Page 48 – Encryption Consulting

What is a TLS/SSL Port?

Within the network, constant communication is always happening while using computer systems and software. There must be various components for this communication mechanism to function. A telephone, for example, requires a sender, a receiver, and a signal to connect the two ports. They contain unique numerical addresses that allow the system to determine where the information is transmitted.

These ports are configured to guide traffic to the appropriate destinations; in other words, they are the assistants that instruct systems engaged in determining which service is being sought. Services vary from unencrypted HTTP web traffic on port 80 to FTP on port 21, which transports data and files between servers and clients.

There are 65,535 ports, although not all of them are used daily. On the other hand, the TLS/SSL port is one of the most regularly used ports and is almost certainly utilized daily. So, what port does TLS/SSL use? The TLS/SSL port is 443, HTTPS, and employs TLS/SSL certificates to safeguard port communications. HTTP is the unsecure protocol port (port 80).

What are the most often used TCP ports?

Managing TLS/SSL certificates necessitates a thorough understanding of security and network connectivity. Knowing some of the most frequent TCP (or transmission control protocol) ports may be important.

For your convenience, we’ve created a list of these popular TCP ports and their functions.

Unsecured port numbers with their function:

80, HTTP
21, FTP
119, NNTP
389, LDAP
143, IMAP
110, POP3

Secured port numbers with their function:

443, HTTPS
990, FTPS
563, NNTPS
636, LDAPS
993, IMAPS
995, POP3S

What Is the Purpose of Port 443?

As previously stated, TLS/SSL certificates secure port 443 communications. The primary role of TLS/SSL certificates is to protect information so that online traffic or cybercriminals cannot access it. This is why many businesses choose HTTPS over HTTP to safeguard their data from being exposed or compromised while it is being transferred and received.

SSL vs. TLS and HTTP vs. HTTPS: How do they function together?

SSL vs. TLS

SSL certificates are a defunct word for what is now known as TLS certificates. They fundamentally provide identical security duties, yet many individuals continue to use the word SSL while others use TLS. It’s vital to keep in mind that they aren’t different, which is why certificates are commonly referred to as TLS/SSL, so that people understand that they are not different.

HTTP vs. HTTPS

HTTP and HTTPS are not two distinct protocols. Rather, HTTPS is a specialized form of HTTP that employs TLS/SSL certificates. HTTPS is thus simply a safer version of HTTP that is safer to use while transferring data.

How do they function together?

The default network will begin with HTTP. To protect your network, you must install a TLS/SSL certificate on the web server that you are using. After that, the certificate will confirm your organization’s identity in order to launch the HTTPS protocol. This ensures that data is safely sent from a web server to a web browser.

Why are SSL ports necessary?

You may be asking why your network server needs an SSL port over other ports and internet connection techniques. TLS/SSL certificates will be your most dependable ticket to secure data transport. While safety is paramount, there are a few additional factors to consider:

PCI compliance requires the use of HTTPS:

In order to accept any form of online payment, you must be PCI compliant. This will also protect both your data and the information of your customers.
HTTPS is faster than HTTP

If you have a TLS/SSL certificate-protected page that is HTTPS, your information will most likely load significantly faster than it would on an HTTP website.
Cybercrime

With more businesses, consumers, and internet hackers utilizing the internet on a daily basis, it’s reasonable to assume that security is more important than ever. Using an SSL certificate port to secure your organization is one of the finest preventative actions you can do when it comes to cyber security.

Managing TLS/SSL Certificates

Keeping your apps safe frequently boils down to good TLS certificate management. The use of TLS/SSL certificates is a critical initial step. However, many businesses overlook the need to safeguard their systems against compromise and misuse.

Is Quantum Computing a threat to Cyber Security?

Quantum computers analyze enormous data sets and execute complex computations significantly faster than traditional computers. Google constructed a quantum computer in 2019 that could calculate in 3 minutes and 20 seconds. Still, regular supercomputers would have taken 10,000 years to solve the identical calculation, proving quantum edge or quantum supremacy.

While quantum computing is still in its early stages, upheavals in various areas, including cybersecurity, may occur much sooner than you think. The impact of quantum computing on cybersecurity is tremendous and game-changing.

Quantum computing shows significant promise in various fields, including weather forecasting, artificial intelligence, medical research, etc. However, it poses a substantial threat to cybersecurity, necessitating a shift in how we secure our data.

While quantum computers cannot currently break most of our present types of encryptions, we must immediately keep ahead of the risk and develop quantum-proof solutions. It will be too late if we wait till those powerful quantum computers begin breaking our encryption.

An additional reason to act now

Regardless of when commercially available quantum computers will emerge, the potential of malicious actors harvesting data is another reason to quantum-proof data now. They are already grabbing data and storing it until they can obtain a quantum computer to decipher it.

The data will have already been compromised at that point. The only way to maintain information security, particularly information that must be kept indefinitely, is to protect it today via quantum-safe key transmission.

Quantum Threat to Cybersecurity

Quantum computers will be capable of solving issues that traditional computers are incapable of solving. This involves deciphering the algorithms underlying the encryption keys that safeguard our data and the Internet’s infrastructure.

The encryption used nowadays is largely built on mathematical calculations that would take far too long to decipher on today’s machines. Scientists have been working on constructing quantum computers that can factor progressively bigger numbers since then. Consider two large integers and multiply them together to simplify this. It’s simple to calculate the product, but it’s considerably more difficult to start with a huge number and divide it into its two prime numbers. However, a quantum computer can readily factor those numbers and break the code.

Peter Shor created a quantum method (aptly titled Shor’s algorithm) that can factor in big numbers far faster than a traditional computer.

Today’s RSA encryption is extensively used for transferring critical data over the Internet and is based on 2048-bit numbers. Experts believe that breaking that encryption would require a quantum computer with up to 70 million qubits. The largest quantum computer available today is IBM’s 53-qubit quantum computer, so it may be long before that encryption to be broken.

As the speed of quantum research continues to accelerate, such a computer cannot be developed within the next 3-5 years.

For example, Google and Sweden’s KTH Royal Institute of Technology discovered “a more efficient technique for quantum computers to do the code-breaking calculations, decreasing required resources by orders of magnitude” earlier this year. Their research, featured in the MIT Technology Review, proved that a 20 million-qubit computer could break a 2048-bit number in about 8 hours. However, given the rapid speed of quantum research, such a computer cannot be developed within 3-5 years. That means that continued advances like this will keep pushing the timescale forward.

It’s worth mentioning that perishable sensitive data isn’t the major concern when it comes to the quantum encryption issue. The more serious concern is the susceptibility of information that must remain secret indefinitely, such as banking data, privacy data, national security-level data, etc. Those are the secrets that need to be protected by quantum-proof encryption right now.

Adapting Cybersecurity to Respond to the Threat

Researchers have been working hard to produce “quantum-safe” encryption in recent years. There are many unanswered problems in quantum computing, and scientists are working hard to find answers.

However, one thing is certain about the influence of quantum computing on cybersecurity: it will represent a danger to cybersecurity and current types of encryptions. To mitigate that threat, we must change how we secure our data and begin doing it now.

We must handle the quantum threat the same way we approach other security vulnerabilities: by adopting a defense-in-depth strategy that includes many layers of quantum-safe protection. Security-conscious enterprises recognize the need for crypto agility.

They are looking for crypto-diverse solutions, such as those provided by Encryption Consulting LLC, quantum-safe their encryption now and quantum-ready for tomorrow’s challenges.

Practical Key Management in Banking

Today we’re going to be looking at Practical Key Management as it applies to the banking industry. Transactions taking place online obviously have a great need for efficient protection, there’s many ways to approach this need. We’ll be going over different encryption methods, a practical use case of banking encryption, and analysis on what types of encryptions are most useful in this subject.

Some major challenges of symmetric cryptography

A major problem is the more users you have that require access to the secret key, the more difficult key management becomes. Some ancillary processes may be required for multiple clients to be able to access the same keys.

Symmetric keys also don’t have metadata inherently attached to themselves, so they are vulnerable to expiration. Therefore, a Key Life Cycle Management System can be implemented to automatically rotate expired keys out of the cycle. Furthermore, if one symmetric key is compromised, it makes all users vulnerable – therefore symmetric keys require protection.

The Hardware Security Module (HSM) is a highly advanced and secure storage device specifically for keys. At the end of the key lifecycle, the key must be retired, and a new key must replace it.

Symmetric versus asymmetric cryptography

Symmetric algorithms are very old in concept and revolve around the idea of the same key being used to encrypt and decrypt the information, this can prove useful for speed. However, it is more vulnerable than a newer type of encryption that uses a public and private key for encryption and decryption respectively. This type of encryption, called Asymmetric Encryption, has proved its superiority in security and is now widely implemented to this day.

So why use symmetric encryption at all if asymmetric encryption is more secure? It would be like driving a tank to work instead of a car, sometimes the extra protection can slow you down too much. For differing use cases, such as banking, symmetric algorithms can provide an advantage in making sure the encryption process is done as fast as possible.

How much slower would the world move if internet transactions were several times slower than they are now? How much more expensive would it be to maintain these systems with slower, more complicated algorithms? Hence the need for symmetric encryption.

Asymmetric encryption shines with its uses in digital signing or blockchains, for instance, where absolute data security is paramount. With digital signing, the use of both a public and private key means the identity of the signer of the data can easily be known.

The signer uses their private key for encryption, while the recipient verifies their identity with their public key. As only the public key of the signer can decrypt data encrypted with the signer’s private key, the identity of the signer is verified when the data is decrypted.

Asymmetric encryption algorithms are widely used for protecting online communications nowadays where complex key handling challenges are present. Public Key Infrastructure (PKI) is a major framework that is based on asymmetric encryption. Using HSMs and Key Lifecycle Management, tedious tasks are automated to make it easier to facilitate high availability operations and encryption standard compliance.

How does the symmetric scheme work

Symmetric encryption security devices are highly advanced and secure, but not always the easiest to use. Here’s an example of how a device would work. If two devices need to make a connection, there are three different key types involved:

Master Key is Highly protected and long-term key used to decrypt other keysKey Encryption Key (KEK) – used to encrypt keys, also highly protected
Session Key is Randomly generated number that ensures an uncompromised connection between the two devices
The Master key and KEKs must be updated from time to time, most devices have on board programming that checks key integrity automatically, so this process is made easier. KEKs should always be installed manually by a key custodian or automatically though a preconfigured Key Management System process.

The decryption process is as follows:

The devices make a session key using an RNG (random number generator)
A small amount of data is encrypted on the session key
Encrypts the session key with the KEK
Sends the encrypted data to the recipient device
Destroys session keys
After a certain amount of input data, steps 1-4 are followed for the sake of key variety

However, there are many practical problems arising in this scenario:

How long can master keys be kept secret? How often do they require rotation?
KEKs also must be rotated periodically, what policies govern them?
Every communication link between the two subscribers must use a KEK. How do you ensure availability when many subscribers must be serviced?

Conclusion

Key management can be a complicated process but is important to manage well for the sake of high availability and security, especially with customers and company assets being protected through these encryptions. Both Asymmetric and Symmetric encryption algorithms have their advantages and disadvantages, which makes either type effective depending on the use case. It is important to understand their differences when considering encryption for banking purposes. After breaking down the symmetric encryption process, it becomes an obvious choice for practical key management for banking use cases.

The efficient and secure delivery of keys and certificates, protected by their respective cryptographic standards, is what enables us to conduct our banking business. The integrity and speed information transfer process must be held to the highest priority. At Encryption Consulting, we provide guidance on this framework through education and evaluation to achieve even greater efficiency and security, make sure to check out our blogs and education center for more resources on these topics.

TikTok Data Privacy Settlement

In February, TikTok agreed to pay $92 million to resolve a class-action privacy lawsuit.

The plaintiffs claim TikTok obtained biometric data illegally, mined user information from unpublished draughts, and improperly shared data with third firms such as Google and Facebook.

What Happened Next?

TikTok has agreed to resolve a class-action lawsuit over the collection and use of personal data from TikTok users. This agreement was reached because of 21 lawsuits, a few of which were filed on behalf of minors, and it affects about 89 million TikTok users.

TikTok rejected all the charges made in the complaints but agreed to a $92 million settlement for affected users. “While we disagree with the statements, rather than engaging in prolonged litigation, we’d like to focus our efforts on creating a safe and pleasant experience for the TikTok community,” TikTok said in February after reaching a deal.

So, what aspects of personal information and data privacy did TikTok violate? We can’t be sure because the lawsuit was settled out of court. However, based on the charges and TikTok’s settlement, we can detect possible and likely privacy violations.

The Personal Data Problem

The plaintiffs claim TikTok obtained biometric data illegally, mined user information from unpublished draughts, and inappropriately shared data with third-party firms such as Google and Facebook.

TikTok is accused of using face recognition to obtain a competitive edge over other social media apps. According to the lawsuit, facial recognition was utilized to assess personal information like as age, gender, and race in order to recommend content.

The Illinois Biometric Information Privacy Act granted Illinois residents the opportunity to sue TikTok for utilizing their biometric information without their permission.

The suit claimed that the app mined information from drafted and unposted films and that the user’s personal data was being improperly provided to third parties.

TikTok apparently made improvements as part of the deal to avoid the lawsuit going to trial. They will erase some data; however, whether this data is unpublished draughts or biometrics is unknown.

TikTok has also stated that it will no longer gather biometric data, track user location, harvest information from user-created content, or store US citizens’ data outside the US. All of this, however, may be rectified if its privacy policies are openly published.

The Settlement

Although a $92 million settlement may appear considerable, if applied to all impacted consumers, those in the nationwide subclass would receive a compensation of $0.96 due to attorney fees.

On the other hand, Illinois residents will earn more (up to $5.75 if every eligible person files a claim). Even if only 20% of users claim a portion of the settlement, customers nationwide may only earn $4.79.

An app notice notified Eligible users of the TikTok Data Privacy Notice of Settlement. These specifics can still be seen on the TikTok data privacy settlement website.

Even though TikTok has not agreed to any privacy violations, this settlement has resulted in TikTok entering into new agreements to protect users’ personal data and biometric data.

Many individuals are concerned about TikTok’s suspected use of personal data because they were previously ignorant of the app’s privacy concerns. While the social media behemoth was able to resolve these allegations out of court, the case demonstrates customers’ growing awareness of privacy concerns.

How to fix the SSL Handshake Failed error?

SSL (Secure Sockets Layer) Handshake Failed error occurs when a secure connection fails to be established between a server and a client.

The term “SSL handshake” may appear enigmatic or out of context for those unfamiliar with the technology. If you’re in such a situation and need to figure out why this issue is appearing on your PC, keep reading until the end.

In this article, we will not only define an SSL handshake but also look at why this mistake occurs and what you can do to correct it.

What is an SSL Handshake?

The SSL handshake includes algorithm agreement, certificate exchange, and key exchange utilizing the shared algorithm. So, the ‘SSL handshake’ is the name given to a carefully developed method that aids in the encryption of client-server communication using cryptographic keys.

These keys are exchanged between the client and the server using one of two mutually agreed-upon shared algorithms. If an issue occurs during this process, the ‘SSL handshake failed’ error appears.

What causes the ‘SSL handshake failed’ error?

When two endpoints (server and client) fail to establish a secure connection, an SSL handshake error, also known as error 525, occurs. This can be caused by a variety of difficulties, either on the server or on the client side. If you’re seeing this error, don’t worry; no matter what’s causing it, we’ll help you fix it in no time.

Let us now look at potential solutions to the SSL handshake problem.

How to Fix the “SSL Handshake Failed” Error?

Check the time and date on your system

Before you try any other solution for your SSL handshake error, we strongly advise you to check your system’s date and time. As ridiculous as it may appear, this works for most folks who encounter this type of problem. So, don’t underestimate the power of your system’s date and time settings, which may be incorrect for various reasons.

It could be incorrect owing to carelessness, a software error caused by malware, or just because you are connecting to a server in another time zone using a VPN. If you are using a VPN, it is advised that you set the date and time to the server’s time zone. This relates to the server’s location’s date and time rather than your physical location.

Windows users can reset the date and time as follows:
- Click on the ‘Windows’ option.
- Enter ‘Date and Time Settings’ and select the appropriate option.
- Toggle the ‘set time automatically’ button to set the time automatically.
- If you are using a VPN or need to set the time for any other reason manually, use the ‘Set the date and time manually’ option.
On a Mac, the same thing can be done by going to ‘Menu’ and then ‘System Preferences.’ Similar settings are available for all other operating systems.
Update your web browser

You must always keep your operating system and programs up to date. Many issues, including the ‘SSL handshake failed’ error, can be avoided simply by doing this.

Chrome users can verify this by opening the browser and clicking on the three vertical dots in the top-right corner. Next, select ‘More Tools’, and if your Chrome browser requires an update, you may find it here. If you don’t, it simply indicates that your Chrome browser is up to date.
Deactivate any newly installed plugins or extensions

Most browser plugins and extensions are created by unknown people and may include harmful malware. If you recently installed one of those and are getting the SSL handshake issue, try deleting it and clearing your cache and cookies. After that, reconnect to the same website to see whether you can create a secure connection.

Chrome users can delete the addon by following the procedures below:
- Select the three vertical dots in the upper-right corner.
- Select ‘Settings.’
- Choose ‘Extensions.’
- Select the extension you just installed and click Remove.
Protocol Mismatch

Many users encounter the SSL handshake problem because of protocol incompatibility between the server and the client. Essentially, there are several versions of the SSL/TLS protocol available, and for a successful handshake, the web server and browser must support the same version.

The SSL handshake problem frequently appears when the server is running a protocol version significantly greater than the client machine.

For example, if the server utilizes TLS 1.3 but the browser supports TLS 1.1, the SSL handshake will likely fail because servers do not support earlier versions. You can resolve this by restoring your browser’s original settings and using it without any plugins.

To restore your Chrome browser’s default settings, click the three vertical dots in the top-right corner, then select ‘Settings’ and then ‘System.’ Finally, click the ‘reset settings to original default’ button to finish.
Expired Certificate

SSL creates an encrypted connection between the browser and the server. Whatever data is sent between these two, SSL assures its privacy and security. Because of SSL, we can walk across safe online areas as passionate internet users.

Because security certificates have validity periods, they do expire. These dates are a crucial way of ensuring the security of SSL. The validity period governs and certifies server legitimacy, allowing your web browser to determine the server’s identity.

You may be experiencing the handshake problem because you are attempting to access a website with an invalid certificate.

Conclusion

We’ve gone through some of the most effective fixes for the SSL handshake issue, which might be caused by the browser or system settings. In most cases, changing the time and date settings or deleting the problematic browser extensions resolves the issue.

Only the website owner or administrator may resolve the ‘SSL handshake failed’ issue on the server. Some typical server-side difficulties include an invalid SSL certificate, a free SSL certificate obtained from a fraudulent source, cipher suite issues, and faulty SSL certificate installation. In that scenario, you should contact the website’s owner or administrator for a quick resolution.

Adding SAN (Subject Alternative Name) into Additional Attributes

All the domain names and IP addresses protected by the certificate are listed systematically using the SAN or Subject Alternative Name. The Subject Alternate Names must be provided on an SSL/TLS certificate when further website actions need to be secured so that the DNS server can map the IP address to the domain name.

The SANs information can be found in the SSL/TLS certificate data by clicking on the padlock icon in most web browsers’ address bars. The term SSL SAN, or Secure Socket Layer Subject Alternative Name, describes an SSL certificate’s capacity to cover numerous hostnames, including domains and subdomains. The Subject Alternative Name (SAN) field incorporated in the certificate protects multiple fully qualified domain names (FQDN) with a single SAN SSL certificate, simplifying certificate management and improving security across numerous domains.

In this blog, we will talk about how to add Subject Alternate Name attributes to a certificate, i.e., Web Server Certificate Enrollment with SAN Extension. Also, we will cover an error, i.e., Adding SAN (Subject Alternative Name) into the Additional attributes field on the Microsoft CA Certificate request form doesn’t produce does not automatically produce a certificate with a “Subject Alternative Name” entry.

Web Server Certificate Enrollment with SAN Extension

Enrolling a certificate with a custom SAN extension is now super simple. There is a certain set of instructions to follow, and you’ll get it.

Setting Certificate Template

Most certificate templates are set up to build a subject from Active Directory. But in the case of SSL Certificates, they use Supply in the request because they use a custom subject name. If you are using the default web server template, then there is no need to modify anything. For the custom certificate template, you should update it as given below.

Enrolling a certificate with a custom SAN extension

Also, you need to give Read and Enroll permissions from the security tab to your account.

Setting Certification Authority

Go to the certsrv console and expand Issuing CA.
Go to Certificate Template and open it.
Check whether the template is listed in the window; if not, right-click on the certificate template and then New -> Certificate Template to issue.
Select the required template and click on add.

Certificate Enrollment Process

Open mmc console. In the Console1 window, go to File-> Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click on certificates and add.
In certificates, snap in box, click computer account, and next.
In the select computer window, click Local Computer and Finish.
Click Ok and close the snap-in.
Right-click on the personal node. Click on All tasks-> Request new certificate.
In the Before you begin page, click Next.
In the select enrollment policy page, select the appropriate policy and go next.
In the Request Certificate box, click on the required template, expand its details, and open its properties to configure it.
Certificate Properties Dialog box will appear like this.
Since you are using Subject Alternate Name (SAN), you can leave the Subject name empty. In the dropdown, select the proper type for SAN. (In the case of SSL certificates, DNS is common).
In the value box, enter the names in the corresponding format and click add. Repeat this step for all the values you want to add.
Hit Ok and close. You’ll return to the certificate enrollment page. Click on enroll.
Click finish when the certificate is successfully installed.
Here, you can view the Certificate’s SAN details.

Troubleshooting

Issue

The certificate generated doesn’t include SAN (Subject Alternative Name) entry even after adding SAN in the additional attributes field.

Cause

If Microsoft CA’s issuance policy is not set up to accept the Subject Alternative Name(s) attribute via the CA Web enrollment page, executing the preceding steps could not result in a certificate that includes a SAN entry.

Solution

To solve this, we need to run this command through the administrative command prompt:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

After running this command, make sure to restart the ADCS Services by running

net stop certsvc and net start certsvc

Now, you can create the certificate with the SAN entry by using the CA’s web enrollment page.

Create a Subject Alternative Name (SAN) certificate request (CSR)

We will configure this using OpenSSL so, you need to be working out of your OpenSSL\bin directory from a cmd prompt or a PowerShell session.
The Steps are:

Create an openssl configuration file that enables subject alternative names (.cnf)
To generate CSR for SAN we need distinguished_name and req_extensions
Edit your openssl cnf file as the example below

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
countryName = Country Name (2 letter code
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = [example.com]

[ v3_req ]

# Extensions to add to a certificate request

subjectAltName = @alt_names
[alt_names]
DNS.1 = [example.com]
DNS.2 = [example.example.com]
DNS.3 = [example.com.edu]

Create a Certificate Request File (.csr) by running a command.

# openssl req -newkey [priv.key] -out [san.csr] -config [san.cnf]

Please replace [priv.key] with your private key, [san.csr] with your desired csr name and [san.cnf] with your configuration file name.

Conclusion

All the domain names and IP addresses protected by the certificate are organized into a SAN or subject alternative name. You can easily add SAN entries to the certificates by following the certain instructions depicted in this blog. There is an issue when the certificate generated comes out without a SAN entry, even after adding a SAN entry. This can be solved by running a single command which adds the entry, and now you can create the certificate.

What are the Challenges faced in Symmetric Cryptography?

A sender encrypts data using a password, which the recipient must know to access. It is called symmetric, as the same key is used for encryption and decryption. Symmetric cryptography uses a single shared secret to share the encrypted data between different parties, which is why it’s also known as Secret Key Cryptography.

Mechanism of Symmetric Encryption

Symmetric Encryption is a two-way process where a block of plaintext with a given key, called symmetric ciphers, will produce the same original ciphertext. Similarly, if the same key is used on that ciphertext block, it will always produce the original plaintext.

This method is useful when protecting data between parties with an established shared key and for frequently storing confidential data.

For example, ASP.NET uses the 3DES technique to encrypt all the cookie data for a form’s authentication ticket.

Uses of Symmetric Encryption

Symmetric Encryption is an older Encryption method, but it is more efficient and faster than Asymmetric Encryption.

Asymmetric Encryption takes a toll on networks due to heavy CPU use and performance issues with data size. For bulk Encryption or encrypting large amounts of data, Symmetric Encryption is used.

For example, Database encryption. When a database is considered, the secret key can only be available to the dataset for encrypting and decrypting.

A few applications of symmetric cryptography are:

Hashing or Random number generation method.
Payment applications like card transactions where the PII is needed to be protected to prevent identity theft or fraudulent charges.
Validations for confirming whether a message’s senders are who they claim to be.

Major Challenges of Symmetric Cryptography

The weakest point of symmetric Encryption is its aspects of key management.

Key exhaustion

In this type of Encryption, every use of a cipher or key leaks some information that an attacker can potentially use for reconstructing the key. To overcome this, the best way is to use a key hierarchy to ensure that master or key-encryption keys are never over-used and appropriate rotation of keys is done.
Attribution data

Symmetric keys do not have embedded metadata for recording information which generally consists of an expiry date or an Access Control List for indicating the use of the key may be put to. This can be addressed by standards like ANSI X9-31, where a key is bound to information prescribing its usage.
Key Management at large scale

If the number of keys ranges from tens to low hundreds, the management overhead is modest and may be handled by human activity or manually. But, with a large estate, tracking keys’ expiration and rotation arrangement become impractical. So, special software is recommended to maintain the proper life cycle for each created key.
Trust Problem

It is very important to verify the source’s identity and the integrity of the received data. Suppose the data is related to a financial transaction or a contract, the stakes are higher then. Although a symmetric key can be used for verifying the sender’s identity who originated a set of data, this authentication scheme can encounter some problems related to trust.
Key Exchange Problem

This problem arises from the fact that communicating parties need to share a secret key before establishing a secure communication and then need to ensure that the secret key remains secure. A direct key exchange may prove to be harmful in this scenario and may not be feasible due to risk and inconvenience.

How does Symmetric Cryptography get used today?

Both symmetric and asymmetric cryptography is still used often today, even in conjunction with one another. But in terms of Speed, symmetric cryptography beats out asymmetric cryptography.

In symmetric cryptography, the keys used are much shorter or smaller than that in asymmetric cryptography; also, the fact that only one key gets used makes the entire process faster (in asymmetric, two keys are used). Symmetric Cryptography is used when speed is of priority over the increased amount of security.

In Data Storage, symmetric encryption is used to encrypt data stored on a device. But this data is not being transferred anywhere. Also, for Banking, symmetric Encryption is used for encrypting card information or other personal details required for a necessary transaction.

There are many use cases where a combination of both symmetric and asymmetric cryptography is required to improve speed and security. The most common use cases for this hybrid approach are:

Mobile Chat Systems

Asymmetric cryptography is used to verify users’ identity at the start of any conversation. After this, symmetric cryptography is used to encrypt the ongoing part of the conversation.
SSL/TLS

Asymmetric cryptography is used for encrypting a single-use symmetric encryption key. This gets used for encrypting or decrypting the contents of that internet browsing session.

Conclusion

Symmetric Cryptography has proved to be the better choice when banking-grade security is considered for outbalancing all the disadvantages of asymmetric cryptography. Professional banking-grade key management systems will help compensate for the disadvantages of asymmetric cryptography and turn those into advantages.

The Success Story of the Healthcare Industry with CodeSign Secure

Company Overview

This healthcare firm stands at the forefront of medical technology and patient data protection, offering innovative health solutions across the United States. Known for its rigorous adherence to HIPAA and other privacy regulations, the organization prides itself on its advanced data encryption and security measures designed to safeguard patient information.

However, it faces ongoing challenges in its code signing operations, which are crucial for ensuring the authenticity and integrity of its software applications. Despite strong cybersecurity practices, the firm struggles with efficiently managing code signing certificates and processes, affecting software deployment timelines and potentially impacting patient care continuity and trust. It faces challenges, such as a lack of infrastructure protection, insecure devices and firmware, software safety, and malicious macros.

The Challenges

Lack of infrastructure protection

Employees in the healthcare sector often seek tools as efficiency is critical in those organizations. However, the implications of downloading software without proper authorization pose significant risks to the organizational infrastructure. This practice can seem harmless to the employee, but the potential consequences for the greater enterprise can be far-reaching.
Insecure devices and firmware

Instead of the importance of updated firmware to ensure reliable and safe operations of the organization’s fleet of IoT-connected devices, it can be considered a commonly unprotected attack surface that cybercriminals exploit to intrude networks, take over control of the devices to cause disruption or harm, or compromise data.

In a nutshell, insecure firmware equates to an insecure IoT device. Cyberattackers are eager to exploit these weaknesses and gaps in IoT security, not to always attack the devices but to launch other disruptive actions such as DDoS attacks, data breaches or compromise, or malware distribution.
Software safety

A lack of code signing in the organization leads to unprotected software, which, in turn, decreases the organization’s software security posture. Signing your code with a trusted digital certificate ensures only legitimate code is installed in the user’s systems. This helps prevent malware and other malicious codes from infecting the organization’s network.
Malicious Macros

A macro is typically utilized to replace a repetitive series of mouse and keyboard actions common in spreadsheets and word [processing applications like MS Word and MS Excel. A macro virus or malicious macro is a computer virus that replaces a macro.

When a virus replaces these commands and actions, this can cause significant harm to an organization’s computer systems. In OpenEMR or EHR systems, macro buttons are utilized to quickly input medical codes, patient information, or common medical procedures, improving healthcare providers’ efficiency.

Solutions

Role-based access control

CodeSign Secure enables a robust access control system by supporting integration with LDAP for user authentication and customizable workflows for code signing requests. This handled the insufficient access control mechanisms, which increased the risk of unauthorized users gaining access to code signing capabilities and potentially allowing them to sign code with malicious certificates.
HSM Proxy Key Management

CodeSign Secure leverages FIPS 140-2 validated Hardware Security Modules (HSMs) to protect private keys. It centralizes key and certificate management for improved visibility and control and seamlessly integrates with leading HSM vendors such as Entrust, Thales, etc.

This mitigated the challenge of Keys and certificates for code signing that were scattered worldwide, causing inconsistent security practices and operational challenges, including inappropriate automation, lifecycle management, and ownership tracking.
Integration Strategies

CodeSign Secure effectively unifies key and certificate management using efficient HSMs, addressing the challenge of limited visibility and control over an extensive inventory of keys and certificates. This resolved the lack of comprehensive visibility and control over an extensive inventory of keys and certificates.
Hash Validation

CodeSign Secure seamlessly integrates hash validation into the code signing process, ensuring the code undergoes rigorous checks against the most recent antivirus definitions before signing. This mitigates the issue of insufficient hash validation against current antivirus definitions, which increases the risk of signing potentially malicious code.

Impact

CodeSign Secure enables a robust access control system by supporting integration with LDAP for user authentication and customizable workflows for code signing requests. Unauthorized users are prevented from signing code with potentially malicious certificates, reducing the risk of software compromise and reinforcing trust in digitally signed software.
CodeSign Secure leverages FIPS 140-2 validated Hardware Security Modules (HSMs) to protect private keys, centralizes key and certificate management for improved visibility and control, and seamlessly integrates with leading HSM vendors such as Entrust, Thales, etc.

Harnessing the capabilities of HSMs enhances the security of private keys, protecting unauthorized access, data corruption, or potential misuse. The consolidation of key and certificate management ensures uniformity and reinforces security practices, while effortless integration with various HSM vendors affords adaptability and robust key administration.
Implemented an integration strategy that enabled the 32-bit signtool to operate seamlessly on the 64-bit Windows 10 platform. This bridged the compatibility gap, allowing the client to perform macro-signing while upholding security and performance standards. Enabled the client to sign macros (e.g., Excel macro files used to automate tasks on Microsoft Excel) on a 64-bit Windows 10 system with Luna HSM.
CodeSign Secure effectively unifies key and certificate management using efficient HSMs, addressing the challenge of limited visibility and control over an extensive inventory of keys and certificates. This streamlined the oversight of keys and certificates distributed across the globe, guaranteeing uniformity and enhanced security.
CodeSign Secure seamlessly integrates pre-validation into the code signing process, ensuring code undergoes rigorous checks against the most recent antivirus definitions before signing. This enhanced code signing security by signing only clean, trusted code, reducing the risk of security incidents, and maintaining code integrity.

Conclusion

CodeSign Secure effectively addresses unique challenges, ensuring access control, consolidating key management, enabling secure macro-signing, implementing malware hash validation, and much more. These solutions boost security and enhance trust in digitally signed healthcare applications. CodeSign Secure empowers healthcare organizations to confidently implement code signing, advancing patient privacy and protecting data.

10 Enterprise Encryption Key Management Best Practices

Why does strong encryption key management matter? Being involved in this security world, we would have heard different responses; however, there would be one thing in common for all the responses “Save the key from getting compromised.”

As you know, encryption involves scrambling data so only the intended party or organization can access it. This process is accomplished by using encryption keys. Each key contains a randomly generated string of bits. You can think about the encryption key as a password, ex: you access your bank account or any other account if you have your password. Similarly, you can decrypt your data when you have the associated encryption key with you. As you encrypt more and more data, you attain more of these keys, and managing the keys properly is very important.

Compromise of your encryption keys could lead to serious consequences since they could be used to:

Extract/tamper with the data stored on the server and read encrypted documents or emails.
Applications or documents could be signed in your name
Create phishing websites, impersonating your original websites,
Pass through your corporate network, impersonating you, etc.

Do you need to manage your encryption key?

In a word, yes. As stated in NIST SP 800-57 part 1, rev. 5:

Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of cryptographic mechanisms and protocols associated with the keys, and the protection provided to the keys. Secret and private keys need to be protected against unauthorized disclosure, and all keys need to be protected against modification.

Encryption key management is an essential part of any enterprise security strategy. Proper key management ensures that sensitive data is protected from unauthorized access and that access to encrypted data is granted only to authorized individuals. Here are 10 best practices for effective enterprise encryption key management:

Key Management Best Practices:

Follow key generation best practices

There are specific best practices that should be followed when generating encryption keys. In selecting cryptographic and key management algorithms for a given application, it is important to understand its objectives. This includes using a strong random number generator and creating keys with the sufficient algorithm, length, and regularly rotating keys.
Use a centralized key management system

A centralized key management system is essential for effective key management in an enterprise setting. This system should be secure and allow easy management of keys across the organization.
Use key-encrypting keys

To ensure an extra level of security, consider using key-encrypting keys (KEKs) to protect your encryption keys. KEKs are used to encrypt and decrypt encryption keys, providing an additional layer of security.
Establish key access controls

It is essential to have controls in place for who has access to your encryption keys. This includes establishing access controls for key generation, key storage, and key use.
Centralize User roles and access

Some businesses may utilize thousands of encryption keys, but not every employee needs access to them. Therefore, only individuals whose occupations necessitate it should have access to encryption keys. These roles should be specified in the centralized key management so that only authenticated users will be allowed access credentials to the encrypted data that are connected to that specific user profile.

Additionally, make sure that no administrator or user has exclusive access to the key. This provides a backup plan in case a user forgets his login information or unexpectedly departs the firm.
Use key backup and recovery

Proper key backup and recovery is essential to ensure that you can quickly restore access to your encrypted data in case of an emergency. This includes regularly backing up keys and having a clear plan in place for key recovery.
Use key expiration

Key expiration is a process in which keys are set to expire after a certain period of time. This ensures that keys are regularly rotated and that access to encrypted data is kept up to date.
Use key revocation

Key revocation is a process in which keys are invalidated and can no longer be used to access encrypted data. This is essential for ensuring that access to data is properly controlled and that unauthorized individuals are not using keys.
Use Automation to Your Advantage

An enterprise or larger organization relying solely on manual key management is time-consuming, expensive, and prone to mistakes. With Certificate management we have heard a lot about automation, however it is not just for digital certificate management. The smartest approach to encryption key management is using automation to generate key pairs, renew keys and rotate keys at set intervals.
Preparation to Handle Accidents

Although an administrator or security personel implement the correct policies, controls to secure the sensitive information, key things can go wrong at any point, and the organization must be prepared for it. For example:
- User has lost credential to their keys
- Employee leaves or gets fired from the company
- Used flawed encryption algorithm
- Human error, accidently publishing private key to a public website

For such situations one should always be prepared, identify all possibilities before it actually occurs and take precautionary measures. Audit your security infrastructure on a regular basis to minimize such incidents.

Conclusion

By following these best practices, you can ensure that your enterprise encryption key management is effective and secure. Proper key management is essential for protecting your sensitive data and ensuring that only authorized individuals can access it.

List of Ports Required for Active Directory and PKI

While configuring the network security it is essential to set up the Active Directory (AD), and one of its critical parts involves the secure communication between the AD server and clients. For instance, if your organization is deploying AD to manage user authentication, group policies, and access to shared resources, one of the key steps is to configure your firewall to open certain ports. Without opening these ports, users may face issues logging in, accessing files, or receiving policy updates, causing disruptions across the networks.

Ports required for AD communication

Active Directory acts as a central repository for a user, group, and computer accounts, as well as a variety of other objects, such as shared resources and security policies, and for the proper communication the following ports are required:

TCP/UDP port 53: Port 53 acts as the port used for Domain Name Services, or DNS. DNS Servers are used to communicate with a web client and translate domain names to IP addresses. Most organizations will utilize DNS to make it easier for the different users to reach devices without needing to memorize IP addresses.
TCP/UDP port 88: Port 88 is used to give users access to the Kerberos authentication protocol. This allows access to privileged network resources using tickets given by the server.
TCP/UDP port 135: Port 135 is used for Remote Procedure Call or RPC. RPC is a Windows service relied upon by many services like AD to allow for remote client-server communications.
TCP/UDP port 137-139: Ports 137, 138, and 139 are all used for providing different features relating to SMB protocol over NetBIOS. SMB, or Server Message Block, protocol is mainly used for sharing printers and files within a Windows-based network. Port 137 provides name services across TCP or UDP for SMB, port 138 provides diagram services across UDP for SMB, and port 139 provides session services across TCP or UDP for SMB. As a note, port 138 specifically uses UDP alone, it is not used with TCP.
TCP/UDP port 389: Ports 389 focuses around Lightweight Directory Access Protocol, or LDAP. LDAP allows clients to access protected network resources. Port 389 allows an unencrypted connection to LDAP.
TCP port 445: Port 445, also referred to as Microsoft-ds, works very similarly to ports 137-139, except it allows access to SMB without the need for NetBIOS. This means that NetBIOS layer is not required, and port 445 is mainly used by system administrators to manage objects on the network.
TCP/UDP port 464: Similar to port 88, port 464 is used to interact with Kerberos. Port 464, however, is specifically used for password changes within Microsoft Active Directory (AKA Entra), as Kerberos is the native authentication protocol of Entra.
TCP/UDP port 636: Port 636 also allows users to interact with LDAP, however it uses an encrypted connection. This encryption is generated by SSL/TLS, so you will often see port 636 as connecting to LDAPS.
TCP/UDP port 3268-3269: Ports 3268 and 3269 also connect to services via LDAP, however they are specific to the global catalog. Port 3268 is the unencrypted connection and port 3269 is for encrypted connections.

In addition to these ports, other ports may be required depending on your AD environment’s specific components and features. For example, if you are using Group Policy, the following ports will also be required:

TCP port 80: Port 80 is specifically used for communication between web browsers and servers using HTTP. This port transports data to the web browser in plaintext, an unencrypted method of sending data.
TCP/UDP port 443: Port 443 delivers messages between web servers and browsers via HTTPS, the encrypted connection version of HTTP.
TCP port 445: Port 445 allows access to SMB without the need for NetBIOS.

If you are using ADFS (Active Directory Federation Services) for single sign-on, the following ports will also be required:

TCP port 80
TCP port 443
TCP port 49443: Port 49443 is specifically used for Active Directory Federation Services, or ADFS. ADFS is a method of certificate authentication within Microsoft AD, so this is a critical port in PKIs.

Ports required for PKI communication

In order for a PKI to function properly, certain ports need to be opened on the firewall to allow communication between the various components of the PKI system. These ports include:

TCP port 80

This port is used for HTTP communication, which is required for clients to access the certificate revocation list (CRL) and other information from the certificate authority (CA) server.
TCP port 389

This port is used for LDAP communication, which is required for clients to access the certificate database on the CA server.
TCP port 636

This port is used for LDAPS communication, a secure version of LDAP that uses SSL/TLS for encryption. This is required if you are using LDAP over a public network.
TCP port 9389

This port is used for the Web Services for Management (WS-Management) protocol, which is required for clients to access the CA server using the Certificates snap-in in the Microsoft Management Console (MMC).

In addition to these ports, you may also need to open other ports depending on your PKI system’s specific components and configuration. For example, if you are using Online Certificate Status Protocol (OCSP) to check the status of certificates, you will need to open TCP port 2560.

Troubleshooting firewall issues with PKI

To troubleshoot common firewall issues with a PKI, you can follow these steps:

Verify that the necessary ports are open on the firewall. You can do this by using the netstat command to list all of the open ports on the system and compare the results with the list of ports that are required for your PKI system.
Check the firewall logs to see any entries related to the PKI system. This can help you to identify any specific rules or settings that may be blocking the necessary ports.
Test the connectivity between the PKI components to ensure they can communicate properly. You can do this by using the ping, telnet, or tracert commands to test the connectivity between the client and the CA server and between other components of the PKI system.
If you are still having issues with the firewall, try temporarily disabling the firewall to see if this resolves the problem. This will help you to determine whether the firewall is the cause of the issue or if there is a problem with another component of the PKI system.

Some Frequently asked questions

Here is a set of questions you might ask to identify the root cause of AD misconfiguration and connection issues. These are tailored specifically to help troubleshoot potential issues based on real-world scenarios:

Ques 1: Have you verified if the key ports, such as 389 (LDAP), 88 (Kerberos), and 445 (SMB) for AD communications, are properly configured and not being blocked by firewall?

Ques 2: Are all Domain Controllers resolved through DNS and is there any discrepancy between DNS entries and the actual AD server locations?

Ques 3: Is there any replication issue in AD that could cause inconsistencies between Domain Controllers and clients?

Ques 4: Is there any skew in the time settings between AD components that might cause Kerberos authentication failures?

Ques 5: Are there any specific error codes or warning messages in the event logs that could pinpoint a misconfiguration or service failure?

Ques 6: Is the account used by key AD such as Kerberos, DNS, LDAP still functioning properly, and does it have the necessary permissions?

How can Encryption Consulting help?

Encryption Consulting’s PKI Services and PKI-as-a-service can help you manage your PKI and secure the digital network of your organization. We can design, implement, manage, and migrate your PKI systems according to your specific needs. Managing PKI can seem daunting with the increase in the number of cyber threats. But you can rest assured because our experienced staff will help you build and monitor your PKI. We can assess your PKI based on our custom framework, providing you with best practices for PKI and HSM deployments.

Conclusion

Maintaining the firewall configuration is important in ensuring that your Active Directory and PKI systems function properly. By verifying that the necessary ports are open and troubleshooting any firewall issues that may arise, you can help to keep your Active Directory and PKI systems secure and reliable. For Active Directory, maintaining open communication channels for key ports such as, LDAP, DNS and Kerberos are critical. Similarly, for PKI, enabling ports for HTTP, LDAP and Secure Communication Protocol ensures that certificate service functions effectively, supporting certificate issuance, revocation and status checks.