
March 26, 2006

Secure Hash Algorithm

The SHA (Secure Hash Algorithm) family is a set of related cryptographic hash functions. The most widely used member of the family, SHA-1, is employed in a large variety of popular security applications and protocols, including TLS, SSL, PGP, SSH, S/MIME, and IPsec. SHA-1 is regarded as the successor to MD5, an earlier, widely used hash function. The SHA algorithms were designed by the National Security Agency (NSA) and published as US government standards. The first member of the family, published in 1993, is officially called SHA; it is often referred to as SHA-0 to avoid confusion with its successors. Two years later, SHA-1, the first successor to SHA, was published. Four additional variants have since been published with larger output sizes and a slightly different design: SHA-224, SHA-256, SHA-384, and SHA-512, sometimes collectively referred to as SHA-2. Attacks have been found for both SHA-0 and SHA-1. No attack on the SHA-2 variants has been reported yet, but since they are similar to SHA-1, researchers are concerned and are developing candidates for a new, better hashing standard.

March 22, 2006

ssl security

SSL is a transport-layer security protocol that encrypts data between the network source and destination using keyed encryption. Once that data has been received by your web server, SSL's job is done from a network standpoint, and any transferred data that is processed by IIS will be processed and stored in the clear. If you want to secure the data past that point, you need to look into something like PGP, which could be used in conjunction with an IMAP or SMTP client to re-encrypt the data on disk and e-mail that encrypted data to the recipient (you), who would then decrypt it a second time using the same software.

March 20, 2006

Hard Drive Encryption

How to encrypt your hard drive.

If it is Windows, the easiest option is the one built in: EFS (Encrypting File System), which uses Triple DES as its cipher algorithm and is fairly secure.

If the OS is Linux, then it is not so simple to do, but from what I have tried and read, the most secure is a program called loop-aes. Essentially you boot off a live Linux CD like Knoppix and run the program from there. If you want to have the HD encrypted while booted into the OS, you have to recompile the kernel to add in some special options, and make a loopback device that essentially encrypts/decrypts data to/from the drive, which is no easy task to set up.

Encryption is not like what's in the movies. It's hard to set up, harder to break, and not very sexy.

https and ssl

HTTPS is effectively HTTP using SSL (Secure Sockets Layer). SSL merely encrypts the content of the packets before they are sent from the server to the client.

Yes, you can use ISA Server to create a rule to allow HTTPS to the Internet server in question. One way to do this is via the default Internet protocol rule wizard (which includes HTTP, FTP and Gopher) and then adapt the rule to deny any protocols you do not want used.

If you have an app that needs access, you should consider a protocol filter rule to allow egress to the server concerned using SSL.

ssl certificate how to

HOWTO Set Up SSL Using IIS 5.0 and Certificate Server 2.0

Otherwise, you need to create a certificate request and send it off to a certification authority (CA) to get your certificate.

Alternatively, you can self-sign your own certificate. I think there is a tool in the IIS 6.0 Res Kit that allows you to do that.

March 10, 2006

Email Encryption

I am doing a paper on email encryption and I have two theories: The level of encryption depends on the information being encrypted. Much email is non-sensitive info so encryption is not used. At other times, like for medical records, email is encrypted to protect confidential info. Email encryption is not used because users don't know how much it is worth. Email encryption developers need funds to create privacy, but different users value privacy differently. Many users want free online privacy, expecting it to be "provided" by the Net. Others, like corporate users, will pay reasonable fees to companies (like Verisign) because they need strong encryption. What I need are papers, books, or other documents that back up (or refute) the above claims. If anyone has user survey data (how users value email encryption) that would be ideal!

what is ssl vpn

Most IPSec VPN solutions require proprietary hardware and/or software. To access an IPSec VPN, the workstation or device in question must have an IPSec client software application installed. This is both a pro and a con.

The pro is that it provides an additional layer of security: the client machine is required not only to run the right VPN client software to connect to your IPSec VPN, but must also have it configured correctly. These are additional hurdles an unauthorized user would have to get past before reaching your network.

The con is that it can be a financial burden to maintain the licences for the client software, and a nightmare for tech support to install and configure the client software on all the remote machines, particularly if they cannot be physically on site to configure the software themselves. It is this con that is generally touted as one of the biggest pros of the rival SSL (Secure Sockets Layer) VPN solutions.

Since an SSL VPN uses the web browser as its client, almost every computer in the world is already equipped with the "client software" necessary to connect to an SSL VPN. Another pro of SSL VPNs is that they allow more precise access control. First of all, they provide tunnels to specific applications rather than to the whole corporate LAN, so users on SSL VPN connections can only reach the applications they are configured to access rather than the whole network.

Secondly, it is easier to give different access rights to different users and to have more granular control over user access. A con of SSL VPNs, however, is that you access the applications through a web browser, which means they really only work for web-based applications.

It is possible to web-enable other applications so that they can be accessed through the SSL VPN; however, doing so adds to the complexity of the solution and eliminates part of the pro. Having direct access only to web-enabled applications over SSL also means that users do not have access to network resources such as printers or centralized storage and cannot use the VPN for file sharing or file backups. SSL VPNs have gained in prevalence and popularity; however, they are not the right solution for every case. Likewise, IPSec VPNs are not suited to every case either.

Vendors continue to develop ways of increasing the functionality of SSL VPNs, and it is a technology you should watch closely if you are in the market for a secure remote network access solution. For now, it is important to carefully consider the needs of your remote users and weigh the pros and cons of each solution to determine what works best for you.

March 08, 2006

SSL server certificates

Certificates are used by web browsers to verify that a secure website is who it claims to be. The certificates are issued by Certificate Authorities (CAs) like Verisign and other independent third parties, which issue certificates to organizations and individuals after a thorough investigation that the prospective certificate owner is the individual or organization it claims to be.

Verisign has a very rigorous certification process, requiring you to submit a lot of documentation about you and your organisation. Other CAs do not require as much documentation and therefore do not charge as much as Verisign.

From a web browser's point of view, it doesn't matter whether you pick an expensive or an inexpensive CA.
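As an added example (not from the original posts, and not Microsoft's Certificate Server or the IIS resource kit tool), the request-and-sign versus self-sign workflow from the "ssl certificate how to" post and the trust point made here, done with the openssl command line: it builds a throwaway private CA standing in for any CA in a browser's trust store, a server key and CSR, one CA-signed certificate and one self-signed certificate, then checks which of them a client that trusts only that CA accepts. The names (Example Private CA, www.example.test, the temp directory) are constructed placeholders; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: CSR -> CA-signed cert vs. self-signed cert, and what a
# client that trusts only the CA makes of each. All names are placeholders.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A private CA. Any CA in the client's trust store works the same way,
#    whatever it charges; the client only checks the signature chain.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. The server's private key and certificate signing request (CSR).
#    The CSR, not the key, is what you send off to the CA.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3a. The CA signs the request, producing the server certificate.
openssl x509 -req -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 30 -out "$WORK/server.pem" 2>/dev/null

# 3b. Alternative: self-sign the same key, no CA involved.
openssl req -x509 -new -key "$WORK/server.key" -days 30 \
  -subj "/CN=www.example.test" -out "$WORK/selfsigned.pem" 2>/dev/null

# Subject line of the CSR, as the CA would see it.
csr_subject() {
  openssl req -in "$WORK/server.csr" -noout -subject
}

# Exit 0 if a client whose only trusted root is ca.pem accepts the cert.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

ca_signed_ok()   { verify_against_ca "$WORK/server.pem"; }
self_signed_ok() { verify_against_ca "$WORK/selfsigned.pem"; }

# Stand-alone demo: the CA-signed cert verifies, the self-signed one does not
# (it would need to be added to the client's trust store by hand).
if ca_signed_ok;   then echo "CA-signed certificate: trusted"; fi
if self_signed_ok; then echo "self-signed: trusted"; else echo "self-signed: NOT trusted"; fi
```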