" cipher Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci
LuxSci

Posts Tagged ‘cipher’

256-bit AES Encryption for SSL and TLS: Maximal Security

Wednesday, February 4th, 2015

SSL and TLS are the workhorses that provide the majority of security in the transmission of data over the Internet today. However, most people do not know that the degree of security and privacy inherent in a “secure” connection of this sort can vary from “almost none” to “really really good … good enough for US government TOP SECRET data”.  The piece which varies and thus provides the variable level of security is the “cipher” or “encryption technique”.  There are a large number of different ciphers — some are very fast and very insecure.  Some are slower and very secure.  Some weak ones (export-grade ciphers) are around from the days when the USA did not permit the export of decent security to other countries.

AES, the Advanced Encryption Standard, is a relatively new encryption technique/cipher that is the successor of DES.  AES was standardized in 2001 after a 5 year review, and is currently one of the most popular algorithms used in symmetric key cryptography (which, for example, is used for the actual data transmission in SSL and TLS).  It is also the “gold standard” encryption technique; many security-conscious organizations actually require that their employees use AES-256 (256-bit AES) for all communications.

This article discusses AES, its role in SSL, which web browsers and email programs support it, how you can make sure that you only use 256-bit AES encryption of all secure communications, and more.

Read the rest of this post »

What Level of SSL or TLS is Required by HIPAA?

Tuesday, January 13th, 2015

SSL and TLS are not actually monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems.  SSL and TLS are evolving protocols which have many nuances to how they may be configured.  The “version” of the protocol you are using and the nuances of the configuration directly affect the security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0). … see SSL versus TLS – what is the difference?  In 2014 we have seen that SSL v3 is very weak and should not be used going forward by anyone (see the POODLE attacks, for example), TLS v1.0 or higher should be used.

Among the many configuration nuances of SSL and TLS, which “ciphers” are permitted have the greatest impact on security.  A “cipher” defines the specific encryption algorithm to be used,  the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things.   Some ciphers that have long been used, such as RC4, have become weak over time and should not be used in secure environments.

Given these nuances, people are often at a loss as to what is specifically needed for HIPAA compliance or any kind of effective level TLS security.

Read the rest of this post »

Are Export-Grade Encryption Options Needed Anymore?

Saturday, November 15th, 2008

The short answer is “no” … unless you need to support web browsers 8+ years old on computers that cannot be patched or upgraded and which are not in the USA or Canada. 

Read the rest of this post »