AWS rolls out encryption options for Amazon RDS using MySQL, PostgreSQL and Oracle database instances

Amazon Web Services

Amazon Web Services took steps to make it easier for users to encrypt data at rest in Amazon Relational Database Service (RDS) database instances running MySQL, PostgreSQL and Oracle Database.

Earlier, users could choose between RDS for Oracle Database, which used AWS-managed keys for Oracle Enterprise Edition (EE), and RDS for SQL Server, which used AWS-managed keys for SQL Server Enterprise Edition (EE).

Alongside those options, AWS has added RDS for MySQL with customer-managed keys held in AWS Key Management Service (KMS), RDS for PostgreSQL with customer-managed keys held in AWS KMS, and RDS for Oracle Database (Enterprise Edition) with customer-managed keys held in AWS CloudHSM.

For all of the database engines and key management options, encryption (AES-256) and decryption are applied automatically and transparently to RDS storage and to database snapshots. Users need not make any changes to code or operating model in order to benefit from this important data protection feature.

Launched last year at AWS re:Invent, AWS KMS offers seamless, centralized control over encryption keys. It was designed to support key management at enterprise scale, with the ability to create and rotate keys, establish usage policies, and audit key usage.

AWS KMS is a managed service that helps users create and control the encryption keys used to encrypt their data, and it uses Hardware Security Modules (HSMs) to protect those keys. AWS Key Management Service is integrated with other AWS services including Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, and Amazon Elastic Transcoder. AWS Key Management Service is also integrated with AWS CloudTrail, which provides users with logs of all key usage to help meet regulatory and compliance needs.

Users can enable the feature and start using customer-managed keys for RDS database instances running MySQL or PostgreSQL with a couple of clicks when creating a new database instance: turn on Enable Encryption, then either choose the default (AWS-managed) key or create a key of their own in KMS and select it from the dropdown menu. From that point the MySQL or PostgreSQL instance uses customer-managed encryption.
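Because the encryption choice is made when the instance is created, the practical check for a defender is an inventory of which RDS instances are unencrypted, which use the default AWS-managed key, and which use a customer-managed key. The following is an added example, not AWS code or part of the original article: it reads a constructed sample in the shape of `aws rds describe-db-instances` output plus constructed `aws kms describe-key` metadata (the `KeyManager` field distinguishes an AWS-managed key from a customer-managed one), and reports the instances that fall short of a chosen policy. Instance names, account number and key ids are made up.

```python
import json

# Constructed sample in the shape of `aws rds describe-db-instances` output.
# Field names are the real ones; identifiers, account and key ids are invented.
KEY_AWS_MANAGED = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-4000-8000-000000000001"
KEY_CUSTOMER = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-4000-8000-000000000002"

SAMPLE_DESCRIBE_DB_INSTANCES = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
         "StorageEncrypted": True, "KmsKeyId": KEY_AWS_MANAGED},
        {"DBInstanceIdentifier": "reports-pg", "Engine": "postgres",
         "StorageEncrypted": True, "KmsKeyId": KEY_CUSTOMER},
        # an instance created without ticking Enable Encryption
        {"DBInstanceIdentifier": "legacy-pg", "Engine": "postgres",
         "StorageEncrypted": False},
    ]
})

# Constructed sample of `aws kms describe-key` KeyMetadata, keyed by key ARN.
# KeyManager is "AWS" for the service default key and "CUSTOMER" for a key the
# account created itself.
SAMPLE_KEY_METADATA = {
    KEY_AWS_MANAGED: {"KeyManager": "AWS", "Enabled": True},
    KEY_CUSTOMER: {"KeyManager": "CUSTOMER", "Enabled": True},
}


def classify_instance(db, key_metadata):
    """Return the encryption posture of one DBInstance record."""
    if not db.get("StorageEncrypted"):
        return "unencrypted"
    meta = key_metadata.get(db.get("KmsKeyId"))
    if meta is None:
        # encrypted, but the key was not in the metadata we were given
        return "encrypted-key-not-described"
    return "customer-managed-key" if meta.get("KeyManager") == "CUSTOMER" else "aws-managed-key"


def audit(describe_json, key_metadata):
    """Map every instance identifier to its posture."""
    return {db["DBInstanceIdentifier"]: classify_instance(db, key_metadata)
            for db in json.loads(describe_json)["DBInstances"]}


def findings(report, require_customer_managed=False):
    """Instances that violate the policy, sorted for stable reporting.

    By default only unencrypted instances are flagged; with
    require_customer_managed=True, instances on the AWS-managed default key
    (or on a key we could not describe) are flagged as well.
    """
    bad = {"unencrypted"}
    if require_customer_managed:
        bad |= {"aws-managed-key", "encrypted-key-not-described"}
    return sorted(name for name, status in report.items() if status in bad)


if __name__ == "__main__":
    report = audit(SAMPLE_DESCRIBE_DB_INSTANCES, SAMPLE_KEY_METADATA)
    for name, status in report.items():
        print(f"{name}: {status}")
    print("needs attention:", findings(report, require_customer_managed=True))
```

Against a live account the two inputs come from `aws rds describe-db-instances` and one `aws kms describe-key --key-id <arn>` per distinct `KmsKeyId`; an encrypted instance is created with `aws rds create-db-instance ... --storage-encrypted --kms-key-id <key-arn>`. Storage encryption cannot be switched on for an existing unencrypted instance, which is why an inventory like this is worth running before, not after, a compliance review.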

CloudHSM is now integrated with Amazon RDS for Oracle Database. This allows users to maintain sole and exclusive control of the encryption keys in CloudHSM instances when encrypting RDS database instances using Oracle Transparent Data Encryption (TDE).

The AWS CloudHSM service helps meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, users can control the encryption keys and cryptographic operations performed by the HSM. The AWS CloudHSM service protects encryption keys within HSMs designed and validated to government standards for secure key management. Users can generate, store and manage the cryptographic keys used for data encryption. AWS CloudHSM helps to comply with key management requirements without losing application performance.


NSA can't crack common encryption software, top hacker concludes


Lavabit founder wants to make “dark” e-mail secure by default

Ladar Levison is probably best known to Ars readers as the founder of the secure e-mail service Lavabit, which he shut down in mid-2013 in an effort to avoid being forced to comply with a US government demand to turn over users' e-mails. But his latest project is a lot grander in scope than a single hosted e-mail service: Levison is attempting, with the aid of some fellow crypto-minded developers, to change e-mail at large and build encryption into its fundamental nature.

As one of the members of the Darkmail Technical Alliance, Levison, along with Jon Callas, Mike Janke, and PGP designer Phil Zimmermann, is working on a project collectively referred to as DIME, the Dark Internet Mail Environment. DIME will eventually take the form of a drop-in replacement for existing e-mail servers that will be able to use DMTP (the Dark Mail Transfer Protocol) and DMAP (the Dark Mail Access Protocol) to encrypt e-mails by default.

Conceptually, DIME applies multiple layers of encryption to an e-mail to make sure that the actors at each stage of the e-mail's journey from sender to receiver can only see the information about the e-mail that they need to see. The e-mail's author and recipient both know who sent the message and where it was bound, but the author's e-mail server doesn't; it can only decrypt the part of the message naming the recipient's e-mail server. The recipient's e-mail server knows the destination server and the recipient, but it doesn't know the sender. So if you arrange the four steps in a line from left to right (author, origin server, destination server, and recipient), each step in the line is only aware of the identity of the entity directly to its left or right.
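The four-party layering just described, as an added example that is not part of the Ars article and not DIME code: the author wraps the message in three layers, and each hop peels exactly one, learning only the next address. DIME encrypts each layer to the entity's own public key; this stand-in replaces that with a pre-shared 32-byte key per party and a small encrypt-then-MAC construction built from the standard library (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag) so it runs offline. The party names, the field names inside each layer, and the cipher are all assumptions of this example.

```python
import hashlib
import hmac
import json
import os

# --- toy authenticated encryption from the standard library (assumption: stand-in for
# the real DIME ciphers). Encrypt-then-MAC with separate subkeys for keystream and tag.

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt and authenticate one layer; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag, then decrypt. A wrong key or a tampered layer raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered layer")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# --- the three layers: one per hop after the author ---

def build_message(keys, author, origin_server, dest_server, recipient, body):
    """Wrap the message so each hop can open exactly one layer."""
    # innermost: only the recipient learns who wrote the message and what it says
    inner = seal(keys[recipient], json.dumps({"from": author, "body": body}).encode())
    # middle: the destination server learns which mailbox to deliver to, not the author
    middle = seal(keys[dest_server], json.dumps({"deliver_to": recipient, "payload": inner.hex()}).encode())
    # outer: the origin server learns only which server to relay to
    return seal(keys[origin_server], json.dumps({"relay_to": dest_server, "payload": middle.hex()}).encode())

def peel(key, blob):
    """Open one layer; 'payload' in the result is the still-encrypted next layer."""
    return json.loads(unseal(key, blob).decode())

def trace_delivery(keys, author, origin_server, dest_server, recipient, body):
    """Deliver hop by hop and record what each hop could actually read."""
    outer = build_message(keys, author, origin_server, dest_server, recipient, body)
    at_origin = peel(keys[origin_server], outer)
    at_dest = peel(keys[dest_server], bytes.fromhex(at_origin["payload"]))
    at_recipient = peel(keys[recipient], bytes.fromhex(at_dest["payload"]))
    strip = lambda d: {k: v for k, v in d.items() if k != "payload"}
    return {
        "origin_server_sees": strip(at_origin),
        "destination_server_sees": strip(at_dest),
        "recipient_sees": strip(at_recipient),
    }

def demo_keys():
    """Constructed per-entity keys for hypothetical parties."""
    return {name: os.urandom(32) for name in
            ("alice@example.org", "mail.example.org", "mail.example.net", "bob@example.net")}

if __name__ == "__main__":
    views = trace_delivery(demo_keys(), "alice@example.org", "mail.example.org",
                           "mail.example.net", "bob@example.net", "lunch?")
    for hop, view in views.items():
        print(hop, view)
```

The point the trace makes is structural rather than cryptographic: the origin server's view contains the destination server and nothing else, the destination server's view contains the mailbox and nothing else, and only the recipient's view names the author. Trying to open the middle layer with the origin server's key fails the tag check, which is the property the article's "only aware of the entity to its left or right" description depends on.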

Making this work means relying on a federated key management system to handle the layers of encryption, since every entity in the DIME chain has to have its own public and private keypair to encrypt and decrypt the portions of the e-mail it is responsible for. Levison envisions this working in somewhat the same manner as DNS, with each organization that uses DIME being the authoritative source for the encryption keys of its servers and e-mail addresses. Levison has settled on DNSSEC as the preferred method for holding a domain's e-mail trust anchor, but DNSSEC's poor adoption means the protocol will also allow the use of a root Certificate Authority-signed TLS certificate to validate keys.

Levison is doing the initial implementation of DIME using a fork of Lavabit's Magma e-mail server, but the plan is to eventually have support for DIME in Postfix and other common Mail Transfer Agents. In e-mail terms, the DIME Magma-based server functions somewhat like Exchange, combining the roles of Mail Transfer Agent and Mail Delivery Agent into a monolithic server. If a user's e-mail client (the MUA, or Mail User Agent) doesn't support DIME, the spec allows the DIME server to transparently generate keys for the user and encrypt the user's messages on their behalf.

"You update your MTA, you deploy this record into the DNS system, and at the very least all your users get end-to-end encryption where the endpoint is the server," Levison explained during a phone interview with Ars. "And presumably more and more over time, more of them upgrade their desktop software and you push that encryption down to the desktop."

This optional mode, in which the e-mail servers transparently do the clients' encryption for them, is called trustful mode. It can be either a bridge for users until they have a client program that fully supports DIME, or a way for large organizations with legal discovery or regulatory requirements to use DIME while still having access to their users' e-mails as needed. It also provides a way for e-mail hosting companies to deploy DIME for hosted accounts without having to worry about which mail clients their customers are using.

From an encryption perspective, DIME will allow some flexibility while at the same time ensuring a minimum level of security as part of the spec. The DIME toolset will mandate a base set of ciphers, and administrators setting up DIME can specify additional ciphers to use on top of that. According to Levison, DIME will use for ciphers "a mandated baseline that I knew was secure, but make it easy to extend upon that." This will be done by encrypting the message components with whatever alternative encryption method the administrator prefers, and then wrapping each component in the mandatory encryption scheme on top of that.

Adoption of DIME by the IETF as a formal set of RFCs would go a long way toward making DIME support likely in other, more common MTAs like Postfix, rather than requiring administrators to set up Magma in order to take advantage of DIME. To that end, Levison intends to begin circulating the project's specifications document among members of the IETF at the group's meeting this March as a preliminary step toward transforming DIME into a ratified set of standards.

For now, outside of the custom (and preproduction) fork of the Magma server used by Levison, DIME isn't yet fully available or implementable. There is a GitHub repository containing what Levison describes as pre-alpha libraries for DIME, and the team has assembled a 109-page specifications document, but the technology isn't yet in a state where it can be independently deployed and audited.
