What are the Best Encryption Methods?

This is an aggregation of links to recommendations and standards for best encryption practices.

I wrote this back in 2013, but not much has changed for encryption level standards – these are still best sources I can find. So I’m reprinting an old post in the hopes of propagating better information.

This question is getting asked a lot, and the answers you see out in the public sphere of the internet range from pathetically underwhelming to just plain wrong in some cases. So this is my attempt to point people in the right direction. When you do see people who know what they are talking about discussing security the talk can turn towards holy wars, philosophical rabbit holes, or just become so overburdened with acronyms that a layman has to give up. So I’m going to point you to some concise and comprehensive web documents to help solve the problem.

Disclaimer: I’m not an authority, nor am I speaking for my employer, or any other group; this is entirely my own humble opinion.

You must use a combination of security protocols, practices, and standards to truly secure your data and network into the next decade. The brute force hacking ability available to individuals has been greatly extended and enhanced the past few years. By strapping together a high-powered computer and some high-powered video cards hackers can have the power of one of yester year’s supercomputers in their hands without spending the equivalent of a small nation’s budget to get there. Everything, including the methods in the links I’m going send you to, is theoretically hackable given enough computing horsepower and time. Your task is to make the time and horsepower curve too steep for hackers anytime in the immediate future and to persistently upgrade as these methods and standards evolve.

The first stop is Cisco and their next generation encryption white paper. Pay attention to the tables in the document first – upgrading to the recommended Next Generation encryption levels is best, but where circumstance, budget, or hardware capacities prevent that you should go to the “acceptable” levels, and if even that’s not possible, then at least try to meet the minimums in appendix A at the bottom and then add some controls to protect or mitigate your weakly encrypted data. Pay the most attention to tables one and two, which are pretty self-explanatory, and please read the caveats in the text, the heavier overhead encryption methods can cause hardware and software processing overload if you don’t engineer to right capacity. Also note that there’s an NSA paper linked if you need to see what’s needed for Government encryption security.

Next stop is the National Institute of Standards & Technology PDF http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf – this document tells you what our best standards body thinks. At this link you will find many NIST PDFs on most security processes, recommendations, and standards that you might care about including Key Generation & Handling.

The next stop  is W3C – since so much of what we do is web centric, it’s very important to make sure Developers are securing data locally, through web encryption standards, and for cross site vulnerabilities. If you are following modern web standards then you’ll be using a bit of XML to share data & you will find sub links for encrypting XML as well as other protocols, and since it’s important to follow standards to prevent hacking, you should use the W3C validation tools against your pages regularly.

All of this is for naught however if you don’t layer your security – encrypting is just one part of protecting data. You must also consider physical layers, process deterrents, and prevention of social engineering attacks. When all is said and done remember that you must still be able to work – don’t make yourself so secure that you can’t.

President Obama and I agree

President Obama and I agree

I usually have quibbles, reservations, or complete disagreement with much of what our President says, but here I am in 100 percent agreement. Like it our not we are a high energy society. If we want our planet clean then we must have abundant clean energy to keep it that way. Approximately 25 percent of our domestic electricity production is used to clean sewage and treat water, something few people are aware of. Increased Nuclear energy here creates better prospects for our future prosperity, but also better chance for prosperity in the rest of the world. The current world food security crisis is driven in large respect by energy constraints, and we need to remove those constraints to fight hunger and to enable poor nations to improve their lifestyles; which will lead to clean futures everywhere.

The Death of a Good Man: Norman Borlaug RIP

The Death of a Good Man: Norman Borlaug RIP


The anti-Christ of the Luddite factions in Greenpeace has died. Norman Borlaug was the pioneer of genetically modified crops that have kept billions in the subcontinent of Asia from starving to death as the Club of Rome report “Limits to Growth” had predicted in 1972. Literally billions are alive today because of Norman’s work.

Even with that proof of the value of GM crops and their long use the radical anti-science left in Europe still makes resistance to GM crops a staple of every demonstration, and there are even factions doing the same here in the US.

Norman was one of the good guys, and he will be sorely missed – it would be hard to find someone else who has really done more for all of humanity.

It’s Black Tuesday

New Windows Security Patches out

Microsoft has released new security patches, you probably should go get your updates if you are running any flavor of Windows operating systems, Windows Update here.

Overview from SANS Internet Storm Center:

# Affected Contra Indications Known Exploits Microsoft rating ISC rating(*)
clients servers
MS09-001 Vulnerabilities in SMB Could Allow Remote Code Execution
  no known exploits. Microsoft considers a working exploit unlikely. Critical Critical Critical

Locking Your Car

I received this in email from Wildbeggar, and I don’t know if it’s reliable info or not but I will dig into it since it does sound plausible. (If wardrivers can tap wifi by hacking WEP, wouldn’t this be easier?)

Something to think about with the holidays coming.

I locked my car, and as I walked away I heard my car door unlock. I went back and locked my car again three times. I looked around and there were two guys sitting in a car in the fire lane next to the store. When I looked straight at them they did not unlock my car again.

How to lock your car safely:

While traveling, my son stopped at a roadside park. He came out to his car less than five minutes later and found someone had gotten into his car and stolen his cell phone, laptop computer, GPS navigator briefcase … you name it.

He called the police and, since there were no signs of his car being broken into, the police told him that there is a device that robbers are using now to clone your security code when you lock the doors on your car using your key-chain locking device.

They sit a distance away and watch for their next victim. They know you are going inside of the store, restaurant or bathroom and have a few minutes to steal and run.

The police officer said to be sure to manually lock your car door by hitting the lock button inside the car. That way if there is someone sitting in a parking lot watching for their next victim it will not be you.

When you hit the lock button on your car upon exiting it does not send the security code, but if you walk away and use the door lock on your key chain it sends the code through the airwaves where it can be stolen, something totally new to us.

Be aware of this. Pass this note on.

Look how many times we all lock our doors with our keys, just to be sure we remembered to lock them, and bingo someone has our code, and whatever was in the car can be gone.

Here’s what Snopes.com has to say:

It is theoretically possible for a very determined thief armed with the right technology and the ability to manipulate it correctly to snatch a keycode from the air and use it to enter a vehicle. However, the complexity and length of time involved in that process means your typical crook can’t simply grab an RKE code in a parking lot and open up the corresponding car within a minute or two: the would-be thief would need specialized knowledge and equipment and would have to spend hours (if not days) crunching data and replicating a device to produce the correct entry code, then hope he could locate the same vehicle again once all the other steps had been completed. (In most parking lot scenarios, the target car would be long gone before the putative thief was able to open it.)

So it’s theoretically possible, that makes it possible to probable that the capability can be created. Again I will point out that wardriver hackers have demonstrably broken the encryption on WEP and other WIFI encryption methods in minutes, not hours. [ I haven’t kept up since last time they cracked it, but you can research the latest here, and yes, they’ve cracked WEP’s replacement as well, but for the life of me I can’t remember the acronym to link it right now. ]

It’s easy to get in the habit of clicking the button in your armrest. When you do you get the added benefit of not making a beep or toot-weet sound that used to be a status symbol sound of a car with special features but which is now just commonplace.