphertext" and "cyphertext", and so forth.

The word "cipher" in former times meant "zero" and had the same origin: Middle French as cifre and Medieval Latin as cifra, from the Arabic ṣifr = zero (see Zero: Etymology). "Cipher" was later used for any decimal digit, even any number. There are many theories about how the word "cipher" may have come to mean "encoding": It was first introduced by Abū ʿAbdallāh Muḥammad ibn Mūsā al-Khwārizmī.

Ibrahim Al-Kadi concluded that the Arabic word sifr, for the digit zero, developed into the European technical term for encryption.[1]

In non-technical usage, a "(secret) code" typically means a "cipher". Within technical discussions, however, the words "code" and "cipher" refer to two different concepts. Codes work at the level of meaning; that is, words or phrases are converted into something else, and this chunking generally shortens the message.

An example of this is the telegraph code, which was used to shorten the long telegraph messages that resulted from entering into commercial contracts through exchanges of telegrams.

Encryption Can Create Stormy Weather in the Cloud

By John P. Mello Jr. 02/17/15 5:00 AM PT

Encryption has received a lot of attention lately as a solution to the growing data breach problem, but one of the hang-ups dogging the technology has been its ability to play nice in the cloud.

That's especially true if an organization wants to control the keys by which its data is scrambled and use services offered by a cloud provider beyond simple storage.

For example, if a cloud provider can't decrypt a client's data, it could break the provider's antivirus, data loss prevention, file preview and text indexing functions, as well as pose performance challenges.

"If the cloud provider can't decrypt your data, the cloud just becomes a dumb bucket," Adrian Sanabria, a senior analyst with the enterprise security practice at The 451 Group, told TechNewsWorld.

That's why cloud service providers in the past have had access to users' data encryption keys. As long as a user trusted their provider, that approach was acceptable, but that's no longer the case for many organizations.

Compliance with regulations requires some businesses to control the keys by which they encrypt their data. Other organizations just don't want to lose control of their information.

However, if an organization wants to use a cloud provider's services, it can allow a provider to access its keys. "Encryption still takes place in the cloud, but it's done with keys managed by the customer," Todd Partridge, director of product marketing at Intralinks, told TechNewsWorld.

From a security perspective, though, that solution is imperfect. A rogue employee of the cloud provider could abuse those key privileges to peek at, or leak, a customer's data. The solution also opens the door for lawyers or government authorities to snatch the data.

Those authorities usually obtain data from a provider through a civil or criminal subpoena. As long as there isn't a gag order attached to the subpoena -- a rare occurrence except in national security cases -- a customer with control of its encryption keys has a chance to protect their data.

Obama hedges position on encryption. It’s good. It’s bad.

President Barack Obama is making his position on encryption known: he is a supporter and "believer in strong encryption" but also "sympathetic" to law enforcement's needs to prevent terror attacks.

"I think the only concern is... our law enforcement is expected to stop every plot. Every attack. Any bomb on a plane. The first time that attack takes place, where it turns out we had a lead and couldn't follow up on it, the public's going to demand answers. This is a public conversation that we should be having," Obama said in a Friday interview with Re/Code. "I lean probably further in the direction of strong encryption than some do inside law enforcement. But I am sympathetic to law enforcement, because I know the kind of pressure they're under to keep us safe. And it's not as black and white as it's sometimes portrayed. Now, in fairness, I think those in favor of air tight encryption also want to be protected from terrorists."

Encryption became a hot-button topic in the wake of the summer 2013 leaks by National Security Agency whistleblower Edward Snowden. His documents, including some seemingly showing that Skype has a backdoor, highlighted a broad online global surveillance society and set off a cottage industry of encryption companies.

Both the FBI and the Justice Department are demanding that companies, like Apple and Google, that are beginning to outfit mobile phone devices with encryption by default, should build backdoors to allow law enforcement access. Without a backdoor, the encryption likely prevents authorities from physically accessing contents directly from the phones' hardware, even with a warrant.

The chief executive isn't faulting companies for building encrypted tools. "I think they are properly responding to a market demand." But the president, in his second remarks on the topic in a month, said "we can't pretend" that there's not a tradeoff between civil liberties and safety.

"One of the interesting things about being in this job, is that it does give you a bird's-eye view. You are smack dab in the middle of these tensions that exist. But, there are times where folks who see this through a civil liberties or privacy lens reject that there's any tradeoffs involved. And, in fact, there are. And you've got to own the fact that it may be that we want to value privacy and civil liberties far more than we do the safety issues. But we can't pretend that there are no tradeoffs whatsoever."

US-based companies are not required to provide the government with backdoors into their wares. The law surrounding this issue is the Communications Assistance for Law Enforcement Act of 1994, commonly referred to as CALEA. It requires that telcos make their phone networks amenable to wiretaps, but it doesn't apply to phone hardware or most other communication services.

With British Prime Minister David Cameron at his side, the president last month said:

"If we find evidence of a terrorist plot and despite having a phone number, despite having a social media address or e-mail address, we can't penetrate that, that's a problem," Obama said.

Silicon Valley companies, he said, will help solve the problem because "they're patriots."

Web standard promising faster page loads wins approval

HTTP 2.0 is the standard's first new version in 16 years. In practice, the new standard will bring more privacy-protection encryption to the Web, too.

A new version of the HTTP standard that promises to deliver Web pages to browsers faster has been formally approved, the Internet protocol's first revision in 16 years.

The specifications for HTTP 2.0 have been formally approved, according to a blog post by Mark Nottingham, who as chairman of the IETF HTTPBIS Working Group serves as the standard effort's leader. The specifications will go through a last formality -- the Request for Comment documenting and editorial processes -- then be published, Nottingham wrote.

HTTP, short for Hypertext Transfer Protocol, is one of the seminal standards of the Web. It governs how a browser communicates with a Web server to load a Web page. HTTP 2.0, the protocol's first major revision since HTTP 1.1 in 1999, is designed to load Web pages faster, allowing consumers to read more pages, buy more things and perform more and faster Internet searches.

The new standard is based on SPDY, a protocol Google introduced in 2009. The technology spread to Google's own Chrome browser, Mozilla's Firefox, Microsoft's Internet Explorer, many websites such as Facebook that they reach, and some of the software that delivers Web pages to browsers.

The core feature of SPDY and HTTP 2.0 is "multiplexing," which lets many data-transfer requests share a single underlying network connection between a Web browser and the Web server across the Internet. In terms of computing resources, those requests are costly to set up, and Web pages have been demanding more and more over the years as the Web has grown more complex.

In practice, HTTP 2.0 also brings another big change: encryption. Google has long pushed for encryption on the Web to protect privacy and cut down on hacking vulnerabilities, and SPDY requires encryption technology called TLS (Transport Layer Security), formerly called SSL for Secure Sockets Layer. That encryption push grew a lot stronger after the former National Security Agency contractor Edward Snowden revealed extensive government surveillance, and SPDY's creators along with some IETF members saw the performance benefits of HTTP 2.0 as a good way to coax more of the Web toward encryption.

There's also a practical reason for encryption in HTTP 2.0: it makes it easier to adopt a new version of HTTP. That's because it sets up a direct connection between the Web server origin and the Web browser destination, and that direct connection sidesteps problems from intermediate network equipment that might not yet support HTTP 2.0.

However, some IETF members -- notably some of those that make or operate that intermediate equipment -- didn't like the encryption requirement. Thus, the IETF didn't require it as part of the HTTP 2.0 standard. However, in practice, encryption is very likely, because Firefox and Chrome won't support HTTP 2.0 without encryption.
