Encryption in Data Storage and Mail Systems

Encryption and authentication may be used to protect data stored in computers. Many computer systems encrypt passwords in a one-way fashion for storage in the computer memory.

When a user signs on to the computer and enters the password, it is encrypted and compared with the stored value. If the two encryptions are equal, the user is permitted access to the computer; otherwise access is denied. The encrypted password is often created by using DES, setting the key equal to the password and the plaintext equal to the user’s identity. A Fortran program for implementing this function is given in the NBS Standard for Password Usage.

The DES can also be used to encrypt computer files for storage. It is also used in a key notarisation system, which may be integrated into computer systems to protect files from undetected modification and disclosure, and to provide a digital signature capability using the DES. Users can issue a set of commands for key management as well as for data encryption and authentication functions. The facilities perform notarisation which, on encryption, seals a key or password with the identities of the transmitter and intended receiver. Thus, in order to decrypt a message, the receiver must be authenticated and must supply the correct identity of the transmitter. This notarisation technique is used in ANSI standard to protect against key substitutions which could lead to the compromise of sensitive data.

The key notarisation system that incorporates the DES may also be used in conjunction with a mail system to provide secure mail. A cryptographic header that contains the information necessary to decrypt and authenticate a mail file is automatically appended to the file that is transmitted to the receiver. The receiver may then decrypt and authenticate the file in a nearly transparent manner.


Data Encryption Standard (DES) Algorithm and its Applications

The basic DES algorithm can be used for both data encryption and data authentication. Here we will look at the encryption aspect; I will cover authentication in a follow-up post.

Data Encryption: It is easy to see how the DES may be used to encrypt a 64-bit plaintext input to a 64-bit ciphertext output, but data are seldom limited to 64 bits. In order to use DES in a variety of cryptographic applications, four modes of operation were developed:

  • electronic codebook (ECB);
  • cipher feedback (CFB);
  • cipher block chaining (CBC); and
  • output feedback (OFB)

Each mode has its advantages and disadvantages.

ECB is excellent for encrypting keys;

CFB is typically used for encrypting individual characters; and

OFB is often used for encrypting satellite communications.

Both CBC and CFB can be used to authenticate data. These modes of operation permit the use of DES for interactive terminal-to-host encryption, cryptographic key encryption for automated key management applications, file encryption, mail encryption, satellite data encryption, and other applications. In fact, it is extremely difficult, if not impossible, to find a cryptographic application where the DES cannot be applied.
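The four modes listed above, as an added example that is not code from the original post: the 64-bit block cipher `E` is a constructed Feistel stand-in for DES (it is not DES and not secure), and the key, IV and plaintext are constructed sample values. It shows ECB repeating ciphertext for repeated plaintext blocks, CBC hiding them, 8-bit CFB working one character at a time, and OFB confining a transmission error to the bit that was hit.

```python
import hashlib
BLOCK = 8  # 64-bit blocks, the DES block size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Constructed 4-round Feistel cipher standing in for DES (not DES, not secure)."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, xor(left, hashlib.sha256(key + bytes([i]) + right).digest()[:4])
    return right + left

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, pt):  # every block is enciphered independently of the others
    return b"".join(E(key, b) for b in blocks(pt))

def cbc(key, iv, pt):  # each block is XORed with the previous ciphertext block first
    out, prev = [], iv
    for b in blocks(pt):
        prev = E(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cfb8(key, iv, data, decrypt=False):
    # 8-bit CFB: one character per cipher call; the register holds the last 8 ciphertext bytes.
    reg, out = iv, bytearray()
    for byte in data:
        o = E(key, reg)[0] ^ byte
        out.append(o)
        reg = reg[1:] + bytes([byte if decrypt else o])
    return bytes(out)

def ofb(key, iv, data):
    # The keystream depends only on key and IV, so the same call encrypts and decrypts.
    reg, out = iv, bytearray()
    for b in blocks(data):
        reg = E(key, reg)
        out += xor(b, reg)
    return bytes(out)

KEY, IV = b"demo-key", bytes(range(8))  # constructed sample key and IV
PT = b"SAMEBLK!SAMEBLK!tail-blk"        # constructed: the first two blocks are equal

def repeated_blocks_match(ct):
    return ct[:BLOCK] == ct[BLOCK:2 * BLOCK]

def ofb_damaged_bits(pos=5, bit=0x10):
    # Flip one ciphertext bit "in transit", decrypt, and count the wrong plaintext bits.
    ct = bytearray(ofb(KEY, IV, PT))
    ct[pos] ^= bit
    return sum(bin(x ^ y).count("1") for x, y in zip(ofb(KEY, IV, bytes(ct)), PT))
```

CFB and OFB call the cipher only in the encryption direction, which is why `E` needs no inverse here.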


Key Management Plan Review

In my previous post I described how to write a Key Management Plan (KMP), with guidelines on what to include and which key aspects need to be addressed as part of key life cycle management. In this post, I will talk about what to look for when reviewing a Key Management Plan. Having standard guidelines for Key Management Plan review ensures that the plan has adequate information for the key administrator to use once the keys are sent to production.

Key Generation Process

Provide dates and location details, if appropriate:

  • Date and Time
  • Required attendees (CBA and Non CBA)
  • Key Register (If required)
  • List of Actions and Outcome

Description of how the key(s) will be sourced. This may be via another agency or may be key generation processes or equipment.

How the key is to be physically loaded into the hardware and/or software cryptographic system.

Description of how the key(s) are to be used:

  1. When encryption and decryption occur;
  2. What data is to be encrypted and decrypted; and
  3. The keys and algorithms to be used in these transformations.

Crypto period(s) for the various keys.

Details of how the key(s) will be electronically and physically stored.

Key Accounting and Distribution

Detail the number of copies of the key to be produced and distributed to the various parties.
If appropriate, detail how key(s) are to be destroyed.
Details on how keys will be distributed electronically or physically. This should include security details of courier(s), if used, as well as how the couriers will handle contingencies such as loss or compromise of keys.
Provide an explanation/procedure covering the circumstances under which a key may be destroyed.
Key archiving usually requires provisions for moving the key to new storage media when the old media are no longer readable because of aging of, or technical changes to, the media readers.

Key Contingency

Describe the conditions under which a compromise of cryptographic key material should be declared
Detail the procedures for recovery of keys and encrypted material
Detail the key compromise procedure on how the incident will be investigated and how to escalate the incident.

Key Retrieval

The KMP design shall specify how, and the circumstances under which, keys and their bound metadata may be retrieved from a key database storage facility

Maintenance Schedule

Detail the procedures for testing or verification of software upgrades to critical cryptographic services in either the hardware (through firmware) or software

Key Resources

List of parties involved, with their contact details. Depending on the criticality, verify the names of backup custodians as necessary.

Key Conveyance form

Does the KMP cover an agreed format for key exchange? All parties involved in key conveyance exchange/acknowledgement and key destruction.

May to Aug 2011 Security News

Wired Threat Level: Newspaper Chain Fights for Copyright Troll’s Survival - Thursday, June 30, 2011

Hack in the Box: European Commission warns against Internet fragmentation - Thursday, June 30, 2011

Hack in the Box: News Corp. Sells Myspace for a Song - Thursday, June 30, 2011

Hack in the Box: Microsoft uncovers scary virus - Thursday, June 30, 2011

Hack in the Box: Google Plus emerges as heavyweight competitor to Facebook - Thursday, June 30, 2011

Wired Threat Level: FBI Raids Iowa Woman’s Home in Lulz Security Hacker Investigation - Wednesday, June 29, 2011

Krebs on Security: Regulators Issue Updated eBanking Security Guidelines - Wednesday, June 29, 2011

Wired Threat Level: Supreme Court Term in Review: It’s a Mixed Bag - Tuesday, June 28, 2011

Krebs on Security: Banks Hold Key to Killing Rogue Pharmacies - Tuesday, June 28, 2011

SSL Security: Q&A: Chris Bailey of AffirmTrust on the new SSL Certificate Authority - Wednesday, June 29, 2011

SSL Security: SSL Session Caching (in nginx) - Tuesday, June 28, 2011

SSL Security: Popular, but sluggish secure server? Popularity might not be the reason - Tuesday, June 28, 2011

Krebs on Security: ChronoPay Co-Founder Arrested - Saturday, June 25, 2011

Krebs on Security: $72M Scareware Ring Used Conficker Worm - Friday, June 24, 2011

Krebs on Security: Financial Mogul Linked to DDoS Attacks - Thursday, June 23, 2011

Hack in the Box: LulzSec under attack from hackers, law enforcement - Thursday, June 23, 2011

Hack in the Box: .gov.my prepared for cyber attacks, says CyberSecurity Malaysia - Thursday, June 23, 2011

Google Online security: Introducing DOM Snitch, our passive in-the-browser reconnaissance tool - Wednesday, June 22, 2011

Krebs on Security: Antichat Hacker Forum Breach Reveals Weak Passwords - Wednesday, June 22, 2011

Wired: Hangover Tattoo Infringement Lawsuit Settles - Thursday, June 23, 2011

Wired: British Police Swoop In on Possible LulzSec Suspect - Wednesday, June 22, 2011

SSL Security: Attack on Israeli Certificate Authority, StartCom - Tuesday, June 21, 2011

Krebs on Security: Software Cracks: A Great Way to Infect Your PC - Monday, June 20, 2011

Wired Threat Level: Bitcoin Prices Plummet on Hacked Exchange - Monday, June 20, 2011

SANS Internet Storm: StartSSL, a web authentication authority, suspend services after a security breach, (Tue, Jun 21st) - Tuesday, June 21, 2011

F-Secure: Student faces US extradition over copyright charges? - Tuesday, June 21, 2011

F-Secure: Finland Has It All - Tuesday, June 21, 2011

SANS Internet Storm: Log files – are you reviewing yours?, (Mon, Jun 20th) - Monday, June 20, 2011

Wired Threat Level: Can Microsoft Use DMCA to Kill Competing Xbox 360 Accessories? - Saturday, June 18, 2011

SSL Security: DNSSEC authenticated HTTPS in Chrome - Sunday, June 19, 2011

Hack in the box: Has Google created a new type of drive-by security exploit? - Tuesday, June 21, 2011

Hack in the box: Microsoft’s WebGL claims bashed by own employee - Tuesday, June 21, 2011

Hack in the box: Web authentication authority StartSSL suffers security breach - Tuesday, June 21, 2011

Metasploit: Bounty: 30 Exploits, $5,000.00, in 5 weeks - Wednesday, June 15, 2011

Metasploit: Emulating ZeuS DNS Traffic with Metasploit Framework - Tuesday, June 14, 2011

Krebs on Security: Court Favors Small Business in eBanking Fraud Case - Friday, June 17, 2011

Krebs on Security: Microsoft Patches Fix 34 Security Flaws - Wednesday, June 15, 2011

Krebs on Security: Adobe Ships Security Patches, Auto-Update Feature - Wednesday, June 15, 2011

Krebs on Security: Organization Chart Reveals ChronoPay’s Links to Shady Internet Projects - Monday, June 13, 2011

Wired Threat Level: Dropbox Left User Accounts Unlocked for 4 Hours Sunday - Tuesday, June 21, 2011

Wired Threat Level: Righthaven Loss: Judge Rules Reposting Entire Article Is Fair Use - Tuesday, June 21, 2011

Wired Threat Level: Appeals Court Deals Blow to ‘Hot News’ Doctrine - Tuesday, June 21, 2011

Krebs on Security: Apple Update Targets Mac Malware - Wednesday, June 01, 2011

Helpnet Security: Romanian president declared dead by e-mail scam - Wednesday, June 01, 2011

Wired: Internet Researchers Decry DNS-Filtering Legislation - Wednesday, June 01, 2011

Helpnet Security: Spam rate increases, growth expected to continue - Wednesday, June 01, 2011

Krebs on Security: DNS Filtering Bill Riles Tech Experts, Hacktivists - Wednesday, June 01, 201

Schneier on Security: Lockheed Martin Hack Linked to RSA’s SecurID Breach - Monday, May 30, 2011

Schneier on Security: Aggressive Social Engineering Against Consumers - Monday, May 30, 2011

Schneier on Security: Friday Squid Blogging: Hand-Cut Paper Silhouette - Saturday, May 28, 2011

Helpnet Security: Iran aims to exchange the global Internet for a national one - Wednesday, June 01, 2011

Krebs on Security: ChronoPay Fueling Mac Scareware Scams - Friday, May 27, 2011

Wired: Threat Level: Senior Defense Official Caught Hedging on U.S. Involvement in Stuxnet - Friday, May 27, 2011

In Security Complex: How secure is your wallet in Google’s hands? (FAQ) - Friday, May 27, 2011

In Security Complex: Why is Sprint installing junk apps on my Android phone? - Thursday, May 26, 2011

Wired: Threat Level: Senator Blocks Bill Giving Feds Power to Blacklist Piracy Sites - Friday, May 27, 2011

Hack in the box: #HITB2011AMS – IE Security Flaw Exposes Your Cookies - Friday, May 27, 2011

Hack in the box: iOS 4 Hardware Encryption Cracked By Forensics Firm - Friday, May 27, 2011

Hack in the box: Inside the Global War to Stop Web Hackers - Friday, May 27, 2011

Metasploit: Recent Developments in Java Signed Applets - Friday, May 27, 2011

Metasploit: Introducing msfvenom - Wednesday, May 25, 2011

Wired: Threat Level: Copyfight: EFF Co-Founder Enters e-G8 ‘Lion’s Den,’ Rips Into Lions - Thursday, May 26, 2011

Wired: Threat Level: Lamo Summoned to Washington for Bradley Manning Prosecution - Wednesday, May 25, 2011

Wired: Threat Level: Nude Nuns Mass BitTorrent Lawsuit Killed, Clone Lives On - Wednesday, May 25, 201

Krebs on Security: Blocking JavaScript in the Browser - Wednesday, May 25, 2011

Krebs on Security: Facebook Adds Mobile Authentication - Tuesday, May 24, 2011

Krebs on Security: Something Old is New Again: Mac RATs, CrimePacks, Sunspots & ZeuS Leaks - Monday, May 16, 2011

Helpnet Security: Breaches drive enterprises to prioritize access governance - Tuesday, May 17, 2011

Computer world: After hack, Sony offers freebies to unhappy gamers - Tuesday, May 17, 2011

Computer world: White House releases new cyberspace strategy - Tuesday, May 17, 2011

Helpnet Security: Portable biometric fingerprint scanner for iPod touch - Tuesday, May 17, 2011

Helpnet Security: Hackers steal, publish Fox employee passwords - Monday, May 16, 2011

Schneier on Security: The Inner Workings of an FBI Surveillance Device - Monday, May 16, 2011

Hack in the Box: Sony Shuts Down PSN Briefly Due to Flood of Password Resets - Tuesday, May 17, 2011

Hack in the Box: Network security blunders – how to recover - Tuesday, May 17, 2011

Hack in the Box: Teenage duo sentenced over credit card Ghostmarket - Tuesday, May 17, 2011

Jeremiah Grossman: Web security content moving to new WhiteHat Security corp blog - Tuesday, May 17, 2011

Krebs on Security: Critical Flash Player Update Plugs 11 Holes - Saturday, May 14, 2011

Krebs on Security: Anonymous Splinter Group Implicated in Game Company Hack - Friday, May 13, 2011

Krebs on Security: Security Fixes for Microsoft Windows, Office - Wednesday, May 11, 2011

Wired: Find Out if You’re a Target in the Biggest U.S. BitTorrent Lawsuit Ever - Wednesday, May 11, 2011

Schneier on Security: Medieval Tally Stick Discovered in Germany - Wednesday, May 11, 2011

Hack in the box: Source code leaked for pricey ZeuS crimeware kit - Wednesday, May 11, 2011

Wired: Litigious Newspaper Chain Calls Online Aggregators ‘Parasitic’ - Wednesday, May 11, 2011

Helpnet Security: Run OS X, Windows and Linux side-by-side on a Mac mini - Wednesday, May 11, 2011

Krebs on Security: Breach at Michaels Stores Extends Nationwide - Wednesday, May 11, 2011

Wired Threat Level: Biggest BitTorrent Downloading Case in U.S. History Targets 23,000 Defendants - Tuesday, May 10, 2011

Hack in the box: The Pirate Bay Speaks Out Against Proposed EU Firewall - Tuesday, May 10, 2011

Hack in the box: Sony reported to be considering bounty for PSN attack - Tuesday, May 10, 2011

Schneier On Security: Vulnerabilities in Online Payment Systems - Tuesday, May 10, 2011

Fortinet Security blog: Update to the recent NSS Labs Group Firewall test - Tuesday, May 10, 2011

Help net Security: Free browser-based security assessment - Tuesday, May 10, 2011

Hack in the box: What to Do When Webmail Gets Hacked - Tuesday, May 10, 2011

Help net Security: Cloud-based protection for virtualized environments - Tuesday, May 10, 2011

F-Secure: Problematic Certificates - Tuesday, May 10, 2011

Wired Threat Level: Veteran of 90’s Cyber Gang GlobalHell Charged in Swatting Conspiracy - Tuesday, May 10, 2011

Wired Threat Level: Two Firms Battle for Right to Sue Nude Nuns Downloaders - Tuesday, May 10, 2011

Krebs on Security: Security Group Claims to Have Subverted Google Chrome’s Sandbox - Tuesday, May 10, 2011

Naked Security: SSCC 59 – bin Laden, Sony, LastPass, Patch Tuesday and Mac malware - Sunday, May 08, 2011

Help net security: Poisoned Google image searches becoming a problem - Saturday, May 07, 2011

Help net security: OpenID Attribute Exchange flaw - Saturday, May 07, 2011

Help net security: Facebook scammers go back to using Javascript - Saturday, May 07, 2011

SANS: “Digital Forensics Case Leads: Oracle is on the Warpath, Anonymous accused of PlayStation hack.” - Friday, May 06, 2011

Krebs on Security: Scammers Swap Google Images for Malware - Friday, May 06, 2011

SSL Security: Public key pinning for Google Chrome - Thursday, May 05, 2011

Google Security blog: Website Security for Webmasters - Friday, May 06, 2011

Krebs on Security: LastPass Forces Users to Pick Another Password - Thursday, May 05, 2011

Krebs on Security: RSA Among Dozens of Firms Breached by Zero-Day Attacks - Wednesday, May 04, 2011

ESET Security: NEWS140 – ESET Smart Security and ESET NOD32 Antivirus version 5.0.65 (Beta) is now available for public testing - Friday, May 06, 2011

fortinet security blog: Security Minute – Zombie Awareness Month (May 2011) - Thursday, May 05, 2011

fortinet security blog: Stop Your Computer From Becoming a Zombie! - Wednesday, May 04, 2011

The Register: CEOP accused of misleading public over site security fail - Tuesday, May 03, 2011

Krebs on Security: Advanced Persistent Tweets: Zero-Day in 140 Characters - Tuesday, May 03, 2011

Schneier On Security: Nikon Image Authentication System Cracked - Tuesday, May 03, 2011

The Register: Osama malware scams spread to Facebook - Tuesday, May 03, 2011

The Register: North Korea blamed for bank hack - Tuesday, May 03, 2011

Schneier On Security: LiveBlogging the Bin Ladin Assassination - Monday, May 02, 2011

Slashdot: Google Wants Your Voice Data - Tuesday, May 03, 2011

Slashdot: Bin Laden’s Death Causes Twitter Record - Tuesday, May 03, 2011

Helpnet Security: Osama bin Laden Twitter witness' site hacked - Monday, May 02, 2011

Helpnet Security: Creating a secure firewall policy for a large company - Monday, May 02, 2011

SANS: “Digital Forensics Case Leads: Tons o’ tools, a new challenge, and hard drive steganography” - Sunday, May 01, 2011

Krebs on Security: ‘Weyland-Yutani’ Crime Kit Targets Macs for Bots - Tuesday, May 03, 2011
