HowStuffWorks "How Encryption Works"

When we use the Internet, we're not always just clicking around and passively taking in information, such as reading news articles or blog posts -- a great deal of our time online involves sending others our own information. Ordering something over the Internet, whether it's a book, a CD or anything else from an online vendor, or signing up for an online account, requires entering in a good deal of sensitive personal information. A typical transaction might include not only our names, e-mail addresses and physical address and phone number, but also passwords and personal identification numbers (PINs).

The incredible growth of the Internet has excited businesses and consumers alike with its promise of changing the way we live and work. It's extremely easy to buy and sell goods all over the world while sitting in front of a laptop. But security is a major concern on the Internet, especially when you're using it to send sensitive information between parties.

Let's face it, there's a whole lot of information that we don't want other people to see, such as:

Information security is provided on computers and over the Internet by a variety of methods. A simple but straightforward security method is to only keep sensitive information on removable storage media like portable flash memory drives or external hard drives. But the most popular forms of security all rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it.

In this article, you will learn about encryption and authentication. You will also learn about public-key and symmetric-key systems, as well as hash algorithms.


What Is Encryption? (with pictures) – wiseGEEK

Encryption refers to algorithmic schemes that encode plain text into non-readable form or cyphertext, providing privacy. The receiver of the encrypted text uses a "key" to decrypt the message, returning it to its original plain text form. The key is the trigger mechanism to the algorithm.

Until the advent of the Internet, encryption was rarely used by the public, but was largely a military tool. Today, with online marketing, banking, healthcare and other services, even the average householder is much more aware of it.

Web browsers will encrypt text automatically when connected to a secure server, evidenced by an address beginning with https. The server decrypts the text upon its arrival, but as the information travels between computers, interception of the transmission will not be fruitful to anyone "listening in." They would only see unreadable gibberish.

There are many types of encryption and not all of them are reliable. The same computer power that yields strong encryption can be used to break weak schemes. Initially, 64-bit encryption was thought to be quite strong, but today 128-bit is the standard, and this will undoubtedly change again in the future.

Though browsers automatically encrypt information when connected to a secure website, many people choose to use encryption in their email correspondence as well. This can easily be accomplished with programs that feature plug-ins or interfaces for popular email clients. The most longstanding of these is called PGP (Pretty Good Privacy), a humble name for a very strong, military-grade encryption program. PGP allows one to encrypt not only email messages but personal files and folders as well.

Encryption can also be applied to an entire volume or drive. To use the drive, it is "mounted" using a special decryption key. In this state the drive can be used and read normally. When finished, the drive is dismounted and returns to an encrypted state, unreadable by interlopers, Trojan horses, spyware or snoops. Some people choose to keep financial programs or other sensitive data on encrypted drives.

Encryption schemes are categorized as being symmetric or asymmetric. Symmetric key algorithms such as Blowfish, AES and DES, work with a single, prearranged key that is shared between sender and receiver. This key both encrypts and decrypts text. In asymmetric encryption schemes, such as RSA and Diffie-Hellman, the scheme creates a "key pair" for the user: a public key and a private key. The public key can be published online for senders to use to encrypt text that will be sent to the owner of the public key. Once encrypted, the cyphertext cannot be decrypted except by the one who holds the private key of that key pair. This algorithm is based around the two keys working in conjunction with each other. Asymmetric encryption is considered one step more secure than symmetric encryption, because the decryption key can be kept private.

Strong encryption makes data private, but not necessarily secure. To be secure, the recipient of the data, often a server, must be positively identified as being the approved party. This is usually accomplished online using digital signatures or certificates.

As more people realize the open nature of the Internet, email and instant messaging, encryption will undoubtedly become more popular. Without it, information passed on the Internet is not only available for virtually anyone to snag and read, but is often stored for years on servers that can change hands or become compromised in any number of ways. For all of these reasons, it is a goal worth pursuing.


BlackBerry denies using backdoor-enabled encryption code

BlackBerry Ltd. is denying it uses a flawed encryption algorithm in any of its products, although the company will support the encryption in some cases if a customer chooses to use it.

On Monday, the Globe and Mail reported on an encryption algorithm that, despite being shown by security researchers to have a back door that could render the encryption useless, was still officially blessed by government agencies in the U.S. and Canada to protect sensitive government information. The algorithm, called Dual_EC, was included for more than six years on the Cryptographic Module Validation Program, a joint effort by the U.S. National Institute of Standards and Technology and the Communications Security Establishment Canada.


Because it was officially blessed by the agencies, the algorithm was implemented by dozens of technology companies. According to an NIST document, one of those companies is BlackBerry, which owns the Mississauga security firm that first patented the ideas behind Dual_EC.

However, BlackBerry denies the flawed algorithm is used in the company's products.

In a statement to the Globe and Mail on Monday, a BlackBerry spokeswoman said: "BlackBerry does not use the Dual EC DRBG algorithm in our products. We work closely with certification authorities around the world to validate the security of our products, and remain confident in the superiority of our mobile platform for customers using our device and enterprise server technology. BlackBerry public statements and principles have long underscored that there is no back door to our platform. Our customers can rest assured that BlackBerry mobile security remains the best available solution to protect their mobile communications."

Asked how that statement squares with a CMVP document that shows BlackBerry implemented Dual_EC encryption in several instances, the company sent a second statement later in the day:

"It is presented in the CMVP documents because [this particular] algorithm is supported within the VPN client and can be made available. However, BlackBerry's default configuration does not require a VPN. If customers deploy a VPN, it may include the algorithm, which we do support. The configuration and choice of the VPN is left to the customer's discretion. Dual EC DRBG is not supported by the BlackBerry encryption schemes used to protect data at rest or in transit using BlackBerry's proven secure data transport protocols."

A Virtual Private Network is a way to extend a private network (for example, a company's internal intranet) across a wider network, such as the Internet. In effect, the BlackBerry statement appears to indicate that, should a BlackBerry customer choose to use Dual_EC encryption on such a network while running BlackBerry devices and services, the company's technology will support it.

In 2005, researchers at a Mississauga technology company called Certicom filed a patent application for an encryption algorithm that relies on the mathematical concept of elliptic curves. In the patent filings, the researchers noted that a feature of the algorithm allows anyone with a certain key to bypass the encryption, listing law enforcement agents as a group that may be interested in such functionality.


AlertBoot New Encryption Compliance Reports Prepare Covered Entities For HIPAA Audits

Las Vegas, Nevada (PRWEB) January 23, 2014

AlertBoot, a leading provider of mobile device management and full disk encryption managed services, has seen a surge of interest in its services from HIPAA covered entities (CE) and business associates (BA). This high level of interest has been traced back to the Office of Civil Rights' (OCR) plan to launch a permanent program for auditing HIPAA compliance efforts in 2014.

Because the Federal Fiscal Year starts on October 1, CEs and BAs are rushing to ensure compliance with the Final Omnibus Rule, which went into effect in September 2013. Although the deadline was over four months ago, many businesses and organizations are still struggling with HIPAA compliance. The approaching permanent audit program scrutinizes all facets of HIPAA, not just technical ones like the presence of HIPAA-compliant full disk encryption, prompting CEs and BAs to bolster any PHI data security weaknesses.

"OCR is really stepping up to the plate when it comes to HIPAA breaches," noted Tim Maliyil, CEO and founder of AlertBoot. "While HIPAA has been around since 1996, it's only in the past couple of years that the HHS [Department of Health and Human Services] received the tools and enforcement authority to go after those who don't comply. Now, OCR appears to be set in enacting a program with an eye towards preventing HIPAA breaches. Such an ambitious program requires funding, and there's a good chance it might come from OCR levying fines for HIPAA compliance issues."

Indeed, OCR Director Leon Rodriguez has been quoted as saying that "OCR 'will leverage more civil penalties'" and that the office has "approval to bank penalties it collects to fund enforcement actions across fiscal years."

HIPAA regulations cover a wide range, from patients' room listings to data on electronic devices, and guidance from multiple experts is necessary in order to completely comprehend the issues. When it comes to laptop encryption, AlertBoot can aid the struggling organization.

The AlertBoot managed full disk encryption solution for laptops is a NIST-validated, FIPS 140-2 approved solution that uses AES-256 encryption. Because HHS defers to NIST when it comes to details regarding encryption technology, covered entities and business associates know that they've addressed HIPAA Security Rule requirements regarding data-at-rest encryption for laptops.

The integrated, customizable reporting facilitates audits and compliance reviews. AlertBoot users can easily prove that computers are encrypted thanks to the cloud-based FDE deployment and installation logs, which report on a computer's encryption status throughout its service life. If the computer is lost or stolen, you can present this report as incontrovertible proof that the laptop was protected, triggering safe harbor provisions under the Breach Notification Rule.

A partial list of benefits includes:

Learn today why HIPAA covered entities and business associates trust AlertBoot for their data security compliance requirements by contacting sales@alertboot.com.


Open Source Power for Small Business in 2014

The biggest impact that open source software offers small business in 2014 takes place in the cloud. Open source software powers the cloud, where you can take advantage of both hosted software and services, and hosted IT infrastructure (e.g., servers). We're already used to hosted services such as Web and mail hosting. They're convenient and cheap, and they prevent headaches.

What about running your small business without buying or maintaining a roomful of your own servers? Do you dream of not having to recruit and retain good tech talent? Can you run your shop with no on-premises servers at all, simply plugging into some kind of hosted turnkey IT-in-a-box, and just buying smartphones, tablets, and PCs? The answer to all of these questions is yes, and no.

We're in the midst of a genuine tech revolution thanks to cloud technologies, which are possible because of open source software such as OpenStack and OpenShift, and Linux vendors like Red Hat and SUSE. The cloud makes it possible for hosting providers to offer more services than ever. Cloud services fall into three basic levels:

First, consider whether you even want to outsource your IT. It's an attractive option if you can find service providers that offer what you need, and if you have sufficient network bandwidth that lets you work without going crazy waiting for pages to load. The hosting provider handles the burden of provisioning, maintenance, security, and bandwidth, which reduces your staffing needs. It will likely cost less than doing it yourself.

As the state of technology stands right now, you can outsource at least part of your IT to hosting providers and, as the cloud evolves, you'll have a wider range of services and products to choose from in the future. Let's look at a few different scenarios.

If you use Google Apps for Business, you're already outsourcing some of your IT without thinking of it in those terms. Google offers an assortment of basic applications for reasonable prices: Gmail, Google Drive, Google Docs, Google Hangouts (videoconferencing), Google Calendar, and Google+ (communities).

You get to use your own branding and domain name, and you don't need a tech guru to set it up and maintain it. The main pitfall is that Google makes it too easy to share everything with the world, so you have to be very careful with your access permissions. For some small shops, Google Apps for Business is all they need, and at $5/month per user it's a real deal.

Other examples of basic hosted services for small businesses include Dropbox, Swift, GoogleDocs, and Amazon S3. However, they may not be suitable, because they don't meet compliance laws that require that certain documents remain under your control. If your business has compliance or security concerns, you don't store sensitive documents on cloud services.

So what do you do? Set up a private, on-premises cloud with OwnCloud. It isn't magic, but a moderately knowledgeable computer user can manage OwnCloud, and it provides secure file storage, sharing, sync, and management. It also syncs with Dropbox, Swift, GoogleDocs, and Amazon S3, so you can place your external storage under a good central management console. For more information, read our OwnCloud review.
