Whole disk

Whole disk encryption, as the name implies, refers to the encryption of an entire physical or logical disk. While this is currently done mostly with software, hardware based disk encryption is a growing technology which is expected to surpass software products for whole disk encryption over the next few years. This form of encryption generally encrypts the entire contents of a disk or volume and decrypts/encrypts it during use after a key has been given. This means the data is protected from situations like laptop/disk loss or theft where the data would be encrypted and require a key to decrypt. It would not protect from situations like sending information over the network (e-mail, websites, etc) or from situations where the decryption key was already entered such as the user walking away from their logged-in computer.

When an individual wishes to encrypt a single file or group of files there are several options. Most encryption software has the ability to encrypt files individually using a password or other key. Many encryption programs have the ability to create an encrypted "virtual drive". This is an encrypted file that, when opened with the key, looks like another drive attached to the computer allowing the user to easily open and save files into an encrypted area. Some other applications, like MS Office and OpenOffice, have built-in, single-file encryption features.

This approach can protect against data disclosure on a lost or stolen computer, but only if all of the private information was encrypted. Individual file/folder encryption relies on user education and good practices to ensure that all appropriate information is encrypted.

Depending on how the encryption software is used, this approach can provide protection from data disclosure when transferring information over the network. E.g. an individual file can be encrypted and then sent as an email attachment, assuming the recipient has the ability to decrypt it.

Allowing multiple users to simultaneously access encrypted information is more complicated than a single user. The encryption software must allow the use of either multiple keys (i.e. one for each user) or a shared key (e.g. a shared password). Additionally, the software must deal with multi-user file locking issues (this is usually a problem with the virtual drive approach mentioned in the last section).

This approach can provide an additional layer of protection against the disclosure of highly confidential data on file servers in the event they are compromised. I can also help protect against disclosure on backup media as the files would remain encrypted when backed up.

This approach can get complicated if not all users have the encryption software installed, or they are not configured consistently. This could lead users being unable to access encrypted information or incorrectly believing they have encrypted information when they have not. For these reasons, special attention should be paid to how encryption software behaves and users should be educated to recognize the encryption status of files.

Encrypting information in a database can be done at a couple of levels. The application accessing the database can encrypt information before putting it into the database. This requires intelligence at the application level, but no additional database features. Many databases have built-in encryption functions which applications can use to encrypt data as it is written. This usually requires features at both the application and database level. An encryption application can sit between the application and database, encrypting/decrypting information as it is written and read. This requires buying and installing additional software, but may not require modifications to the application or database.

As mentioned earlier, some applications that arent specifically designed for encryption do have basic encryption functions. Most notably, common productivity suites like Microsoft Office and OpenOffice contain file encryption features. Be cautious of the quality of the built-in encryption features, even within the Microsoft Office product line, some versions (like Office 2007) have a good mechanism, others have poor ones (like Office 2000 and earlier) and still others require proper configuration to provide good protection (like Office 2003). These features can be very handy because they dont require additional licenses, require less training and can be effective for both in transit and at rest encryption. Additionally, they can work well for file exchange since the recipient is more likely to have the ability to decrypt the file. In short, built-in encryption functions can be convenient options, but you should research their effectiveness before using them.

There are a couple of different levels to encryption with email, first is encrypting just an attached file and second is encrypting an entire message. Encrypting an attached file can be accomplished using any single-file encryption process that "sticks" to the file. Naturally, the recipient must have a way of decrypting the file. There are only a couple of commonly used email message encryption technologies, most notably S/MIME and PGP. While S/MIME support is integrated into many email clients, it requires users to have trusted certificates which can be complicated to properly deploy. Using PGP to encrypt email requires installing software, but there are both free and commercial options.

Both of these technologies also allow for digital "signing" of email without encrypting it. This signing process allows the recipient to be certain a message was not altered in transit, but does not protect the content from prying eyes.

Encrypting information while in transit on a network is one of the most common, and important, uses of encryption. One of the most popular forms of this encryption is Secure Sockets Layer (SSL)/Transport Layer Security (TLS), commonly used to encrypt web traffic in transit. Any web application that transmits or collects sensitive information should encrypt the information using SSL/TLS. There are a number of other uses for SSL/TLS encryption, including securing authentication for email communication between clients and servers. SSL/TLS can also be used for "tunneling" to encrypt other forms of network transmission that dont have their own encryption features.

Another common network encryption technology is Secure Shell (SSH) which is largely used for encrypted terminal connections (replacing telnet) and encrypted file transfers (SFTP replacing FTP). Like SSL/TLS, SSH can also be used for tunneling.

A more general form of network traffic encryption is IP Security (IPSec), which operates at a more basic layer than SSL or SSH and can be applied to any network traffic. However, using IPSec requires common configuration between the two computers communicating, so it is generally used within a company/department rather than across the internet.

For wireless networks there are other encryption options that only encrypt information between the computer and the wireless access point. For this reason, they only protect from snooping on wireless and not after the information leaves the access point onto a wired network. The two most common forms are called Wired Equivalent Privacy (WEP) and WiFI Protected Access (WPA). WEP is no longer considered a secure protocol. WPA is much stronger, but has shortcomings and an updated WPA2 standard has been released which improves its security.

More here:
Types of Encryption | Office of Information Technology

REUTERS/Manchester Evening news/Pool The former head of Britain's MI5 intelligence Agency, Jonathan Evans.

Inserting backdoors into encryption software is "not the answer" to battling crime, the former head of MI5 told Business Insider.

Over the last few months, debate has raged between security experts and law enforcement over the correct way to approach encryption the act of scrambling data or communications in such a way that it cannot be understood without the correct key or password.

Since the Snowden revelations about US mass surveillance, companies like Apple and Google have increasingly introduced strong encryption into their products that even they cannot decrypt under any circumstances. This is much to the chagrin of many in law enforcement, who fear that data is "going dark," and that they are losing access to vital evidence. But security experts counter that any "backdoors" in software to let law enforcement bypass these security protections would be open to abuse and make users less safe. "You can't build a backdoor that only the good guys can walk through," cryptography expert Bruce Schneier says.

James Comey, head of the FBI, has been a vocal critic of encryption, calling for tech companies to give law enforcement "front door" access to encrypted data to help tackle terrorist threats like ISIS. Europol chief Rob Wainwright has called encryption the "perhaps the biggest problem" in tackling terrorism.

David Cameron has previously been critical of encrypted communications, asking in a speech in January whether "we want to allow a means of communication between two people which even in extemis with a signed warrant from the home secretary personally that we cannot read? ... My answer to that question is no, we must not." But after deliberating, the Obama administration has opted not to try to impose limits on encryption, instead opting to "continue the conversations with industry," Comey told a Congressional committee earlier this month

Business Insider spoke to Lord Evans, the Director-General of British spy agency MI5 between 2005 and 2013, after he gave a speech at the Good Exchange cybersecurity summit in London on Tuesday. He said that encryption technology makes things significantly harder for authorities, and that British spying laws need updating but that inserting backdoors to allow covert access for law enforcement is "not the answer" because of the risk they could be exploited by others.

Lord Evans has previously called for surveillance laws to be "brought up to date." In a column written for The Telegraph in January 2015, he said that intelligence agencies' legal powers "were not designed for the current digital world. Increasing areas of digital communications are beyond the reach of law enforcement and they are being exploited by those who wish us ill and prey on the vulnerable."

He told Business Insider there is not currently a "satisfactory" answer on how to deal with this.

Former NSA boss Michael Hayden does not support backdoors in encryption, Motherboard reported earlier this month. Discussing failed efforts to curtail encryption in the Nineties, Hayden said: "in retrospect, we mastered the problem we created ... We were able to do a whole bunch of other things. Some of the other things were metadata, and bulk collection and so on."

Here is the original post:
Former MI5 boss Lord Evans: Encryption backdoors 'not the ...

It can't be played in your browser. Download

RANDOM NUMBERS ARE THE BASIS OF TRUST ON THE INTERNET

When crypto becomes predictable, the attackers job is easy.

Harness the power of Quantum Random Number Generation

Let Whitewood TAKE THE UNCERTAINTY OUT OF RANDOM NUMBERS.

Quality

Predictability is the enemy of cryptography.

Attackers dont crack encryption they steal or guess keys. Poor sources of entropy mean keys are less than perfectly random, turning strong encryption into something less. Building confidence starts at the source entropy is the foundation of trust.

Quantity

Entropy is a scarce resource that is taken for granted.

But, as reserves run low, predictability creeps in. High-capacity datacenters are entropy deserts, and demand can outstrip supply as applications compete for random data. Ensuring an adequate supply of entropy should never be left to chance.

Consistency

Entropy is born in the physical world. All devices are different.

User interaction, hardware features and software tools are an ever-changing mix. Securing mobile, consumer and IoT environments cries out for consistency as points of weakness create points of attack. Normalizing access to entropy across distributed systems is key to managing risk.

The Whitewood Entropy Engine solves the problem of entropy generation. It provides random data in a convenient PCIe card form factor. At its core is a patent-pending quantum entropy source that exploits the immutable laws of quantum mechanics to create true unpredictability. Capable of delivering 200Mbps, the Entropy Engine can satisfy the demands of even the highest-performance cryptosystems.

The Whitewood Entropy Server is deployed to deliver truly random data on demand to applications and devices. Incorporating the quantum-powered Entropy Engine, the Entropy Server ensures a consistent supply of entropy to distributed systems where the quality of local random number generators is unknown or in question, such as in virtualized environments, mobile devices, web browsers and IoT deployments.

The Heartbleed vulnerability highlighted the prolific use of OpenSSL and its role in securing data goes well beyond setting up internet connections. OpenSSL is thirsty for entropy, particularly when enabled for Perfect Forward Secrecy. The Whitewood Entropy Client for OpenSSL is an open source tool that enables entropy consumption to be managed and dramatically improved.

Enterprise Infrastructure

Critical systems require critical infrastructure and entropy management is a vital component. Web servers, PKI, data-at-rest encryption, tokenization and core business applications rely on sound cryptography. As enterprises adopt virtualization technologies, deploy private clouds, and push trusted operations to the edge of their networks, it becomes time to take control of entropy.

Hosting and Cloud Providers

In the race to add value, retain customers and grow revenue, entropy management can become a powerful asset. Delivering Entropy-as-a-Service to tenants as a premium service complements other security-related capabilities. Attracting security-critical applications away from the traditional corporate datacenter is a compelling opportunity for all service providers, and entropy services can play a central role in convincing customers that its safe to make the move.

Security Solution Providers

Trust is a core differentiator for security providers. Products ranging from data protection to digital rights management, mobile authentication to PKI, and bitcoin to gaming, all rely on cryptography to do their job safely. Relying on poor sources of entropy on phones, in browsers or in the cloud, compromise a products integrity and risks a vendors reputation. Harnessing the power of quantum-based entropy can help solution providers stand out in the market.

Let Whitewood Help You Take Control

Read more from the original source:
Whitewood Encryption Systems

Sign this petition What this is:

Certain members of Congress and the FBI want to force companies to give the government special access to our datasuch as by building security vulnerabilities or giving the government a golden key to unlock our encrypted communications. But security experts agree that it is not possible to give the government what it wants without creating vulnerabilities that could be exploited by bad actors.

These proposals jeopardize not just our private data, but the security of every technology that relies on this encryption.

One voice could tilt the balance in this debate. We need the President to speak out for uncompromised security.

Sign the below petition to submit your signature electronically to the White Houses We the People site. Help us make this the most popular petition in the site's history.

We petition the Obama Administration to:

Publicly affirm your support for strong encryption.

Reject any law, policy, or mandate that would undermine our security.

The government should not erode the security of our devices or applications, pressure companies to keep and allow government access to our data, mandate implementation of vulnerabilities or backdoors into products, or have disproportionate access to the keys to private data.

We demand privacy, security, and integrity for our communications and systems. As a public, we should be confident that the services we use havent been weakened or compromised by government mandate or pressure. No legislation, executive order, or private agreement with the government should undermine our rights.

Weakening encryption weakens the entire Internet. Mr. President, please endorse strong encryption, and encourage other world leaders to do the same.

100,000 for the White House to respond.

370,000 to make this the most popular WhiteHouse.gov petition ever.

The information you have provided above will be electronically transmitted to the White House via their API (privacy policy).

This app uses the We the People API, but is neither endorsed nor certified by the White House.

Read the original here:
Stand Up For Strong Security