DOCSLIB.ORG

Encrypting Stored Data

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Encrypting Stored Data Encrypting stored data Tuomas Aura CS-C3130 Information security Aalto University, autumn 2019 Outline 1. Scenarios for data encryption Simple application of cryptography — and a good example of how 2. File encryption difficult it is to build a secure 3. Encrypting file system EFS system 4. Full disk encryption: BitLocker 5. Data recovery Acknowledgement: These slides are partly based on Microsoft material This lecture uses Windows as a case study. 2 Data encryption ▪ Scenarios: – lost and stolen laptop computers – stolen servers – decommissioning hard disks → Risk of disclosure of confidential data ▪ The obvious solution: encrypt data on disk However: Security often conflicts with usability, reliability and deployability. System design and implementation may have weaknesses 3 Scenarios for data encryption ▪ Lost and stolen laptops – Contain confidential data and access credentials ▪ Physically compromised servers – Contain business secrets, customer data and PII – Unauthorized insiders have physical access ▪ Decommissioned hard disks – Secure decommissioning is expensive – Hardware recycling is typically done in the cheapest and fastest way: no time for secure disk wipe – Old PCs from the US are (were?) shipped to Asia and Africa for recycling 4 FILE ENCRYPTION Simple file encryption 1. User enters 1 passphrase ***** ** 2. Passphrase hashed to produce a key SHA-256 or PBKDF2 2 3. File encrypted with the key – E.g. AES in CBC mode – Integrity check with HMAC or AES-GCM d70f3 Our 619a plan 209b 3 is.… ▪ Examples: crypt(1), gpg, openssl % gpg --output ciphertext.gpg --symmetric plaintext.doc Enter passphrase: 6 Limitations of file encryption ▪ User action needed, and users are lazy ▪ Passphrase can be brute-forced ▪ After encryption, what happens to the old plaintext file? ▪ Software creates temporary files and backup copies – Unencrypted file versions and data fragments may be left on disk ▪ Automation (scripting) is difficult. How to store passphrase? ▪ Incompatibility with advanced services: – Search and indexing – Cloud storage and synchronization Wiping files ▪ Deleting a file marks the space free but does not erase data ▪ Overwriting a file does not always erase the old contents – Unpredictable file system behavior: backups, version history, RAID, copy on write, journal, bad blocks etc. – Solid-state disks (SSD) avoid rewriting the same blocks 8 Wiping files ▪ Overwriting all / free disk space – Must write pseudorandom data, not just zeros or ones – Should read and verify after write Windows: – Erases most data, but no 100% guarantee cipher.exe /W D:\ – Magnetic data remanence still possible ▪ Physical destruction – Heating magnetic medium above its Curie temperature – Grinding disks to powder (SSD fragments may retain data) 9 ENCRYPTING FILE SYSTEM Windows encrypting file system (EFS) ▪ Encryption is a file attribute in NTFS ▪ Enable encryption for a folder → new files encrypted from start ▪ Files can be read when the user is logged in ▪ Encryption and decryption are transparent to applications 11 *) DPAPI = Data Protection API Windows User Username name: EFS key hierarchy 1 Password: ********* Log on to: Domain OK Cancel Shut Down... Options << 1. User logs in with password PBKDF2 2. Hashed to produce key key 2 3. Used to decrypt User’s Master Key 3 User’s DPAPI* Master Key User profile 4. Used to decrypt User’s Private EFS Key 4 User’s Private EFS Key User profile 5. Used to decrypt RSA File Encryption Key $EFS alternate 5 FEK (FEK) data stream Plaintext 6. Used to encrypt 6 file d70f3 Encrypted Our on write and 619a2 File plan 09b15 decrypt on read is.… AES or 3DES 12 EFS ANALYSIS EFS limitations: partial protection ▪ Encrypts contents of specific files and folders ▪ Some data is not encrypted: – Folder and file names – Temp folder, earlier unencrypted file versions, printer spool – Registry, system files and logs – Page file can be encrypted but requires policy configuration ▪ When encrypting plaintext files, the original file is not wiped: always create files in an encrypted folder ▪ Hibernation file may store decryption keys: disable hibernation 14 EFS limitations: attacks ▪ Password cracking is a danger ▪ Key logger or hidden camera can capture user password ▪ Malware can steal EFS data when the user is logged in ▪ Attacker with access to hardware can compromise the OS and install a root kit or key logger, or configure a malicious data recovery agent (DRA) Note that these problems do not apply to lost or stolen laptops EFS limitations: usability ▪ Requires care from user – User must understand what data is encrypted and when – User of a non-domain computer must backup keys or risk data loss – Security depends on a strong password ▪ User login credentials (password) needed for decryption – System cannot index files when user logs out – Backups contain encrypted files (do keep your old EFS recovery keys!) ▪ Transparent decryption can cause surprises – Data decrypted when moved or copied to FAT or transferred over network 16 EFS and password cracking ▪ EFS security depends on the secrecy of the user password ▪ Password hashes are stored in a database on the disk ▪ Password are vulnerable to brute-force attacks – NT hash and older LM hash use no salt and are especially vulnerable (Rainbow tables ,Hellman1980, Oechslin03) ▪ Attacker can boot to another OS, extract the password hashes from the hard disk and crack the user password – User or admin password reset does not give access to encrypted files (why?) ▪ EFS supports smart cards as a login method ▪ Q: Do EFS and Windows Hello work together? FULL DISK ENCRYPTION: BITLOCKER 18 Full disk encryption ▪ Entire disk is encrypted: protects all information on disk – Easier to use correctly than EFS ▪ Password, key, or physical token required to boot or to mount disk; thereafter transparent – Usability and reliability issues? – Requires user/admin to be present at boot time ▪ In software-based products, password must be strong enough to resist brute-force cracking 19 Trusted platform module ▪ Trusted platform module (TPM) is a smart-card-like tamperproof module on the motherboard or integrated in the CPU ▪ Stores cryptographic keys – Protects keys against both software and hardware attacks – Key cannot be stolen, but can it be misused? ▪ Accumulates platform measurements in platform configuration registers (PCR) – Used to check software integrity during the boot process Sealing data with TPM ▪ TPM operations: – TMP_Seal: encrypt data in any platform configuration – TPM_Unseal: decrypt the data, but only if the platform configuration has not changed ▪ When unsealing, the TPM compares current PCR values to ones saved when sealing – TPM refuses to reveal the decryption key if the PCR values are different 21 Software authentication with TPM ▪ Measuring platform configuration: – Each software module computes hash of the next module and extends the hash into a platform configuration register (PCR) in TPM – Then transfers control to the next module ▪ PCRs contain a cumulative fingerprint (hashes) of all software loaded during the boot process ▪ Originally designed as a DRM feature: – Decrypt music only for untampered OS and media player – Another use for TPM and platform measurements is attestation i.e. proving host integrity to another host across the Internet 22 Windows BitLocker ▪ Full-volume encryption in Windows ▪ Principle: Seal the symmetric encryption key with TPM; store the sealed key on the disk; unseal the key when booting ▪ TPM detects tampering of system software – TPM checks the PCR values before unsealing – Trusted boot: can boot to Linux, but Linux cannot unseal the Windows partition ▪ Design goal: laptop thief has to attack the TPM hardware 23 BitLocker partitions Windows partition contains: Volume metadata with MAC Encrypted OS Encrypted page file Encrypted temp files Encrypted data Encrypted hibernation file Encrypted 1.5 GB Windows Boot partition partition Boot partition contains: MBR OS loader Boot utilities BitLocker key hierarchy 1 Storage Root Key (SRK) inside TPM 2 Volume Master Key (VMK) Encrypted keys in volume metadata 3 Full Volume Encryption Key (FVEK) d70f3 Encrypted data 4 and 619a2 bring Plaintext data 09b15 milk … Individual disk blocks are encrypted on write and Separate VMK/FVEK adds flexibility — how? decrypted on read. Extra Algorithms and key sizes material ▪ Storage root key (SRK) is a 2048-bit RSA key ▪ Volume master key (VMK) is a 256-bit symmetric key ▪ Full volume encrypt key (FVEK) is a 128 or 256-bit symmetric key ▪ Disk sectors encrypted with AES in CBC or XTS mode – Initialization vector (IV) derived from sector number (no space for storing a random IV in each disk block) ▪ No integrity check on data – Adding a MAC would increase the data size Measured boot with TPM PCRs on TPM OS loader OS S-CRTF UEFI e.g. Windows Boot (Windows) Manager Master Boot Volume Boot CRTM BIOS Record (MRB) Record e.g. NTFS OS loader OS Boot Sector ▪ Each component in the boot process measures i.e. computes hash of the next component Extra Which PCR values are used for sealing? material *PCR 00: CRTM, BIOS and Platform Extensions (PCR 01: Platform and Motherboard Configuration and Data) *PCR 02: Option ROM Code (PCR 03: Option ROM Configuration and Data) *PCR 04: Master Boot Record (MBR) Code (PCR 05: Master Boot Record (MBR) Partition Table) (PCR 06: State Transitions and Wake Events) (PCR 07: Computer-Manufacturer Specific) *PCR 08: NTFS Boot Sector *PCR 09: NTFS Boot Block *PCR 10: Boot Manager *PCR 11: BitLocker Critical Components ▪ If any of the
Load more

Recommended publications
  • Basic Cryptography
    Basic cryptography • How cryptography works... • Symmetric cryptography... • Public key cryptography... • Online Resources... • Printed Resources... I VP R 1 © Copyright 2002-2007 Haim Levkowitz How cryptography works • Plaintext • Ciphertext • Cryptographic algorithm • Key Decryption Key Algorithm Plaintext Ciphertext Encryption I VP R 2 © Copyright 2002-2007 Haim Levkowitz Simple cryptosystem ... ! ABCDEFGHIJKLMNOPQRSTUVWXYZ ! DEFGHIJKLMNOPQRSTUVWXYZABC • Caesar Cipher • Simple substitution cipher • ROT-13 • rotate by half the alphabet • A => N B => O I VP R 3 © Copyright 2002-2007 Haim Levkowitz Keys cryptosystems … • keys and keyspace ... • secret-key and public-key ... • key management ... • strength of key systems ... I VP R 4 © Copyright 2002-2007 Haim Levkowitz Keys and keyspace … • ROT: key is N • Brute force: 25 values of N • IDEA (international data encryption algorithm) in PGP: 2128 numeric keys • 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years I VP R 5 © Copyright 2002-2007 Haim Levkowitz Symmetric cryptography • DES • Triple DES, DESX, GDES, RDES • RC2, RC4, RC5 • IDEA Key • Blowfish Plaintext Encryption Ciphertext Decryption Plaintext Sender Recipient I VP R 6 © Copyright 2002-2007 Haim Levkowitz DES • Data Encryption Standard • US NIST (‘70s) • 56-bit key • Good then • Not enough now (cracked June 1997) • Discrete blocks of 64 bits • Often w/ CBC (cipherblock chaining) • Each blocks encr. depends on contents of previous => detect missing block I VP R 7 © Copyright 2002-2007 Haim Levkowitz Triple DES, DESX,
    [Show full text]
  • NTFS • Windows Reinstallation – Bypass ACL • Administrators Privilege – Bypass Ownership
    Windows Encrypting File System Motivation • Laptops are very integrated in enterprises… • Stolen/lost computers loaded with confidential/business data • Data Privacy Issues • Offline Access – Bypass NTFS • Windows reinstallation – Bypass ACL • Administrators privilege – Bypass Ownership www.winitor.com 01 March 2010 Windows Encrypting File System Mechanism • Principle • A random - unique - symmetric key encrypts the data • An asymmetric key encrypts the symmetric key used to encrypt the data • Combination of two algorithms • Use their strengths • Minimize their weaknesses • Results • Increased performance • Increased security Asymetric Symetric Data www.winitor.com 01 March 2010 Windows Encrypting File System Characteristics • Confortable • Applying encryption is just a matter of assigning a file attribute www.winitor.com 01 March 2010 Windows Encrypting File System Characteristics • Transparent • Integrated into the operating system • Transparent to (valid) users/applications Application Win32 Crypto Engine NTFS EFS &.[ßl}d.,*.c§4 $5%2=h#<.. www.winitor.com 01 March 2010 Windows Encrypting File System Characteristics • Flexible • Supported at different scopes • File, Directory, Drive (Vista?) • Files can be shared between any number of users • Files can be stored anywhere • local, remote, WebDav • Files can be offline • Secure • Encryption and Decryption occur in kernel mode • Keys are never paged • Usage of standardized cryptography services www.winitor.com 01 March 2010 Windows Encrypting File System Availibility • At the GUI, the availibility
    [Show full text]
  • Active @ UNDELETE Users Guide | TOC | 2
    Active @ UNDELETE Users Guide | TOC | 2 Contents Legal Statement..................................................................................................4 Active@ UNDELETE Overview............................................................................. 5 Getting Started with Active@ UNDELETE........................................................... 6 Active@ UNDELETE Views And Windows......................................................................................6 Recovery Explorer View.................................................................................................... 7 Logical Drive Scan Result View.......................................................................................... 7 Physical Device Scan View................................................................................................ 8 Search Results View........................................................................................................10 Application Log...............................................................................................................11 Welcome View................................................................................................................11 Using Active@ UNDELETE Overview................................................................. 13 Recover deleted Files and Folders.............................................................................................. 14 Scan a Volume (Logical Drive) for deleted files..................................................................15
    [Show full text]
  • Block Ciphers and the Data Encryption Standard
    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
    [Show full text]
  • 1 Perfect Secrecy of the One-Time Pad
    1 Perfect secrecy of the one-time pad In this section, we make more a more precise analysis of the security of the one-time pad. First, we need to define conditional probability. Let’s consider an example. We know that if it rains Saturday, then there is a reasonable chance that it will rain on Sunday. To make this more precise, we want to compute the probability that it rains on Sunday, given that it rains on Saturday. So we restrict our attention to only those situations where it rains on Saturday and count how often this happens over several years. Then we count how often it rains on both Saturday and Sunday. The ratio gives an estimate of the desired probability. If we call A the event that it rains on Saturday and B the event that it rains on Sunday, then the intersection A ∩ B is when it rains on both days. The conditional probability of A given B is defined to be P (A ∩ B) P (B | A)= , P (A) where P (A) denotes the probability of the event A. This formula can be used to define the conditional probability of one event given another for any two events A and B that have probabilities (we implicitly assume throughout this discussion that any probability that occurs in a denominator has nonzero probability). Events A and B are independent if P (A ∩ B)= P (A) P (B). For example, if Alice flips a fair coin, let A be the event that the coin ends up Heads. If Bob rolls a fair six-sided die, let B be the event that he rolls a 3.
    [Show full text]
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA
    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
    [Show full text]
  • The 2006 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market
    Journal of Digital Forensics, Security and Law Volume 1 Number 3 Article 2 2006 The 2006 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market Andy Jones Security Research Center, British Telecommunicationsand Edith Cowan University Craig Valli Edith Cowan University Iain Sutherland University of Glamorgan Paula Thomas University of Glamorgan Follow this and additional works at: https://commons.erau.edu/jdfsl Part of the Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, and the Information Security Commons Recommended Citation Jones, Andy; Valli, Craig; Sutherland, Iain; and Thomas, Paula (2006) "The 2006 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market," Journal of Digital Forensics, Security and Law: Vol. 1 : No. 3 , Article 2. DOI: https://doi.org/10.15394/jdfsl.2006.1008 Available at: https://commons.erau.edu/jdfsl/vol1/iss3/2 This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of (c)ADFSL Scholarly Commons. For more information, please contact [email protected]. Journal of Digital Forensics, Security and Law, Vol. 1(3) The 2006 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market Andy Jones Security Research Center, British Telecommunications and Edith Cowan University [email protected] Phone: +44 1473 646133 Fax: +44 1473 644385 Craig Valli Edith Cowan University Iain Sutherland University of Glamorgan Paula Thomas University of Glamorgan ABSTRACT All organisations, whether in the public or private sector, use computers for the storage and processing of information relating to their business or services, their employees and their customers.
    [Show full text]
  • Copyrighted Material
    Index Note to the Reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations. IUSR_computername account, 274–275 Numbers disabling, 61 mapping certificates to, 283–286 3DES, 125–126, 416, 494 user accounts, configuring for 802.1x standard (IEEE), 181–184, 494 delegation, 46 authentication for, 182 ACEs (Access Control Entries) combining VPNs with, 190 authentication for clients, 494 802.11a standard (IEEE), 494 in Discretionary Access Control List, 7 vs. 802.11b, 170 Active Directory (AD), 3, 494 802.11b standard (IEEE), 494 assigning GPO to container in, 28 for certificate store, 404 Configuration container for certificate templates, 360 A mapping certificates to accounts, 283–286 Access Control Entries (ACEs), 494 in mixed mode, 324 in Discretionary Access Control List, 7 publishing certificates through, 404–409 Access Control List (ACL), 494 in child domain, 406–409 Access Control Settings dialog box, 16 from standalone online CA, 404–406 Auditing tab, 16, 440 to view published certificates and CRLs, “Access Is Denied” error message, 420 358–359 access point, 494. See also wireless access Active Directory domain controller point (WAP) client security to traffic, 226–229 access token, 260, 494 testing, 227–229 account lockout policy, in security Active Directory domains templates, 9 Properties dialog box, General tab, 228 account logon events, tracking, 15, 445 trust relationships, 271–273, 272 account management events, tracking, 15, Active Directory object, auditing, 18 445–446 Active Directory Properties dialog box, 228 Account Policies Active Directory Sites and Services (ADSS), security template configuration, 12, 5, 494 12–14, 13 configuration, 407–408 in security templates, 9 Active Directory Users and Computers (ADUC), accountability trail, 14 COPYRIGHTED5, MATERIAL494 accounts Active Server Pages (ASP), SUS and, 111 Administrator account, renaming, 55, 56 AD.
    [Show full text]
  • Jim Allchin on Longhorn, Winfs, 64-Bit and Beyond Page 34 Jim
    0805red_cover.v5 7/19/05 2:57 PM Page 1 4 Scripting Solutions to Simplify Your Life Page 28 AUGUST 2005 WWW.REDMONDMAG.COM MrMr WindowsWindows Jim Allchin on Longhorn, WinFS, 64-Bit and Beyond Page 34 > $5.95 05 • AUGUST Make Room for Linux Apps Page 43 25274 867 27 Active Directory Design Disasters Page 49 71 Project1 6/16/05 12:36 PM Page 1 Exchange Server stores & PSTs driving you crazy? Only $399 for 50 mailboxes; $1499 for unlimited mailboxes! Archive all mail to SQL and save 80% storage space! Email archiving solution for internal and external email Download your FREE trial from www.gfi.com/rma Project1 6/16/05 12:37 PM Page 2 Get your FREE trial version of GFI MailArchiver for Exchange today! GFI MailArchiver for Exchange is an easy-to-use email archiving solution that enables you to archive all internal and external mail into a single SQL database. Now you can provide users with easy, centralized access to past email via a web-based search interface and easily fulfill regulatory requirements (such as the Sarbanes-Oxley Act). GFI MailArchiver leverages the journaling feature of Exchange Server 2000/2003, providing unparalleled scalability and reliability at a competitive cost. GFI MailArchiver for Exchange features Provide end-users with a single web-based location in which to search all their past email Increase Exchange performance and ease backup and restoration End PST hell by storing email in SQL format Significantly reduce storage requirements for email by up to 80% Comply with Sarbanes-Oxley, SEC and other regulations.
    [Show full text]
  • Encrypting File System
    SVEUČILIŠTE U ZAGREBU FAKULTET ELEKTROTEHNIKE I RAČUNARSTVA Seminarski rad iz kolegija „Računalna forenzika“ Encrypting File System Luka Škorić Zagreb, siječanj, 2018. Sadržaj 1. Uvod ................................................................................................................................................ 1 2. NTFS............................................................................................................................................... 2 3. Karakteristike Encrypting File System-a ................................................................................... 4 3.1. Enkripcijski algoritmi ............................................................................................................. 5 3.2. Način rada .............................................................................................................................. 6 3.3. Nedostatci EFS-a .................................................................................................................. 8 4. Zaključak ...................................................................................................................................... 10 5. Literatura ...................................................................................................................................... 11 1. Uvod Enkripcija tvrdog diska predstavlja proces zaštite podataka pretvaranjem podataka u nečitki kod, što kao cilj ima zaštitu istih podataka od nedozvoljenog pristupa. Filesystem - level encryption, često nazvan i file/folder
    [Show full text]
  • How Blancco Helps Mobile Resellers & Recyclers Achieve Compliance
    How Blancco Helps Mobile Resellers & Recyclers Achieve Compliance with the R2 Standard Mobile resellers and recyclers must comply with several standards and certifications before reselling, remarketing or recycling their devices. Following these rules helps mobile organizations ensure that they are protected from potential data remanence that could expose sensitive information. One of the most prominent certifications is called R2. The latest version of the Standard is the R2:2013. Each provision of the R2 Standard is designed to help ensure the transparency, quality, social and environmental responsibility of R2 Certified electronics facilities such as mobile resellers and recyclers. R2:2013 was developed through a transparent multi-stakeholder process, consistent with ANSI essential requirements. R2 undergoes consistent review to advance the requirements in-line with the needs of the industry. Blancco Mobile Diagnostics & Erasure solutions supply mobile resellers around the globe a certified process so that they can meet (and even exceed) the R2 standard for device testing and data sanitization. Blancco solutions exceed the requirements presented in the Standard, with verification and certification of each data erasure. This ensures that data does not remain on mobile devices following processing and prior to moving into the secondary market via reverse/forward logistics. Section of the Standard How Blancco Helps 1. Tested and Full Functions, R2/Ready for Reuse Blancco Mobile Solutions enables mobile resellers and retailers to (A) “Use effective test methods to confirm that all functions quickly and accurately find the source of mobile device issues and for equipment and components are working properly resolve them. and ready for reuse, including properly configured with appropriate legally licensed software where required for operation of equipment and components, and device specific drivers within the product’s hardware…” 2.
    [Show full text]
  • Chapter 2 the Data Encryption Standard (DES)
    Chapter 2 The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmet- ric or secret key cryptography and asymmetric or public key cryptography. Symmet- ric key cryptography is the oldest type whereas asymmetric cryptography is only being used publicly since the late 1970’s1. Asymmetric cryptography was a major milestone in the search for a perfect encryption scheme. Secret key cryptography goes back to at least Egyptian times and is of concern here. It involves the use of only one key which is used for both encryption and decryption (hence the use of the term symmetric). Figure 2.1 depicts this idea. It is necessary for security purposes that the secret key never be revealed. Secret Key (K) Secret Key (K) ? ? - - - - Plaintext (P ) E{P,K} Ciphertext (C) D{C,K} Plaintext (P ) Figure 2.1: Secret key encryption. To accomplish encryption, most secret key algorithms use two main techniques known as substitution and permutation. Substitution is simply a mapping of one value to another whereas permutation is a reordering of the bit positions for each of the inputs. These techniques are used a number of times in iterations called rounds. Generally, the more rounds there are, the more secure the algorithm. A non-linearity is also introduced into the encryption so that decryption will be computationally infeasible2 without the secret key. This is achieved with the use of S-boxes which are basically non-linear substitution tables where either the output is smaller than the input or vice versa. 1It is claimed by some that government agencies knew about asymmetric cryptography before this.
    [Show full text]