" AES256 Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘AES256’

What Level of SSL or TLS is Required for HIPAA Compliance?

Saturday, June 2nd, 2018

SSL and TLS are not actually monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems.  SSL and TLS are evolving protocols which have many nuances to how they may be configured.  The “version” of the protocol you are using and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0). … see SSL versus TLS – what is the difference?  In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone (see the POODLE attacks, for example); TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, protocol versions supported (e.g., 1.0, 1.1, or 1.2) anf which “ciphers” are permitted have the greatest impact on security.  A “cipher” specifies encryption algorithm to be used,  the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated.   Some ciphers that have long been used, such as RC4, have become weak over time and should never be used in secure environments.  Other ciphers provide protection against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

What level of TLS is required by HIPAA?

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA compliance for an appropriate and compliant level TLS security.  Simply “turning on TLS” without also configuring it appropriately is likely to leave your transmission encryption non-complaint.  

Read the rest of this post »

SMTP TLS: All About Secure Email Delivery over TLS

Monday, October 2nd, 2017

TLS stands for “Transport Layer Security” and is the successor of “SSL” (Secure Socket Layer). TLS is one of the standard ways that computers on the Internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

  1. Computer A connects to Computer B (no security)
  2. Computer B says “Hello” (no security)
  3. Computer A says “Lets talk securely over TLS” (no security)
  4. Computer A and B agree on how to do this (secure)
  5. The rest of the conversation is encrypted (secure)

In particular:

  • The meat of the conversation is encrypted
  • Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
  • The conversation cannot be eavesdropped upon (without Computer A knowing)
  • The conversation cannot be modified by a third party
  • Other information cannot be injected into the conversation by third parties.

Basic email security starts with SMTP TLS

TLS (and SSL) is used for many different reasons on the Internet and helps make the Internet a more secure place, when used. One of the popular uses of TLS is with SMTP for transmitting email messages between servers in a secure manner.  See also:

Read the rest of this post »

LUXSCI