About Hardware encryption AES 256 bit crucial mx100

Similar Messages

• CF9 Encrypt with AES 256-bit, example anyone?

  Hi there. I'm looking for a working example of  the Encrypt method using the AES 256 bit key.  I think that I have the Unlimited Strength Jurisdiction Policy Files enabled.  And I'm still getting the CFError,
  The key specified is not a valid key for this encryption: Illegal key size. 
  Now i hit the wall, can't get it.  What wrong am i doing?  How can I verify that the policy files are installed and accessible to my cf file?  Any help is greatly appreciated.
  <cfset thePlainText  = "Is this working for me?" />
  Generate Secret Key (128):  <cfset AES128 = "#generatesecretkey('AES',128)#" /> <cfdump var="#AES128#"><BR>
  Generate Secret Key (192):  <cfset AES192 = "#generatesecretkey('AES',192)#" /> <cfdump var="#AES192#"><BR>
  Generate Secret Key (256):  <cfset AES256 = "#generatesecretkey('AES',256)#" /> <cfdump var="#AES256#"><BR><BR>
  <cfset theKey    = AES256 />
  <cfset theAlgorithm  = "AES/CBC/PKCS5Padding" />
  <cfset theEncoding  = "base64" />
  <cfset theIV    = BinaryDecode("6d795465737449566f7253616c7431323538704c6173745f", "hex") />
  <cfset encryptedString = encrypt(thePlainText, theKey, theAlgorithm, theEncoding, theIV) />
  <!--- Display results --->
  <cfset keyLengthInBits  = arrayLen(BinaryDecode(theKey, "base64")) * 8 />
  <cfset ivLengthInBits  = arrayLen(theIV) * 8 />
  <cfdump var="#variables#" label="AES/CBC/PKCS5Padding Results" />
  <cfabort>

  Verison 10 is different from 9 because they run on different servlet containers. CF 10 uses Tomcat, CF 9 uses JRun, so things are in different places.
  \\ColdFusion10\jre\lib\security seems like the correct locaiton for the policy files to me. I actually gave you the wrong locations in my original post (sorry about that).  According to the installation instructions they belong in <java-home>\lib\security, which is looks like you've found.
  So something else is wrong. Here are some things to look at, in no particular order:
  1. Are you using a JVM other than the Java 1.6 that comes with CF10?
  2. Did you restart Tomcat after coping the files in?
  3. Note that I keep saying FILES, did you copy BOTH of th .jar files from the JCE folder you unzipped into the security directory.  It should have prompted you to overwrite existing files.
  4. Did you try unzipping the files and copying them in again, on the chance that they did not overwrite the originals?
  Sorry, I don't have CF10 installed to give this a try. But I have no reason to believe that it would not work in 10. It's all just JCA/JCE on the underlying JAVA, and I have heard no reports from anyone else that it doesn't work.
  Jason

• Windows 8.1 Pro Bitlocker AES 256-bit cypher question

  Hi, all
  Have an odd situation I cannot make any sense of. I have a desktop PC running Windows 8.1 Pro. I launched gpedit.msc and changed Bitlocker’s cypher strength from the default AES 128-bit to AES 256-bit.
  I then connected a brand new Western Digital 4TB external drive (model WDBFJK0040HBK-04) to the PC via USB 3.0, and Bitlocker-encrypted the drive. Opened a command prompt window as administrator, ran “manage-bde –status” for the drive in question,
  which indicated the drive was encrypted with the 128 bit cypher strength, instead of 256 bits, as I had selected. Have unencrypted, rebooted and re-encrypted the drive time and again, always with the same results.
  When connecting the same external 4TB drive to a Windows Server 2012 R2 Essentials in which I had made the exact same changes via gpedit.msc,
  I can encrypt it with the 256-bit cypher strength, with no problems.
  No TPM is used in either scenario, just a passphrase.
  Anyone has any idea why my 256-bit setting is being ignored in the Windows 8.1 Pro machine?
  Thanks
  Arsene
  ArseneL

  Well, running rsop.msc in my Server 2012 R2 machine does show my 256-bit bitlocker setting took, however, running rsop.msc in my Win 8.1 Pro machine shows it did not, which explains the problem I am having.
  Now all I have to do is find out why my request is not taking, even though I am logged in as an admin.
  Thanks!!
  ArseneL

• Generating AES 256 bit key using seed

  Hi
  As part of encryption requirements for encrypting the body of the SOAP Message while calling an external Web Service, it is requried to encrypt using a shared symmetric key.
  First step is to create a password digest
  Base64(sha1(nonce + createdTimestamp + password)) - This step is working completely fine and produces a 160 bit Hash
  The next step is to generate an AES 256 bit key using the above hash as the Seed. This should generate a 256 bit encrytpion key which can then be used to encrypt the message body.
  Would appreciate if anyone who knows how to generate AES 256 bit key using a hash seed in Java (v1.4.2) can provide some guidance.
  P:S. I am using WSS4J API to use WS-Security

  I have to generate 256-bit AES key with a 128-bit IV using the above password digest and the IV used for in the creation of the AES key prefixes the cipher text.
  The external WebService is .net webservice.
  Edited by: GUPTAG on Nov 25, 2008 3:05 AM

• Help enabling AES 256-bit cipher suites

  I can't seem to create an SSLServerSocket with the 2 AES 256-bit cipher suites that are supposed to be available in JDK1.4.2. As you can see in the following code, the SSLServerSocket, ss, is enabled with the 2 AES_256 cipher suites. But, when ss.getEnabledCipherSuites() is invoked, those 2 suites aren't listed. What's up?
  Also, what is this SSLv2Hello that I can't seem to get rid of?
      String[] PROTOCOLS = {"SSLv3", "TLSv1"};
      String[] CIPHER_SUITES = {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                                "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                                "TLS_RSA_WITH_AES_256_CBC_SHA",
                                "TLS_RSA_WITH_AES_128_CBC_SHA",
                                "SSL_RSA_WITH_3DES_EDE_CBC_SHA"};// create an SSLServerSocket ss
          SSLContext context = SSLContext.getInstance("TLS", "SunJSSE");
          context.init(myKeyManagers, myTrustManagers, SecureRandom.getInstance("SHA1PRNG", "SUN"));
          SSLServerSocketFactory ssFactory = context.getServerSocketFactory();
          SSLServerSocket ss = ssFactory.createServerSocket();
          ss.setEnabledProtocols(PROTOCOLS);
          ss.setEnabledCipherSuites(CIPHER_SUITES);// output a bunch of useful debugging information
          System.out.println(System.getProperty("java.version") + "\n");
          Provider[] providers = Security.getProviders();
          for(int i=0; i < providers.length; ++i)
              System.out.println(providers[i] + "\n" + providers.getInfo() + "\n********************");
  String[] enabledProtocols = ss.getEnabledProtocols();
  for(int i=0; i < enabledProtocols.length; ++i)
  System.out.println(enabledProtocols[i]);
  String[] enabledCipherSuites = ss.getEnabledCipherSuites();
  for(int i=0; i < enabledCipherSuites.length; ++i)
  System.out.println(enabledCipherSuites[i]);
  OUTPUT
  1.4.2
  SUN version 1.42
  SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
  SunJSSE version 1.42
  Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
  SunRsaSign version 1.42
  SUN's provider for RSA signatures
  SunJCE version 1.42
  SunJCE Provider (implements DES, Triple DES, AES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
  SunJGSS version 1.0
  Sun (Kerberos v5)
  SSLv2Hello
  SSLv3
  TLSv1
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA

  Now I get an Exception when I run the same program.
  OUTPUT
  1.4.2
  SUN version 1.42
  SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
  SunJSSE version 1.42
  Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
  SunRsaSign version 1.42
  SUN's provider for RSA signatures
  SunJCE version 1.42
  SunJCE Provider (implements DES, Triple DES, AES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
  SunJGSS version 1.0
  Sun (Kerberos v5)
  java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
          at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(DashoA6275)
          at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.setEnabledCipherSuites(DashoA6275)
          at test.util.ConcreteSSLServerSocketFactory.initSocket(ConcreteSSLServerSocketFactory.java:111)
          at test.util.ConcreteSSLServerSocketFactory.createServerSocket(ConcreteSSLServerSocketFactory.java:100)
          at test.Test.main(Test.java:111)
  Exception in thread "main"

• AIR-AP1131AG-I-K9 support AES 256 bit ?

  hi,
  I have several AP devices:
  Product/Model Number: AIR-AP1131AG-I-K9
   System Software Filename: c1130-k9w7-tar.124-3g.JA
   System Software Version: 12.4(3g)JA
  Bootloader Version: 12.3(8)JEA
  i need to know if  AES 256 bit is supported by this devices and if the current software need to upgrade for that.
  Regards,

  HI Ben,
  As per my knowledge this Software dont support 256 bit key size.
  Here is the link:http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4_3g_JA/configuration/guide/ios1243gjaconfigguide/s43wep.html
  another version: 12.3(8)JA supports 256 bit key size to protect data traffic,
  http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-3_8_JA/configuration/guide/1238jasc/s38wep.html
  Regards
  Don't forget to rate helpful posts

• Aes-256 or aes-128 bit

  Hello
  I'm trying to keep the CPU down as much as possible on my ASA-5540. We're running 8.2.5 on it. We have a bout 80 active IPSec tunnels so far, all which are using AES-256 bit for phase1/2, 75 of the tunnels are mostly ezy vpn connections. Currently the CPU during peak usage is averaging around 22%.  We're planning on having over 1000 IPsec connections, mostly will be remote vpn access with about 170 of them ezy vpn and 250 l2l tunnels.
  Is there any noticable CPU performance gain by using AES-128 bit instead of AES-256 on the phase2?
  Thanks,
  John

  Just wondering if someone out there has noticed any performance gains by using AES-128 instead of AES-256. I'm trying standardize on a policy going forward.
  Thanks!

• Pre-shared key should be at least 256 bits of cryptographically random data

  Hi all,
  i need some info, i got a client IPSEC VPN form.
  they asked that (Pre-shared key should be at least 256 bits of cryptographically random data)
  what does that really mean?
  Key consisting of 256 characters like abcdefg......till256 characters are done ?           
  or it means encryption we define in policy like
  crypto isakmp policy 8
  authentication  pre-share
  encryption  aes-256 ????????
  Please help me to understand this requirement for my cisco asa.

  64 hex characters  =  256 binary bits
  Michael
  Please rate all helpful posts

• Need 256 Bit AES Full Disk Encryption for a Mac.  The other discussions regarding this issue are very old.  Does anyone have any current advice regarding encryption software?

  Does anyone have any advice regarding 256 bit full disk encryption software for Macs?  The other discussions on the topic are years old, so I would like some current input.  Thanks for your help in advance.

  Depending on your Mac, you might not want to upgrade to OS X 10.7 or 10.8 as it will not run the PowerPC based software your currently using costing a bundle to replace it all, also they will slow down your machine if it's not a more recent issue. You don't want to upgrade OS X without AppleCare defending your possibly bricked logicboard that's for sure.
  Filevault encrypts the boot drive, however in doing so makes it near impossible to fix if you have a software issue and need to recover files directly or by using specialty software. Also it robs the machine of performance even more than the Lions do. So you will really need a SSD to work best with 10.7/10.8 and Filevault, then it has to be freshly installed. Filevault needs 50% free space on the boot drive, then it's going to write to the slower 50% half of the hard drive where performance is terrible compared to the first 50%.
  Also Filevault is cracked under certain conditions, and if someone gets their hands on the machine (like the law) and knows what they are doing.
  If you take your Filevaulted machine to Apple to fix, they are going to require the password to fix the machine obviously.
  Software based encryption is vulnerable, you might want to instead place your sensitive data on external self-encrypting hardware that doesn't rely upon software or computer hacks/bypasses (ike freezing the RAM) to get to it.
  http://www.datalocker.com/products/datalocker-dl3.html
  Iron Keys for portable USB self encryption, both work with any computer, so your not locked into one platform.
  With the senstive data off the computer and on a external device, there is the option of removing, hiding and securing the device. If used with a computer that's never connected to the Internet, it's safe from snoopers, except from a survelliance van parked outside your door.

• How do I prioritize 256 bit encryption over the 128 bit variant?

  Hello folks,
  been using the fox for ages now. Thanks for the fine product :) .
  Up to now I also never had a problem I couldn't find a solution for, but strangely enough, that one gets me, since I seem to be unable to find an option allowing me to deactivate the 128 bit variant of encryption.
  The bank whose homepage it concerns already told me that they are offering it, and there was this nice add on that allowed me to deavtivate the rc4 protocol, but I just don't get from AES 128 to AES 256 wich I just like a banking site to have...
  Any solution would be much appreciated, thanks in advance.

  You can set all 128 bit SSL3 prefs to false on the about:config page to force using stronger ciphers.
  Filter: ssl3*128
  To open the <i>about:config</i> page, type <b>about:config</b> in the location (address) bar and press the "<i>Enter</i>" key, just like you type the url of a website to open a website.<br />
  If you see a warning then you can confirm that you want to access that page.<br />
  *Use the Filter bar at to top of the about:config page to locate a preference more easily.
  *Preferences that have been modified show as bold (user set).
  *Preferences can be reset to the default via the right-click context menu if they are user set
  *Preferences can be changed via the right-click context menu: Modify (String or Integer) or Toggle (Boolean)
  Some websites with old software may require to temporarily set security.ssl3.rsa_rc4_128_md5 to true if you get a cipher overlap error.

• Encrypt/decrypt AES 256, vorsalt error

  Hiyas.
  So I'm trying to get encrypt/decrypt to work for AES 256, with both 32byte key and 32byte IVorSalt. (Yup-new java security files v6 installed)
  'IF' I 32byte key but dont use a IV at all, I get a nice looking AES 256 result. (I can tell it's AES 256 by looking the length of the encrypted string)
  'IF' I use a 32byte key and 16bit salt, I get a AES 128 result (I know- as per docs theyre both s'posed to the same size, but the docs are wrong).
  But when i switch to using both a 32byte key AND a 32byte salt I get the error below.
  An error occurred while trying to encrypt or decrypt your input string: Bad parameters: invalid IvParameterSpec: com.rsa.jsafe.crypto.JSAFE_IVException: Invalid IV length. Should be 16.
  Has anyone 'EVER' gotten encrypt to work for them using AES 256 32byte key and 32byte salt? Is this a bug in CF? Or Java? Or I am doing something wrong?
  <!--- ////////////////////////////////////////////////////////////////////////// Here's the Code ///////////////////////////////////////////////////////////////////////// --->
  <cfset theAlgorithm  = "Rijndael/CBC/PKCS5Padding" />
  <cfset gKey = "hzj+1o52d9N04JRsj3vTu09Q8jcX+fNmeyQZSDlZA5w="><!--- these 2 are the same --->
  <!---<cfset gKey = ToBase64(BinaryDecode("8738fed68e7677d374e0946c8f7bd3bb4f50f23717f9f3667b2419483959039c", "Hex"))>--->
  <cfset theIV    = BinaryDecode("7fe8585328e9ac7b7fe8585328e9ac7b7fe8585328e9ac7b7fe8585328e9ac7b","hex")>
  <!---<cfset theIV128    = BinaryDecode("7fe8585328e9ac7b7fe8585328e9ac7b","hex")>--->
  <cffunction    name="DoEncrypt" access="public" returntype="string" hint="Fires when the application is first created.">
      <cfargument    name="szToEncrypt" type="string" required="true"/>
      <cfset secretkey = gKey>               
      <cfset szReturn=encrypt(szToEncrypt, secretkey, theAlgorithm, "Base64", theIV)>
      <cfreturn szReturn>
  </cffunction>   
  <cffunction    name="DoDecrypt" access="public" returntype="string" hint="Fires when the application is first created.">
      <cfargument    name="szToDecrypt" type="string" required="true"/>
      <cfset secretkey = gKey>   
      <cfset szReturn=decrypt(szToDecrypt, secretkey, theAlgorithm, "Base64",theIV)>       
      <cfreturn szReturn>
  </cffunction>
  <cfset szStart = form["toencrypt"]>
  <cfset szStart = "Test me!">
  <cfset szEnc = DoEncrypt(szStart)>
  <cfset szDec = DoDecrypt(szEnc)>
  <cfoutput>#szEnc# #szDec#</cfoutput>

  Hi edevmachine,
  This Bouncy Castle Encryption CFC supports Rijndael w/ 256-bit block size. (big thanks to Jason here and all who helped w/ that, btw!)
  Example:
  <cfscript>
    BouncyCastleCFC = new path.to.BouncyCastle();
    string = "ColdFusion Rocks!"; 
    key = binaryEncode(binaryDecode(generateSecretKey("Rijndael", 256), "base64"), "hex");//the CFC takes hex'd key
    ivSalt = binaryEncode(binaryDecode(generateSecretKey("Rijndael", 256), "base64"), "hex");//the CFC takes hex'd ivSalt
    encrypted = BouncyCastleCFC.doEncrypt(string, key, ivSalt);
    writeOutput(BouncyCastleCFC.doDecrypt(encrypted, key, ivSalt));
  </cfscript>
  Related links for anyone interested in adding 256-bit block size Rijndael support into ColdFusion:
  - An explanation of how to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files into ColdFusion
  - An explanation of how to install the Bouncy Castle Crypto package into ColdFusion (near bottom, under the "Installing additional security providers" heading)
  - An explanation of how to connect the Bouncy Castle classes together
  - Bouncy Castle's doc for the Rijndael Engine
  And here is the full CFC as posted in the StackOverflow discussion:
  <cfcomponent displayname="Bounce Castle Encryption Component" hint="This provides bouncy castle encryption services" output="false">
  <cffunction name="createRijndaelBlockCipher" access="private">
      <cfargument name="key" type="string" required="true" >
      <cfargument name="ivSalt" type="string" required="true" >
      <cfargument name="bEncrypt" type="boolean" required="false" default="1">
      <cfargument name="blocksize" type="numeric" required="false" default=256>
      <cfscript>
      // Create a block cipher for Rijndael
      var cryptEngine = createObject("java", "org.bouncycastle.crypto.engines.RijndaelEngine").init(arguments.blocksize);
      // Create a Block Cipher in CBC mode
      var blockCipher = createObject("java", "org.bouncycastle.crypto.modes.CBCBlockCipher").init(cryptEngine);
      // Create Padding - Zero Byte Padding is apparently PHP compatible.
      var zbPadding = CreateObject('java', 'org.bouncycastle.crypto.paddings.ZeroBytePadding').init();
      // Create a JCE Cipher from the Block Cipher
      var cipher = createObject("java", "org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher").init(blockCipher,zbPadding);
      // Create the key params for the cipher    
      var binkey = binarydecode(arguments.key,"hex");
      var keyParams = createObject("java", "org.bouncycastle.crypto.params.KeyParameter").init(BinKey);
      var binIVSalt = Binarydecode(ivSalt,"hex");
      var ivParams = createObject("java", "org.bouncycastle.crypto.params.ParametersWithIV").init(keyParams, binIVSalt);
      cipher.init(javaCast("boolean",arguments.bEncrypt),ivParams);
      return cipher;
      </cfscript>
  </cffunction>
  <cffunction name="doEncrypt" access="public" returntype="string">
      <cfargument name="message" type="string" required="true">
      <cfargument name="key" type="string" required="true">
      <cfargument name="ivSalt" type="string" required="true">
      <cfscript>
      var cipher = createRijndaelBlockCipher(key=arguments.key,ivSalt=arguments.ivSalt);
      var byteMessage = arguments.message.getBytes();
      var outArray = getByteArray(cipher.getOutputSize(arrayLen(byteMessage)));
      var bufferLength = cipher.processBytes(byteMessage, 0, arrayLen(byteMessage), outArray, 0);
      var cipherText = cipher.doFinal(outArray,bufferLength);
      return toBase64(outArray);
      </cfscript>
  </cffunction>
  <cffunction name="doDecrypt" access="public" returntype="string">
      <cfargument name="message" type="string" required="true">
      <cfargument name="key" type="string" required="true">
      <cfargument name="ivSalt" type="string" required="true">
      <cfscript>
      var cipher = createRijndaelBlockCipher(key=arguments.key,ivSalt=arguments.ivSalt,bEncrypt=false);
      var byteMessage = toBinary(arguments.message);
      var outArray = getByteArray(cipher.getOutputSize(arrayLen(byteMessage)));
      var bufferLength = cipher.processBytes(byteMessage, 0, arrayLen(byteMessage), outArray, 0);
      var originalText = cipher.doFinal(outArray,bufferLength);
      return createObject("java", "java.lang.String").init(outArray);
      </cfscript>
  </cffunction>
  <cfscript>
  function getByteArray(someLength)
      byteClass = createObject("java", "java.lang.Byte").TYPE;
      return createObject("java","java.lang.reflect.Array").newInstance(byteClass, someLength);
  </cfscript>
  </cfcomponent>
  Thanks!,
  -Aaron

• System Requirements for Hardware Encryption on Crucial SEDs

   
  The majority of current Crucial SSDs are Self-Encrypting Drives (SEDs) which means all data is always encrypted by the controller when written to the NAND and decrypted when read. Windows 8 BitLocker can work with this built-in hardware encryption ability when you apply a password in Windows, provided the following requirements are met:
  •    BitLocker only supports TPM version 1.2 and 2.0 (or newer). In addition, you must use a Microsoft-provided TPM driver (Please note, BitLocker can also work without a TPM, but it will need a USB flash drive to set the password instead)
  •    The system needs to support UEFI 2.3.1
  •    Make sure UEFI boot is enabled and you have a UEFI enabled Windows 8 installed
  •    The computer must boot natively from UEFI.
  •    The boot order must be set to start first from the SSD (not the USB or CD drives)
  •    Dynamic discs are not supported by BitLocker
  •    The SSD must have two partitions (drives with Windows installed generally do anyway) and the main partition to be encrypted must be NTFS
  •    Ensure ATA Security features, for example Secure Boot, are disabled in the BIOS. The M500 supports either ATA Security or TCG Opal (which is needed for SED) but not both.
  •    The system needs to support Opal 2.0 The Opal 2.0 standard is not backwards compatible; Crucial SEDs are not compatible with Opal 1.0
  •    The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
  Looking for more information on Crucial SSDs?  Learn more here!
  Looking for Customer Service? Contact Crucial Support for your region.

  i'm very glad to read, from the article you referenced, that there's no performance hit.  but that's only 1 of 2½ issues.  i have some follow-up questions.  perhaps we should take this to a forum instead of the knowledge base?
  -what about prior issue #2 (securely wiping the drive)?  is this easily and instantly doable?  we'll ignore #3 (relying on microsoft gets ½ a point). 
  -with the encryption keys stored on the controller, doesn't using third-party encryption software mean the keys themselves aren't encrypted by a user pw, making it that much easier for someone with physical access to the drive to extract them from the firmware?
  -if the controller is doing the encryption, why bother with bitlocker?  is it so slightly-more-savvy-than-average joe can easily enable it, or so you don't have to write it into the firmware?  (i'm being serious, not snarky--i'm a software developer myself.)  personally, i'm dual-booting win7* and ubuntu 14, which means i need 2 separate encryption methods instead of just supplying my credentials at boot to decrypt the hd and then choosing which os to load.
  -also, if i upgrade the windows os, ms requires the os volume to be decrypted first.  this would obviously not be the case if windows was unaware that it was encrypted.
  *last, what about those poor silly saps who are running win7 (or earlier)?  i just read that win7 bitlocker doesn't support self-encrypting drives--it was an update as of win8.  we're just out of luck?  i realize you can't support everything, but win7 is still a ms-supported os, and it seems like a better service to (more of) your customers to enable full-disk encryption all the time.
  thank you!

• Going from 128-bit to 256-bit encryption

  Hello all,
  This is my first post here so please be gentle.
  I'm a tech manager who inherited an undocumented environment and have a question regarding upgrading the encryption on our 6.1 iPlanet instances from 128-bit to 256-bit.
  I've searched through the documentation and I can't seem to get a clear answer.
  1. To upgrade to 256-bit do I just need to update the following line in my obj.conf file:
  PathCheck fn="ssl-check" secret-keysize="128"
  to
  PathCheck fn="ssl-check" secret-keysize="256"
  2. Are there any dependencies for making this change such as generating a new SSL cert?
  Thanks in advance - Bill

  Here is some documentation about ssl-check :
  http://docs.sun.com/app/docs/doc/820-2203/abujv?l=en&a=view&q=ssl-check
  The ssl-check function is used along with a Client tag to limit
  access of certain directories to non-exportable browsers. If a
  restriction is selected that is not consistent with the current cipher
  settings, this function displays a warning that ciphers with larger
  secretkeysizes must be enabled.
  secret-keysize (Optional) Minimum number of bits required in the secret key.
  Which version of 6.1 Server are you using?
  $cd <web-server-install-dir>/<web-server-instance-dir>/
  $start -versionCan you send your server.xml settings?
  Assuming your machine is foo.bar.test.com
  $cd alias
  $../bin/https/admin/bin/certutil -L -d . -p  https-foo.bar.test.com-foo-displays the server's certificate nickname lets say it is Server-Cert
  Then try to get the certificate details in ascii format
  $../bin/https/admin/bin/certutil -n Server-Cert -p https-foo.bar.test.com-foo-It will show something like :
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: .... (0x...)
          Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
          Issuer: "CN=..."
          Validity:
              Not Before: .... 2008
              Not After : .... 2018
          Subject: "CN=..."
          Subject Public Key Info:
              Public Key Algorithm: PKCS #1 RSA Encryption
              RSA Public Key:
                  Modulus:
                      bd:10:c2:e0:bc:ad:fd:e6:75:ce:86:82:51:de:bf:37:
                      51:05:06:89:db:c2:6d:0c:31:f4:19:32:90:59:77:c1:
                      a0:6c:ef:88:54:ed:f8:d3:d2:6a:f7:22:f4:c6:95:60:
                      06:3a:64:f3:e4:0c:09:f4:37:c6:44:e7:d4:37:5a:4d
                  Exponent: 65537 (0x10001)
  ...Each line in Modulus section corresponds to 128 bits. In my case I have 4 lines, so my certificates key size is 4*128 = 512 bits.
  Can you send your modulus info i.e key size with which your certificates were created?
  Edited by: mv on Feb 8, 2008 9:28 AM

• 256 bit encryption with Distiller?

  I have Acrobat X and am using a watched folder and Distiller to generate encrypted .pdf documents.
  Distiller is set to 128 bit encryption and I don't see any way to change that.
  The help button on the Distiller security settings dialog links to a help page about Acrobat security instead of Distiller ( I filed a bug about that already).
  Thanks in advance for any help.

  The user will probably have to open each file and set the security in Acrobat after Distiller has made them.
  Beware of 256 bit encryption, it puts severe limits on the software people can use to read the files.

• AES 256 Revision 6 (PDF 2.0) Encryption

  I am trying to implement decryption of AES 256 Revision 6 (PDF 2.0) as described in the ISO 32000-2 spec and having some success but getting some peculiar results that I cannot resolve and would appreciate some suggestions.
  Using Acrobat X on a PC and encrypting using password encryption compatible with Acrobat X, I created a set of about 20 Acrobat X encrypted PDF tests. When I ran these through our implementation to decrypt as following ISO 32000-2 particularly Algorithms 2.A and 2.B most decrypted successfully and produced correct output. However a few failed either in the authentication phase or in the intermediate key computation stage, with the latter showing an error by an invalid decryption of the first stream of PDF encountered. Next I tried another set of different tests and also got a similar pass rate. Finally I took one unencrypted PDF test and chose the same security settings of compatible with Acrobat X, restrict editing, and printing, and allowed print and used the same password for 15 generated versions of this PDF test. 13 of these 15 resultant encrypted tests ran successfully with our implementation of the Revision 6 decryption algorithm. Two failed, with one failing a match on both user and owner key and the other failing computing the intermediate owner key.
  In the past when we have implemented earlier Revision 5 256 AES, or even older compatibility versions it always was the case that you either had the software working or you didn’t. And the new PDF 2.0 2B algorithm with 64+ hashes and 64+ aes encryptions of data along with 16 byte mod 3 math computations leaves little room for error.
    I believe that Acrobat when encrypting is choosing a random AES IV and all data including input /U /O /UE, and /OE strings differ. Even for the case described above of the same input test, same password, and same Acrobat encryption options. Thus the input into Algorithm 2-B will differ but the output should for authentication match the first 32 bytes of the O or U key or should result in a correct final result for intermediate owner or user key if the corresponding match occurred above.
  However for the few exceptions that fail the above decryption it is not easy to determine what went wrong. Just about any change to the implementation of Algorithm 2.B breaks all working test cases instead of giving a clue as to what the issue is. The possible suspects are the new SHA-384 and SHA-512 and the encrypt code. We have used SHA-256 and the AES decrypt portion in earlier implementation of revision 5 and had no problems. The AES and hash code we are using is from Gladman1. I was wondering what others are using? It looks like Acrobat X is using RSA BSAFE Crypto – C2 at least for FIPS. Could Leonard or somebody else at Adobe tell me if this RSA software is also used in general with Acrobat X?
  And I think that it would be very beneficial to have and publish a set of test vectors given input into algorithm 2.B along with correct intermediate results for each step. For each hash – including which method used per step show hash results, and also encryption step results, number of steps beyond 64 minimum, as well as final result. For the 80% of tests I have working I could produce this info. For those tests I cannot get working I would need help. Perhaps someone at Adobe or elsewhere who has had greater success than I have can help? I can provide input for the problematic tests either through this forum or privately at [email protected].
  1) http://www.gladman.me.uk/
  2) http://blogs.adobe.com/security/2011/05/update-fips-validation-certificates-for-acrobat-an d-reader-x.html

  I create a simple file called 256encrypt.pdf and encrypted with aes256
  I am using "Algorithm 2.B: Computing a hash" from ISO32000-2 to verify the user password
  user password: password
  User string from the PDF test file : f4 65 f1 69 9a e2 ea 71 ba e7 6b 48 bb 12 8f 1f 18 74 e3 d3 e2 97 7e b8 d6 fe 9f 7f 86 b0 6d 89 c9 38 40 c5 64 dc 5a 32 04 4d 9c 6f 28 d2 98 d0
  User string hash value:  f4 65 f1 69 9a e2 ea 71 ba e7 6b 48 bb 12 8f 1f 18 74 e3 d3 e2 97 7e b8 d6 fe 9f 7f 86 b0 6d 89
  User Validatiaon salt: c9 38 40 c5 64 dc 5a 32
  User Key salt:04 4d 9c 6f 28 d2 98 d0
  The input for the "Algorithm 2.B: Computing a hash" is as follows:
  user Validation Salt: c9 38 40 c5 64 dc 5a 32
  password: 70 61 73 73 77 6f 72 64 (password)
  step 1: SHA256(password+user Validation Salt)
  the result is  K = 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
  step 2: Make a new string K1 with 64 repetitions of the input password and K
  K1= 70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
         70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
         70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
          70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
  Total 64 times , total length = 0xa00
  step3: Encrypt K1 with AES_128(CBC)
  AES_CBC_128_NOPADDING:
  Key = 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee
  IV =   be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
  K1 64 repeat of the 70 61 73 73 77 6f 72 64 9d 47 2d 4e f0 96 cd dd 7a 8c 04 8d b4 d2 b8 ee be fe b9 9f 7f cc e1 29 ea 63 ad f2 a3 d5 11 5b
  Result : Total length is 0xa00. The beginning part of the E is
  E =
  47 df 2a 7f 90 8a c4 d9 f2 8b a0 f1 49 f0 8e 09 51 c4 a3 ce fd 28 48 f3 d7 c1 04 76 1b 6b 5b f2 6d 3d 2c 3f 03 26 76 06 d5 67 44 c8 2a b6
  10 02 a5 8d a7 93 4f 94 02 b9 bf 93 b5 2d 17 82 02 3b f7 8e 8a 07 0f 18 ed 19 b3 ba 55 8b 14 b7 45 16 80 47 4f 6e c3 b6 20 d2 72 cd d1 46
  2c d3 88 f7 c4 f7 e3 3a 04 3d 72 4f e0 d2 66 63 c4 9c 77 7c c5 53 fd 69 81 f6 3b 3d f5 8e b2 bd 66 4e 0f c6 1e 96 5e 91 e2 3d 60 5c 60 75
  a3 13 49 58 85 e8 bb 37 93 91 4c 4f 79 a5 80 f2 13 be 44 22 aa e5 ee 6c 29 2c 76 50 a3 15 85 69 5e e9 c5 29 13 2a f6 67 51 8e 1e 7f 23 8a
  90 a7 fe 93 c7 ff 45 ee 2a f0 c0 70 f1 78 2e 80 bd be 06 4f ad 69 4d 47 e6 3f ae e2 6a 76 ef 3e 56 8f 2d f5 c9 49 26 f3 7e 6e 61 8b 5e e6
  e6 2d dd 76 cd 30 33 1d fe bf 11 60 ce 33 35 43 da b7 33 9b b9 6a 86 cd 35 a0 ca 84 99 0c ca 71 28 b3 01 b9 23 b4 a0 87 4e fb ff af b6 bd
  step4:
  The result of the first 16 bytes of E mod 3 is 1
  step5:
  Using SHA384 to get 48 bytes K
  K = 29 de 28 c1 f0 17 c9 37 bd 93 97 e3 b5 51 b0 86 b9 0c 96 e0 77 28 87 1c 11 7b 41 ce 64 bf a8 7f f2 8b a2 7b 52 58 79 a9 63 c0 b2 31 f8 4e e4 6e
  This is the end of round 1 and go back to step 2 using this new K
  When round is equal or bigger than 64, check E[last byte], if E[last byte] > round -32, go back to step 2
  The final round is 69. and the final result is
  K = ab 7c c6 03 bc da 85 51 3f 3d 22 fb 58 8c 42 1d 45 67 55 92 9f 4f d2 41 b3 93 07 04 7d b1 30 6d
  But this K does not match with the first 32 byte of the user string.