Re: AES-256 and Sensitive Documents

[Amanda Williams <akwilliams () PITTSTATE EDU>]

For the folks using LiquidFiles, curious how it is going. Is it easy to use for both the end user and the recipient? We 
are thinking of implementing it to allow for secure upload of documents. Who on your team is the administrator? 

Thanks, 


Amanda Williams 
IT Security Officer 
Information Technology Services 
Pittsburg State University 
[ callto:620.235.4657 | 620.235.4657 ] 

Simple. Safe. Smart. You are receiving this email because you are a Pittsburg State University student, employee, or 
other University community member. If you have questions or concerns regarding the validity of this email, please 
contact the individual or department that sent this email, ITSecurity () pittstate edu , or Gorilla Geeks at [ 
callto:620-235-4600 | 620-235-4600 ] . 


From: "Hart, Michael" <mhart20 () MSUDENVER EDU> 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Sent: Thursday, November 29, 2018 9:32:12 AM 
Subject: Re: [SECURITY] AES-256 and Sensitive Documents 



We’re currently rolling out LiquidFiles for some of our teams until we can get rights management experience in the 
OneDrive arena. 




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Lovaas,Steven 
Sent: Thursday, November 29, 2018 8:19 AM 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] AES-256 and Sensitive Documents 





Has anyone considered OneDrive's capabilities for this kind of need? 




================================ 


Steven Lovaas 


University Information Security Officer 


Colorado State University 


[ mailto:steven.lovaas () colostate edu | steven.lovaas () colostate edu ] 


970-297-3707 


Mit der Dummheit kämpfen Götter selbst vergebens. 


================================ 



From: The EDUCAUSE Security Community Group Listserv < [ mailto:SECURITY () LISTSERV EDUCAUSE EDU | SECURITY () 
LISTSERV EDUCAUSE EDU ] > on behalf of Jeff Holden < [ mailto:jholden () CCCTECHCENTER ORG | jholden () CCCTECHCENTER 
ORG ] > 
Sent: Wednesday, November 28, 2018 5:38:32 PM 
To: [ mailto:SECURITY () LISTSERV EDUCAUSE EDU | SECURITY () LISTSERV EDUCAUSE EDU ] 
Subject: Re: [SECURITY] AES-256 and Sensitive Documents 





The server sets what encryption methods it will accept, without having access to the server config I couldn't tell you 
why it would default to AES128, it could be that was the default server algorithm. If you require AES256 then disable 
all of the other methods on the server. 


Thanks, 

Jeff Holden, CISSP 

Chief Information Security Officer 

California Community Colleges Technology Center 

California Community Colleges Security Center 

[ 
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcccsecuritycenter.org&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7Cc6db27c4e1394cb72f6d08d6560e0e6d%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C636791015714232080&sdata=yrLahaqYFWJnW5FqN%2Bx%2BbqlrD1JrilF2NgysAQE5nfM%3D&reserved=0
 | https://cccsecuritycenter.org ] 


Schedule a meeting [ 
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcalendly.com%2Fjeffholden&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7Cc6db27c4e1394cb72f6d08d6560e0e6d%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C636791015714242089&sdata=zuENJLPzX13H%2Bi7yJbvBRWSx7mz3Q6TmSAfKfUnX6XI%3D&reserved=0
 | calendly.com/jeffholden ] 


[ 
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cccsecuritycenter.org%2Fservices%2Fservice-request&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7Cc6db27c4e1394cb72f6d08d6560e0e6d%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C636791015714242089&sdata=mJJ%2FTDiKlDN0%2BI%2BRS54HuHyzGM3tMhcmrUs%2B0uZsfZA%3D&reserved=0
 | Need
 help with a CCC Security Center Service? ] 


(530) 715-0778 








On Wed, Nov 28, 2018 at 2:55 PM Ronald Loneker < [ mailto:rloneker () cse edu | rloneker () cse edu ] > wrote: 





Thank you - the information I was looking at did not specify this. 





It's curious that the encryption level in Chrome defaulted to AES-126 with the upgrade of the browser to TLS 1.3 while 
the other browsers using TLS 1.2 show they're encrypted at AES-256 by default. 





Interesting. 



Ron 
----------------------------------- 
Ron Loneker, Jr. 
Director, IT Special Projects 
College of Saint Elizabeth 
Henderson Hall, Room 202C 
2 Convent Road 
Morristown, NJ 07960 

Phone: [ tel:973-290-4229 | 973-290-4229 ] 

e-mail: [ mailto:rloneker () cse edu | rloneker () cse edu ] 








On Wed, Nov 28, 2018 at 3:44 PM Jeff Holden < [ mailto:jholden () ccctechcenter org | jholden () ccctechcenter org ] > 
wrote: 

BQ_BEGIN



Unless the RFC changed AES 256 is supported in TLS 1.3 via TLS13-AES256-GCM-SHA384 


Thanks, 

Jeff Holden, CISSP 

Chief Information Security Officer 

California Community Colleges Technology Center 

California Community Colleges Security Center 










On Wed, Nov 28, 2018 at 11:30 AM Ronald Loneker < [ mailto:rloneker () cse edu | rloneker () cse edu ] > wrote: 

BQ_BEGIN



Good Afternoon All - 





Our Financial Aid office would like to have students and their parents, when e-mailing financial aid documents 
containing sensitive information, to comply with federal regulations saying the documents should be e-mailed with 
AES-256 encryption. 





Since TLS 1.3 was released and is now in use in Chrome, the TLS 1.3 protocol uses only AES-128 encryption so we're 
considering asking our students and their parents, if e-mailing sensitive documents, to encrypt them with a yet to be 
decided encryption application at the AES-256 level and attach the encrypted file to the e-mail being sent to our 
Financial Aid office. We would provide links to easy to use, free encryption software and provide directions on how to 
download, install and use it. We are also considering adding this software to our computer lab images for those 
students who want to e-mail documents but don't have access to a computer at home. 





Right now, the other web browsers seem to be using TLS 1.2, currently operating at the AES-256 level, with Firefox and 
Safari saying they expect to move to TLS 1.3 in the near future at some point. 





I'm curious as to what other schools are doing, and whether they are putting any sort of language on their website 
saying that documents like this should be encrypted to prevent unauthorized access to the data. 





Please note that I am not looking for vendor solicitations. 



Ron Loneker, Jr. 
Director, IT Special Projects 
College of Saint Elizabeth 
Henderson Hall, Room 202C 
2 Convent Road 
Morristown, NJ 07960 

Phone: [ tel:973-290-4229 | 973-290-4229 ] 

e-mail: [ mailto:rloneker () cse edu | rloneker () cse edu ] 







BQ_END


BQ_END