Penn Computing

Sunday, January 22, 2017

 

DRAFT RECOMMENDATIONS

Encryption

The Problem

  • Portable devices like laptops and thumb drives can be lost or stolen. If they contain sensitive data such as SSNs, bank account numbers, or electronic patient health information, they should be encrypted to avoid fines and criminal misuse.
  • E-mail offers little or no privacy, making it a bad medium for confidential communications. To share sensitive data, either use Secure Share or send an encrypted attachment (see below).

Encrypting Laptops and Thumb Drives

  1. Ensure you have a good backup.
  2. Encrypt:

Sharing Files with Sensitive Data

  • Using Web App: Secure Share is a service that can be useful to transfer files securely between individuals affiliated with Penn when other mechanisms (e.g. secure, shared file servers) aren't available.
  • Using Email: Another option (especially for sharing information with individuals outside of Penn) is to put the sensitive data in a document, encrypt it, and send it in email:
    1. Put the sensitive data into a document using Microsoft Word/Excel 2007 or later.
    2. Select Save As > Tools > General Options > Password to open.
    3. Set an unguessable password:
      • Like this: CebCavuts9 or NutellaToastMelonBun
      • Not this: W3Lc0me123 (attackers use guessing tools that trivially make substitutions like 3 for e, etc.)
    4. Call the recipient and tell them the password.
    5. NOTE: Setting a Password to modify is optional. However, using only this password is NOT strong enough to protect the document. You must set a Password to open in order to encrypt the document securely.

    Alternatively, use WinZip rather than Microsoft Office in the preceding directions.

  • Using PGP: Further information is available here for Local Support Providers (LSPs) who wish to consider using PGP.
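
Step 3 of the e-mail procedure above says that substitutions like 3 for e do not make a password unguessable. The following is an added example, not part of Penn's guidance or tooling, showing how a password check can undo such substitutions before comparing against a word list; the word list and substitution table are small constructed samples.

```python
# Added example: the word list and substitution table below are constructed
# samples (assumptions); a real check would load a large dictionary or a
# breached-password list instead.
COMMON_WORDS = {"welcome", "password", "letmein", "qwerty", "admin", "spring"}

# Substitutions that guessing tools reverse automatically: 0->o, 1->l, 3->e, ...
LEET = str.maketrans("013457@$!", "oleastasi")


def candidates(password):
    """Yield the base words a guessing tool would effectively be trying.

    The password is lowercased, then a trailing run of digits/symbols is
    dropped one character at a time, and substitutions are undone on what
    remains. This covers both "hell0" (substitution at the end) and
    "W3Lc0me123" (substitutions plus an appended number).
    """
    s = password.lower()
    end = len(s)
    while True:
        yield s[:end].translate(LEET)
        if end == 0 or s[end - 1].isalpha():
            break
        end -= 1


def is_guessable(password, words=COMMON_WORDS):
    """True if the password reduces to a single common word."""
    return any(c in words for c in candidates(password))


if __name__ == "__main__":
    # The three sample passwords are the ones quoted in step 3 above.
    for pw in ("W3Lc0me123", "CebCavuts9", "NutellaToastMelonBun"):
        verdict = "reject" if is_guessable(pw) else "no dictionary match"
        print(f"{pw}: {verdict}")
```

A "no dictionary match" result only means the password is not a disguised common word; it is not a measure of strength on its own.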

Technical Footnotes

TechRepublic published an analysis that stated "Office 2007 uses AES (Advanced Encryption Standard) with a 128-bit key and SHA-1 hashing. For stronger protection, you can increase the key length to 256 bits by editing the registry or using Group Policy. This improves the security of password-protected files, especially when long, complex passwords are used."

The sales page for AOPR password recovery software from Elcomsoft states "With computation-intensive encryption used in latest versions of Microsoft Office [referring to Office 2007+], password recovery tools relying solely on computer's CPU are no longer able to provide reasonable recovery times." This assumes the user sets an unguessable password, of course.

The Wikipedia AES article states "As for now, there are no known practical attacks that would allow anyone to read correctly implemented AES encrypted data."

Various versions of Microsoft's "Enhanced Cryptographic Provider (RSAENH)" and "Cryptographic Primitives Library (bcrypt.dll)" are listed on NIST's FIPS 140-1 and 140-2 validated cryptographic modules page as being validated to 140-2. Versions of Office prior to 2007 apparently used a compatibility mode by default that subverted the strong encryption that was available.

Starting with version 18.5, WinZip Enterprise can be configured to operate in a FIPS 140-2 compliant way. Otherwise, WinZip provides what they say is "FIPS 197 certified" AES encryption although it is not listed on the NIST site. It's possible that in 18.5 Enterprise, they link with platform-specific NIST-certified libraries.

Last updated: Thursday, December 10, 2015


Information Systems and Computing
University of Pennsylvania