When it comes to protecting sensitive information like financial data, personal information, and intellectual property, encryption has become a must. By scrambling data through the use of algorithms, only those with access to decryption keys are able to read what's being secured. Encrypted traffic has fulfilled its intended mission: to lock down data. But, could it simultaneously be helping bad actors slip by undetected? And could encrypted traffic actually make it harder for network defenders to spot threats before it's too late? To find out, we sat down with Phil Owens, VP of customer solutions at Stamus Networks. Phil believes… [Continue Reading]

The ability to share secure links for video calls is just one of the privacy-focused messaging app's new features.

Image encryption is a critical and attractive issue in digital image processing that has gained approval and interest of many researchers in the world. A proposed hybrid encryption method was implemented by using the combination of the Nahrain chaotic map with a well-known optimised algorithm namely the grey wolf optimisation (GWO). It was noted from analysing the results of the experiments conducted on the new hybrid algorithm, that it gave strong resistance against expected statistical invasion as well as brute force. Several statistical analyses were carried out and showed that the average entropy of the encrypted images is near to its ideal information entropy.

With the continuous growth and importance of data, the need for strong data protection becomes crucial. Encryption plays a vital role in preserving the confidentiality of data, and attribute-based encryption (ABE) offers a meticulous access control system based on attributes. This study investigates the integration of Fernet encryption with initialisation vector (IV) and ABE, resulting in a hybrid encryption approach that enhances both security and flexibility. By combining the advantages of Fernet encryption and IV-based encryption, the hybrid encryption scheme establishes an effective and robust mechanism for safeguarding data. Fernet encryption, renowned for its simplicity and efficiency, provides authenticated encryption, guaranteeing both the confidentiality and integrity of the data. The incorporation of an initialisation vector (IV) introduces an element of randomness into the encryption process, thereby strengthening the overall security measures. This research paper discusses the advantages and drawbacks of the hybrid encryption of Fernet and IV with ABE.

With AXIS OS 11.8, MACsec is enabled by default. Data is encrypted at the Ethernet Layer 2 network level, safeguarding the integrity of data being transferred between Axis devices and MACsec-enabled Ethernet switches.

A new report by the National Academies of Sciences, Engineering, and Medicine proposes a framework for evaluating proposals to provide authorized government agencies with access to unencrypted versions of encrypted communications and other data.

The universally used Advanced Encryption Standard (AES) encryption can now be dramatically upgraded and customized by a patented technology called the Finite Lab-Transform (FLT).

The universally used Advanced Encryption Standard (AES) encryption can now be dramatically upgraded and customized by a patented technology called the Finite Lab-Transform (FLT)

This innovative offering sets a new standard for secure digital storing, document preservation, and evidence archiving and management

ETSI releases the first Group Report on Encrypted Traffic Integration, protecting end users from malicious attacks

Sophia Antipolis, 1 September 2021

ETSI’s Industry Specification Group on Encrypted Traffic Integration (ISG ETI) has concluded the early part of its work, by identifying problems arising from pervasive encrypted traffic in communications networks.

Read More...

ETSI Encrypted Traffic Integration group extends term to work on cryptographic and key management models

Sophia Antipolis, 2 August 2022

ETSI has recently extended the term of its Industry Specification Group Encrypted Traffic Integration (ISG ETI) for a two-year period through to mid-2024 to work on specific cryptographic and key management models.

Read More...

Péter Budai and Kim Carter discuss End to End Encryption (E2EE), backdoors, the scenarios where E2EE can be and should be used. IM, VoIP, Email scenarios, interservice communication scenarios such as securing data in use.

QSTR-USSD - Low resource requirement, quantum resistant, encryption of USSD messages for use in financial services

A recent study critically examines the security of popular end-to-end encrypted (E2EE) cloud storage providers, uncovering significant vulnerabilities in platforms widely marketed for their user-controlled privacy features.

Windows 11 includes a full-disk encryption feature called Device encryption that protects the data on your system drive. Device encryption uses Microsoft BitLocker technologies, and it's enabled automatically the first time you sign in to Windows 11 using a Microsoft account (or Microsoft Work or school account).
Technically speaking, Device encryption does not encrypt your entire system disk, which is divided into different logical volumes or partitions. Instead, it encrypts the C: drive, which is the volume that contains Windows and other system files. (This drive is often referred to as the system disk.) Any other volumes on this disk will not be encrypted (nor visible normally while using Windows 11).
If you sign in to Windows 11 with a local account, Device encryption will be enabled automatically but not activated (or, fully enabled). If you are using Windows 11 Home, you can only activate Device encryption by signing in to Windows (at least once) with a Microsoft account.
With Windows 11 Pro, you can use the BitLocker control panel, described later in this chapter, to activate Device encryption.
For the most part, Device encryption is seamless and not something you will notice. But it is important to understand that any files that you copy or move to an encrypted disk are encrypted during the copy/move process. Likewise, any files that you copy or move from an encrypted disk are decrypted during that process as well. Decrypted files can be read or used by anyone, on any PC.
When enabled, Device encryption also provides some additional functionality to the system disk on which Windows is installed. For example, when the PC boots, it will examine the integrity of the system to ensure that nothing suspicious has happened to the PC's firmware or startup files. If an issue is found, you'll be prompted to provide the recovery key, which was saved to your Microsoft account (or Work and school account) in the form of a very lengthy text-based password. (This is discussed below.)
Manage device encryption
Device encryption doesn't offer much in the way of management: This feature is enabled for you automatically when you sign in to Windows 11 using a Microsoft account. However, you can ensure that device encryption is enabled and even disable this feature--which we do not recommend--using the Settings app.

To do so, open Settings (WINKEY + I) and navigate to Privacy & security > Device encryption.

If you just signed in to Windows 11 for the first time, you may see an "Encryption is in progress" message at the top of this Settings page. That message will disappear when Windows 11 finishes encrypting the system disk.
Here, you will find a toggle for device encryption and links to "BitLocker drive encryption" and "Find your BitLocker recovery key," the latter of which launches your default web browser and displays an informational website.
If you are using Windows 11 Pro, the "BitLocker drive encryption" link will open the Bi...

The post Device Encryption (24H2) appeared first on Thurrott.com.

In this episode, Tyler demonstrates how to encrypt an external disk on macOS for improved security of the disk's contents.

To encrypt a disk formatted as Apple File System, (APFS) connect it to your Mac, focus on it on the Desktop or Finder sidebar, and choose "Encrypt [disk name]" from the context menu (accessed by pressing VO-Shift-M). You'll then be prompted to create a password for the disk, which will be required to access its contents. As this password is the only way to access the disk's contents, it should be reasonably difficult for others to guess, but easy enough for you to remember.

The next time you connect the disk to your Mac, you'll be prompted for this password, and given the option to remember it in your Mac's Login keychain. This way, you won't need to enter the password when connecting the disk to your Mac, but others will if connecting the disk to theirs. Saved passwords in your Mac's Login keychain can be viewed and edited in Keychain Access (located in the Utilities folder).

If the disk you want to encrypt uses a different file system, like Mac OS Extended or XFAT, you must erase and reformat it as APFS. Note that this process will erase all data on the disk, so be sure to move anything you want to keep to another location before doing so. To erase and reformat a disk:

1. Open Disk Utility (located in the Utilities folder) and choose View > Show all devices (or press Command-2).
2. Select the top level of the external disk in the table and choose Edit > Erase (or press Command-Shift-E). If you’re unsure of what disk is what, you may wish to disconnect other external disks to avoid inadvertently erasing the wrong one.
3. In the resulting dialog, give the disk a name and choose “APFS (Encrypted),” from the format popup menu.
4. Enter the password you want to encrypt the disk with, click Choose, and then click Erase to begin the process.

Note: APFS-formatted Disks are not natively compatible with non-Apple platforms like Windows or Linux. To use an APFS-formatted disk with a non-Apple platform, use something like APFS for Windows, or APFS for Linux.

Police revealed Tuesday they had infiltrated and taken down an encrypted chat app called Ghost used by criminals across the world.

Cadence PCIe/CXL VIP support for Partial Header Encryption in Integrity and Data Encryption.(read more)

Peripheral Component Interconnect Express (PCIe) is a high-speed interface standard widely used for connecting processors, memory, and peripherals. With the increasing reliance on PCIe to handle sensitive data and critical high-speed data transfer, ensuring data integrity and encryption during verification is the most essential goal. As we know, in the field of verification, randomization is a key technique that drives robust PCIe verification. It introduces unpredictability to simulate real-world conditions and uncover hidden bugs from the design. This blog examines the significance of randomization in PCIe IDE verification, focusing on how it ensures data integrity and encryption reliability, while also highlighting the unique challenges it presents. For more relevant details and understanding on PCIe IDE you can refer to Introducing PCIe's Integrity and Data Encryption Feature . The Importance of Data Integrity and Data Encryption in PCIe Devices Data Integrity : Ensures that the transmitted data arrives unchanged from source to destination. Even minor corruption in data packets can compromise system reliability, making integrity a critical aspect of PCIe verification. Data Encryption : Protects sensitive data from unauthorized access during transmission. Encryption in PCIe follows a standard to secure information while operating at high speeds. Maintaining both data integrity and data encryption at PCIe’s high-speed data transfer rate of 64GT/s in PCIe 6.0 and 128GT/s in PCIe 7.0 is essential for all end point devices. However, validating these mechanisms requires comprehensive testing and verification methodologies, which is where randomization plays a very crucial role. You can refer to Why IDE Security Technology for PCIe and CXL? for more details on this. Randomization in PCIe Verification Randomization refers to the generation of test scenarios with unpredictable inputs and conditions to expose corner cases. In PCIe verification, this technique helps us to ensure that all possible behaviors are tested, including rare or unexpected situations that could cause data corruption or encryption failures that may cause serious hindrances later. So, for PCIe IDE verification, we are considering the randomization that helps us verify behavior more efficiently. Randomization for Data Integrity Verification Here are some approaches of randomized verifications that mimic real-world traffic conditions, uncovering subtle integrity issues that might not surface in normal verification methods. 1. Randomized Packet Injection: This technique randomized data packets and injected into the communication stream between devices. Here we Inject random, malformed, or out-of-sequence packets into the PCIe link and mix valid and invalid IDE-encrypted packets to check the system’s ability to detect and reject unauthorized or invalid packets. Checking if encryption/decryption occurs correctly across packets. On verifying, we check if the system logs proper errors or alerts when encountering invalid packets. It ensures coverage of different data paths and robust protocol check. This technique helps assess the resilience of the IDE feature in PCIe in below terms: (i) Data corruption: Detecting if the system can maintain data integrity. (ii) Encryption failures: Testing the robustness of the encryption under random data injection. (iii) Packet ordering errors: Ensuring reordering does not affect data delivery. 2. Random Errors and Fault Injection: It involves simulating random bit flips, PCRC errors, or protocol violations to help validate the robustness of error detection and correction mechanisms of PCIe. These techniques help assess how well the PCIe IDE implementation: (i) Detects and responds to unexpected errors. (ii) Maintains secure communication under stress. (iii) Follows the PCIe error recovery and reporting mechanisms (AER – Advanced Error Reporting). (iv) Ensures encryption and decryption states stay synchronized across endpoints. 3. Traffic Pattern Randomization: Randomizing the sequence, size, and timing of data packets helps test how the device maintains data integrity under heavy, unpredictable traffic loads. Randomization for Data Encryption Verification Encryption adds complexity to verification, as encrypted data streams are not readable for traditional checks. Randomization becomes essential to test how encryption behaves under different scenarios. Randomization in data encryption verification ensures that vulnerabilities, such as key reuse or predictable patterns, are identified and mitigated. 1. Random Encryption Keys and Payloads: Randomly varying keys and payloads help validate the correctness of encryption without hardcoding assumptions. This ensures that encryption logic behaves correctly across all possible inputs. 2. Randomized Initialization Vectors (IVs): Many encryption protocols require a unique IV for each transaction. Randomized IVs ensure that encryption does not repeat patterns. To understand the IDE Key management flow, we can follow the below diagram that illustrates a detailed example key programming flow using the IDE_KM protocol. Figure 1: IDE_KM Example As Figure 1 shows, the functionality of the IDE_KM protocol involves Start of IDE_KM Session, Device Capability Discovery, Key Request from the Host, Key Programming to PCIe Device, and Key Acknowledgment. First, the Host starts the IDE_KM session by detecting the presence of the PCIe devices; if the device supports the IDE protocol, the system continues with the key programming process. Then a query occurs to discover the device’s encryption capabilities; it ensures whether the device supports dynamic key updates or static keys. Then the host sends a request to the Key Management Entity to obtain a key suitable for the devices. Once the key is obtained, the host programs the key into the IDE Controller on the PCIe endpoint. Both the host and the device now share the same key to encrypt and authenticate traffic. The device acknowledges that it has received and successfully installed the encryption key and the acknowledgment message is sent back to the host. Once both the host and the PCIe endpoint are configured with the key, a secure communication channel is established. From this point, all data transmitted over the PCIe link is encrypted to maintain confidentiality and integrity. IDE_KM plays a crucial role in distributing keys in a secure manner and maintaining encryption and integrity for PCIe transactions. This key programming flow ensures that a secure communication channel is established between the host and the PCIe device. Hence, the Randomized key approach ensures that the encryption does not repeat patterns. 3. Randomization PHE: Partial Header Encryption (PHE) is an additional mechanism added to Integrity and Data Encryption (IDE) in PCIe 6.0. PHE validation using a variety of traffic; incorporating randomization in APIs provided for validating PHE feature can add more robust Encryption to the data. Partial Header Encryption in Integrity and Data Encryption for PCIe has more detailed information on this. Figure 2: High-Level Flow for Partial Header Encryption 4. Randomization on IDE Address Association Register values: IDE Address Association Register 1/2/3 are supposed to be configured considering the memory address range of IDE partner ports. The fields of IDE address registers are split multiple values such as Memory Base Lower, Memory Limit Lower, Memory Base Upper, and Memory Limit Upper. IDE implementation can have multiple register blocks considering addresses with 32 or 64, different registers sizes, 0-255 selective streams, 0-15 address blocks, etc. This Randomization verification can help verify all the corner cases. Please refer to Figure 2. Figure 3: IDE Address Association Register 5. Random Faults During Encryption: Injecting random faults (e.g., dropped packets or timing mismatches) ensures the system can handle disruptions and prevent data leakage. Challenges of IDE Randomization and its Solution Randomization introduces a vast number of scenarios, making it computationally intensive to simulate every possibility. Constrained randomization limits random inputs to valid ranges while still covering edge cases. Again, using coverage-driven verification to ensure critical scenarios are tested without excessive redundancy. Verifying encrypted data with random inputs increases complexity. Encryption masks data, making it hard to verify outputs without compromising security. Here we can implement various IDE checks on the IDE callback to analyze encrypted traffic without decrypting it. Randomization can trigger unexpected failures, which are often difficult to reproduce. By using seed-based randomization, a specific seed generates a repeatable random sequence. This helps in reproducing and analyzing the behavior more precisely. Conclusion Randomization is a powerful technique in PCIe verification, ensuring robust validation of both data integrity and data encryption. It helps us to uncover subtle bugs and edge cases that a non-randomized testing might miss. In Cadence PCIe VIP, we support full-fledged IDE Verification with rigorous randomized verification that ensures data integrity. Robust and reliable encryption mechanisms ensure secure and efficient data communication. However, randomization also brings various challenges, and to overcome them we adopt a combination of constrained randomization, seed-based testing, and coverage-driven verification. As PCIe continues to evolve with higher speeds and focuses on high security demands, our Cadence PCIe VIP ensures it is in line with industry demand and verify high-performance systems that safeguard data in real-world environments with excellence. For more information, you can refer to Verification of Integrity and Data Encryption(IDE) for PCIe Devices and Industry's First Adopted VIP for PCIe 7.0 . More Information: For more info on how Cadence PCIe Verification IP and TripleCheck VIP enables users to confidently verify IDE, see our VIP for PCI Express , VIP for Compute Express Link for and TripleCheck for PCI Express For more information on PCIe in general, and on the various PCI standards, see the PCI-SIG website .

Cadence Clarity 3D Solver supports encrypted component models! Using this functionality, vendors can supply their 3D components, such as connectors, to end customers without revealing the physical IP of these designs. The first connector vendor to take advantage of this functionality is Japan Aviation Electronics (JAE),(read more)

Produced by WIRED Brand Lab with AWS | Data security is top priority when building a product in its early stages, but not all software developers have expertise in it. The team at Evervault sought a solution and used AWS' Nitro Enclaves to create it. The result of this collaboration is Evervault Encryption Engine - or E3 - which provides highly constrained compute environments where sensitive data can be securely decrypted and processed. Since AWS and Nitro Enclaves are globally available on demand, Evervault easily provides affordable and secure encryption tools to developers everywhere, allowing for all software developers to ensure data security. 

A new report by the National Academies of Sciences, Engineering, and Medicine proposes a framework for evaluating proposals to provide authorized government agencies with access to unencrypted versions of encrypted communications and other data.

The company is planning to develop tools that will give more controls to meeting hosts and allow users to securely join a meeting.

The company is planning to develop tools that will give more controls to meeting hosts and allow users to securely join a meeting.

Signals that coordinate the rhythms of our heart and lungs offer inspiration for creating 'unbreakable' security codes.

Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company’s massive user base.

read more

Installing an SSL certificate on your domain is an essential step you should take to secure your WordPress site and now with Let’s Encrypt you can get one for free.

I'll admit I was late to the HTTPS party.

But post Snowden, and particularly after the result of the last election here in the US, it's clear that everything on the web should be encrypted by default.

Why?

0. You have an unalienable right to privacy, both in the real world

Public key encryption with equality test (PKEET) allows testing whether two ciphertexts are generated by the same message or not. PKEET is a potential candidate for many practical applications like efficient data management on encrypted databases. Potential applicability of PKEET leads to intensive research from its first instantiation by Yang et al. (CT-RSA 2010). Most of the followup constructions are secure in the random oracle model. Moreover, the security of all the concrete constructions is based on number-theoretic hardness assumptions which are vulnerable in the post-quantum era. Recently, Lee et al. (ePrint 2016) proposed a generic construction of PKEET schemes in the standard model and hence it is possible to yield the first instantiation of PKEET schemes based on lattices. Their method is to use a $2$-level hierarchical identity-based encryption (HIBE) scheme together with a one-time signature scheme. In this paper, we propose, for the first time, a direct construction of a PKEET scheme based on the hardness assumption of lattices in the standard model. More specifically, the security of the proposed scheme is reduces to the hardness of the Learning With Errors problem.

Homomorphic encryption (HE) allows direct computations on encrypted data. Despite numerous research efforts, the practicality of HE schemes remains to be demonstrated. In this regard, the enormous size of ciphertexts involved in HE computations degrades computational efficiency. Near-memory Processing (NMP) and Computing-in-memory (CiM) - paradigms where computation is done within the memory boundaries - represent architectural solutions for reducing latency and energy associated with data transfers in data-intensive applications such as HE. This paper introduces CiM-HE, a Computing-in-memory (CiM) architecture that can support operations for the B/FV scheme, a somewhat homomorphic encryption scheme for general computation. CiM-HE hardware consists of customized peripherals such as sense amplifiers, adders, bit-shifters, and sequencing circuits. The peripherals are based on CMOS technology, and could support computations with memory cells of different technologies. Circuit-level simulations are used to evaluate our CiM-HE framework assuming a 6T-SRAM memory. We compare our CiM-HE implementation against (i) two optimized CPU HE implementations, and (ii) an FPGA-based HE accelerator implementation. When compared to a CPU solution, CiM-HE obtains speedups between 4.6x and 9.1x, and energy savings between 266.4x and 532.8x for homomorphic multiplications (the most expensive HE operation). Also, a set of four end-to-end tasks, i.e., mean, variance, linear regression, and inference are up to 1.1x, 7.7x, 7.1x, and 7.5x faster (and 301.1x, 404.6x, 532.3x, and 532.8x more energy efficient). Compared to CPU-based HE in a previous work, CiM-HE obtain 14.3x speed-up and >2600x energy savings. Finally, our design offers 2.2x speed-up with 88.1x energy savings compared to a state-of-the-art FPGA-based accelerator.

A method for encrypting data on a disk drive using self encrypting drive is provided. The method includes encryption of data chunks of a computing device. The method further includes associating the encrypted data chunks with encryption key indexes of the computing device. Moreover, the method further includes receiving the encryption key indexes for given logical block addresses of the data chunks. The method further includes determining the encryption keys to be used to encrypt the data chunks based on the encryption key indexes of the data chunks to the disk drive.

A method begins with a processing module obtaining data to store and determining whether substantially similar data to the data is stored. When the substantially similar data is not stored, the method continues with the processing module generating a first encryption key based on the data, encoding the first encryption key into encoded data slices in accordance with an error coding dispersal storage function, and storing the encoded data slices in a dispersed storage network (DSN) memory. The method continues with the processing module encrypting the data using an encryption key of the substantially similar data in accordance with an encryption function to produce encrypted data, compressing the encrypted data in accordance with a compression function to produce compressed data, storing the compressed data when the substantially similar data is stored.

A system is disclosed comprising multiple sets of client computers each client computer having installed thereon an application program The application program comprising client computer specific log-in information, a database system coupled to the set of client computers via a network. The database system having a log-in component for logging-in the client computers, and being partitioned into multiple relational databases each one of which is assigned to one set of the sets of client computers. Each database further storing encrypted data items, each data item being encrypted with one of the user or user-group specific cryptographic keys, the key identifier of the cryptographic key with which one of the data items is encrypted being stored in the database as an attribute of the one of the encrypted data items. The log-in component comprising assignment information indicative of the assignment of the databases to the set of client computers.

Data is secured on a device in communication with a remote location using a password and content protection key. The device stores data encrypted using a content protection key, which itself may be stored in encrypted form using the password and a key encryption key. The remote location receives a public key from the device. The remote location uses the public key and a stored private key to generate a further public key. The further public key is sent to the device. The device uses the further public key to generate a key encryption key, which is then used to decrypt the encrypted content protection key. A new content encryption key may then be created.

A system administrator of a wireless LAN 100 manipulates a personal computer PC1 to change a WEP key. The personal computer PC1 authenticates a memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, changed setting information, as well as a previous WEP key before the change of the setting information, is written into the memory card MC. The system administrator then inserts this memory card MC into a memory card slot of a printer PRT1. The printer PRT1 authenticates the memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, the setting information is updated. This arrangement effectively relieves the user's workload in setting wireless communication devices, while ensuring the sufficiently high security.

A data source may be configured to provide usage data including subscriber identifiers and associated information indicative of subscriber device locations and usage. A data warehouse server may be configured to perform operations including: decrypting subscriber identifiers included in usage data received from the data source using a two-way rolling key groups algorithm; re-encrypting the subscriber identifiers decrypted from the usage data to create secure encrypted identifiers using a one-way secured encryption algorithm; and correlating the subscriber identifiers in the decrypted usage data with the corresponding re-encrypted identifiers.

A system apparatus and method for protecting information are provided. Embodiments of the invention may detect inactivity related to a computing device. Information and encryption key may be removed from a memory. Subsequent activity may be detected. An authentication procedure may be performed, and, contingent on authenticating a relevant entity, a master key may be generated and installed in a memory.