Feedback (suggestions for improvement):

4096-bit encryption/Elliptic Curve Cryptography (logon encryption types)/Two-factor authentication/Connection (SSL/TLS encryption)/

OpenDNS server (IPv6)/Full IPv6 support/HMAC authentication/Cipher Block Chaining/Diffie-Hellman key exchange/

Station-to-Station (STS) protocol/Pretty Good Privacy/Perfect Forward Secrecy/Encryption Tool (Cloud Storage/Backup)/

Bonus: company pension scheme (for all employees)/Optional: New Payment Methods

 

Please forward the suggestions to the responsible departments (IT department/technical department/web hosting provider/including the partner).

Thank you in advance for forwarding them.

 

4096 bit encryption:

https://www.pcwelt.de/ratgeber/Verschluesselung_-_Was_ist_noch_unknackbar_-Sicherheits-Check-8845011.html

https://www.heise.de/security/artikel/Kryptographie-in-der-IT-Empfehlungen-zu-Verschluesselung-und-Verfahren-3221002.html?seite=all

 

These are recommended for encryption.

 

Highly Secure Elliptic Curve Cryptography (Login Encryption Types):

https://de.wikipedia.org/wiki/Elliptic_Curve_Cryptography

https://www.heise.de/select/ix/2017/3/1487529933065685

https://www.computerweekly.com/de/definition/Elliptische-Kurven-Kryptografie-Elliptic-Curve-Cryptography-ECC

https://www.globalsign.com/de-de/blog/ecc-101/

https://www.ssl247.de/certificats-ssl/rsa-dsa-ecc

 

These are ideally suited for the customer area.

 

Two-Factor Authentication (TOTP):

https://de.wikipedia.org/wiki/Zwei-Faktor-Authentisierung

https://www.pcwelt.de/ratgeber/Wichtige_Dienste_per_Zwei-Faktor-Authentifizierung_schuetzen-Sicherheit-8679969.html

https://www.security-insider.de/flexiblere-zwei-faktor-authentifizierung-an-vpns-a-700259/

https://www.security-insider.de/remote-access-vpn-mit-zwei-faktor-authentifizierung-a-389000/

http://www.itseccity.de/produkte-services/it-security/vpn-loesungen/ncp-engineering090315.html

 

Customer accounts are doubly secured by two-factor authentication and are therefore very difficult to hack.

Activation of two-factor authentication is voluntary (option in the customer account). If you have

two-factor authentication activated, you always need the authenticator app to log in to the desktop version (PC).

 

Authenticator app:

a) FreeOTP Authenticator

b) Authy

c) Microsoft Authenticator

d) Lastpass Authenticator

e) Google Authenticator

 

Two-factor authentication is active immediately. The next time you log in, the 6-digit code that the authenticator app displays

for the customer account must be entered in the field provided for this purpose (authenticator code).

 

Connection (SSL/TLS encryption):

If the connection is encrypted using SSL/TLS, it is almost impossible for anyone to read the online traffic.

 

OpenDNS server (IPv6):

https://www.opendns.com/about/innovations/ipv6/

 

These are recommended for safety reasons.

 

Full IPv6 support:

This means that users will automatically receive an IPv6 address in addition to the normal IPv4 address after establishing an Internet connection.

This gives you full access to the IPv6 network. In addition, full IPv6 integration also means that all users are automatically protected from IP leaks via IPv6.

This provides full connectivity and future viability, since many mobile networks no longer allocate IPv4 on their own (cgNAT could slow down the connection speed).

 

These are recommended for safety reasons.

 

HMAC authentication: https://en.wikipedia.org/wiki/HMAC

HMAC stands for keyed-hash message authentication code. A message authentication code protects transmitted data against modification

by an attacker who can read the data in real time. TLS uses hash values (hence the H in HMAC) as one of many ways to reliably authenticate messages.
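As an added illustration of the HMAC paragraph above (example code, not from the original mail or any product named in it), this Python snippet authenticates a transmitted record with HMAC-SHA256 and shows what the receiver sees when the record arrives intact, altered, or under a different sequence number. The key `b"Jefe"` and the record contents are constructed demo values; the key is the one from the RFC 4231 test vectors so the `hmac_sha256_hex` helper can be checked against a known answer.

```python
import hashlib
import hmac
import struct

# Constructed demo key (RFC 4231 test-vector key); a real protocol takes it from the handshake.
DEMO_KEY = b"Jefe"


def mac_record(key: bytes, seq: int, payload: bytes) -> bytes:
    """Authenticate one record: HMAC-SHA256 over the sequence number and the payload.

    Binding the sequence number into the tag means a record cannot be replayed or
    reordered without the check failing, on top of catching any change to the payload.
    """
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def verify_record(key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    """Receiver recomputes the tag and compares in constant time."""
    expected = mac_record(key, seq, payload)
    return hmac.compare_digest(expected, tag)


def hmac_sha256_hex(key: bytes, message: bytes) -> str:
    """Plain HMAC-SHA256 hex digest, for checking against the RFC 4231 test vectors."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def tamper_demo(key: bytes) -> dict:
    """What the receiver decides for an intact, a modified, and an out-of-sequence record."""
    seq, payload = 7, b"transfer 100 EUR to account A"   # constructed sample record
    tag = mac_record(key, seq, payload)
    altered = payload.replace(b"account A", b"account B")  # one byte changed in transit
    return {
        "intact": verify_record(key, seq, payload, tag),
        "modified payload": verify_record(key, seq, altered, tag),
        "same record, wrong seq": verify_record(key, seq + 1, payload, tag),
    }


if __name__ == "__main__":
    for case, ok in tamper_demo(DEMO_KEY).items():
        print(f"{case:24s} -> {'accepted' if ok else 'rejected'}")
```

Someone who can read the channel sees the tag but not the key, so they cannot produce a valid tag for a changed record; `hmac.compare_digest` is used instead of `==` so that the comparison time does not depend on how many leading bytes happen to match.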

 

Cipher Block Chaining: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CBC

CBC stands for Cipher Block Chaining, in which every message depends on the previous ones.

This way even short interruptions of the channel can be noticed quickly.

 

Diffie-Hellman key exchange: https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

A symmetric encryption scheme is used, whose key is negotiated via Diffie-Hellman key exchange over elliptic curves.

The server and the app use intelligent math to negotiate and verify the secret key, which is then used to encrypt the entire session's data.

 

Station-to-Station (STS) protocol: https://en.wikipedia.org/wiki/Station-to-Station_protocol

In public-key cryptography, the Station-to-Station (STS) protocol is a cryptographic key agreement scheme.

The protocol is based on classic Diffie–Hellman, and provides mutual key and entity authentication.

Unlike the classic Diffie–Hellman, which is not secure against a man-in-the-middle attack, this protocol

assumes that the parties have signature keys, which are used to sign messages, thereby providing

security against man-in-the-middle attacks. In addition to protecting the established key from an attacker,

the STS protocol uses no timestamps and provides perfect forward secrecy. It also entails two-way explicit

key confirmation, making it an authenticated key agreement with key confirmation (AKC) protocol.

 

Pretty Good Privacy: https://en.wikipedia.org/wiki/Pretty_Good_Privacy

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography,

and finally public-key cryptography; each step uses one of several supported algorithms. Each public

key is bound to a username or an e-mail address. The first version of this system was generally known

as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate

authority and which was added to PGP implementations later. Current versions of PGP encryption include

both options through an automated key management server.

 

Perfect Forward Secrecy: https://en.wikipedia.org/wiki/Forward_secrecy

With Perfect Forward Secrecy, even if a determined adversary somehow manages to attack the computer or server during a session, they will not

be able to decrypt traffic from past sessions. This is because the provider uses a new secret key for each connection. Even if you stay connected to

the provider for a long period of time, the provider automatically changes the key every 60 minutes. This key renewal every 60 minutes

guarantees "forward secrecy". So if an attacker succeeds in compromising the key, in the worst case he could track the data for up

to 60 minutes. After that everything is secret again.

 

Encryption Tool (Cloud Storage/Backup): https://nuetzlich.net/gocryptfs/

With the Locker App you can save your data within seconds with end-to-end encryption. Drag and drop into a vault folder and you're done.

gocryptfs requires a locker key to open and close a lock. When a locker is set up, a 256-bit key is generated using Libsodium. This

locker key is then additionally encrypted with XSalsa20-Poly1305 MAC using a secret key (which is assigned to the user when setting up the account).

Now the locker key is secured and the file can be encrypted. This is done using AES-GCM for file content encryption and EME for file

name encryption. To gain access to the files in the vault, the user must set a master password. Every time you want to open your vault,

you need this password. It should be easy to remember, as you will often need it. The master password is also important for encryption

of the secret key. The user is the only one who knows the master password. It is not stored in the app or on the servers in order

not to be hacked. If you forget or lose your master password despite its importance, you can reset it with the so-called recovery key.

This recovery key is obtained as an emergency tool during registration.

 

Advantages:

1.) Encryption with just one click

2.) Ability to reset the master password

3.) Possible with any file type and size

4.) Encrypts the data stored locally on the computer as well as those in the cloud

5.) Access on multiple devices

6.) App available for macOS and Windows

7.) Strong encryption systems (Argon2, AES-256, ECC)

8.) Easy to use & user friendly

 

Bonus: Company pension scheme (for all employees):

https://de.wikipedia.org/wiki/Betriebliche_Altersversorgung

 

This is recommended for all employees (workers and salaried employees). The statutory pension is not secure (further cuts will follow).

 

Optional: New payment methods

Credit Cards, PayPal, Sofortüberweisung, Bitcoin, Vouchers (Starbucks) and PaySafeCard,

Bitcoin, Skrill, Webmoney, Plimus, Payza, Cherry Credits, Mercado, Pago, Raekc, MyCard,

Indomog, Pagseguro, Fanapay, Qiwi, Interac, Sofortüberweisung, Przelewy, Dotpay, iDeal,

Alipay, Giropay, E-Prepag, SanalPara, PostaCeki, ToditoCash, Ukash, CashU, Phone Payment,

Fortumo, Gudang Voucher, MOLPoints, Ecopayz, Necard, Gamania, Neosurf, GSCash, Ticket Surf,

All o Pass, SMS Coin, MicroOdeme, ImpulsePay, DaoPay, Bank Transfer, Mobile Payment,

SEPA direct debit authorization (with a right of withdrawal), Purchase on account (14 days payment term)

and cash on delivery in Austria, Germany, Switzerland

 

_______________________________________________
Support@pidgin.im mailing list
Want to unsubscribe?  Use this link:
https://lists.pidgin.im/listinfo/support
