
Tag: Digital Signature

At death’s door for years, widely used SHA1 function is now...

Algorithm underpinning Internet security falls to first-known collision attack.

Encryption in 2016: Small victories add up

Technology development seems to gallop a little faster each year.

But there's always one laggard: encryption. Why the deliberate pace? Because a single, small mistake can cut off communications or shut down businesses. Yet there are times when you take stock—only to discover the encryption landscape seems to have transformed overnight. Now is that time.

Although the changes have been incremental over several years, the net effect is dramatic. Some of those changes began shortly after Edward Snowden's disclosures of the U.S. government’s extensive surveillance apparatus. Others are the natural result of cryptographic ideas reaching the marketplace, says Brent Waters, an associate professor at the University of Texas at Austin and the recipient of the Association for Computing Machinery’s 2015 Grace Murray Hopper Award. “Many of the new tools and applications available are based on research innovations from 2005 and 2006,” Waters says. “We are just realizing what type of crypto functionality is possible.”

A step closer to an encrypted world

Encrypted web traffic is the first step toward a more secure online world where attackers cannot intercept private communications, financial transactions, or general online activity. Many sites, including Google and Facebook, have turned HTTPS on by default for all users. But for most domain owners, buying and deploying SSL/TLS certificates in order to secure traffic to their sites has been a costly and complicated endeavor. Fortunately, Let’s Encrypt and its free SSL/TLS certificates have transformed the landscape, giving domain owners the tools to turn on HTTPS for their websites easily.

A nonprofit certificate authority run by the Internet Security Research Group, Let’s Encrypt is backed by such internet heavyweights as Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai.

How ubiquitous has HTTPS become? In October, Josh Aas, head of Let’s Encrypt and former Mozilla employee, posted a graph from Mozilla Telemetry showing that 50 percent of pages loaded that day used HTTPS, not HTTP. While the graph showed only Firefox users, the figure is still significant, because for the first time, the number of encrypted pages outnumbered unencrypted pages. NSS Labs expects the trend to continue, predicting that 75 percent of all Web traffic will be encrypted by 2019.

Free certificate offerings will further accelerate adoption. By next year, the number of publicly trusted free certificates issued will likely outnumber those that are paid for, says Kevin Bocek, vice president of security strategy and threat intelligence at key-management company Venafi. Many enterprises will also start using free services. With certificate cost no longer a consideration, certificate authorities will focus on better tools to securely manage certificates and protect their keys.

Speaking of certificate management, after years of warnings that SHA-1 certificates were weak and vulnerable to attack, enterprises are making steady progress toward upgrading to certificates that use SHA-2, the set of cryptographic hash functions succeeding the obsolete SHA-1 algorithm. Major browser makers, including Google, Mozilla, and Microsoft, have pledged to deprecate SHA-1 by the beginning of the year and to start blocking sites still using the older certificates.

Facebook stopped serving SHA-1 connections and saw “no measurable impact,” wrote Facebook production engineer Wojciech Wojtyniak. From May to October 2016, the use of SHA-1 on the web fell from 3.5 percent to less than 1 percent, as measured by Firefox Telemetry.

Enterprises can’t be complacent, though, since recent estimates from Venafi suggest approximately 60 million websites still rely on the insecure encryption algorithm. “We look forward to the industry's movement toward greater use of stronger certificates like SHA-256,” Wojtyniak said.

Crypto is still king

Cryptography has taken quite a beating over the past few months, with researchers developing cryptographic attacks such as Drown, which can be used to decrypt TLS connections between a user and a server if the server supports SSLv2, and Sweet32, a way to attack encrypted web connections by generating huge amounts of web traffic.

Nation-state actors also have encryption in their crosshairs. Late last year, Juniper Networks uncovered spying code implanted in specific models of its firewall and Virtual Private Network appliances. Many experts believe the NSA was involved. Shortly after the cache of hacking tools allegedly belonging to the NSA made its way to underground markets this summer, Cisco discovered a vulnerability in its IOS, IOS XE, and IOS XR software that powers many of its networking devices.

The flaw, which could be used to extract sensitive information from device memory, was similar to the vulnerability exploited by the tools and was related to how the operating system processed the key exchange protocol for VPNs, Cisco said. Even Apple’s iMessage app, the poster child for how companies can bring end-to-end encryption to the masses, had its share of issues.

Cryptography professor Matthew Green and his team of students at Johns Hopkins University were able to develop a practical adaptive chosen ciphertext attack that could decrypt iMessage payloads and attachments under specific circumstances.

The team also found that iMessage lacked the forward secrecy mechanism, meaning attackers could decrypt previously encrypted messages, such as those stored in iCloud.

Forward secrecy works by generating a new key after a set period of time so that even if the attackers obtained the original key, the previously encrypted messages can’t be cracked.

One thing remains clear despite all the bad news: Cryptography is not broken.

The mathematics behind cryptographic calculations remain strong, and encryption is still the best way to protect information. “The latest attacks have not been on the math, but on the implementation,” Waters says. In fact, encryption works so well that attackers rely on it, too.

Criminals are equally as capable of obtaining keys and certificates to hide their activities inside encrypted traffic.

The fact that this attack vector is fast becoming default behavior for cybercriminals “almost counteracts the whole purpose of adding more encryption,” Bocek says. Cybercriminals are using encryption to great effect in ransomware. Once the files are encrypted, victims have to either pay up to obtain a key or wipe their systems and start over. Just as attackers target flawed implementations, security researchers have successfully developed decryption tools for ransomware variants that contained mistakes in their encryption code.

Government backs down on backdoors

Technology firms have always had to balance security and privacy concerns with law enforcement requests for user information.

FBI Director James Comey had been pushing hard for backdoors in technology products using encryption, claiming that increased use of encryption was hindering criminal investigations. While companies frequently cooperate quietly with law enforcement and intelligence requests, the unprecedented public showdown between the FBI and Apple showed that in recent years, enterprises are beginning to push back. The FBI backed down in that fight, and a bipartisan Congressional working group—with members of both House Judiciary and Energy & Commerce Committees—was formed to study the encryption problem.

The House Judiciary Committee’s Encryption Working Group unequivocally rejected Comey's calls for backdoors and advised the United States to explore other solutions. “Any measure that weakens encryption works against the national interest,” the working group wrote in its report. “Congress cannot stop bad actors—at home or overseas—from adopting encryption.

Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.” Weakening encryption so that police can break into encrypted devices would speed up criminal investigations, but it would be a short-term win "against the long-term impacts to the national interest," the working group warned.

Alternative strategies include giving law enforcement legal methods to compel suspects to unlock their devices and improving metadata collection and analysis. While the working group report indicates Congress will not pursue legal backdoors, other encryption-related battles are looming on the horizon.

The report seemed to support letting police use "legal hacking" to break into products using software vulnerabilities that only law enforcement and intelligence authorities know about, which poses its own security implications.

The technology industry has an interest in learning about vulnerabilities as soon as they are found, and not letting the government stockpile them with no oversight. As for Comey's "going dark" claim, the working group said “the challenge appears to be more akin to ‘going spotty.’”

Adding to the enterprise tech stack

Governments have been trotting out the terrorists “going dark” argument for years and will always play on those fears, says Mike Janke, co-founder and chairman of encrypted communications company Silent Circle. What's changing is that the enterprises are becoming more serious about securing their communications stack and are less willing to compromise on those features. Many organizations were shocked at the extent of government surveillance exposed by former NSA contractor Edward Snowden.

They reacted by integrating secure video and text messaging tools along with encrypted voice calls into the enterprise communications stack, Janke says.

Encryption is now a bigger part of the technology conversation, as enterprises ask about what features and capabilities are available.
IT no longer treats encryption as an added feature to pay extra for, but as a must-have for every product and platform they work with. Consumers were outraged by the surveillance programs, and anecdotal evidence indicates many have signed up for encrypted messaging apps such as WhatsApp and Signal.

But for the most part, they aren't paying for secure products or changing their behaviors to make privacy a bigger part of their daily lives. The change is coming from CSOs, vice presidents of engineering, and other technical enterprise leaders, because they're at the forefront of making security and privacy decisions for their products and services. With Tesla now digitally signing firmware for every single one of its internal components with a cryptographic key, it's easier to ask TV manufacturers or toymakers, "Why aren't you doing that?" says Janke. Consumers are the ones who will benefit from encryption built in by default as enterprises change their mindset about the importance of encryption.

Riding the innovation wave

Cryptography tends to go in waves, with important innovations and research from 2005 to 2006 finally coming out as practical applications. Researchers are currently looking at improving the "precision of encryption," instead of the current model of all or nothing, where if something is exposed, everything gets leaked. "Encryption can be precise like a scalpel, giving fine-grained control over the information," Waters says.

Google has looked at cryptography in its experiments with neural networks. Recently, its Google Brain team created two artificial intelligence systems that were able to create their own cryptographic algorithm in order to keep their messages a secret from a third AI instance that was actively trying to decrypt them.

The dawn of quantum computing will also spur new avenues of research. “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use,” wrote the National Institute of Standards and Technology in a public notice. Once such machines become widely available, “this would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere."
To prepare for that eventuality, NIST is soliciting work on "new public-key cryptography standards," which will "specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.” The submission deadline is Nov. 30, 2017, but NIST acknowledges the work will take years to be tested and available, noting that "historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure." “Regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing,” NIST said. There have been a number of intriguing advances in cryptography, but it will likely be years before they become available to enterprise IT departments, and who knows what form they will take.

The future of cryptography promises even more security.

The good news is we are already experiencing some of the benefits now.

NIST requests ideas for crypto that can survive quantum computers

Christmas miracle: Government preparing properly for problem expected to land in ~20 years

The United States' National Institute of Standards and Technology has issued a “Notice and request for nominations for candidate post-quantum algorithms.” The Institute (NIST) has cottoned on to the fact that “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use.” The agency therefore observes, in its explanation of the Notice, that once such machines are widely available, “This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”

The Notice therefore calls for the development of “... new public-key cryptography standards will specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.”

NIST reckons it will get something useful within a year, as it's set a deadline of November 30th, 2017, for submissions. But it doesn't think the work will be widely tested for 20 years, writing that “Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure.” “Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.”

You read the above right: this is an example of a government agency being sensibly far-sighted. As it happens, late last week Microsoft offered up a talk on some of its research on just this subject.
In the video below, Gorjan Alagic from the University of Copenhagen's Quantum Information Theory group explores “how to securely transmit many large quantum states using a single short key, and how to authenticate such transmissions.” To be honest, the concept and math go over your correspondent's head.

But if you've an hour to spare, and that's as likely in this week as any, perhaps you'll be able to tell us more about Alagic's approach. ®

The Best Encryption Software of 2017

The Electronic Frontier Foundation aims to protect Web traffic by encrypting the entire Internet using HTTPS.

Chrome now puts a little warning marker in the Address Bar next to any non-secure HTTP address.

Encryption is important, and not only for Web surfing.
If you encrypt all of the sensitive documents on your desktop or laptop, a hacker or laptop thief won't be able to parlay their possession into identity theft, bank account takeover, or worse.

To help you select an encryption product that's right for your computer, we've rounded up a collection of current products.

As we review more products in this area, we'll keep the list up to date.

No Back Doors

When the FBI needed information from the San Bernardino shooter's iPhone, they asked Apple for a back door to get past the encryption.

But no such back door existed, and Apple refused to create one.

The FBI had to hire hackers to get into the phone.

Why wouldn't Apple help? Because the moment a back door or similar hack exists, it becomes a target, a prize for the bad guys.
It will leak sooner or later.
In a talk at Black Hat this past summer, Apple's Ivan Krstic revealed that the company has done something similar in their cryptographic servers. Once the fleet of servers is up and running, they physically destroy the keys that would permit modification.

Apple can't update them, but the bad guys can't get in either.

All of the products in this roundup explicitly state that they have no back door, and that's as it should be.
It does mean that if you encrypt an essential document and then forget the encryption password, you've lost it for good.

Two Main Approaches

Back in the day, if you wanted to keep a document secret you could use a cipher to encrypt it and then burn the original. Or you could lock it up in a safe.

The two main approaches in encryption utilities parallel these options.

One type of product simply processes files and folders, turning them into impenetrable encrypted versions of themselves.

The other creates a virtual disk drive that, when open, acts like any other drive on your system. When you lock the virtual drive, all of the files you put into it are completely inaccessible.

Similar to the virtual drive solution, some products store your encrypted data in the cloud.

This approach requires extreme care, obviously.

Encrypted data in the cloud has a much bigger attack surface than encrypted data on your own PC.

Which is better? It really depends on how you plan to use encryption.
If you're not sure, take advantage of the 30-day free trial offered by each of these products to get a feel for the different options.

Secure Those Originals

After you copy a file into secure storage, or create an encrypted version of it, you absolutely need to wipe the unencrypted original. Just deleting it isn't sufficient, even if you bypass the Recycle Bin, because the data still exists on disk, and data recovery utilities can often get it back.

Some encryption products avoid this problem by encrypting the file in place, literally overwriting it on disk with an encrypted version.
It's more common, though, to offer secure deletion as an option.
If you choose a product that lacks this feature, you should find a free secure deletion tool to use along with it.

Overwriting data before deletion is sufficient to balk software-based recovery tools. Hardware-based forensic recovery works because the magnetic recording of data on a hard drive isn't actually digital.
It's more of a waveform.
In simple terms, the process involves nulling out the known data and reading around the edges of what's left.
If you really think someone (the feds?) might use this technique to recover your incriminating files, you can set your secure deletion tool to make more passes, overwriting the data beyond what even these techniques can recover.

Encryption Algorithms

An encryption algorithm is like a black box.

Dump a document, image, or other file into it, and you get back what seems like gibberish. Run that gibberish back through the box, with the same password, and you get back the original.

The U.S. government has settled on Advanced Encryption Standard (AES) as a standard, and all of the products gathered here support AES.

Even those that support other algorithms tend to recommend using AES.

If you're an encryption expert, you may prefer another algorithm, Blowfish, perhaps, or the Soviet government's GOST.

For the average user, however, AES is just fine.

Public Key Cryptography and Sharing

Passwords are important, and you have to keep them secret, right? Well, not when you use Public Key Infrastructure (PKI) cryptography.

With PKI, you get two keys. One is public; you can share it with anyone, register it in a key exchange, tattoo it on your forehead—whatever you like.

The other is private, and should be closely guarded.
If I want to send you a secret document, I simply encrypt it with your public key. When you receive it, your private key decrypts it.
Simple!

Using this system in reverse, you can create a digital signature that proves your document came from you and hasn't been modified. How? Just encrypt it with your private key.

The fact that your public key decrypts it is all the proof you need.

PKI support is less common than support for traditional symmetric algorithms.

If you want to share a file with someone and your encryption tool doesn't support PKI, there are other options for sharing. Many products allow creation of a self-decrypting executable file. You may also find that the recipient can use a free, decryption-only tool.

What's the Best?

Right now there are three Editors' Choice products in the consumer-accessible encryption field.

The first is the easiest to use of the bunch, the next is the most secure, and the third is the most comprehensive.

AxCrypt Premium has a sleek, modern look, and when it's active you'll hardly notice it.

Files in its Secured Folders get encrypted automatically when you sign out, and it's one of the few that support public key cryptography.

CertainSafe Digital Safety Deposit Box goes through a multistage security handshake that authenticates you to the site and authenticates the site to you. Your files are encrypted, split into chunks, and tokenized.

Then each chunk gets stored on a different server.

A hacker who breached one server would get nothing useful.

Folder Lock can either encrypt files or simply lock them so nobody can access them.
It also offers encrypted lockers for secure storage.

Among its many other features are file shredding, free space shredding, secure online backup, and self-decrypting files.

The other products here have their merits, too, of course. Read the capsules below and then click through to the full reviews to decide which one you'll use to protect your files. Have an opinion on one of the apps reviewed here, or a favorite tool we didn't mention? Let us know in the comments.

FEATURED IN THIS ROUNDUP

Steganos Safe 18

Having your laptop stolen is traumatic; having the thief gain access to your sensitive documents could be catastrophic.

To avert the possibility of catastrophe, use an encryption tool to protect your most important files. With Steganos Safe 18, you can create any number of encrypted storage containers.
Steganos combines an impressive variety of security options with an interface that's very easy to use.

Your $39.95 purchase lets you install Steganos Safe on up to five PCs.

This is a one-time cost, which is a common model for encryption tools.

Editors' Choice utility Folder Lock also costs $39.95, and Ranquel Technologies CryptoForge goes for $39.70. You'll pay $45 for Cypherix PC, and $59.95 for CryptoExpert. Note, though, that those are single licenses.

The five-license Steganos package is quite a bargain.

In addition to being available as a standalone product, Steganos Safe is an integral part of the full Steganos Privacy Suite.

This suite also includes Steganos Password Manager 18 and a number of other useful tools.

What Is Encryption?

Throughout history, rulers and generals have needed to communicate their plans in secret, and their enemies have devoted great resources to cracking their secret communication systems.

A cipher that simply replaces every letter with a different letter or symbol is easy enough to crack based on letter frequency.

France's Louis XIV used a system called The Great Cipher, which held out for 200 years before anyone cracked it.

Father-son team Antoine and Bonaventure Rossignol conceived the idea of encoding syllables rather than letters, and letting multiple code numbers represent the same syllable.

They also included nulls, numbers that contributed nothing to the cipher.

But even this long-unbroken cipher pales in comparison with modern encryption technology.

Advanced Encryption Standard (AES), the US government's official standard, runs blocks of data through multiple transformations, typically using a 256-bit key.

Bruce Schneier's Blowfish algorithm should be even tougher to crack, as it uses a 448-byte key.

Whatever the size of the key, you must get it to the recipient somehow, and that process is the weakest point in the system.
If your enemy obtains the key, whatever its size, you lose. Public Key Infrastructure (PKI) cryptography has no such weakness.

Each user has two keys, a public key that's visible to anybody and a private key that nobody else has.
If I encrypt a file with your public key, you can decrypt it with the private key.

Conversely, if I encrypt a file with my private key, the fact that you can decrypt it with my public key proves it came from me—a digital signature.
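The signature idea described here, and in the "Public Key Cryptography and Sharing" section of the roundup above, is textbook RSA: the private key "encrypts" a hash of the document and anyone holding the public key "decrypts" it and compares. The following is an added example written for this page, not code from Steganos or any product reviewed here. The two primes are constructed toy values (the 10,000th and 100,000th primes) so the arithmetic stays visible; real keys use primes of 1024 bits or more, and real signature schemes wrap the hash in a padding scheme such as PSS rather than reducing it modulo n as this illustration does.

```python
import hashlib
from math import gcd

# Constructed toy primes: small enough to follow by hand, far too small for real use.
P = 104729
Q = 1299709
E = 65537  # the usual public exponent


def is_prime(n):
    """Trial division; adequate for the small constructed primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d).

    d is the inverse of e modulo phi(n), so for any m below n,
    pow(pow(m, d, n), e, n) == m: whatever the private key 'encrypts', the
    public key 'decrypts', which is the page's description of a signature.
    """
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be prime")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_as_int(data, n):
    """Hash the document and reduce it below n so it fits in one RSA block.

    Signing the hash rather than the whole document keeps signatures a fixed
    size while still binding every byte of the document to the signature.
    """
    h = hashlib.sha256(data).digest()
    return int.from_bytes(h, "big") % n


def sign(private_key, data):
    """'Encrypt' the document's hash with the private key."""
    n, d = private_key
    return pow(digest_as_int(data, n), d, n)


def verify(public_key, data, signature):
    """'Decrypt' the signature with the public key and compare to a fresh hash.

    Any change to the document changes its hash, and a signature made under
    a different private key 'decrypts' to garbage, so both cases fail here.
    """
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(data, n)


if __name__ == "__main__":
    public, private = make_keypair()
    document = b"constructed sample document"
    signature = sign(private, document)
    print(verify(public, document, signature))          # True
    print(verify(public, document + b"!", signature))   # False: one byte changed
```

Note the asymmetry the text relies on: `sign` needs `d`, which only the owner holds, while `verify` needs only `n` and `e`, which can be published freely.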

Getting Started with Steganos Safe

The Steganos encryption utility's installation is quick and simple. Once finished, it shows you a simple main window that has two big buttons, one to create a new safe and one to open a hidden safe.

When a safe is open, it looks and acts precisely like a disk drive. You can move files into and out of it, create new documents, edit documents in place, and so on.

But once you close the safe, its contents become totally inaccessible. Nobody can unlock it without the password, not even Steganos.

Like Editors' Choice tools CertainSafe Digital Safety Deposit Box, AxCrypt, and Folder Lock, Steganos uses AES for all encryption. However, it cranks the key size up from the usual 256 bits to 384 bits.

CryptoExpert and CryptoForge offer four different algorithms, and Advanced Encryption Package goes over the top with 17 choices.

Few users have the knowledge to make an informed choice of algorithm, so I see no problem sticking with AES.

Steganos warns if you try to close a safe while you still have files from the safe open for editing.
In addition to the basic safe, Steganos can optionally create portable safes and cloud safes.
I'll cover each safe type separately.

Create a Safe

The process of creating a new safe for storing your sensitive documents is quite simple, with a wizard that walks you through the steps. You start by assigning a name and drive letter to the safe—the program's main window shows you the name.

By default, Steganos creates the file representing your safe in a subfolder of the Documents folder, but you can override that default to put it wherever you want, including on a network drive.

Next, you define the safe's capacity, from a minimum of 2MB to a maximum that depends on your operating system. Unlike Cypherix PE and CryptoExpert, with Steganos the initial capacity doesn't have to be a hard limit. You can create a safe whose size grows dynamically.

Folder Lock works a bit differently. While you must set a maximum size at creation, it only uses as much space as its current content requires.

A newly created Cypherix volume requires formatting. With Steganos, the safe is ready for use immediately.

The next step is to select a password.
If you've created a master password for Steganos Password Manager, the password dialog should look familiar.
Steganos rates password strength as you type.
If you wish, you can define the password by clicking a sequence of pictures rather than typing it in.

There's also an option to enter the password using a virtual keyboard.

Folder Lock and InterCrypto Advanced Encryption Package 2016 also offer a virtual keyboard.

Here's a useful option. You can choose to store the password on a removable drive, making that drive effectively the safe's key.

By default, a safe opened in this way closes automatically when you remove the key.
It's not two-factor authentication, as you can still unlock the safe using just the password, but it's certainly convenient.
In a similar situation, you can configure InterCrypto CryptoExpert 8 to require both the master password and the USB key.

Digging into the program's settings, you can simplify the process by disabling advanced wizard options.
If you do so, Steganos chooses default values for each new safe's drive letter and filename.

There's a special option that only appears for safes smaller than 3MB.
If you've chosen an acceptable size, a link appears explaining how you can create a hidden safe.
Steganos can hide a small-enough safe inside a video, audio, or executable file.

After creating the safe, you click it, choose Hide from the menu, and select a carrier file.
Steganos stuffs the entire safe into the carrier, without affecting the carrier's ability to function as a program or audio/video file.

To open it, you click Open a Hidden Safe on the main window, select the carrier, and enter the password. Just don't forget where you hid the safe.

Portable Safes

For additional security, consider creating a portable safe that you only bring out when you need to access it.

The process is similar. You start by selecting the target device, which can be a USB storage device or an optical drive. You define the size and create a password, just as for a regular safe.

But then the process diverges.

Steganos creates and opens what it calls a prepackaging drive, using the drive letter of your choice.
Showing its age, the tool warns that portable safes don't support Windows NT 4.0 or Windows 95/98/Me. You click to open the prepackaging drive and drag the desired files into it. When you click Next, Steganos creates the necessary files on the target device. You're done!

If the size of the portable safe is less than about 512MB, Steganos creates what it calls a SelfSafe by default.

As with the hidden option for regular safes, you won't even see this as a choice if your desired size is too large.

The SelfSafe is a single executable file called SteganosPortableSafe.exe that contains both the necessary decryption code and the data representing the safe's contents. Otherwise, it stores the contents in a folder called Portable_Safe and adds a file called usbstarter.exe.

Either way, launching the file lets you enter the password and open the portable safe.

In testing, I did run into one surprise: a portable safe is not completely portable.
It requires the Steganos encryption engine. You can only open and work with your portable safe on a PC where you've installed the program.

Cloud Safes

As noted, you can open a portable safe on any PC where you've installed Steganos Safe.

Creating a cloud safe is another way to share your encrypted files between PCs.
Steganos supports the cloud storage services Dropbox, Google Drive, or Microsoft OneDrive. Whichever you choose, you must install that cloud service's desktop app.

The help points out that Google Drive and OneDrive must re-sync the entire safe when there's any change, while Dropbox can selectively sync changes only.

My test PC didn't have any of the desktop apps installed, and the cloud safe creation dialog reflected this fact.

For testing purposes, I installed the Dropbox app.

As with a regular safe, you select a name and drive letter and then choose the safe's size.

For a cloud safe, you don't get the option to have the safe expand as needed.

Create your password, wait for the safe's initialization, and you're ready to go.

The safe syncs to the cloud each time you close it, and you can use it on any PC that has both Steganos and the proper cloud app installed.

Advanced Features

Click a safe and click Settings to bring up the administration dialog. Here you can change the password, name, and file location for the safe, but that's not all. On the main page of the dialog you can color-code the safe, and choose whether Windows should see it as a local drive or a removable drive. On the Events tab, you can choose whether to open the safe when you log on, and whether to close it on events such as screen saver activation or going into standby.

There's an option to define an action that occurs after the safe opens, and after it closes.

For example, you could configure it to automatically launch a file that resides within the safe after opening it, or automatically make a backup copy after closing it.

Perhaps most interesting is the Safe in a Safe feature.

This defines a separate safe, hidden within the normal safe, occupying a user-defined percentage of available space, and having its own password.

Depending on which password you use to open the safe, you either open the Safe in a Safe, or the original safe that contains it.
Sneaky! But take care.
If you overfill the outer safe, its contents can wipe out the super-secret Safe in a Safe.

Steganos Shredder

It's all well and good to put your most sensitive files into an encrypted safe, but if you leave the unencrypted originals on disk, you haven't accomplished much, security-wise.

Even if you delete the originals, they're not really gone, because their data remains on disk until new data overwrites it.

For true privacy, you must use a secure deletion tool that overwrites file data before deletion, something like this program's file-shredder component.

The easiest way to use the shredder is to right-click a file or folder and choose Destroy from the menu that appears.
Steganos overwrites the file's data once and then deletes it.

This should be sufficient to foil software-based file recovery systems, though it would still be theoretically possible for a hardware-based forensic tool to get back some or all of the data.

Folder Lock, by contrast, lets you choose up to 35 overwrite passes, which is overkill, as there's no added benefit after seven passes.

Launching the full File Shredder from the main window's menu reveals that it does more than just securely delete files.

As with Folder Lock, Steganos can overwrite all the free space on a disk.

Doing so wipes out all traces of previously deleted files, in effect shredding them ex post facto.

This can be a lengthy process, so you may want to use the scheduler to set it for a time when you're not using the computer. You can also schedule daily or weekly free space shredding. Note that if you stop and restart the free space shredding process, it skips quickly past previously shredded areas.

Finally, there's the Complete Shredder nuclear option.

Choose this to completely wipe out all data on a drive, including partition data.

A drive that's been shredded in this way must be formatted before you can do anything with it. Like shredding free space, this process can take quite a while.

By observation, you can't shred the active Windows volume, which makes sense. When I tried, there was no error message, but it did nothing.

Comprehensive Encrypted Storage

Steganos Safe 18 focuses on the singular task of creating encrypted storage containers for your sensitive files, and it does that task very well.
It's easier to use than most of its competitors, and its Safe in Safe and hidden safe options are unique. You can only use its portable safe and cloud safe features on PCs that have the program installed, but your purchase gets you five licenses.

However, Folder Lock does most of what Steganos does, and quite a lot more.
Its features include encryption of individual files and folders, secure storage of private data, a history cleaner, and (at an extra cost) secure online backup.

AxCrypt Premium is even easier to use than Steganos, and supports public key cryptography.

And CertainSafe Digital Safety Deposit Box protects your cloud-stored encrypted files against any possibility of a data breach.

These three are our Editors' Choice products for encryption, but Steganos is a worthy contender.


Google open-sources test suite to find crypto bugs

Working with cryptographic libraries is hard, and a single implementation mistake can result in serious security problems.

To help developers check their code for implementation errors and find weaknesses in cryptographic software libraries, Google has...

Google Test Suite Checks Open Source Cryptographic Library Security

Google's new Project Wycheproof will let software engineers look for previously known flaws in their open source cryptographic libraries. Google has released a set of tests that developers can use to check some open source cryptographic libraries for k...

Internet giants will join forces to stop online sharing of terrorist...

Facebook, Microsoft, Twitter, and YouTube have announced that they will be working together to curb the dissemination of terrorist material online.

The Web giants will create a shared industry database of hashes—digital fingerprints that can identify a specific file—for violent terrorist imagery and terrorist recruitment materials that have previously been removed from their platforms. According to a statement the four companies have jointly released, the hope is that "this collaboration will lead to greater efficiency as we continue to enforce our policies to help curb the pressing global issue of terrorist content online." Once a hash has been added to the database, "other participating companies can then use those hashes to identify such content on their services, review against their respective policies and definitions, and remove matching content as appropriate." Matching content will not be removed automatically, the statement says, and other online services will be encouraged to join the scheme. Each participating company will "independently determine what image and video hashes to contribute to the shared database," but no details of how the scheme will work in practice have been provided.

A likely model is Microsoft's PhotoDNA, which is used to combat online images of child sex abuse. Microsoft's system "compiles a digital signature of images, which can be matched against a database of known child pornography images." However, there is an important difference between the two situations. Whereas child sex abuse is unambiguously illegal, and relatively clear-cut in its definition, it is much harder defining what exactly constitutes "violent terrorist imagery or terrorist recruitment videos or images." As a result, there is a risk that the new database will lead to censorship, where controversial but legal material is removed as a result of an overcautious approach. The four companies claim to be aware that this is an issue, and say in their statement that "throughout this collaboration, we are committed to protecting our users’ privacy and their ability to express themselves freely and safely on our platforms." Ars has asked the Open Rights Group for its comments on this point, but has not yet received a reply.

This post will be updated when a response is received. This latest move reflects a growing pressure on Internet companies from politicians around the world to remove material that is deemed illegal or harmful.

Back in May, Facebook, Microsoft, Twitter, and YouTube announced that they had agreed with the European Commission a code of conduct on illegal online hate speech. A few days ago, the EU's justice commissioner Vera Jourova said that the four were not doing enough to comply with the code, and she threatened to bring in new Europe-wide laws to address the problem unless they and other online services tried harder, according to Reuters.

This newly announced database might well be part of an effort to head off that possibility. This post originated on Ars Technica UK

NSA could put undetectable “trapdoors” in millions of crypto keys

Researchers have devised a way to place undetectable backdoors in the cryptographic keys that protect websites, virtual private networks, and Internet servers.

The feat allows hackers to passively decrypt hundreds of millions of encrypted communications as well as cryptographically impersonate key owners. The technique is notable because it puts a backdoor—or in the parlance of cryptographers, a "trapdoor"—in 1,024-bit keys used in the Diffie-Hellman key exchange.

Diffie-Hellman significantly raises the burden on eavesdroppers because it regularly changes the encryption key protecting an ongoing communication.

Attackers who are aware of the trapdoor have everything they need to decrypt Diffie-Hellman-protected communications over extended periods of time, often measured in years. Knowledgeable attackers can also forge cryptographic signatures that are based on the widely used digital signature algorithm. As with all public key encryption, the security of the Diffie-Hellman protocol is based on number-theoretic computations involving prime numbers so large that the problems are prohibitively hard for attackers to solve.

The parties are able to conceal secrets within the results of these computations.

A special prime devised by the researchers, however, contains certain invisible properties that make the secret parameters unusually susceptible to discovery.

The researchers were able to break one of these weakened 1,024-bit primes in slightly more than two months using an academic computing cluster of 2,000 to 3,000 CPUs.

Backdooring crypto standards—"completely feasible"

To the holder, a key with a trapdoored prime looks like any other 1,024-bit key.

To attackers with knowledge of the weakness, however, the discrete logarithm problem that underpins its security is about 10,000 times easier to solve.

This efficiency makes keys with a trapdoored prime ideal for the type of campaign former National Security Agency contractor Edward Snowden exposed in 2013, which aims to decode vast swaths of the encrypted Internet. "The Snowden documents have raised some serious questions about backdoors in public key cryptography standards," Nadia Heninger, one of the University of Pennsylvania researchers who participated in the project, told Ars. "We are showing that trapdoored primes that would allow an adversary to efficiently break 1,024-bit keys are completely feasible." While NIST—short for the National Institute for Standards and Technology—has recommended minimum key sizes of 2,048 bits since 2010, keys of half that size remain abundant on the Internet.

As of last month, a survey performed by the SSL Pulse service found that 22 percent of the top 200,000 HTTPS-protected websites performed key exchanges with 1,024-bit keys.

A belief that 1,024-bit keys can only be broken at great cost by nation-sponsored adversaries is one reason for their wide use. Other reasons include implementation and compatibility difficulties. Java version 8, released in 2014, for instance, didn't support Diffie-Hellman or DSA keys larger than 1,024 bits.

And, to this day, the DNSSEC specification for securing the Internet's domain name system limits keys to a maximum of 1,024 bits.

Poisoning the well

Solving a key's discrete logarithm problem is significant in the Diffie-Hellman arena. Why? Because a handful of primes are frequently standardized and used by a large number of applications. If the NSA or another adversary succeeded in getting one or more trapdoored primes adopted as a mainstream specification, the agency would have a way to eavesdrop on the encrypted communications of millions, possibly hundreds of millions or billions, of end users over the life of the primes.
So far, the researchers have found no evidence of trapdoored primes in widely used applications.

But that doesn't mean such primes haven't managed to slip by unnoticed. In 2008, the Internet Engineering Task Force published a series of recommended prime numbers for use in a variety of highly sensitive applications, including the transport layer security protocol protecting websites and e-mail servers, the secure shell protocol for remotely administering servers, the Internet key exchange for securing connections, and the secure/multipurpose Internet mail extensions standard for e-mail. Had the primes contained the type of trapdoor the researchers created, there would be virtually no way for outsiders to know, short of solving mathematical problems that would take centuries of processor time. Similarly, Heninger said, there's no way for the world at large to know that crucial 1,024-bit primes used by the Apache Web server aren't similarly backdoored.
In an e-mail, she wrote: We show that we are never going to be able to detect primes that have been properly trapdoored.

But we know exactly how the trapdoor works, and [we] can quantify the massive advantage it gives to the attacker.
So people should start asking pointed questions about how the opaque primes in some implementations and standards were generated. Why should the primes in RFC 5114 be trusted without proof that they have not been trapdoored? How were they generated in the first place? Why were they standardized and pretty widely implemented by VPNs without proof that they were generated with verifiable randomness?

Unlike prime numbers in RSA keys, which are always supposed to be unique, certain Diffie-Hellman primes are extremely common.
If the NSA or another adversary managed to get a trapdoored prime adopted as a real or de facto standard, it would be a coup.

From then on, the adversary would have possession of the shared secret that two parties used to generate ephemeral keys during a Diffie-Hellman-encrypted conversation.

Remember Dual_EC_DRBG?

Such a scenario, assuming it happened, wouldn't be the first time the NSA intentionally weakened standards so it could more easily defeat cryptographic protections.
In 2007, for example, NIST backed NSA-developed code for generating random number generators.

Almost from the start, the so-called Dual_EC_DRBG was suspected of containing a deliberately designed weakness that allowed the agency to quickly derive the cryptographic keys that relied on the algorithm for crucial randomness.
In 2013, some six years later, Snowden-leaked documents all but confirmed the suspicions. RSA Security, at the time owned by the publicly traded corporation EMC, responded by warning customers to stop using Dual_EC_DRBG.

At the time, Dual_EC_DRBG was the default random number generator in RSA's BSAFE and Data Protection Manager programs. Early this year, Juniper Networks also removed the NSA-developed number generator from its NetScreen line of firewalls after researchers determined it was one of two backdoors allowing attackers to surreptitiously decrypt VPN traffic. In contrast to 1,024-bit keys, keys with a trapdoored prime of 2,048 bits take 16 million times longer to crack, or about 6.4 × 10^9 core-years, compared with the 400 core-years it took for the researchers to crack their trapdoored 1,024-bit prime. While even the 6.4 × 10^9 core-year threshold is considered too low by most security experts, the researchers—from the University of Pennsylvania and France's National Institute for Research in Computer Science and Control at the University of Lorraine—said their research still underscores the importance of retiring 1,024-bit keys as soon as possible. "The discrete logarithm computation for our backdoored prime was only feasible because of the 1,024-bit size, and the most effective protection against any backdoor of this type has always been to use key sizes for which any computation is infeasible," they wrote in a research paper published last week. "NIST recommended transitioning away from 1,024-bit key sizes for DSA, RSA, and Diffie-Hellman in 2010. Unfortunately, such key sizes remain in wide use in practice." In addition to using sizes of 2,048 bits or bigger, the researchers said, keys must also be generated in a way that holders can verify the randomness of the underlying primes. One way to do this is to generate primes where most of the bits come from what cryptographers call "a 'nothing up my sleeve' number such as pi or e." Another method is for standardized primes to include the seed values used to ensure their randomness.
Sadly, such verifications are missing from a wide range of regularly used 1,024-bit primes. While the Federal Information Processing Standards imposed on US government agencies and contractors recommend publishing the seed along with the primes generated from it, the recommendation is marked as optional. The only widely used primes the researchers have seen come with such assurances are those generated using the Oakley key determination protocol, the negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS version 1.3, and the Java Development Kit. Cracking crypto keys most often involves the use of what's known as the number field sieve algorithm to solve, depending on the key type, either its discrete logarithm or factorization problem.

To date, the largest prime known to have had its discrete logarithm problem solved was 768 bits in length, a result from last year.

The feat took about 5,000 core years.

By contrast, solving the discrete logarithm problem for the researchers' 1,024-bit key with the trapdoored prime required about a tenth of that computation.

"More distressing"

Since the early 1990s, researchers have known that certain composite integers are especially susceptible to being factored by NFS.

They also know that primes with certain properties allow for easier computation of discrete logarithms.

This special set of primes can be broken much more quickly than regular primes using NFS.

For some 25 years, researchers believed the trapdoored primes weren't a threat because they were easy to spot.

The new research provided novel insights into the special number field sieve that proved these assumptions wrong. Heninger wrote: The condition for being able to use the faster form of the algorithm (the "special" in the special number field sieve) is that the prime has a particular property.

For some primes that's easy to see, for example if a prime is very close to a power of 2. We found some implementations using primes like this, which are clearly vulnerable. We did discrete log computations for a couple of them, described in Section 6.2 of the paper. But there are also primes for which this is impossible to detect. (Or, more precisely, would be as much work to detect as it is to just do the discrete log computation the hard way.) This is more distressing, since there's no way for any user to tell that a prime someone gives them has this special property or not, since it just looks like a large prime. We discuss in the paper how to construct primes that have this special property but the property is undetectable unless you know the trapdoor secret. It's possible to give assurance that a prime does not contain a trapdoor like this. One way is to generate primes where most of the bits come from a "nothing up my sleeve" number like e or pi.
Some standards do this.

Another way is to give the seeds used for a verifiable random generation algorithm.

With the current batch of existing 1,024-bit primes already well past their, well, prime, the time has come to retire them to make way for 2,048-bit or even 4,096-bit replacements.

Those 1,024-bit primes that can't be verified as truly random should be viewed with special suspicion and banished from accepted standards as soon as possible.
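The seeded, verifiable prime generation the researchers call for, as an added Python example that is not from their paper or any standard: SEED is a constructed value standing in for a published seed or a "nothing up my sleeve" constant, and the SHA-256 counter-mode expansion is an assumed construction, not the one any RFC uses.

```python
"""Verifiable prime generation from a public seed.

A party that publishes (seed, counter) alongside a prime p lets anyone redo the
candidate search and confirm that p was the first prime the seed produced,
so the generator had no freedom to plant hidden structure in it.
"""
import hashlib
import random
from typing import Tuple

# Constructed seed for this example. A real standard would derive it from a
# "nothing up my sleeve" constant (digits of pi or e) or publish it with p.
SEED = b"example-dh-group-seed-v1"

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; false-positive rate at most 4**-rounds."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def candidate_from_seed(seed: bytes, counter: int, bits: int) -> int:
    """Expand seed||counter with SHA-256 in counter mode into a `bits`-bit
    odd integer with its top bit set. Every bit except the two forced ones
    comes from the hash output, so the generator cannot choose them."""
    stream = b""
    block = 0
    while len(stream) * 8 < bits:
        stream += hashlib.sha256(seed + counter.to_bytes(4, "big")
                                 + block.to_bytes(4, "big")).digest()
        block += 1
    x = int.from_bytes(stream, "big") >> (len(stream) * 8 - bits)
    return x | (1 << (bits - 1)) | 1


def generate_verifiable_prime(seed: bytes, bits: int) -> Tuple[int, int]:
    """Return (p, counter): the first seeded candidate that is probably prime."""
    counter = 0
    while True:
        cand = candidate_from_seed(seed, counter, bits)
        if is_probable_prime(cand):
            return cand, counter
        counter += 1


def verify_prime_provenance(seed: bytes, bits: int, counter: int, p: int) -> bool:
    """What a verifier does with the published (seed, counter, p): check that p
    is prime, that the seed really produces p at that counter, and that no
    earlier counter already yielded a prime (which would mean the generator
    cherry-picked among several candidates)."""
    if p.bit_length() != bits or not is_probable_prime(p):
        return False
    if candidate_from_seed(seed, counter, bits) != p:
        return False
    return not any(is_probable_prime(candidate_from_seed(seed, c, bits))
                   for c in range(counter))


if __name__ == "__main__":
    p, ctr = generate_verifiable_prime(SEED, 256)
    print(f"counter={ctr} p={p:#x}")
    print("provenance verifies:", verify_prime_provenance(SEED, 256, ctr, p))
```

Production parameters would use 2,048 bits or more and a generation procedure fixed by the standard itself; the point shown is that the verifier needs nothing but the public seed and counter.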

Welcome to the machine—Yahoo mail scanning exposes another US spy tool

Imagine a futuristic society in which robots are deployed to everybody's house, fulfilling a mission to scan the inside of each and every residence.

Does that mental image look far-off and futuristic? Well, this week's Yahoo e-mail surveillance revelations perhaps prove this intrusive robot scenario has already arrived in the digital world. Days ago, Reuters cited anonymous sources and reported that Yahoo covertly built a secret "custom software program to search all of its customers' incoming e-mails for specific information." Yahoo, the report noted, "complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI." Reuters then followed up, saying Yahoo acted at the behest of the secret Foreign Intelligence Surveillance Court. Not to be outdone, The New York Times reported Yahoo used its system designed to scan for child pornography and spam to search for messages containing an undisclosed "signature." The Times said a FISA judge found probable cause to believe that this digital signature "was uniquely used by a foreign power." The scanning has ceased, the report noted, but neither of the news agencies said how long the search lasted and when it began. Yahoo denies how the reports portrayed its assistance, saying they are "misleading." Other tech companies have denied participating in such surveillance as it was outlined in those reports. At its most basic level, this newly surfaced tool exposes another US digital surveillance program.
It differs from so-called "upstream" spying in which the authorities tap directly into the Internet backbone and scan for certain search terms—a spying program with diminishing returns as more and more data on the Internet has become encrypted.

This Yahoo situation is also different from the Prism program, where the authorities acquire customer data from tech companies matching chosen search selectors. In this latest bit of spying to come to light, it still hasn't been revealed whether the Yahoo e-mail scanning was of e-mail metadata—like the headers—or of a message's content. Many, including NSA whistleblower Edward Snowden, believe content was being scanned.

And if it was content, that would make the latest program perhaps even more aggressive than the US bulk collection of telephone metadata Snowden exposed. That metadata includes the phone numbers of both parties in a call, calling card numbers, the length and time of the calls, and the international mobile subscriber identity (IMSI) number for mobile callers. The NSA had kept a running database of this information, but now the telcos keep it and allow the government to query it in terror investigations on an as-needed basis.

The Fourth Amendment does not apply to these searches. To be sure, a great deal of information can be gleaned from this metadata—but, obviously, scanning content of e-mail is an even greater privacy intrusion. In the most extreme sense, the Yahoo revelation highlights a new tool in the quiver of US spies. When metadata queries and e-mail scanning combine, such tools provide enormous precedent for wanton, science-fiction-like spying by machines on humans, according to Jennifer Granick, the civil liberties director at the Center for Internet and Society at Stanford Law School. "They're saying we can spy on everybody.
It doesn't count as spying unless you’re guilty," she told Ars.

The Yahoo disclosure, she added, "It's part of a constellation of tools, each with its own intelligence benefits and each with its own privacy and security safeguards, and lack of safeguards." Kurt Opsahl, the deputy executive director of the Electronic Frontier Foundation, said the Reuters and The New York Times stories underscore the vulnerability of our online communications to US spies. "We know that the telephone metadata program was all the providers, for all the customers, for all of the time, local, long distance, and international call(s)," he said in an e-mail. "While the Yahoo program is broader, because it scans content, we have yet to find the scope of the Yahoo program—whether it is limited to Yahoo, whether it is time limited, etc.

They are both egregious, but we don't know the full scope of Yahoo to assess." Snowden took to Twitter and said if Yahoo "repurposed" its child-porn and spam scanning system as stated by The New York Times, the scan was likely "content." That would make it an unprecedented search, issued by a single search warrant, of content affecting millions of people's Yahoo accounts. While some (even Snowden) suggest the scanning could be a hunt for malware the government was seeking to capture, the search nevertheless raises substantial Fourth Amendment privacy questions in the digital age. Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice, suggested that the precedent set here has scary, real-world privacy implications outside the online world.
If a judge can authorize a single probable cause warrant to allow a bot to scan hundreds of millions of e-mails, then a judge presumably could order the same surveillance by a non-human robot in the real world. "It's sort of the equivalent of sending a robot to everyone’s home to look for a piece of evidence. You can say it’s not a person, but it's a computer. Would that be OK?" Goitein said to Ars. "In order to find a murder weapon, they sent a robot in every house in this country to look for it.

That's kinda like what we're talking about here." Robert S. Litt, the general counsel for the US Office of the Director of National Intelligence, explains the government's thinking when it comes to non-human spying on humans.
In the April edition of the Yale Law Journal, he wrote that if scanning is not done by a human, then no harm, no foul: Similarly, in the hypothetical Internet case, if the government electronically scans electronic communications, even the content of those communications, to identify those that it is lawfully entitled to collect, and no one ever sees a non-responsive communication, or even knows that it exists, where is the actual harm? Indeed, while I am no expert, I believe that this scanning is similar to what private companies and government agencies already do on their networks for the purposes of identifying and stopping malware. In both of these situations, while government computers may electronically touch information about you contained in a digital database, the government actually knows nothing more about you than it did before—unless and until it has a valid purpose for learning that information.

Fourth Amendment analysis should be based on that reality, rather than on hypotheticals. Richard Kolko, a spokesman for the Office of the Director of National Intelligence, would not address the Yahoo scanning.

But in a statement, he said, "Under FISA, activity is narrowly focused on specific foreign intelligence targets and does not involve bulk collection or use generic keywords or phrases.

The United States only uses signals intelligence for national security purposes, and not for the purpose of indiscriminately reviewing the e-mails or phone calls of ordinary people."

New cloud attack takes full control of virtual machines with little...

The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory.
It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment. Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips.

The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker.
In effect, Rowhammer was more a glitch than an exploit. Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui.
It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.

"Surprisingly practical and effective"

"Prior work has demonstrated that co-hosted VMs can spy on each other to a certain extent (e.g. cryptographic keys can be leaked), but this attack is fundamentally more damaging and the first of its kind," Ben Gras, one of the Vrije Universiteit Amsterdam researchers who devised the technique, told Ars. "We can reliably corrupt the memory of a target VM in a highly precise and controlled way.
Scientifically, this is our contribution—we show for the first time it is possible to effect this seemingly random corruption on data anywhere in the software stack in a highly precise and controlled way." The research team, which also included a member from Belgium's Katholieke Universiteit Leuven, went on to show how an attacker VM can use Flip Feng Shui to compromise RSA cryptography keys stored on another VM hosted in the same cloud environment.
In one experiment, the attacker VM compromised the key used to authenticate secure shell access, a feat that allowed the VM to gain unauthorized access to the target.
In a separate experiment, the attacker VM compromised the GPG key used by developers of the Ubuntu operating system to verify the authenticity of updates. With the compromised GPG key, the attacker VM was able to force the target to download and install a malicious update. The key compromises work by obtaining the target's public key in advance, a requirement that's generally not a problem because public keys don't reveal the secrets contained in their corresponding private key.

The attacker VM then uses what the researchers call Deduplication Flip Feng Shui to induce a bit flip in a specific part of the public key.

The flip, in turn, creates a new public key that's weak enough to be factored so that attackers can derive the corresponding private key.
In other words, the Rowhammer attack tricks the target VM into accepting a new public key.

And because the attackers know the corresponding private key, they gain unauthorized SSH access and can sign malicious Ubuntu updates. "We find that, while [Deduplication Flip Feng Shui] is surprisingly practical and effective, existing cryptographic software is wholly unequipped to counter it, given that 'bit flipping is not part of their threat model,'" the researchers wrote in a recently published research paper titled "Flip Feng Shui: Hammering a Needle in the Software Stack." "Our end-to-end attacks completely compromise widespread cryptographic primitives, allowing an attacker to gain full control over the victim VM," the researchers wrote. The experiment attempted the bit flipping hack only against RSA keys, but Gras, the Vrije Universiteit Amsterdam researcher, said he expects it to work against keys or parameters based in the Digital Signature Algorithm, Diffie-Hellman, Elliptic Curve Cryptography, and Elliptic Curve Diffie-Hellman crypto systems as well.
Such exploits would allow attackers not only to gain unauthorized access but also to eavesdrop on legitimate sessions.

Flip Feng Shui was first presented three weeks ago at the 25th Usenix Security Symposium and will be featured again in November at the Black Hat security conference in London.

For the attacks to work, the cloud hosting the VMs must have deduplication enabled so that physical pages are shared between customers. The researchers relied on the deduplication features available in the Kernel-based Virtual Machine (KVM) and Kernel Samepage Merging (KSM) functions that are included in Linux, but the researchers believe the technique will work on other operating systems that also provide deduplication.

And of course, the memory chips used by the host must be vulnerable to Rowhammer attacks, a requirement that's met by 110 out of 129 DDR3 models and eight out of 12 DDR4 varieties tested. Lastly, the prototype attack relied on a Linux setting known as transparent huge pages to make the attack simpler and faster, but the researchers said it would work even if the setting wasn't enabled.

The researchers have laid out a variety of hardware and software approaches that can help defend against Flip Feng Shui attacks.

The hardware solutions included subjecting DRAM chips to extensive Rowhammer testing, relying on memory with error-correcting codes, and exploring a newer protection known as directed row refresh that's implemented in certain types of DDR4 chips. Software mitigations include disabling memory deduplication.

Beyond that, developers and engineers should consider taking additional precautions, such as checking security-sensitive information for integrity immediately before it's used to make sure it hasn't been subjected to bit flips.
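The "check it immediately before use" precaution above is easy to state and easy to get wrong in practice: the check has to happen at the point where the data influences a trust decision, not once at load time. The following is an added example of that pattern (it is not code from the Flip Feng Shui paper, nor from OpenSSH, GnuPG or Ubuntu). It wraps a public-key blob with a SHA-256 digest taken when the blob was loaded, re-verifies that digest on every use, and models a single-bit memory fault to show the corrupted key being refused. The key bytes are constructed for the demonstration, not a real key.

```python
"""Point-of-use integrity check for security-sensitive data in memory.

Added example; models the mitigation of re-verifying key material right
before it is used, so a bit that changed while the data sat in DRAM is
caught before it can authorize anything.
"""
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when guarded data no longer matches the digest taken at load time."""


class GuardedBlob:
    """Holds a byte string (e.g. an authorized_keys entry or a GPG public key)
    together with a SHA-256 digest computed when it was loaded from its
    trusted source. Every use re-hashes the live copy and compares it with
    the stored digest; any mismatch fails closed."""

    def __init__(self, data: bytes):
        # bytearray only so the demo can inject a fault; a real implementation
        # would keep the data immutable.
        self._data = bytearray(data)
        self._digest = hashlib.sha256(data).digest()

    def intact(self) -> bool:
        """True if the live bytes still hash to the load-time digest."""
        live = hashlib.sha256(self._data).digest()
        return hmac.compare_digest(live, self._digest)

    def use(self) -> bytes:
        """Return the data for use, refusing if it changed since loading."""
        if not self.intact():
            raise IntegrityError("guarded data changed since it was loaded")
        return bytes(self._data)

    def simulate_bit_flip(self, bit_index: int) -> None:
        """Demo-only: invert one bit of the live copy, as a hardware fault would."""
        self._data[bit_index // 8] ^= 1 << (bit_index % 8)


# Constructed stand-in for public-key material (256 bytes, deterministic).
# A real value would be the modulus/exponent bytes read from a keyring.
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(256))


def corruption_detected(bit_index: int) -> bool:
    """Load the sample key, flip one bit after loading, and report whether
    the point-of-use check refuses the corrupted key."""
    guarded = GuardedBlob(SAMPLE_KEY)
    if guarded.use() != SAMPLE_KEY:          # a clean load must pass
        return False
    guarded.simulate_bit_flip(bit_index)     # fault injected while "in memory"
    try:
        guarded.use()
    except IntegrityError:
        return True
    return False


if __name__ == "__main__":
    for bit in (0, 777, 2047):
        print(f"bit {bit:4d} flipped -> refused: {corruption_detected(bit)}")
```

The stored digest lives in the same DRAM as the key and could be hit by a flip too, but a flip in either copy produces a mismatch, so the check still fails closed; the cost is a false refusal rather than a silently accepted key. Where the reference digest can be re-read from storage or kept in ECC-protected memory, as the hardware measures above suggest, that residual risk shrinks further.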

The research paper lays out the defenses in much greater detail. "Our attacks allow an attacker to completely compromise co-hosted cloud VMs with relatively little effort," the researchers warn at the conclusion of their paper. "Even more worryingly, we believe Flip Feng Shui can be used in several more forms and applications pervasively in the software stack, urging the systems security community to devote immediate attention to this emerging threat." Post updated to correct the explanation of the key compromise in the sixth-to-last paragraph.

The Best Encryption Software of 2016

Businesses, websites, and government agencies that store your personal data have a duty to protect that data from hackers. Not that even the best practices and security software can keep the hackers out—they always find a way in.

But if the data is properly encrypted, stealing it doesn't do the hacker much good. You can up your security game by encrypting sensitive data on your own desktop and laptop computers. We've rounded up a collection of products to help you with that project.

This isn't an exhaustive list, and we will update this story with additional products in the future.

No Back Doors

When the FBI needed information from the San Bernardino shooter's iPhone, they asked Apple for a back door to get past the encryption. But no such back door existed, and Apple refused to create one. The FBI had to hire hackers to get into the phone. Why wouldn't Apple help? Because the moment a back door or similar hack exists, it becomes a target, a prize for the bad guys. It will leak sooner or later.

In a talk at Black Hat, Apple's Ivan Krstic revealed that the company has done something similar with its cryptographic servers: once the fleet of servers is up and running, they physically destroy the keys that would permit modification. Apple can't update them, but the bad guys can't get in either. All of the products in this roundup explicitly state that they have no back door, and that's as it should be. It does mean that if you encrypt an essential document and then forget the encryption password, you've lost it for good.

Two Main Approaches

Back in the day, if you wanted to keep a document secret you could use a cipher to encrypt it and then burn the original. Or you could lock it up in a safe.

The two main approaches in encryption utilities parallel these options. One type of product simply processes files and folders, turning them into impenetrable encrypted versions of themselves. The other creates a virtual disk drive that, when open, acts like any other drive on your system. When you lock the virtual drive, all of the files you put into it are completely inaccessible.

Similar to the virtual drive solution, some products store your encrypted data in the cloud. This approach requires extreme care, obviously. Encrypted data in the cloud has a much bigger attack surface than encrypted data on your own PC.

Which is better? It really depends on how you plan to use encryption.
If you're not sure, take advantage of the 30-day free trial offered by all of these products to get a feel for the different options.

Secure Those Originals

After you copy a file into secure storage, or create an encrypted version of it, you absolutely need to wipe the unencrypted original. Just deleting it isn't sufficient, even if you bypass the Recycle Bin, because the data still exists on disk, and data recovery utilities can often get it back. Some encryption products avoid this problem by encrypting the file in place, literally overwriting it on disk with an encrypted version. It's more common, though, to offer secure deletion as an option. If you choose a product that lacks this feature, you should find a free secure deletion tool to use along with it.

Overwriting data before deletion is sufficient to balk software-based recovery tools. Hardware-based forensic recovery works because the magnetic recording of data on a hard drive isn't actually digital. It's more of a wave form. In simple terms, the process involves nulling out the known data and reading around the edges of what's left.
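What a secure-deletion tool does under the hood is the overwrite-before-unlink step just described. The following is an added example of that step, not code from any product in this roundup: it rewrites every byte of the file with random data for a configurable number of passes, syncs each pass to the device so the writes leave the page cache, and only then removes the file. The `secure_delete` and `demo` names and the throwaway file contents are constructed for the example.

```python
"""Overwrite a file in place before unlinking it.

Added example of the secure-deletion step. Opens the file read/write
without truncation so the existing on-disk blocks are the ones rewritten.
"""
import os
import tempfile


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite the file at `path` with random bytes `passes` times, then
    remove it. Returns the file's original size in bytes."""
    size = os.path.getsize(path)
    chunk = 64 * 1024
    # "r+b" keeps the file's existing blocks; "wb" would truncate and could
    # leave the old data untouched elsewhere on the disk.
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                data = os.urandom(min(chunk, remaining))
                written = 0
                while written < len(data):          # raw writes may be partial
                    written += f.write(data[written:])
                remaining -= len(data)
            os.fsync(f.fileno())   # push this pass to the device, not just the cache
    os.remove(path)
    return size


def demo(passes: int = 3):
    """Create a throwaway file with constructed 'sensitive' content, securely
    delete it, and return (bytes overwritten per pass, file still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SECRET DOCUMENT " * 256)   # 4096 bytes, constructed content
    size = secure_delete(path, passes=passes)
    return size, os.path.exists(path)


if __name__ == "__main__":
    size, exists = demo()
    print(f"overwrote {size} bytes per pass; file still present: {exists}")
```

One caveat a practitioner would add: overwriting in place only works when the device really writes in place. SSDs with wear levelling and copy-on-write or journaling filesystems may keep the old blocks elsewhere, which is why full-disk encryption, rather than per-file wiping, is the more dependable answer on such systems.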
If you really think someone (the feds?) might use this technique to recover your incriminating files, you can set your secure deletion tool to make more passes overwriting the data.

Encryption Algorithms

An encryption algorithm is like a black box.

Dump a document, image, or other file into it, and you get back what seems like gibberish. Run that gibberish back through the box, with the same password, and you get back the original. The U.S. government has settled on Advanced Encryption Standard (AES) as a standard, and all of the products gathered here support AES.

Even those that support other algorithms tend to recommend using AES. If you're an encryption expert, you may prefer another algorithm, Blowfish, perhaps, or the Soviet government's GOST.

For the average user, however, AES is just fine.

Public Key Cryptography and Sharing

Passwords are important, and you have to keep them secret, right? Well, not when you use Public Key Infrastructure (PKI) cryptography. With PKI, you get two keys. One is public; you can share it with anyone, register it in a key exchange, tattoo it on your forehead—whatever you like. The other is private, and should be closely guarded. If I want to send you a secret document, I simply encrypt it with your public key. When you receive it, your private key decrypts it. Simple!

Using this system in reverse, you can create a digital signature that proves your document came from you and hasn't been modified. How? Just encrypt it with your private key.
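Both uses of the key pair described above can be seen end to end with textbook RSA. The following is an added example, not code from AxCrypt or any product in this roundup: it generates a small, constructed key pair from two Mersenne primes, encrypts a short message with the public key so that only the private key recovers it, and then runs the system "in reverse", applying the private key to the document's hash so that anyone holding the public key can confirm the document is unmodified. Real software uses keys of 2048 bits or more plus padding schemes (OAEP for encryption, PSS for signatures); raw RSA as shown here is for understanding, not for protecting data.

```python
"""Textbook RSA: public-key encryption and private-key signing.

Added example with a constructed key. Python 3.8+ (uses pow(e, -1, m)).
"""
import hashlib

# Constructed key: the Mersenne primes 2^31-1 and 2^61-1. Far too small for
# real use, but large enough to hold a short message and keep the steps visible.
P = (1 << 31) - 1
Q = (1 << 61) - 1
E = 65537


def keygen(p: int = P, q: int = Q, e: int = E):
    """Return (public, private) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: inverse of e mod phi(n)
    return (n, e), (n, d)


def encrypt_bytes(pub, message: bytes) -> int:
    """Encrypt with the recipient's public key; only the private key decrypts."""
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key; real tools encrypt a "
                         "symmetric key this way and the file with AES")
    return pow(m, e, n)


def decrypt_bytes(priv, ciphertext: int) -> bytes:
    """Recover the message with the private key."""
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(priv, document: bytes) -> int:
    """'Encrypt with the private key': in practice the document's hash is
    what gets transformed, so the signature is short and fixed-size."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(document).digest(), "big") % n
    return pow(h, d, n)


def verify(pub, document: bytes, signature: int) -> bool:
    """The public key undoes the private-key operation; if the result matches
    the hash of the document we hold, it is unmodified and came from the
    private key's owner."""
    n, e = pub
    h = int.from_bytes(hashlib.sha256(document).digest(), "big") % n
    return pow(signature, e, n) == h


if __name__ == "__main__":
    pub, priv = keygen()
    doc = b"Meet at 9"                      # constructed sample document
    c = encrypt_bytes(pub, doc)
    print("decrypted:", decrypt_bytes(priv, c))
    sig = sign(priv, doc)
    print("genuine verifies:", verify(pub, doc, sig))
    print("altered verifies:", verify(pub, b"Meet at 8", sig))
```

The altered-document check is the point of the signature: a one-character change gives a different hash, so the public-key check no longer matches and the recipient knows the file was modified or did not come from the claimed sender.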

The fact that your public key decrypts it is all the proof you need.

PKI support is less common than support for traditional symmetric algorithms. If you want to share a file with someone and your encryption tool doesn't support PKI, there are other options for sharing. Many products allow creation of a self-decrypting executable file. You may also find that the recipient can use a free, decryption-only tool.

What's the Best?

Right now there are two Editors' Choice products in the consumer-accessible encryption field. One is the easiest to use of the bunch, the other is the most secure. AxCrypt Premium has a sleek, modern look, and when it's active you'll hardly notice it.

Files in its Secured Folders get encrypted automatically when you sign out, and it's one of the few that support public key cryptography.

CertainSafe Digital Safety Deposit Box goes through a multi-stage security handshake that authenticates you to the site and authenticates the site to you. Your files are encrypted, split into chunks, and tokenized. Then each chunk gets stored on a different server.

A hacker who breached one server would get nothing useful. The other products here also have their merits, of course. Read the full reviews and decide which one you'll use to protect your files. Have an opinion on one of the apps reviewed here, or a favorite tool we didn't mention? Let us know in the comments.