Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] AES-256 and Sensitive Documents
From: "Bukaweski, Dylan S" <dbukawes () PROVIDENCE EDU>
Date: Wed, 28 Nov 2018 20:30:17 +0000
My understanding is that just because the browser supports TLSv1.3 doesn’t mean it is going to use it to connect to the server. If your server only supports TLSv1.2 (not 1.3) with AES-256 for example, the browser is going to have to use that suite or it isn’t going to be able to connect. If the server in question is publicly accessible, you can use Qualys SSL Labs (https://www.ssllabs.com/ssltest/) to see what is supported as far as TLS versions and ciphers. ☺ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald Loneker Sent: Wednesday, November 28, 2018 3:22 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [External] Re: [SECURITY] AES-256 and Sensitive Documents Okay, here's my follow up question, though, about using the web app. If you are using Chrome and TLS is TLS 1.3, you're only encrypting in transit at AES-128 and the federal regulation (I'm getting the specific one from our Financial Aid staff member) is saying it has to be AES-256. True or not true? Ron ----------------------------------- Ron Loneker, Jr. Director, IT Special Projects College of Saint Elizabeth Henderson Hall, Room 202C 2 Convent Road Morristown, NJ 07960 Phone: 973-290-4229<tel:973-290-4229> e-mail: rloneker () cse edu<mailto:rloneker () cse edu> On Wed, Nov 28, 2018 at 2:38 PM Jones, Mark B <Mark.B.Jones () uth tmc edu<mailto:Mark.B.Jones () uth tmc edu>> wrote: For such things we would provide a link to a Web application that would allow the user to upload the document instead. Let https encrypt the document in transit. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Ronald Loneker Sent: Wednesday, November 28, 2018 1:30 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] AES-256 and Sensitive Documents Good Afternoon All - Our Financial Aid office would like to have students and their parents, when e-mailing financial aid documents containing sensitive information, to comply with federal regulations saying the documents should be e-mailed with AES-256 encryption. Since TLS 1.3 was released and is now in use in Chrome, the TLS 1.3 protocol uses only AES-128 encryption so we're considering asking our students and their parents, if e-mailing sensitive documents, to encrypt them with a yet to be decided encryption application at the AES-256 level and attach the encrypted file to the e-mail being sent to our Financial Aid office. We would provide links to easy to use, free encryption software and provide directions on how to download, install and use it. We are also considering adding this software to our computer lab images for those students who want to e-mail documents but don't have access to a computer at home. Right now, the other web browsers seem to be using TLS 1.2, currently operating at the AES-256 level, with Firefox and Safari saying they expect to move to TLS 1.3 in the near future at some point. I'm curious as to what other schools are doing, and whether they are putting any sort of language on their website saying that documents like this should be encrypted to prevent unauthorized access to the data. Please note that I am not looking for vendor solicitations. Ron Loneker, Jr. Director, IT Special Projects College of Saint Elizabeth Henderson Hall, Room 202C 2 Convent Road Morristown, NJ 07960 Phone: 973-290-4229<tel:973-290-4229> e-mail: rloneker () cse edu<mailto:rloneker () cse edu> This email originated from outside of Providence College. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Current thread:
- AES-256 and Sensitive Documents Ronald Loneker (Nov 28)
- Re: AES-256 and Sensitive Documents Penn, Blake C (Nov 28)
- Re: AES-256 and Sensitive Documents Jones, Mark B (Nov 28)
- Re: AES-256 and Sensitive Documents Oberlin, Craig (Nov 28)
- Re: AES-256 and Sensitive Documents Jones, Mark B (Nov 28)
- Re: AES-256 and Sensitive Documents Linc Nesheim (Nov 28)
- Re: AES-256 and Sensitive Documents Gael Frouin (Nov 28)
- Re: AES-256 and Sensitive Documents Oberlin, Craig (Nov 28)
- Re: AES-256 and Sensitive Documents Ronald Loneker (Nov 28)
- Re: [External] Re: [SECURITY] AES-256 and Sensitive Documents Bukaweski, Dylan S (Nov 28)
- Re: AES-256 and Sensitive Documents Jones, Mark B (Nov 28)
- Re: AES-256 and Sensitive Documents Jeff Holden (Nov 28)
- Re: AES-256 and Sensitive Documents Ronald Loneker (Nov 28)
- Re: AES-256 and Sensitive Documents Jeff Holden (Nov 28)
- Re: AES-256 and Sensitive Documents Lovaas,Steven (Nov 29)
- Re: AES-256 and Sensitive Documents Hart, Michael (Nov 29)
- Re: AES-256 and Sensitive Documents Amanda Williams (Dec 13)
- Re: AES-256 and Sensitive Documents Zachary Yamada (Dec 13)
- Re: AES-256 and Sensitive Documents Gael Frouin (Dec 13)
- Re: AES-256 and Sensitive Documents Ronald Loneker (Nov 28)