今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#encryption

找到 8 篇相关文章

AI 资讯

France to Stop Certifying Non-Quantum-Safe Encryption

France is accelerating its transition to post-quantum encryption: France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems. Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the agency would halt such certifications from 2027, and that businesses should be buying only quantum-safe products by 2030. ANSSI approval is required for use in French government agencies and critical infrastructure, making the policy a de facto phase-out of older encryption...

2026-07-06 原文 →
AI 资讯

Cloud KMS and Bring-Your-Own-Key: What You're Actually Trusting

Every major cloud provider sells a key management service, and most sell a "bring your own key" option layered on top, marketed as the difference between trusting the provider and trusting yourself. The pitch is clean. The mechanics underneath are not, and the part that actually determines who can read your data is rarely the part the sales page shows you. If you've provisioned storage on AWS, Google Cloud, or Azure in the last few years, you've seen the encryption-at-rest checkbox: "encrypt with a key you manage." It sounds like a meaningful control. In practice it's three different architectures wearing the same marketing label, and they don't provide the same guarantee. What a KMS Actually Does A cloud Key Management Service is a hosted service that generates, stores, and performs operations with cryptographic keys on your behalf. When you ask a KMS to encrypt something, in most cases the plaintext key material never leaves the service's boundary. What you get back is a ciphertext blob and, for envelope encryption schemes, a wrapped data key you can use locally. The design goal is real: keys shouldn't sit in application memory or config files where a compromised host can grab them. The question that matters is not "does a KMS exist in this architecture" but "who can invoke it, and under what legal or operational conditions." That's where customer-managed keys and bring-your-own-key start to diverge in ways the naming doesn't make obvious. Customer-Managed Keys vs Bring-Your-Own-Key Customer-managed keys (CMK) means the key was generated inside the provider's KMS, under your account, and you control the access policy: who can use it, when it rotates, whether it can be disabled. The key material itself still lives entirely inside the provider's infrastructure. You never see the raw bytes. You're managing permissions on a key you didn't generate and can't export. Bring-your-own-key (BYOK) means you generate the key material yourself, outside the provider's environme

2026-07-02 原文 →
开源项目

Factoring RSA Keys with Many Zeros

Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, PGP keys, and many others. By searching this dataset for unexpectedly sparse RSA moduli, we uncovered a large number of keys in the wild with the patterns in Figure 1...

2026-06-30 原文 →
AI 资讯

How to implement field-level AES-256-GCM encryption in Spring Boot (and why we packaged it into one annotation)

If you've ever had to encrypt a nationalId , a creditCardNumber , or a medicalRecord field in a Spring Boot entity, you already know the drill. You write an AttributeConverter , you wire up a Cipher instance, you generate an IV, you figure out where the key lives, you get the GCM tag handling wrong once, you fix it, and three weeks later you finally trust it enough to ship. We've done this enough times — across healthcare and fintech projects — that we stopped doing it manually. This post walks through the full implementation from scratch, the mistakes that are easy to make along the way, and then shows the one-annotation version we eventually packaged into Nucleus , our open-core Java framework. Why GCM, and not just AES-CBC If you search "AES encryption Java" you'll find a lot of CBC-mode examples. Don't use them for new code. CBC gives you confidentiality but no integrity check — an attacker can flip bits in the ciphertext and you won't know it happened until something downstream breaks in a weird way, or worse, doesn't break at all. GCM (Galois/Counter Mode) gives you both confidentiality and authentication in one pass. It produces an authentication tag alongside the ciphertext, and decryption fails loudly if either the ciphertext or the tag has been tampered with. It's also the mode behind TLS 1.3, which is a reasonable signal that it's held up to scrutiny. The relevant specification is NIST SP 800-38D. Building it by hand Here's a minimal, correct implementation. This is the version you'd write before you have a framework to lean on. public class AesGcmEncryptor { private static final String ALGORITHM = "AES/GCM/NoPadding" ; private static final int GCM_TAG_LENGTH_BITS = 128 ; private static final int GCM_IV_LENGTH_BYTES = 12 ; private final SecretKey key ; public AesGcmEncryptor ( SecretKey key ) { this . key = key ; } public String encrypt ( String plaintext ) { try { byte [] iv = new byte [ GCM_IV_LENGTH_BYTES ]; SecureRandom . getInstanceStrong (). nextByt

2026-06-19 原文 →
AI 资讯

rclone crypt: encrypt files client-side before they touch any cloud

If you want files encrypted before they ever reach a cloud provider — so the provider only ever sees ciphertext — rclone crypt is the simplest tool that works with almost any backend (S3, Google Drive, Dropbox, pCloud, Backblaze B2, a plain SFTP box…). This is client-side, zero-knowledge-style encryption you fully control. Here's a clean setup. The idea rclone crypt is a wrapper remote : it sits on top of a normal remote and transparently encrypts file contents and file/dir names on the way up, decrypts on the way down. Your passphrase never leaves your machine. local files -> [crypt remote: encrypt] -> [storage remote] -> cloud (sees ciphertext only) 1. Install curl https://rclone.org/install.sh | sudo bash # or: sudo apt install rclone rclone version 2. Configure the underlying storage remote rclone config # n) New remote -> name it e.g. "drive" -> pick your provider -> OAuth/keys Test it: rclone lsd drive: 3. Add a crypt remote on top rclone config # n) New remote -> name "secret" -> storage: "crypt" # remote> drive:encrypted # a subfolder on the storage remote # filename_encryption> standard # also encrypts file names # directory_name_encryption> true # password> (generate a strong one) # password2> (salt - optional but recommended) Back up the passphrase + salt in a password manager. There is no recovery if you lose them — that's the whole point of zero-knowledge. 4. Use it # Upload (everything is encrypted client-side first): rclone copy ~/Documents secret: -P # List (decrypted view, local only): rclone ls secret: # Mount as a normal folder: rclone mount secret: ~/CloudCrypt --vfs-cache-mode writes On the provider's side you'll see only opaque names like a1b2c3d4... — no filenames, no content. 5. Verify the provider sees nothing rclone ls drive:encrypted # raw view = encrypted blobs + scrambled names If you can read filenames here, filename encryption isn't on — recheck step 3. Gotchas crypt encrypts content + names, not the number of files or their sizes. A m

2026-06-14 原文 →
AI 资讯

How I built an E2EE chat in Go + React (with AI agent support)

🚀 Try it now: Open the Arthas web app — create a room, share the code, chat with E2EE. No signup needed. TL;DR — Try It in 2 Minutes No signup required. A free public server is running at wss://arthas100-arthas-server.hf.space/ws . 1. Create an encrypted room (CLI) # Linux/macOS — download and make executable curl -L -o arthas-cli https://github.com/michaelwang123/arthas/releases/latest/download/arthas-cli chmod +x arthas-cli # Windows (PowerShell) — download the .exe # curl.exe -L -o arthas-cli.exe https://github.com/michaelwang123/arthas/releases/latest/download/arthas-cli-windows-amd64.exe # Create a room — generates AES-256 key locally, outputs share code ./arthas-cli create --server wss://arthas100-arthas-server.hf.space/ws --name "Alice" # Windows: .\arthas-cli.exe create --server wss://arthas100-arthas-server.hf.space/ws --name "Alice" # Output: # ✓ Room created! Share code: # QYEq9uxfKP9h-KCUsPUay:NlZezXoUErYr92grhif3Y-Hy3FOOK1ocb3WocCJJrQM # # The encryption key never leaves your device. ⚠️ Keep this terminal open — the room exists only while at least one participant is connected. 2. Join from another terminal (or send the code to a friend) # Linux/macOS ./arthas-cli join QYEq9uxfKP9h-KCUsPUay:NlZezXoUErYr92grhif3Y-Hy3FOOK1ocb3WocCJJrQM \ --server wss://arthas100-arthas-server.hf.space/ws \ --name "Bob" # Windows # .\arthas-cli.exe join QYEq9uxfKP9h-KCUsPUay:NlZezXoUErYr92grhif3Y-Hy3FOOK1ocb3WocCJJrQM --server wss://arthas100-arthas-server.hf.space/ws --name "Bob" That's it — you're chatting end-to-end encrypted. The server only sees ciphertext blobs; it cannot read, store, or parse anything. 💡 Prefer a web UI? Open the Arthas web app , create a room, and share the code. Bonus: Connect an AI Agent to the Same Room Every AI agent channel today (Telegram bots, Slack apps, Discord) transmits prompts in plaintext. With Arthas, your AI joins the encrypted room as a regular participant — the server can't tell human from bot (both are encrypted binary blobs). npm

2026-06-03 原文 →