WHAT IS ENCRYPTION?
With the newspaper headlines heralding the leakage of data from companies (over 700 million records were compromised in 2014, 74% of which are actually from small businesses), the idea of encrypting data for security purposes is increasingly the subject of discussion.
Encryption is the process of transforming information (referred to as “plaintext”) to make it unreadable to anyone except those possessing special knowledge (referred to as a “key”). It’s kind of like having the combination for a safe; you can unlock it with the correct number string. Once “decrypted” with the appropriate key, the information is revealed as it was transmitted (usually, again, in plaintext). Long used by governments and the military to facilitate secret communication, it is now commonly used in wireless computer devices, for opening transmitted data, and for access to programs, web pages and the computers they are located on. It’s been in the news lately, as hackers have stolen credit card information from department stores, and the stores have been accused of having insecure protection of that information.
The opposite of encrypting data is referred to as storing it “in the clear”.
WHERE IS THE ENCRYPTION?
Generally, encryption itself can be either hardware (the “key” is stored in the device and data is sent to the device for encryption) or software (encryption and decryption are done in the computer and the key is in the computer’s memory). Hardware keys are more secure, but less frequently used except in enterprises: It’s almost impossible to steal a hardware key, as it never leaves the device; a software key, not so much, although software keys are the type most frequently used, both by businesses and for personal use.
Further, before determining what data to encrypt you must also separate the data between that which is at rest, in transit, or in use and also determine if the data is covered by government or industry policies or enterprise policy. “End-to-end encryption” means that only the sender and the recipient of the message will be able to unlock and read it, no one in between, not even your ISP, making it perfect for transmitting personal or medical information and the like.
ADDITIONS TO STANDARD ENCRYPTION
Encryption is safe for many transmissions. But it’s still not all that safe for large businesses, which store huge databases of information (like credit cards) which naturally require a much higher level of security. For more, see below. (Again, read the news lately, or check the Security page of this site.)
So, for added protection, those encrypted passwords can additionally be “hashed” and “salted”.
Hashing means that, using an algorithm, data like a password is compressed, sometimes into a single digit. For example, a name (like “Elizabeth Sotomeier”) could be hashed to a single integer (like “02”). Using hashing, a recipient can compare the sending and receiving keys, even without knowing their content, to determine if they are the same.
Salting the data means that different additional random data (usually up to 128 characters, see below) is added to the end of the hashed data each time (the cryptographic “nonce” [“number once”]), making it even more difficult to decrypt using rainbow tables or brute force attacks.
These are known as “one way” functions. If a standard encrypted password is stolen, a professional dedicated hacker can work backwards with it. But if it’s hashed and/or salted, it’s virtually impossible to work backwards, even with rainbow tables or brute force attacks. That is, even if a hacker gets the hashed password, they can’t work backwards to get the encrypted password itself. It’s like the salting process has “shredded” the key.
Here’s how it actually works: An encrypted password is created. A salt is then added to the password. Next, the salt plus the password is hashed. To that resulting hash value, the salt is added in plaintext (perhaps with a delimiter or colon). So the database would show “salt:hash(salt+password)”. If a different salt is used for each user in the database (as it should be), it would make it virtually impossible to pre-compute all of those values, making it virtually impregnable.
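The “salt:hash(salt+password)” record described above, worked through in Python as an added example (it is not code from this site). The function names, the 16-byte salt and the choice of SHA-256 are assumptions made for the illustration, and the sample passwords are constructed.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16  # assumption: 16 random bytes of salt per user


def _digest(salt, password):
    # hash(salt + password), as in the text. SHA-256 is this example's choice;
    # a real password store would use a slow function (bcrypt, scrypt, PBKDF2).
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Build the stored value 'salt:hash(salt+password)', both parts in hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    return salt.hex() + ":" + _digest(salt, password)


def verify(password, record):
    """Re-hash the candidate with the stored salt; compare in constant time."""
    try:
        salt_hex, stored = record.split(":", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: reject rather than raise
    candidate = _digest(salt, password)
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def precomputed_table(wordlist):
    """A table prepared in advance: unsalted hash -> password."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def demo():
    # Constructed sample data: two users who chose the same weak password.
    table = precomputed_table(["123456", "password", "letmein"])
    unsalted = hashlib.sha256(b"letmein").hexdigest()
    alice = make_record("letmein")
    bob = make_record("letmein")
    return {
        # The unsalted hash is found in the table immediately.
        "unsalted_found": table.get(unsalted),
        # The salted hash is not, because the table was built without the salt.
        "salted_found": table.get(alice.split(":", 1)[1]),
        # Same password, different salts, so the stored records differ.
        "records_differ": alice != bob,
        "correct_password_ok": verify("letmein", alice),
        "wrong_password_rejected": not verify("letmein1", alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the salt sits in the record in plaintext, anyone holding the database can still test guesses one user at a time; the per-user salt only removes the shortcut of computing the guesses once for everybody.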
OTHER BUSINESS CONSIDERATIONS
In larger and more complex organizations, you should also be aware of “key lifecycle management,” which ensures that one system can manage the different types of keys for all the technologies in the organization while protecting access to each system. Finally, while there is a current trend toward information “castling” or “siloing,” in which organizations are essentially creating segregated information packets within their system, many experts believe that such practices are more prone to create potential mobility access and sharing problems than would a good encryption program.
When choosing an encryption program, remember that the algorithm (formula) is the secret, not the key. So it’s always best to use a FIPS (Federal Information Processing Standard) 140-2 approved type algorithm. The RSA algorithm is the most commonly used encryption and authentication algorithm and is part of most web browsers. But there’s also the original DES, then other non-proprietary algorithms such as Blowfish and Bcrypt, and then the more commonly used AES, all depending on the level of security you require. And don’t forget to extend the encryption policy to mobile devices such as smart phones, tablets and laptops, as well as to train staff in its use, otherwise you’ll still have major holes in your security. See also, WPS, which you should avoid.
For companies in sensitive businesses and others, there are now ways to PRISM-proof your communications. Using software named Bitmessage, which creates email addresses which are 36 characters long, then stored in a QR code, communications are secure from snooping. Until the next invention, anyway. Click HERE for more. See also Enigmail, Mailvelope, Infoencrypt, Mymaincrypt and Gpg4Win. Click HERE for more.
ENCRYPTION OVER WIRELESS NETWORKS
This is a separate area of encryption. Wireless computer encryption is the safeguarding of the transmission wirelessly over computer networks. It has its own special protocols, which include the original WEP (Wired Equivalent Privacy), a 64-bit process introduced in September 1999 as part of IEEE 802.11. It uses stream cipher RC4 for confidentiality and CRC-32 checksum for integrity using 10 hexadecimal characters. The key size (40 bits) was limited by the U.S. Government’s export restrictions on cryptographic technology at the time. Now, because even newbie crackers can hack WEP, it’s not used very often, although some simple residential wireless routers suggest this (don’t do it). Therefore, starting in 2003, WPA (Wi-Fi Protected Access), which uses a 128-bit encryption process and therefore provides higher security between access points and clients, became the standard. Finally, starting in 2004, WPA2, sometimes called WPA Radius, increased security to 256-bit encryption and incorporated a new message authentication code that is far more secure, as each user on a business network must have his own passkey, not a shared one. 128 bit encryption is still most common today. It requires a 26 character hex key. Click HERE for more information about how it’s calculated. There are random key generators for this purpose, click HERE for one. The two most common encryption standards are Open PGP and S/Mime (X-509).
WARNING: For true business hackers, cracking most encryption algorithms is child’s play: We must note that, while encryption is pretty secure, it is unfortunate that like everything else, as it gets better and better, so do the hackers that seek to break it. (Look at how outdated the original WEP encryption has become - any kid can break it with apps available on the Internet, taught how to use it via a YouTube video). And, as processing power increases, along with the decreasing cost to rent extremely powerful cloud servers by the hour, those inclined to break encryption are also getting better and better at doing so. So, if you have data protected by encryption, you have to be continuously vigilant that you are up-to-date with your protection technology. Using what’s become known as “factoring as a service”, 512-bit RSA keys can be broken in four hours for just $75 using the power of Amazon’s EC2 cloud computers, something that used to take a supercomputer seven months to carry out when RSA-512 was introduced in 1999. Moore’s law, once again. This is bad news, because many web sites still use these keys; some 10,000 servers that use the DNSSEC specification to protect domain name system records rely on the key, as do some ten percent of e-mail servers. For the past decade, knowing this, it’s been urged that RSA cryptography be replaced with something known as ECC (elliptic curve cryptography). But, at this point, the NSA has recommended against even adopting ECC and finds that hackers have even found ways to crack the Diffie-Hellman exchange, which was thought to be quite secure. Moreover, it’s been discovered that cracking self-encrypting Western Digital hard drives is child’s play. Now that the SHA-1 hash algorithm (developed by the National Institute of Standards in 2000) is being routinely cracked, almost all software vendors have recommended making the move to SHA-2 for security protection, at least until that is cracked as well.
In 2017, Google (working with CWI) successfully developed the first SHA-1 collision, effectively destroying SHA-1 security. Because modern cryptographic hash functions depend on the fact that the algorithm generates a different cryptographic hash for every file, a collision occurs when two separate files have the same hash, which Google exploited by generating two .pdf files with different content but the same SHA-1 hash.
WHAT DO WE MEAN WHEN WE SPEAK ABOUT 64 OR 128 BIT ENCRYPTION?
In order to hide data transmitted over the Internet, the process of encryption has been developed to hide the data before it is transmitted and reveal it (decrypt it) when it is received. This is done with an algorithm that can be quite complicated. The algorithm creates a long sequence of characters. How long a sequence depends on whether the encryption algorithm is 40, 64, 128 or 256 bits. The higher the number of bits, the longer the key. Note that the number of bits is NOT the same thing or length as the number of characters in the resulting key (which is usually less). For example, a 64-bit key is entered as a string of 10 hexadecimal (base 16) characters. This is because each character represents four bits, and ten digits of four bits each is 40 bits, plus the addition of the necessary concatenated 24-bit IV (“Initialization Vector” which forms the RC4 key) equals the complete 64-bit encryption key. Similarly, the 128-bit key is entered as a string of 26 hexadecimal characters, four bits each, for 104 bits, plus the 24-bit IV totals 128 bits. The 256-bit key is 58 hexadecimal characters at four bits each, plus the 24-bit IV. And so on. Some algorithms use a separate key for encryption and another for decryption. In such cases, the decryption key remains public. The key values increase geometrically. So 2-bit encryption involves four possible key values, 3-bit eight values, 4-bit sixteen values, etc. So, compared to 40-bit encryption, 128-bit offers 88 additional bits of key length. It’s pretty secure, the key length being 309,485,009,821,345,068,724,781,056. Pretty hard to crack even with brute force or rainbow tables.
PROTECTING YOURSELF WITH ENCRYPTION:
PASSWORD ENCRYPTION: For a general explanation and discussion about the various types of password encryption, click HERE.
WINDOWS FILE ENCRYPTION: If you only have a few files containing sensitive information that you’d like to keep from snooping eyes, the pro versions of Windows have a simple solution, Windows’ Encrypting File System (“EFS”). It’s really quite easy. All you have to do is right-click one or more files, go to Properties, then the Advanced button at the bottom of the General tab, then the Advanced Attributes dialogue box, where you simply enable “Encrypt contents to secure data”. The encrypted files or folders will then be shown in green text. By way of example, when I travel to enterprise clients that have lots of settings and passwords, I add the folder to my Google Drive (I could have used Microsoft’s OneDrive as well) folder so that it’s accessible on my tablet. It takes only a few seconds to encrypt the file before adding it to the Drive folder, but keeps all client information confidential. It’s just as simple for non-business users, for anything you don’t want out there. For phones, you could alternatively or additionally use password protection. For Linux file encryption, click HERE for how to do this.
An extra feature is that if you encrypt a folder, as recommended by Microsoft, all subsequent files that you drop to that folder will also become encrypted. The encryption certificate is contained in a folder stored by Windows. Because of the obvious concern about possible Windows O/S corruption, it is recommended that you also back up the certificate or create a recovery certificate, or your files will be lost forever (click HERE for more about how to do this). If it’s more than a few files or folders, you have other choices: You can use Windows’ BitLocker by simply right-clicking on the drive. (When using this, make sure you don’t format the disk or partition, by selecting “encrypt partition in place”!!) This feature is available in most Windows Pro, Enterprise and Ultimate editions. Or you can try the popular 7-Zip program, which supports highly secure AES-256 encryption for classic Zip files in its own .7z compression format, but takes a little more work as it uses its own file manager to complete the various tasks. As an alternative, you can use a so-called “encryption vault” or “encryption container” like VeraCrypt from French IT security consultant Mounir Idrassi.
If you want to purchase separate file encryption programs, there are many choices: Popular ones are - CryptoForge, Inv Softworks Kryptel, Kakasoft Advanced Folder Encryption, Kruptos 2 Professional and QuickCrypto.
Secure Chat and Messaging Apps: Apple has turned on full-disk encryption on all iOS devices. And Apple has added end-to-end encryption for its iMessage app. This means that all data stored on iPhones and iPads is automatically protected. Google offers full-disk encryption, although it is not turned on by default, even on the latest Android devices, and must be enabled. There are also several other apps for this purpose, like Wickr, Signal and Telegram. Signal (for Mac and Android) is often preferred due to its ease of use and uncompromising security using end-to-end encryption, and the chat service retains virtually no information from users, including messages and address books, on its servers. [But be careful, as WhatsApp retains some meta data, including phone numbers and times, and Google Allo and Facebook’s Messenger must be enabled with Incognito sessions or Secret Conversations, respectively.] At the start of a conversation users must exchange encryption keys. But the shortcoming is that both the sender and the recipient must have the same app to use encrypted messages. A plus, however, is that the messages can be programmed to disappear after a certain time period or after being viewed, for the sender’s protection. This is good for those who demand privacy from government snooping, but can also be used by criminals to cover their trail. See also Tip #84 for more.
Voice Calls: No longer is it necessary to buy a burner phone to protect your privacy. There are apps for that. A major player is Signal, available for Apple and Android. Again, though, users at both ends of the communication must have the app. And Signal makes a desktop app for computers which extends secure messaging to the desktop as well. See also, OStel, from The Guardian Project, which uses downloadable software like CSipSimple and Linphone and works with many devices, including BlackBerry, Nokia and Android devices as well as Mac OS X, Windows, and Linux.
Internet: These days, websites’ use of https:// is much more common, but it’s not everywhere that there is a public connection to the internet. For those who are concerned about this gap, you can encrypt your internet connection through the use of a VPN service like that provided by F-Secure’s Freedome, NordVPN or CyberGhost VPN. A VPN service differs slightly from a true corporate VPN, which is normally software installed on a work computer network to enable off-site users to access the corporate network and applications. VPN services, on the other hand, let users establish an encrypted tunnel with a third-party server, then access the Internet through that tunnel. So, for example, if you are in NY and access the Internet through your VPN connection in Paris, you’re viewed as being in Paris, not NY! Not up for so much technology? Try using Tor. The Tor Browser, using an “onion” router, bounces your signal around multiple nodes to hide your origin.
E-Mail: Try such services as Hushmail and Ghostmail. These have built-in encryption, but the recipient doesn’t have to have the same service on the other end. They will, however, have to have a “secret Q & A combination” to receive the encrypted message. All they have to do is to answer a simple security question, and the rest is handled by the encryption service. This is much easier than managing public or private keys, even with apps like Keybase, K-9 and OpenKeyChain, which still require quite a lot of setup effort. Even Microsoft Outlook has some built-in cryptography features. Before users can send encrypted messages to each other, they need to digitally sign messages and exchange certificates. Once done, it’s just a matter of opening up a new message and selecting the option “encrypt message contents and attachments”. Not everyone, however, needs to send every message encrypted. It’s much easier to get one of these services and use it only for the most sensitive messages, and simple G-mail or Outlook for the rest. See the e-mail page of this site for more alternatives.
Hard Drive encryption: Available as BitLocker in many Microsoft O/S versions (discussed above) and FileVault2 on Apple, there are also separate programs like VeraCrypt (successor to the popular TrueCrypt). And both flash drives and external hard drives are readily available which are already or can be encrypted or are self-encrypting. Or just use biometrics, available on many external types of drives. Cloud services abound for secure storage of important files, but the storage isn’t in your direct control. Best to encrypt them before backing up or storing your files in the cloud. Personally, my feeling is that, if you don’t have complete control over your file encryption and keys, you’re not completely secure. But for most residential use, this isn’t as important an issue.
For more, see these other Glossary definitions: PKI, EFS, BitLocker, DEC, SHA-1 & -2, Certificates. See also, AES, DES, EAP (above), checksum, Hellman, RSA, Blowfish, Bcrypt, concatenation, keyfile, cryptography, biometrics, cipher, rainbow tables, hash, Kerberos token, salt, pervasive memory scraping, multifactor authentication, pre-encryption, 2 factor authentication, eSignatures, Internet Transmission Protocols. And the e-mail page of this site (how to protect your emails); also PhoneFactor in Links. Finally, there’s an excellent interactive web site from the Google Cultural Institute devoted to Bletchley Park, the British compound devoted to decrypting the German Enigma machine and other code devices during WW2, and the adjacent National Museum of Computing.
For more about encryption apps and security for e-mails or text messages, click on the links. For more about the hardware side of protection, see e.g. Faraday cage, air-gap, tempest.