| Table of Contents |
|---|
...
IP Layer encryption methods - IPSEC
The primary encryption method used at the IP layer is IPsec (Internet Protocol Security), which utilizes various symmetric encryption algorithms like AES,
...
Triple DES, and
...
Blowfish to encrypt data packets at the network layer, providing secure communication over IP networks; it also includes authentication mechanisms to verify data integrity.
Key points about IPsec encryption:
- Encryption algorithms:IPsec supports a variety of encryption algorithms, including AES (Advanced Encryption Standard) which is widely considered the most secure option today.
- Key management:"Internet Key Exchange (IKE)" protocol is used to securely negotiate and establish shared secret keys between communicating devices before encryption can occur.
- Modes of operation:IPsec can operate in two modes:
- Tunnel mode: The entire IP packet is encapsulated and encrypted.
- Transport mode: Only the payload within the IP packet is encrypted.
- Tunnel mode: The entire IP packet is encapsulated and encrypted.
- Authentication header (AH):In addition to encryption, IPsec can utilize an authentication header to verify the integrity of the packet and prevent tampering.
AWS on IPSEC Protocol
Secure Messaging Concepts
Secure Messaging Protocols
Quic Protocol for secure messaging
Quic Protocol for secure messaging
Potential Value Opportunities
Potential Challenges
RCS Test Messages Not fully secure
While RCS (Rich Communication Services) does use some encryption methods like Transport Layer Security (TLS) to protect messages in transit, it is not considered a fully secure, end-to-end encrypted protocol by default, meaning carriers and potentially governments could access message content if they wanted to; therefore, it is not completely secure in the strictest sense.
Key points about RCS and encryption:
- No native E2EE:The core RCS protocol itself does not have built-in end-to-end encryption, which is the highest level of security for messaging.
- Google's approach:Google has implemented its own encryption on top of RCS using the Signal protocol, but this only works when both users are using Google Messages and have RCS chat enabled.
- Carrier access:As RCS is a carrier-based technology, service providers could potentially access message content if they wanted to.
Google RCS is proprietary but now fully encrypted protocol - 2024
.
MFA with SMS text codes is not secure
Government Issues New iPhone, Android 2FA Warning—Stop Using SMS Codes Now. - Forbes 241222
a mandate to “use only end-to-end encrypted communications… such as Signal or similar apps.” Users are urged to use apps that are “compatible with both iPhone and Android operating systems, allowing for text message interoperability across platform,” ruling out Google Messages and iMessage.
2FA/MFA is clearly an absolute as well. This needs to be “FIDO phishing-resistant authentication,” which means something linked to authenticated user hardware allowing for some physical form of authentication. “Where feasible, hardware-based FIDO security keys, such as Yubico or Google Titan, are the most effective; however, FIDO passkeys are an acceptable alternative.”
Hardware-based FIDO security keys, also known as physical security keys or hardware tokens, are external devices that allow passwordless logins. They connect to endpoint devices using USB, NFC, or Bluetooth. Some examples of hardware-based FIDO security keys include:
- YubiKeys: A popular example of a hardware-based FIDO security key
- Hideez Keys: A popular example of a hardware-based FIDO security key
- Solokeys: A popular example of a hardware-based FIDO security key
Other types of FIDO security keys include:
- USB-based keys: These keys are versatile and connect to devices' USB ports for authentication.
- NFC-enabled keys: These keys provide contactless authentication with NFC-enabled devices.
- Bluetooth security keys: These keys enable wireless authentication and are useful for devices without USB ports.
When choosing a FIDO security key, you can consider things like: hardware-based security features, user experience, and certification and compliance requirements.
Not all applications and websites support security keys as a form of authentication.However, many major platforms, including Google, Facebook, Dropbox, and GitHub, support them
Other advice includes locking phones, SIMs and carrier services (such as voicemail) with a PIN wherever available. “This PIN is required for logging into your account or completing sensitive operations, such as porting your phone number—a critical step in countering SIM-swapping techniques.”
FIDO passkeys
FIDO (Fast Identity Online) passkeys are a type of authentication method that use public-private key cryptography to improve online security. They can take many forms, including:
- A hardware security key
- A passkey registered to a website on your browser
- A smartphone with built-in biometric capabilities
- Synced passkeys, which are shared across multiple devices
- Hardware-bound passkeys, which are stored in dedicated hardware devices
Here are some examples of how FIDO passkeys work:
- Sign in: The user receives a prompt to sign in with a passkey.
- Authentication: The user completes a local authentication method using biometrics, a local PIN, or by touching their FIDO Security Key.
- Verification: The client device sends the signed challenge back to the service, which verifies it with the stored public key and signs the user in.
FIDO passkeys are considered phish-resistant because of their cryptographic communication protocols and the fact that they must be registered with the authenticating service.
Candidate Solutions
Secure Messaging Solutions
Step-by-step guide for Example
| Info |
|---|
sample code block
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
Recommended Next Steps
Related articles
| Page Properties | ||
|---|---|---|
| ||
|