Encryption

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.

The most recent PCI scan of our ASA firewall has revealed multiple deficiencies. We use the firewall for remote access VPN connections using AnyConnect, with a minimum TLS level of 1.1.


The issues follow - I would like to know the most efficient way of addressing them, using ASDM if possible:

- Weak Encryption Ciphers identified on VPN Device (Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device)
- Block cipher algorithms with block size of 64 bits (like DES and 3DES)
- Weak Diffie-Hellman groups identified on VPN Device (Use Diffie-Hellman Key Exchange Group 5 or higher where possible, or the highest available to the VPN endpoints)

It should be expected that all of our VPN endpoints are fairly current.

Would changing the DH group (from Group 2) to Group 5 and setting the TLS1.1 SSL cipher to MEDIUM (removes DES) accomplish this at little risk to VPN clients?

Current VPN connections (ASDM monitoring) indicate the use of AES256 but if you can suggest a command to provide better insight that would be appreciated.

Thanks in advance!
0

Hi All,

I was asked a question today, and whilst I have some ideas, I figured it would be good to see what others think in case I am out of date or missing something.

I was asked what encryption option to use for storing confidential information on a cloud storage site.

The site allows encryption of whatever is uploaded, and they *claim* that they don't have the keys (and I believe them).  If we (the client) lose the keys, then the storage site cannot help them.  We have a good system for backing up the keys, and I will also have a copy that I will hold for them, and I am comfortable that this aspect is well covered and secure, both at their end and mine.

This is a secondary backup in case something happens to the office site drive backups they already have in place each day.

The backups include staff records and payroll data, so the client wants to pre-encrypt their bulk data backups prior to storing them on the cloud site, which I am all for too.

They want to take the backups, combine them into a single file for a given date (the size of the backups makes this viable), and store that single encrypted file on the cloud site.

They were proposing to zip the backup using 7-zip and apply the AES option with a password that is 23 random characters, followed by the date (so today would end in 20180814).  That way the password is really 23 characters, but all the passwords are different.

I am okay with that, but perhaps there are better options.  When asked, I …
0
Have several folders I would like to encrypt and send to the cloud. Is BitLockering them enough, or should I use a third party software for such?
0
I'm working on an issue I have with a vendor. They are unable to communicate with our Exchange server.  The following message was sent to us.


"A Purchase Order sent to this email address has failed because a “secure delivery could not be established.
If it is a valid email address, please make sure that your company white lists all emails from the @domaint.com domain so Purchase Orders can flow without failures.  Also, please make sure that your email can handle TLS encrypted emails.  Our ordering system utilizes TLS encryption. "

I went to ssllabs.com (https://www.ssllabs.com) with the following results:

Configuration

Protocols
TLS 1.3      No
TLS 1.2      Yes
TLS 1.1      Yes
TLS 1.0      Yes
SSL 3      No
SSL 2      No
For TLS 1.3 tests, we currently support draft version 28.



Certificate #1: RSA 2048 bits (SHA1withRSA)

Server Key and Certificate #1
Subject      remote.domain.com
Fingerprint SHA256: 242108f159834deXX
Pin SHA256: gJb0SUQGT9xdgAUkLtUabTUHxx
Common names      remote.domain.com
Alternative names      remote.domain.com exchange.domain.local AutoDiscover.domain.local AutoDiscover.domain.com mge.local domain.com
Serial Number      505976e8d2dacd9445086axxx
Valid from      Thu, 09 Jul 2015 21:01:06 UTC
Valid until      Thu, 09 Jul 2020 21:01:06 UTC (expires in 1 year and 10 months)
Key      RSA 2048 bits (e 65537)
Weak key (Debian)      No
Issuer      remote.domain.com   Self-signed
Signature algorithm      SHA1withRSA   INSECURE
Extended Validation      No…
0
Is the Instagram iOS app on my iPhone using an HTTPS SSL to encrypt all session activity from being viewed by my ISP? How do you know? Is there any evidence which proves all app activity on Instagram is encrypted or not encrypted?
0
Hi All,

Researched this and wanted to know if anyone has a solution. Is there any way to encrypt DPM data at rest? Reached out to Microsoft Support, which confirmed DPM does not support encryption.  Thanks,

Are there third party tools out there to accomplish this?
We're using an old storage server which, from what I can tell, doesn't support hardware encryption - ProLiant SE1220.
0
I have multiple files to encrypt using the slift software.
I have the manual steps to encrypt but need help with scripting it.
I have a restriction not to store any password in the scripts, hence it requires the password to be encrypted.
The command is
slift.exe /e "sourcedirectory" /pfx "privatekeyfile.pfx" password /cer "partnerpublickey.cer"
Can anyone help with how to script this in PowerShell?
0
We are evaluating options for email encryption.  We currently use ZixMail to encrypt sensitive information.  The ZixMail always requires the password to open the email and read it.  What other applications are there that offer this same option?  We are using Office 365 and the Microsoft EOP does not have the option to lock the email like ZixMail does, it will keep it in plain text, so if someone gains access to the email account they will be able to read the email.

I have started looking at Virtru for email encryption and was wondering what others are using.

Thank you
0
BitLocker - Domain Controller

Is it possible to link this to Active Directory?
So that if a user activates BitLocker, the password appears in AD, to ensure access if the user forgets.

Also, how does this work if a user already has BitLocker activated on their device?
And finally, is it possible to have this for a selected group? I.e. there are some users who have other encryption products on their devices whom we don't want to touch.
0
I have a small Access that is utilizing MacroShadow's code for a button that saves a report to pdf with a password using Bullzip and even emails it.   Huge thanks to MacroShadow for helping me to get this working.

Only one small problem left.  I have 6 different reports each with their own button.  I want to call the same Function regardless of which report button is clicked.  I can't figure out how to pass the report name to the Function as my variable (currently hard coded report name and paths).  

Can anyone help?  Thank you in advance.

Here is the code.

REPORT BUTTON
Option Explicit

Private Sub EmailPDFBtn_Click()
   Dim NameofReport As String
   NameofReport = "MemberDetailsReportAll"
   
   Call PrintReportAsPDFwithBullZip(NameofReport, , "C:\Users\tfoutz\Documents\RS Member Log\", "ReportAllByName.pdf")
   
   Call SendPDFbyEmail
End Sub


SAVEPDFENCRYPTED MODULE
Option Explicit

Public Declare Function SetDefaultPrinter Lib "winspool.drv" _
                                          Alias "SetDefaultPrinterA" (ByVal pszPrinter As String) As Long
                                         



Function PrintReportAsPDFwithBullZip(ByVal rptName As String, _
                                      Optional sFilterCriteria As String = "", _
                                      Optional sDirectory As String = "", _
                                      Optional sFileName As String = "") _
                                      As Boolean
0

We clone laptops using MDT (offline). When laptops get cloned they run a script to run sysprep, install some apps and run encryption with BitLocker at the end.
All clones run BitLocker except the one which was upgraded to Windows 10 1803. The 1803 version clients have problems running encryption. They all hang while in the process of encryption. Looks like they get the used area encrypted by default when they get cloned. Please see the screenshot of a master and a clone: the master is Fully Decrypted and the clone has used space 100% encrypted. If I stop the script before it starts running the encryption process, manually decrypt the drive and restart the script, it runs perfectly fine.
How can I prevent MDT from encrypting the HD? I disabled BitLocker in the task sequence but the clones still have it on.
0
I believe my service reference is using Triple DES encryption to communicate with one of our vendor's web services. The server we initiate the call from cannot have the 3DES cipher enabled due to PCI constraints.
How can I set my service reference in C# to use RSA instead?
0
I created this thread at Wilders Security Forum without receiving a response, so I am trying here instead:

So to the problem: I installed DiskCryptor and being the ignoramus that I am, I encountered a problem, namely that I got locked out of my computer. Long ago, I used DiskCryptor without any problems; however, my computer now has UEFI, something which it seems DiskCryptor is not supporting. It is mentioned on the home page, and I knew the software had not been updated for long, but I just did what I did the last time I used it (maybe it sounds more stupid than it actually was?)

Anyway, what happened is as follows:

1. Windows refuses to load (after that I browse the DiskCryptor forums)

2. I figure out the UEFI is not supported and as such the bootloader is not working

3. Luckily there is a bootable bootloader a guy created (Yippie! I am saved!!! Or am I?)

4. After some tweaking in BIOS the bootloader starts...

5. Oh no! No disk drives are detected in DiskCryptor! Not in "My computer", not in "Disk Management"... nowhere!

6. What to do? What to do? Ask on the DiskCryptor forum! WHAT? Registration is closed! What to do? What to do? Ahh, ask the pros at Wilderssecurity... (ehm... Experts-Exchange, I mean).

And here I am now, please help, guys and ladies!

The only thing I can think of now that might have to do with the problem is that I created the bootable bootloader in Linux (that took a while to figure out, let me tell you! Piece of cake on …
0
Hi

Does anyone know of a way / app / method that I can password protect a FOLDER without zipping it?

I use 7zip at present but have to zip the folder to password protect it, and I'm trying to avoid that.

Any ideas?

Thanks
0
Hi,

I have created a windows form application where I am connecting to a database. The database connection string is currently stored in the App.config file, but the string is stored as plain text. Which is not good as the DB password is readable and therefore vulnerable.

Please could you advise the best approach on how to secure the connection string? The application will be used on multiple machines but run from a single shared location (not installed on each machine).

My thought was to create a separate application that would convert the connection string to an encrypted string using a password. The decrypt function would be added to the end user application and the encrypted string copied and pasted into the app.config. Using the encryption key along with the decrypt function the end user app should be able to decrypt the connection string.

My issue is that I do not know what type of encryption to use or which type in .NET is the newest.

I am using .NET Framework 4.6.

Please could you help and provide examples as encryption is new to me...

Thanks, Greg
0
With the new GDPR regulations in place I am looking for a service to encrypt certain emails (Payslips, etc) which contain sensitive data.

We are using Office 365 for our email service and I have looked into the encryption services provided by Office 365 but none really suit what we are looking for.

I have looked at encrypting the documents within the email through “7Zip”. Has anyone a suggestion on a service we could use that would make us GDPR compliant when sending sensitive emails or would 7zip or something similar work?
0
My boss just told me that Microsoft is recommending log encryption after reviewing our latest Risk Analysis.  Is there anyone making that work today?  Encrypting all log data?
0
Microsoft Exchange 2016 Vulnerabilities:

We have vulnerabilities for the two points below on Exchange 2016.
If we take action and make any changes, will it negatively impact our Exchange servers?
We have a total of 12 Mailbox Servers, 1 Witness Server and 1 DAG cluster. Please advise on the vulnerabilities below.
Need your valuable inputs.

Vulnerabilities:
1) 3DES configuration in registry, & 
2) Disabling “SendExtraRecord” parameters in registry.

SSL Medium Strength Cipher Suites Supported      The remote host supports the use of SSL ciphers that offer medium
strength encryption. Nessus regards medium strength as any encryption
that uses key lengths at least 64 bits and less than 112 bits, or else
that uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength
encryption if the attacker is on the same physical network.

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST)      A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow
information disclosure if an attacker intercepts encrypted traffic
served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are
not affected.

This plugin tries to establish an SSL/TLS remote connection using an
affected SSL version and cipher suite and then solicits return data.
If returned application data is not fragmented with an empty or
one-byte record, it is likely vulnerable.

OpenSSL uses…
0
In a meeting we were told that it is possible to know or identify if a user hit a specific page and its contents even if the page is locked.  We understand that when a page has a lock it means SSL and that the data to/from the site to the computer is encrypted.  Is it possible that even though the page has a lock, there is a way to identify the encrypted page that the user visited and identify the contents, whether it has a form or is just a regular page?
0

I have a Lenovo ThinkPad T470 that every time it reboots BitLocker (BDE) gets tripped.  If I force shut down and turn back on most often it boots into the OS (Win 7 Pro).  But, any warm reboot and it trips.  I've suspended and rebooted with it suspended several times but as soon as I re-enable, problem is back.

Enterprise setting; Image is deployed via Network and BDE encrypts the entire drive as the task sequences execute.  It normally boots into regular logon and disk encryption complete but not this one.

I SUSPECT a bad drive (SSD) or controller but have no idea how to prove it for warranty.

T470's have SSD with NVMe via M.2 (and I can't find a GOOD diag tool for this hardware combination.  Most diags I find can't handle the M.2 and never see the SSD at all).  I have wiped and reimaged a second time just in case the first deploy was defective.  Same problem.

So the actual question would be two-fold.  
1.  Does anyone know of a good diag tool for the above hardware
2.  Feedback on WHY this one machine is giving me headaches!
0
hi there,

Currently I'm trying to create, sign & broadcast bitcoin transaction using btcsuite. For start, I've already had testnet3 address & its associated privatekey for testing. However, hunting through the post and articles like below:-

https://www.thepolyglotdeveloper.com/2018/03/create-sign-bitcoin-transactions-golang/
https://github.com/prettymuchbryce/hellobitcoin/blob/master/transaction.go
https://github.com/btcsuite/btcd/issues/1164

The solutions proposed above are not complete; the first one only covers until signing (I knew the author claimed it's not broadcastable unless you provide the UTXO, which I did, if I'm right) but when I tried to broadcast it failed with the message

"Error validating transaction: Transaction be9b294695bfb201a5cff32af074a4bf72b073e3c9dad1969111165bf118a622 orphaned, missing reference f0c0d3b3eecf911ede996a74ceadc9366068791450c9e6bacee9ae202f3690d1."

I have no idea what's going on and I suspect its script is incompatible.

So, the bottom line is I just want a workable example in bitcoin testnet3 that shows "from 1 address transfer some bitcoin to other address" by showing the process of creating raw transaction, sign it with private key, turn it to raw transaction in hex format & broadcast it using something like https://live.blockcypher.com/btc/pushtx/ (BTC testnet)

Currently my code is as follows:

package main
import (
    "fmt"
    "encoding/hex"
    "bytes"
    "github.com/btcsuite/btcutil"
    btcchain 


0
In-place upgrade of encrypted Windows systems using reflectdrivers

Apparently since Win10 v1607 there exists a parameter "/reflectdrivers" in Windows Setup (setup.exe on the DVD / USB stick), see https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options

This can be used to tell Setup the location of the encryption drivers (e.g. VeraCrypt) and finally be able to perform upgrades without decrypting!

The Veracrypt developer shares this in a forum post and gives a syntax example for his product:

setup.exe /ReflectDrivers "C:\Program Files\VeraCrypt" /PostOOBE C:\ProgramData\VeraCrypt\SetupComplete.cmd


1
I have tried several things to disable TLS 1.0 on a Windows 7 system.  All the documentation states to add registry keys and reboot.  No matter what I try, TLS 1.0 is still reported to be enabled on both the client and the server side of the system.  Here are the registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001


Testing with nmap and openssl both show that TLS 1.0 is still enabled for 3389 (server).  
openssl s_client -connect 192.168.1.1:3389  -tls1
....
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA


nmap --script ssl-enum-ciphers -p 3389 192.168.1.1
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
.....


Going to https://www.ssllabs.com/ssltest/viewMyClient.html shows TLS 1.0 is still enabled on the client side:
 
Protocols
TLS 1.3	Yes
TLS 1.2	Yes
TLS 1.1	Yes
TLS 1.0	Yes
SSL 3	No
SSL 2	No


0
Dear Experts

When we enable encryption on Windows 10 systems, it encrypts the documents when we store them. What exactly happens here? When we take the stored files from the encrypted system and transfer them via email, copy them to USB or share them on a network drive, all the people on the other side who have access can open and read or modify them based on permissions. Does it mean it is not file-level encryption? I mean, whoever knows the system password can access the files, and if someone wants to crack the hard disk, the file formats stored are not as per the document extension like .docs or .exls? Please help me to understand this.

2. What does server side encryption mean? For example, a Nextcloud deployment says we can enable server side encryption; how is it different from SSL enablement, that is, a user accessing through HTTPS?
Please help me understand the above two. Thank you very much in advance.
0
I'm missing something in my cryptography understanding.

I've looked through several sources and want to verify I'm getting this right.

The 3DES process:

Three 56-bit keys act on a 64-bit block of data.
Key1 encrypts the data, Key2 decrypts the data, and then Key3 encrypts the data.
Some implementations use the same key for Key1 and Key3, so effectively in those implementations the total key length is 112 bits; if 3 different keys are used, it's 168 bits.

So, we send the data across the wire and we want to decrypt it.

We take Key3 to decrypt the ciphertext, which still yields ciphertext, because we have to encrypt this ciphertext with Key2, and then go through the 3rd step which is to decrypt that ciphertext, and finally get plaintext.

Is this correct?

Any further input is very welcome.

thanks,

-Dave.J
0
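The encrypt-decrypt-encrypt sequence described in the post above, worked through in Go as an added example that is not part of the original thread. It uses only the standard library's crypto/des, runs on a single 8-byte block (no mode of operation or padding) with constructed keys, and checks the hand-written sequence against the library's own 3DES, the two-key (K3 = K1) variant, and the all-keys-equal case where 3DES collapses to plain DES.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// singleDES builds one DES block cipher from an 8-byte key. Go ignores
// the DES parity bits, so any 8 bytes are accepted (56 bits are used).
func singleDES(k []byte) cipher.Block {
	c, err := des.NewCipher(k)
	if err != nil {
		panic(err)
	}
	return c
}

// singleDESEncrypt encrypts one 64-bit block with plain DES.
func singleDESEncrypt(k, p []byte) []byte {
	out := make([]byte, des.BlockSize)
	singleDES(k).Encrypt(out, p)
	return out
}

// ede3Encrypt is the sequence the post describes on one 64-bit block: E_K3(D_K2(E_K1(p))).
func ede3Encrypt(k1, k2, k3, p []byte) []byte {
	a, b := make([]byte, des.BlockSize), make([]byte, des.BlockSize)
	singleDES(k1).Encrypt(a, p) // step 1: encrypt with K1
	singleDES(k2).Decrypt(b, a) // step 2: decrypt with K2
	singleDES(k3).Encrypt(a, b) // step 3: encrypt with K3
	return a
}

// ede3Decrypt undoes the steps in reverse, each with its inverse operation: D_K1(E_K2(D_K3(c))).
func ede3Decrypt(k1, k2, k3, c []byte) []byte {
	a, b := make([]byte, des.BlockSize), make([]byte, des.BlockSize)
	singleDES(k3).Decrypt(a, c) // undo step 3: decrypt with K3
	singleDES(k2).Encrypt(b, a) // undo step 2: encrypt with K2
	singleDES(k1).Decrypt(a, b) // undo step 1: decrypt with K1
	return a
}

// libTripleDES encrypts one block with crypto/des's own 3DES (24-byte key K1||K2||K3) as a check.
func libTripleDES(k1, k2, k3, p []byte) []byte {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, p)
	return out
}

func main() {
	// Constructed keys and a single 8-byte block (no padding, no mode).
	k1, k2, k3 := []byte("key1-abc"), []byte("key2-def"), []byte("key3-ghi")
	p := []byte("8bytes!!")
	c := ede3Encrypt(k1, k2, k3, p)
	fmt.Println("matches crypto/des 3DES:", bytes.Equal(c, libTripleDES(k1, k2, k3, p)))
	fmt.Println("decrypts back to p:     ", bytes.Equal(ede3Decrypt(k1, k2, k3, c), p))
	// Two-key 3DES (K3 = K1) round-trips too; only 112 key bits remain.
	fmt.Println("2-key round trip:       ", bytes.Equal(ede3Decrypt(k1, k2, k1, ede3Encrypt(k1, k2, k1, p)), p))
	// With K1 = K2 = K3 the D_K2 step cancels E_K1, so 3DES is just DES.
	fmt.Println("1-key equals single DES:", bytes.Equal(ede3Encrypt(k1, k1, k1, p), singleDESEncrypt(k1, p)))
}
```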
