Hackers blind quantum cryptographers Posted by boss on Sunday, 29 August 2010 @ 21:45:08 EDT (335 reads) Topic Cryptography
cdupuis writes "As seen on the NatureNews web site at:
http://www.nature.com/news/2010/100829/full/news.2010.436.html
Hackers blind quantum cryptographers
Lasers crack commercial encryption systems, leaving no trace.
Zeeya Merali
A way to intercept photons of light to create a security leak has been discovered.
Quantum hackers have performed the first 'invisible' attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission — they have fully cracked their encryption keys, yet left no trace of the hack.
Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells.
Vadim Makarov at the Norwegian University of Science and Technology in Trondheim and his colleagues have now cracked it. "Our hack gave 100% knowledge of the key, with zero disturbance to the system," he says.
In standard quantum cryptographic techniques, the sender — called 'Alice' for convenience — generates a secret key by encoding classical bit values of 0 and 1 using two different quantum states of photons, or particles of light. The receiver, 'Bob', reads off these bit values using a detector that measures the quantum state of incoming photons. In theory, an eavesdropper, 'Eve', will disturb the properties of these photons before they reach Bob, so that if Alice and Bob compare parts of their key, they will notice a mismatch.
In Makarov and colleagues' hack, Eve gets round this constraint by 'blinding' Bob's detector — shining a continuous, 1-milliwatt laser at it. While Bob's detector is thus disabled, Eve can then intercept Alice's signal. The research is published online in Nature Photonics today[1].
Breaking the rules
The cunning part is that while blinded, Bob's detector cannot function as a 'quantum detector' that distinguishes between different quantum states of incoming light. However, it does still work as a 'classical detector' — recording a bit value of 1 if it is hit by an additional bright light pulse, regardless of the quantum properties of that pulse.
That means that every time Eve intercepts a bit value of 1 from Alice, she can send a bright pulse to Bob, so that he also receives the correct signal, and is entirely unaware that his detector has been sabotaged. There is no mismatch between Eve and Bob's readings because Eve sends Bob a classical signal, not a quantum one. As quantum cryptographic rules no longer apply, no alarm bells are triggered, says Makarov.
"We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing," says Makarov.
Makarov and his team have demonstrated that the hack works on two commercially available systems: one sold by ID Quantique (IDQ), based in Geneva, Switzerland, and one by MagiQ Technologies, based in Boston, Massachusetts. "Once I had the systems in the lab, it took only about two months to develop a working hack," says Makarov.
This is the latest in a line of quantum hacks. Earlier this year, a group led by Hoi-Kwong Lo at the University of Toronto in Ontario, Canada, also showed that an IDQ commercial system could be fully hacked. However, in that case, the eavesdropper did introduce some noticeable errors in the quantum key[2].
Grégoire Ribordy, chief executive of IDQ, says that the hack of Makarov and his group is "far more practical to implement and goes further than anything that has gone before".
Both IDQ and MagiQ welcome the hack for exposing potential vulnerabilities in their systems. Makarov informed both companies of the details of the hack before publishing, so that patches could be made, avoiding any possible security risk.
"We provide open systems for researchers to play with and we are glad they are doing it," says Anton Zavriyev, director of research and development at MagiQ.
Ribordy and Zavriyev stress that the open versions of their systems that are sold to university researchers are not the same as those sold for security purposes, which contain extra layers of protection. For instance, the fully commercial versions of IDQ's system also use classical cryptographic techniques as a safety net, says Ribordy.
Makarov agrees that the hack should not make people lose confidence in quantum cryptography. "Our work will ultimately make these systems stronger," he says. "If you want state-of-the-art security, quantum cryptography is still the best place to go."
"
Kobil SmartCard Reader hacked Posted by boss on Monday, 07 June 2010 @ 07:58:47 EDT (534 reads) Topic Cryptography
cdupuis writes "No broken seals: A Windows tool allows unsigned firmware to be installed.
A vulnerability in smartcard readers made by vendor Kobil[1] allows intruders to install specially crafted firmware without opening the sealed housing. Attackers could exploit this to read PINs such as those used for digital document signatures or to display forged data on-screen. To prevent such intrusions from happening, smartcard readers are usually subjected to a special security check before they are approved. Several leading institutions had tested the Kobil readers and confirmed that they complied with the strict German Signature Law (SigG) including the German Federal Office for Information Security (BSI). The German Central Credit Committee (Zentraler Kreditausschuss, ZKA) also approved the TriB@nk device for use with the "Geldkarte" application, and Secoder, the successor of HBCI, for home banking.

In its report on the affected Kobil devices, EMV-TriCAP Reader, SecOVID Reader III and KAAN TriB@nk, the BSI found[2] (German language link): "A firmware signature verification which uses the asymmetric ECDSA algorithm and a bit length of 192 guarantees firmware integrity and authenticity when loading new firmware into the chip card reader." This means it should be impossible to install firmware that does not have a vendor signature.
The reader's boot loader is responsible for checking the signature. A hacker using the name Colibri has managed to bypass the signature check by replacing the reader's boot loader with a specially crafted boot loader. The hacker introduced individual flash memory blocks in the wrong order, so that the memory contained some parts of the crafted boot loader and some parts of Kobil's signed boot loader – which was eventually accepted by the device. However, the crafted boot loader's signature check function was disabled, which allowed the hacker to flash arbitrary firmware onto the reader via USB. Colibri informed Kobil about the problem and released a fascinating and detailed report[3] (German language link) about the hack, as well as a Windows tool and firmware updates for reproducing the issue. Using this information, The H's associates at heise Security successfully managed to inject specially crafted firmware into a "Kaan Trib@nk" smartcard reader (version 79.22).
At the end of April, Kobil released[4] security update 79.23 for the Kaan TriB@nk to close the hole(s). According to Kobil's Head of Product Management and Development, Markus Tak, the update is also designed to prevent attackers from randomly updating memory blocks in the future.
The firmware can be replaced in just a few steps using a Windows tool. Although the hole was disclosed several weeks ago, publicly available information about this problem still remains sparse. While the German Federal Network Agency, being the responsible authority under section 3 of the German Signature Law (SigG), has issued a warning[5] (German language link) about the security hole on its web pages, the information so far doesn't seem to have reached the general user base.

When asked, the ZKA said that the vulnerability was not publicised because the issue affected a "limited group of customers" who were apparently informed directly by the vendor. Furthermore, the ZKA said that the applications for Geldkarte, HBCI and Secoder are not affected by the hole. However, the ZKA's press spokesperson was unable to explain why this should be the case.
Some savings banks have at least pointed out the problem on their web pages and recommend[6] (German language link) that users send their devices to Kobil, for an update. Potential residual risks reportedly make it advisable that users don't update the firmware themselves. In any case, the new firmware hasn't yet been certified. Kobil has not provided any updates for its EMV-TriCAP Reader and SecOVID Reader products, which are also affected.
Talking to heise Security, Colibri gave his hack an intermediate difficulty rating. The hacker said he has analysed devices as a hobby for years and considers other projects such as his analysis of the PowerVU encryption used in military transmissions much more difficult. Colibri said the most involved aspect of the hack was having to write a disassembler for the Toshiba processor used in Kobil's devices.
The vulnerability casts further bad light on security certifications for systems and software. Prof. Dr. Rainer W. Gerling, the Data Protection and IT Security Officer at the Max Planck Society for the Advancement of Science said in an interview with heise Security: "This hack shows that the quality of a certification depends on the creativity and imagination of the tester. This is a fundamental problem of certifications." It seems that the BSI testers were not the only ones who lacked imagination, because T-Systems also found[7] (German language link) in an independent test that the devices comply with the safe PIN entry requirements described in the German Signature Law and Signature Regulation.
URL of this Article: http://www.h-online.com/security/news/item/Kobil-smartcard-reader-hacked-1014651.html
Links in this Article: [1] http://www.kobil.com/ [2] https://www.bsi-fuer-buerger.de/cae/servlet/contentblob/485368/publicationFile/29542/02096_pdf.pdf [3] http://colibri.net63.net/Smartcard-Reader-Hack.htm [4] http://www.kobil.com/index.php?id=1364&L=0 [5] http://www.bundesnetzagentur.de/cln_1932/DE/Sachgebiete/QES/QES_node.html [6] https://www.sparkasse-kraichgau.de/privatkunden/konten_karten/online_mit_hbci/kaan/index.php [7] http://www.t-systems-zert.de/pdf/ein_02_sig_pro/zf_02219_d.pdf "
Researchers demonstrate brilliant quantum hack Posted by boss on Monday, 04 January 2010 @ 08:47:44 EST (588 reads) Topic Cryptography
Anonymous writes "
Two researchers have shown how they can eavesdrop unnoticed on a provably secure quantum key distribution. To do so, Qin Liu and Sebastien Sauge did not of course change the laws of quantum physics. Instead, in archetypal hacker fashion, they successfully attacked the weakest point of a real world, and thus imperfect, implementation of a quantum key distribution system.
Quantum key distribution (QKD) is aimed at permitting absolute security in exchanging secret keys. Simplifying somewhat, it is based on sending two quantum mechanically entangled photons, which can be measured as having a value of 0 or 1, to Alice and Bob. Until either Alice or Bob actually determines the state of one of the photons, that state remains indeterminate. The only certainty is that if Alice at some point measures a 1, Bob will also subsequently measure a 1. If a malicious Eve intercepts the photons, she can read the value, but having done so is unable, according to Heisenberg's uncertainty principle, to generate another photon with the same properties, thus allowing Bob to discover the subterfuge.
And this is where many real – and in some cases already commercially available – QKD systems fall down. Their detectors for measuring individual photons are in fact macroscopic systems. Liu and Sauge gave a live demonstration in Berlin, in which they blinded the detector from a typical QKD system using a bright light source so that it no longer responded to individual photons. The researchers could, though, still trigger the detector using intense targeted pulses. Instead of acting as a quantum mechanical measuring device, they turned Bob's detector into a kind of macroscopic switch, which they operated manually to spoof Bob photons with a specific (polarization) value.
The team was able to use this technique to eavesdrop on a real world QKD system which distributed keys over distances of 290 metres via fibre optic cables. Eve was able to successfully insert herself into the optical fibre and eavesdrop the full secret key without either Alice or Bob becoming aware of her subterfuge.
URL of this Article: http://www.h-online.com/security/news/item/26C3-Researchers-demonstrate-brilliant-quantum-hack-894215.html
Links in this Article: [1] http://events.ccc.de/congress/2009/Fahrplan/events/3576.en.html "
Practical AES attacks get closer Posted by boss on Monday, 03 August 2009 @ 16:15:27 EDT (1114 reads) Topic Cryptography
cdupuis writes "NOTE FROM CLEMENT: Another great article by The H Security website at: http://www.h-online.com/
Practical AES attacks get closer
Cryptologists have now developed even more sophisticated attacks on AES encryption systems. According to crypto expert Bruce Schneier, a team consisting of Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich and Adi Shamir have managed to crack reduced versions of AES-256 in a practical length of time. Attacking nine-round AES-256 required 2^39 time, which is even feasible with an ordinary PC, while ten-round would require 2^45. The time required for eleven rounds, however, is just above practicality at 2^70. The attack exploits a vulnerability in the key schedule, a function AES-256 uses to derive sub-keys from the main key.
While the new attacks represent major progress in the cryptanalysis of AES, they are still irrelevant for attacks against real-world AES implementations and this is not only because of the reduced number of rounds (by default, AES-256 uses 14 rounds). Also, the attack is a related-key attack, which means that the attacker must have access to the plaintext of several units of ciphertext encrypted with keys that are related in a specific way. Such scenarios can theoretically only be found, for example, in hard disk encryption and network protocols, where the individual block keys are generated in such a weak way.
That the new methods are completely ineffective, or nearly so, when attacking AES-128, which has the shortest keys, seems, at first glance, contradictory. The reason: Long keys provide a bigger target, that is more bits, for the cryptologists to establish mathematical relationships. To maintain the integrity of AES encryption Schneier suggests increasing the number of rounds before the first practical attacks reach the number of rounds used by standard AES: from ten to 16 for AES-128, from twelve to 20 for AES-192, and from 14 to 28 for AES-256. However, this considerably slows down the encryption process.
See also:
"
Encryption with elliptical curves scratched Posted by boss on Wednesday, 22 July 2009 @ 10:44:07 EDT (1087 reads) Topic Cryptography
cdupuis writes "
The PlayStation 3 cluster at the École Polytechnique Fédérale in Lausanne has cracked another cryptographic method: 112-bit elliptical curves

Researchers at the École Polytechnique Fédérale (EPFL) in Lausanne, Switzerland, have succeeded in cracking 112-bit encryption based on elliptical curves (ECCp-112). They calculated the secret key associated with a public key by solving the Discrete Logarithm Problem (DLP) for elliptical curves, which displays a complexity of 2^60 for the numbers involved. The cracked ECC system is a set of parameters defined by the secp112r1 standard. That puts it at the lower end of the specifications for ECC encryption systems.
The computation required around half a year on the EPFL cluster, consisting of some 200 PlayStation 3s that had already served to calculate the MD5 collision for creating a fake SSL issuer certificate from RapidSSL. The ECC code designed for the cell processor of the PlayStation 3 was optimised several times during the computation period, and the researchers say that, if the optimised code had been running from the start, the computation would only have taken three and a half months. The previous record was set in 2002, when a distributed cluster consisting of around 10,000 PCs cracked an ECC key within 549 days. At that time, researchers at Notre Dame University cracked an ECCp-109 key, three bits shorter than the new record.
Dr. Arjen Lenstra, who took part in the EPFL project, told heise Security that this result isn't actually a threat to the EC encryption systems used in practice. He said the weakest encryption encountered is based on 160-bit ECC and future developments in encryption standards would in any case have to be based on at least 224-bit ECC. According to the NIST transition proposal, ECCp-160, whose encryption strength is comparable with RSA-1024, must be replaced with a stronger variant after 2010 in order to obtain FIPS certification.
See original article on the fabulous H Security website at:
http://www.h-online.com/security/Encryption-with-elliptical-curves-scratched--/news/113753 "
Laser cracks 'unbreakable' quantum communications Posted by boss on Friday, 03 October 2008 @ 14:58:31 EDT (1227 reads) Topic Cryptography
03 October 20 NewScientist.com news service David Robson
Quantum cryptography is supposed to be unbreakable. But a flaw in a common type of equipment used makes it possible to intercept messages without detection.
Quantum cryptography has been used by some banks to protect data, and even to hide election results in Switzerland last year. But it has been discovered that shining bright light into the sensitive equipment needed makes it possible to hijack communications without a trace.
"It turns the equipment into a puppet-box that an eavesdropper can control," says Vadim Makarov from the Norwegian University of Science and Technology in Trondheim, who uncovered the vulnerability.
Super secret
Quantum cryptography relies on both users sharing a secret key, each digit of which is encoded into the polarisation of an individual light photon.
"Alice", the sender transmits a stream of photons signalling either 1s or 0s. But for each one she randomly chooses from one of two ways to encode the digit.
Because the receiver, "Bob", doesn't know which system Alice has used he must be able to decode both types and has two pairs of photon detectors – one for each system.
A beam splitter randomly directs each photon received to one of the pairs. If a photon reaches the correct pair it is decoded correctly, if not Bob receives a false result.
Once the transmission is over, Alice uses an unencrypted channel to tell Bob which system she used for each photon. Digits decoded wrongly are discarded to reveal the final secret key used to secure later communications.
In practice, these steps are carried out automatically by a computer system.
An eavesdropper, "Eve", who intercepts the transmission, must emulate Bob's detection method and then pass the data on to him unaltered to fool him into thinking everything is normal.
But quantum mechanics makes that impossible. The message will have been changed by Eve's interception to contain errors that reveal her presence when Alice and Bob compare notes later.
Dead giveaway
Now, however, Makarov and colleagues from Sweden and Russia have shown that Eve could control Bob's equipment, so that they both decode exactly the same digits from Alice's transmission.
When Alice later tells Bob which photons he encoded wrong, Eve can learn the key by listening in on the unencrypted message, and there are no extra errors to give her away.
The method exploits the way a common type of photon counter can have its sensitivity reduced by a very bright flash of light. The attack begins when Eve fires a pulse of laser light to all four detectors in Bob's equipment.
After that, Eve can send a second pulse and target it to just one of the four detectors. The pulse is a burst of many single photons all encoded using the same one of the two quantum systems, and all carrying the same digit.
Bob's beam splitter initially sends half the photons to each pair of detectors. Photons that reach the detector that is not designed for that encoding system are split again between the two detectors. But not enough power reaches them to exceed the newly raised sensitivity threshold.
The half of the initial pulse that reaches the pair designed for that encoding system are all directed to a single detector – this time with enough intensity to exceed its raised threshold, and it registers a digit.
So by sending on a sequence of encoded photons that are identical to the ones she receives from Alice, Eve can safely intercept a message without leaving the tell-tale quantum errors.
Flash in the pan?
Makarov and colleagues have now uncovered such vulnerabilities in two of the three types of quantum equipment commonly used. They are now investigating ways to solve the flaw without introducing more weaknesses.
Norbert Lütkenhaus from the Institute for Quantum Computing in Waterloo, Canada, acknowledges Makarov's team has discovered a flaw. But he points out that the stronger laser pulses used to prime the detector might be noticed by Bob, giving away the attack.
"I don't think it's a serious flaw," he says. Makarov counters that the initial bright flash would likely be mistaken for noise.
A paper on Makarov's work is available on the arXiv preprint server
See original story at:
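The sifting procedure and the detector-blinding attack described in the article above, as a simplified simulation added here (an illustration, not code from the article or from Makarov's group). It assumes ideal single photons, the passive beam splitter the article describes, a hypothetical input power monitor at Bob, and an assumed abort limit of 11% error rate.

```python
import random
from dataclasses import dataclass

QBER_ABORT = 0.11  # assumed abort limit; a commonly cited bound for BB84


@dataclass
class Result:
    sifted: int         # bits kept after Alice announces her bases
    qber: float         # share of sifted bits where Bob disagrees with Alice
    eve_known: float    # share of sifted bits Eve holds correctly
    bright_events: int  # arrivals a hypothetical input power monitor would flag


def measure(bit, prep_basis, meas_basis, rng):
    """Single photon: a matching basis returns the bit, a wrong basis a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n, mode="none", seed=1):
    """Simulate n photons. mode is 'none', 'intercept_resend' or 'blinding'."""
    if mode not in ("none", "intercept_resend", "blinding"):
        raise ValueError(f"unknown mode: {mode}")
    rng = random.Random(seed)  # constructed, reproducible sample run
    sifted = errors = eve_hits = bright = 0
    for _ in range(n):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        e_bit = None
        if mode == "none":
            # Bob's beam splitter sends the photon to a random detector pair.
            b_basis = rng.randint(0, 1)
            b_bit = measure(a_bit, a_basis, b_basis, rng)
        else:
            # Eve measures Alice's photon the same way Bob would.
            e_basis = rng.randint(0, 1)
            e_bit = measure(a_bit, a_basis, e_basis, rng)
            if mode == "intercept_resend":
                # Eve forwards one photon; Bob's basis is still random,
                # so her wrong guesses show up as errors at Bob.
                b_basis = rng.randint(0, 1)
                b_bit = measure(e_bit, e_basis, b_basis, rng)
            else:
                # Blinded detectors act classically: the bright pulse is
                # split between both pairs, and only the detector matching
                # Eve's basis and bit receives enough power to click.
                b_basis, b_bit = e_basis, e_bit
                bright += 1
        if a_basis == b_basis:  # sifting: keep only matching bases
            sifted += 1
            errors += b_bit != a_bit
            eve_hits += e_bit == a_bit
    if sifted == 0:
        return Result(0, 0.0, 0.0, bright)
    return Result(sifted, errors / sifted, eve_hits / sifted, bright)


def qber_alarm(result, limit=QBER_ABORT):
    """The check the protocol itself provides: abort on a high error rate."""
    return result.qber > limit


def power_alarm(result):
    """Hypothetical hardware check: any arrival above single-photon power."""
    return result.bright_events > 0


if __name__ == "__main__":
    for mode in ("none", "intercept_resend", "blinding"):
        r = run_bb84(20000, mode)
        print(f"{mode:17s} sifted={r.sifted} qber={r.qber:.3f} "
              f"eve_known={r.eve_known:.3f} qber_alarm={qber_alarm(r)} "
              f"power_alarm={power_alarm(r)}")
```

Plain intercept-and-resend pushes the error rate to about 25% and trips the error-rate check, while the blinded case leaves it at zero with Eve holding the whole sifted key; only the power monitor, the kind of observation Lütkenhaus alludes to, separates it from an undisturbed run.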
Quantum Key Cryptography Paper by At&T Posted by boss on Thursday, 28 August 2008 @ 13:34:32 EDT (1238 reads) Topic Cryptography
cdupuis writes "NOTE FROM CLEMENT:
Quantum cryptography and more specifically Quantum Key Cryptography or the Quantum Key Distribution Protocol is one of the new subjects covered within the CBK of ISC2. Here is a nice white paper you can read on the subject. It is detailed enough for the purpose of the exam.
Executive Summary
Quantum Cryptography is an emerging technology that may offer new forms of security protection. Relying on the laws of quantum mechanics, transmission is carried by a single particle that can only be measured one time, making encryption and decryption difficult to compromise.
Businesses are evaluating architectural solutions using Quantum Cryptography to understand its potential benefits. Future implementations of the technology may soon make it more available for enterprise business.
Click HERE to download Article [PDF, 412KB] "
Quantum Cryptography Cost are being reduced greatly Posted by boss on Wednesday, 04 June 2008 @ 01:22:07 EDT (1428 reads) Topic Cryptography
cdupuis writes "Two for One: NIST Design Enables More Cost Effective Quantum Key Distribution
A highly simplified schematic of a recipient's detectors in a quantum cryptography setup. Conventional cryptography setups (left) require at least two detectors, and the most common setup, known as BB84, requires four. By adding an optical component that delays the travel of photons to the detector, the number of required detectors is cut in half.
Credit: NIST
Researchers at the National Institute of Standards and Technology (NIST) have demonstrated a simpler and potentially lower-cost method for distributing strings of digits, or “keys,” for use in quantum cryptography, the most secure method of transmitting data. The new “quantum key distribution” (QKD) method, outlined in an upcoming paper,* minimizes the required number of detectors, by far the most costly components in quantum cryptography. Although this minimum-detector arrangement cuts transmission rates by half, the NIST system still works at broadband speeds, allowing, for example, real-time quantum encryption and decryption of webcam-quality video streams over an experimental quantum network.
In quantum cryptography, a recipient (named Bob) needs to measure a sequence of photons, or particles of light that are transmitted by a sender (named Alice). These photons have information encoded in their polarization, or direction of their electric field. In the most common polarization-based protocol, known as BB84, Bob uses four single-photon detectors, costing approximately $5,000-$20,000 each. One pair of detectors records photons with horizontal and vertical polarization, which could indicate 0 and 1 respectively. The other pair detects photons with “diagonal”, or +/- 45 degree, polarization in which the “northeast” and “northwest” directions alternatively denote 0 and 1.
In the new method, the researchers, led by NIST’s Xiao Tang, designed an optical component to make the diagonally polarized photons rotate by a further 45 degrees and arrive at the same detector but later, and into a separate “time bin”, than the horizontal/vertical polarized ones. Therefore, one pair of detectors can be used to record information from both kinds of polarized photons in succession, reducing the required number of detectors from four to two. In another protocol, called B92, the researchers reduced the required number of detectors from two to one. And in work performed since their new paper, the researchers further developed their approach so that the popular BB84 method now only requires one detector instead of four.
Although in theory quantum cryptography can transmit absolutely secure keys guaranteed by fundamental physical principles (measuring them will disturb their values and make an eavesdropper instantly known), the imperfect properties of photon detectors may undermine system security in practice. For example, photon detectors have an intrinsic problem known as “dead time,” in which a detector is out of commission for a short time after it records a photon, causing it to miss the bit of data that immediately follows; this could result in non-random (and therefore more predictable) bit patterns in which 0s alternate with 1s. Furthermore, inevitable performance differences between detector pairs can also cause them to record less random sequences of digits. The new design avoids these issues and maintains the security of quantum-key-distribution systems in practical applications.
* L. Ma, T. Chang, A. Mink, O. Slattery, B. Hershman and X. Tang. Experimental demonstration of a detection-time-bin-shift polarization encoding quantum key distribution system. IEEE Communications Letters Vol. 12, No. 6, June 2008. In press.
Media Contact: Ben Stein, bstein@nist.gov, (301) 975-3097
http://www.nist.gov/public_affairs/techbeat/tb2008_0528.htm#qkd "
Federal Government to deploy Full Disk Encryption on all government owned system Posted by boss on Thursday, 28 December 2006 @ 20:23:21 EST (2638 reads) Topic Cryptography
Anonymous writes "By Saqib Ali
December 28, 2006
To address the issue of data leaks from stolen or missing laptops, the US Government is planning to use Full Disk Encryption (FDE) on all of the Government owned computers. On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD.
The US Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The selected product will be deployed on millions of computers in the US federal government space. The evaluation will come to an end in 90 days.
The list of vendors participating in this contest, requirements, and other related documents are available at: http://www.fbo.gov/spg/USAF/AFMC/ESC/FA8771-07-R-0001/Attachments.html
Some of the popular FDE vendors participating in the contest include Seagate, Mobile Armor, Pointsec, SafeNet, and Credant.
As with any other encryption product being used by the Federal Government, the selected FDE product must have FIPS 140-2 certification. Currently Pointsec and Utimaco hold this certification for the software based FDE solutions.
Full disk encryption (or whole disk encryption) is a kind of disk encryption (software or hardware) which encrypts every bit of data that goes on a disk. The term "full disk encryption" is often used to signify that everything on a disk including the operating system is encrypted. There are also programs capable of encrypting an entire disk fully but cannot directly encrypt the system partition or boot partition of the operating system (e.g. TrueCrypt, which can fully encrypt, for example, an entire secondary hard disk).
Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of full disk encryption:
1. Everything including the swap space and the temporary files is encrypted. Encrypting these files is important, as they can reveal important confidential data.
2. With full disk encryption, the decision of which files to encrypt is not left up to users.
3. Support for pre-boot authentication.
In the light of recent laptop thefts and data security breaches, large corporations and government institutions are looking at various Full Disk Encryption (FDE) solutions to protect their confidential data on mobile devices. If you would like to discuss more about FDE deployment and FDE solutions in general, please join the FDE Mailing List.
Original article at: http://www.full-disk-encryption.net/fde_govt.html "
Great Crypto Tutorials available online for free Posted by boss on Wednesday, 07 June 2006 @ 15:11:07 EDT (2653 reads) Topic Cryptography
Great presentation on Cryptography available for download Posted by boss on Tuesday, 02 May 2006 @ 10:55:08 EDT (1888 reads) Topic Cryptography
Good day to all,
I would like to bring to your attention a nice tutorial on the subject of Cryptography that has just been added to the www.cccure.org web site.
This tutorial was produced by Robert Beggs, it is a great document.
Thanks Robert for allowing me to report on http://www.cccure.org
You can get the document at:
http://www.cccure.org/modules.php?name=Downloads&d_op=getit&lid=262
MindTerm SSH Posted by boss on Tuesday, 02 May 2006 @ 09:45:16 EDT (1849 reads) Topic Cryptography
jdupuis writes "MindTerm
Appgate’s MindTerm SSH application runs either as a standalone application or as a Java applet. This application is known to work with Windows 95, 98, ME, NT, XP, 2000, Linux, Solaris Sparc and x86, HP-UX, Nokia Communicator, Psion Netpad and many other handheld devices. MindTerm features include SSH1 & SSH2, TCP traffic tunnelling, X11 forwarding, a full-featured terminal emulator, terminal cloning, SOCKS & FTP proxy, SFTP, SCP and a variety of ciphers such as AES (128, 192, 256), blowfish and cast128 as well as hmac-md5, hmac-sha1, hmac-md5-96 and hmac-sha1-96 hashes.
Appgate’s MindTerm SSH is offered for personal or limited commercial use or as a fully licensed commercial product which provides added features to the ones mentioned above.
For the Linux enthusiasts who want to get MindTerm to work as a Java applet on their web server, an index.html file is required with the parameters provided from the Appgate manual, which can be downloaded at the following URL: http://www.appgate.com/products/80_MindTerm/110_MindTerm_Download/ Many other features are also available for configuration.
To provide the SFTP and SCP features of MindTerm, a signed Java applet is needed for direct access to the hard drive; below are simple instructions to accomplish this task.
To get started, simply download MindTerm from the above link to your Linux web server in the DocumentRoot path to allow for web access. In order to sign the MindTerm Java applet, install Sun’s j2sdk package and run the following commands.
1. keytool -genkey -keyalg rsa -alias MyCert -validity 3650
2. jarsigner mindterm.jar MyCert
3. copy HTML and signed JAR file to the server’s DocumentRoot path /var/www/html and chmod 644
Once the above has been performed, you have a full SSH web-based client with tunnelling, SFTP and many other access capabilities to your site or home office.
This Java application has been developed with security in mind, with the many ciphers, hashes and configuration features that are available. The convenience of the web-based client and port forwarding provides IT professionals with secure communication with the internal LAN without the inconvenience of carrying around the required software for remote access. "
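An added example (not part of the original post and not Appgate's code): a Python check of what signing leaves in a JAR, namely signature files under META-INF/ and per-entry digests in MANIFEST.MF, so that a file swapped after signing shows up. It does not validate the signature itself, which `jarsigner -verify` does; the sample JAR, its entry name and the placeholder signature files are constructed.

```python
import base64, hashlib, io, zipfile

SIG_EXT = (".SF", ".RSA", ".DSA", ".EC")  # signature files a signed JAR carries

def manifest_digests(text):
    """Map entry name -> (algorithm, base64 digest) from MANIFEST.MF text."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    found = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        for key, value in attrs.items():
            if "Name" in attrs and key.endswith("-Digest"):
                found[attrs["Name"]] = (key[:-len("-Digest")], value)
    return found

def check_jar(data):
    """Return (signature_files, unlisted, mismatched) for JAR bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        sigs = sorted(n for n in names if n.upper().startswith("META-INF/")
                      and n.upper().endswith(SIG_EXT))
        mf = "META-INF/MANIFEST.MF"
        listed = manifest_digests(jar.read(mf).decode()) if mf in names else {}
        entries = [n for n in names if n != mf and n not in sigs]
        unlisted = [n for n in entries if n not in listed]  # no digest recorded
        mismatched = []
        for n in (e for e in entries if e in listed):
            algo, expected = listed[n]
            digest = hashlib.new(algo.replace("-", "").lower(), jar.read(n)).digest()
            if base64.b64encode(digest).decode() != expected:
                mismatched.append(n)  # content differs from what the manifest records
    return sigs, unlisted, mismatched

def build_sample(payload, recorded=None):
    """Constructed JAR whose manifest records the digest of `recorded`."""
    b64 = base64.b64encode(hashlib.sha256(recorded or payload).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: com/example/Main.class\r\n"
                f"SHA-256-Digest: {b64}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in (("META-INF/MANIFEST.MF", manifest),
                           ("META-INF/MYCERT.SF", "placeholder, not a real signature"),
                           ("META-INF/MYCERT.RSA", "placeholder, not a real signature"),
                           ("com/example/Main.class", payload)):
            jar.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    print(check_jar(build_sample(b"original")))
    print(check_jar(build_sample(b"swapped", recorded=b"original")))
```

An empty first element means the JAR carries no signature files at all; a non-empty third element means an entry was changed after the manifest was written.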
NSA advises switch to faster, lighter crypto Posted by boss on Monday, 12 December 2005 @ 08:16:20 EST (1592 reads) Topic Cryptography
cdupuis writes "
The National Security Agency wants federal agencies to consider using a group of algorithms it refers to as Suite B to satisfy future cryptographic requirements. Suite B contains NSA-approved cryptographic algorithms of various key sizes to protect classified and unclassified but sensitive information. NSA has posted a notice about Suite B on its Web site.
With little fanfare, the federal government has been conducting a cryptographic modernization program for the past several years. Suite B is part of that modernization effort. Agencies preparing to issue mandatory federal identity cards containing cryptographic software should be aware of Suite B, even though the Federal Information Processing Standard (FIPS) 201 for identity cards makes no specific reference to it, said Brendan Ziolo, marketing director at Certicom. The company’s elliptic curve cryptographic (ECC) algorithms are included in Suite B.
FIPS 201 allows agencies to choose ECC or Rivest-Shamir-Adleman (RSA) algorithms for digital signatures and cryptographic key exchanges. The standard is not yet completely aligned with NSA’s guidance on Suite B, Ziolo said. But if agencies want to simplify their transition to Suite B, he added, they should ask identity card suppliers about including ECC algorithms on the cards that agencies must begin issuing next year under Homeland Security Presidential Directive 12.
ECC offers greater security and more efficient performance than RSA and other widely used first-generation public key algorithms, according to NSA’s notice. “As vendors look to upgrade their systems, they should seriously consider the elliptic curve alternative[s] for the computational and bandwidth advantages they offer at comparable security,” the notice states.
Agencies and their suppliers might consider building FIPS 201-compliant identity cards with both RSA and ECC algorithms or, at least, they should have an ECC transition plan, Ziolo said.
For the federal identity card program, agencies have to buy more than smart cards. They must also acquire card readers and have access to a public-key infrastructure (PKI). “Card readers need to catch up so they can support ECC,” Ziolo said. “The PKI backend will need to support ECC as well,” he said.
In October 2003, NSA licensed 26 ECC patents from Certicom for $25 million. Because ECC offers small key sizes, it is suited for small devices, such as smart cards, for which speedy cryptography is also desirable, Ziolo said.
Original article at: http://www.fcw.com/article91669-12-09-05-Web&newsletter%3Dyes "
TrueCrypt Encryption Tool Posted by boss on Thursday, 10 November 2005 @ 09:25:56 EST (1810 reads) Topic Cryptography
Anonymous writes "T r u e C r y p t
Free open-source disk encryption software for Windows XP/2000/2003 and Linux
It can create a virtual encrypted disk within a file and mount it as a real disk.
It can encrypt an entire hard disk partition or a device, such as a USB memory stick, floppy disk, etc.
TrueCrypt provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Through the use of Hidden Volumes. More information may be found at http://www.truecrypt.org/hiddenvolume.php
2) No TrueCrypt volume can be identified (TrueCrypt volumes cannot be distinguished from random data).
Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent
(256-bit key), Triple DES, and Twofish (256-bit key). Supports
cascading (e.g., AES-Twofish-Serpent).
This tool is based on Encryption for the Masses (E4M) 2.02a, which was conceived in 1997.
Further information regarding the features of the software may be found in the documentation located at: http://www.truecrypt.org/documentation.php
Find out what is new in TrueCrypt 4.0 at: http://www.truecrypt.org/history.php
Statistics (number of downloads) available at: http://www.truecrypt.org/statistics.php "
Cryptool A great tool to learn more about cryptography Posted by boss on Thursday, 22 September 2005 @ 00:24:23 EDT (1694 reads) Topic Cryptography
Hi Clement
I found a very good tool to learn Cryptography and Cryptanalysis. It is called Cryptool. Nice for novice or expert, especially good for learning / teaching crypt.
http://www.cryptool.org/
CrypTool
A free software program
- for creating awareness of IT security issues
- for learning about and obtaining experience of cryptography
- for demonstrating encryption algorithms and analysis procedures
1. What is CrypTool?
- a freeware Program with graphical user interface
- a tool for applying and analysing cryptographic algorithms
- with extensive online help, understandable without deep crypto knowledge
- contains nearly all state of the art crypto algorithms
- “playful” introduction to modern and classical cryptography
- not a “hacker tool”
2. Why CrypTool?
- origin in Deutsche Bank’s IT security awareness program
- developed in co-operation with universities
- improve IT security related courses in universities and companies
3. Audience
- target group: students of computer science, commercial IT and mathematics
- also aimed at: interested computer users and application developers
- prerequisites: secondary school mathematics or programming skills
Submitted by Jaganmohan Kataru CISSP, MCSE