Encryption software is software that uses cryptography to prevent unauthorized access to digital information. [1] [2] Cryptography is used to protect digital information on computers as well as the digital information that is sent to other computers over the Internet. [3]
There are many software products which provide encryption. Software encryption uses a cipher to obscure the content into ciphertext. One way to classify this type of software is the type of cipher used. Ciphers can be divided into two categories: public key ciphers (also known as asymmetric ciphers), and symmetric key ciphers. [4] Encryption software can be based on either public key or symmetric key encryption.
Another way to classify software encryption is to categorize its purpose. Using this approach, software encryption may be classified into software which encrypts "data in transit" and software which encrypts "data at rest". Data in transit generally uses public key ciphers, and data at rest generally uses symmetric key ciphers.
Symmetric key ciphers can be further divided into stream ciphers and block ciphers. Stream ciphers typically encrypt plaintext a bit or byte at a time, and are most commonly used to encrypt real-time communications, such as audio and video information. The key is used to establish the initial state of a keystream generator, and the output of that generator is used to encrypt the plaintext. Block cipher algorithms split the plaintext into fixed-size blocks and encrypt one block at a time. For example, AES processes 16-byte blocks, while its predecessor DES encrypted blocks of eight bytes.
There is also a well-known case where PKI is used for data in transit of data at rest.
Data in transit is data that is being sent over a computer network. When the data is between two endpoints, any confidential information may be vulnerable. The payload (confidential information) can be encrypted to secure its confidentiality, as well as its integrity and validity. [5]
Often, the data in transit is between two entities that do not know each other - such as in the case of visiting a website. As establishing a relationship and securely sharing an encryption key to secure the information that will be exchanged, a set of roles, policies, and procedures to accomplish this has been developed; it is known as the public key infrastructure, or PKI. Once PKI has established a secure connection, a symmetric key can be shared between endpoints. A symmetric key is preferred over the private and public keys as a symmetric cipher is much more efficient (uses fewer CPU cycles) than an asymmetric cipher. [6] [7] There are several methods for encrypting data in transit, such as IPsec, SCP, SFTP, SSH, OpenPGP and HTTPS.
Data at rest refers to data that has been saved to persistent storage. Data at rest is generally encrypted by a symmetric key.
Encryption may be applied at different layers in the storage stack. For example, encryption can be configured at the disk layer, on a subset of a disk called a partition, on a volume, which is a combination of disks or partitions, at the layer of a file system, or within user space applications such as database or other applications that run on the host operating system.
With full disk encryption, the entire disk is encrypted (except for the bits necessary to boot or access the disk when not using an unencrypted boot/preboot partition). [8] As disks can be partitioned into multiple partitions, partition encryption can be used to encrypt individual disk partitions. [9] Volumes, created by combining two or more partitions, can be encrypted using volume encryption. [10] File systems, also composed of one or more partitions, can be encrypted using filesystem-level encryption. Directories are referred to as encrypted when the files within the directory are encrypted. [11] [12] File encryption encrypts a single file. Database encryption acts on the data to be stored, accepting unencrypted information and writing that information to persistent storage only after it has encrypted the data. Device-level encryption, a somewhat vague term that includes encryption-capable tape drives, can be used to offload the encryption tasks from the CPU.
When there is a need to securely transmit data at rest, without the ability to create a secure connection, user space tools have been developed that support this need. These tools rely upon the receiver publishing their public key, and the sender being able to obtain that public key. The sender is then able to create a symmetric key to encrypt the information, and then use the receiver's public key to securely protect the transmission of the information and the symmetric key. This allows secure transmission of information from one party to another. [ citation needed ]
The performance of encryption software is measured relative to the speed of the CPU. Thus, cycles per byte (sometimes abbreviated cpb), a unit indicating the number of clock cycles a microprocessor will need per byte of data processed, is the usual unit of measurement. [13] Cycles per byte serve as a partial indicator of real-world performance in cryptographic functions. [14] Applications may offer their own encryption called native encryption, including databases applications such as Microsoft SQL, Oracle, and MongoDB, and commonly rely on direct usage of CPU cycles for performance. This often impacts the desirability of encryption in businesses seeking greater security and ease of satisfying compliance by impacting the speed and scale of how data within organizations through to their partners. [15]
In cryptography, a cipher is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, "cipher" is synonymous with "code", as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.
In cryptography, encryption is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Despite its goal, encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.
In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext. Ciphertext is not to be confused with codetext because the latter is a result of a code, not a cipher.
Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.
The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
CipherSaber is a simple symmetric encryption protocol based on the RC4 stream cipher. Its goals are both technical and political: it gives reasonably strong protection of message confidentiality, yet it's designed to be simple enough that even novice programmers can memorize the algorithm and implement it from scratch. According to the designer, a CipherSaber version in the QBASIC programming language takes just sixteen lines of code. Its political aspect is that because it's so simple, it can be reimplemented anywhere at any time, and so it provides a way for users to communicate privately even if government or other controls make distribution of normal cryptographic software completely impossible.
In cryptography and steganography, plausibly deniable encryption describes encryption techniques where the existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that the plaintext data exists.
Multiple encryption is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm. It is also known as cascade encryption, cascade ciphering, multiple encryption, and superencipherment. Superencryption refers to the outer-level encryption of a multiple encryption.
Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.
EncFS is a Free (LGPL) FUSE-based cryptographic filesystem. It transparently encrypts files, using an arbitrary directory as storage for the encrypted files.
Institute of Electrical and Electronics Engineers (IEEE) standardization project for encryption of stored data, but more generically refers to the Security in Storage Working Group (SISWG), which includes a family of standards for protection of stored data and for the corresponding cryptographic key management.
Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.
Filesystem-level encryption, often called file-based encryption, FBE, or file/folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself.
Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.
There are various implementations of the Advanced Encryption Standard, also known as Rijndael.
Datain use is an information technology term referring to active data which is stored in a non-persistent digital state typically in computer random-access memory (RAM), CPU caches, or CPU registers.
Crypto-shredding is the practice of 'deleting' data by deliberately deleting or overwriting the encryption keys. This requires that the data have been encrypted. Data may be considered to exist in three states: data at rest, data in transit and data in use. General data security principles, such as in the CIA triad of confidentiality, integrity, and availability, require that all three states must be adequately protected.