Your operational technology (OT) network’s security is only as strong as the weakest link in your supply chain. Threat actors are increasingly finding ways to locate and break that weakest link.
Encryption: XChaCha20 vs. AES-256 – What’s the difference?
The battle of encryption standards
Encryption is the cornerstone of online data security. It ensures that confidential information is accessible only to its owner or authorized recipients, making it nearly impossible for cybercriminals to open or use the files, even if they somehow get ahold of them.
But there’s not just one way to encrypt data. Multiple encryption algorithms exist to help protect sensitive information, and naturally, debates arise over which one is the best.
In this article, we’ll dive into two leading encryption algorithms, XChaCha20 and AES-256. We’ll explore how they work and how they differ, trying to determine which one might be better. Let’s start by defining both.
What is AES encryption?
AES is a type of encryption that uses the same key for both encrypting and decrypting data, which is why it’s called symmetric encryption. It works by chopping data into small blocks and then using that single secret key to scramble and unscramble the information. Known for being both secure and efficient, AES is used by the US government and many other organizations.
How does AES encryption work?
To explain how AES works, we’ll dive into a bit of technical detail, but stick with us if you’re curious about the process. So, as already mentioned, AES breaks your data into blocks (each 128 bits or 16 bytes in size) and encrypts each block separately.
While the block size stays the same, you can choose between 128-, 192-, or 256-bit keys for encryption—more bits mean more possible key combinations and stronger security.
Encryption with AES involves several rounds of processing for each data block. For instance, AES with a 256-bit key goes through 14 rounds. Once encrypted, the data can be sent safely over the web, and only someone with the right key can decrypt it; otherwise, the data is unreadable.
What is XChaCha20 encryption?
Like AES, XChaCha20 is symmetric encryption, which means it uses a single key to scramble and unscramble data. However, XChaCha20 is also a 256-bit stream encryption type, with “stream” referring to the fact that, instead of dividing data into blocks, XChaCha20 encrypts each bit of data one at a time. Some argue that this makes XChaCha20 a better choice than AES, which is why XChaCha20 is often used in modern encryption systems.
How does XChaCha20 work?
XChaCha20 uses a 256-bit key and a 192-bit nonce to generate a keystream—a sequence of random numbers. It encrypts data by combining this keystream with the plaintext using XOR, which compares corresponding bits: if they are the same, the result is 0; if they are different, the result is 1.
This process scrambles the data in a way that can be reversed for decryption. The larger nonce size in XChaCha20 helps prevent security issues related to nonce reuse, enhancing its overall security.
Key differences between XChaCha20 and AES
We know that technical details can be a lot to take in. So, to make things easier, we’ve created a simple bulleted list that breaks down the differences between the two encryption algorithms. Here’s a straightforward comparison:
AES encryption
Older: AES has been around since 2001.
Block-based: Works with fixed-size blocks of data (128 or 16 bits).
More complex: Involves multiple rounds of encryption with key sizes of 128, 192, or 256 bits.
Hardware-dependent: Often requires hardware support for optimal performance.
Prone to human error: Key management and nonce handling can be tricky, leading to potential errors.
XChaCha20
More modern: XChaCha20 was introduced in 2014.
Stream-based: Encrypts data bit by bit using a stream cipher.
Simpler: Faster to implement with a 256-bit key and a 192-bit nonce.
Less hardware-dependent: Doesn’t always require hardware support for efficient performance.
Less prone to human error: Larger nonce size helps reduce issues with nonce reuse and simplifies key management.
The main difference between AES-256 and XChaCha20 encryption is that AES-256 is a block cipher, meaning it encrypts data in fixed-size chunks, while XChaCha20 is a stream cipher that handles data one bit at a time. AES-256 has a long-standing reputation as the “advanced encryption standard,” while XChaCha20 is relatively new but gaining popularity.
AES-256 encryption is more complex than XChaCha20, which comes with a few drawbacks:
The more complex the algorithm, the higher the chance of mistakes that could put your data at risk.
AES-256 often needs special hardware to run efficiently, whereas XChaCha20 works well on regular software. For example, newer Intel, AMD, and ARM processors support AES, but older or entry-level devices like Android Go phones, smart TVs, and smartwatches may not have built-in support.
Without that special hardware, AES-256 can be significantly slower compared to XChaCha20.
Use cases and industry adoption
As we discussed earlier, AES has become a popular encryption standard across many industries. You’ll find it widely used in finance, healthcare, and government services. However, XChaCha20 is starting to make waves, especially in areas where high security and performance are critical, like mobile devices and IoT applications.
One of the key reasons for its growing popularity is that XChaCha20 is less susceptible to certain side-channel attacks compared to AES, making it a top pick for situations that demand extra security.
XChaCha20 vs. AES – which is better?
Although both AES and XChaCha offer high security and are useful in various scenarios, the speed and simplicity of XChaCha20, along with its ability to run smoothly without specialized hardware, are making it a popular choice for many companies—even Google.
On top of that, key management is much easier with XChaCha20. The longer nonce it uses reduces the risk of collisions and simplifies the process overall, making implementations more straightforward and less prone to errors.
Here at NordPass, we know how crucial it is to stay ahead of the curve and provide our customers with the best, most up-to-date tech solutions. That’s why we’ve chosen XChaCha20 encryption for our password manager. With its speed, simplicity, and ease of use, it’s likely that more companies will follow suit in the future.
Bottom line
Both AES-256 and XChaCha20 are great at encrypting and, therefore, securing sensitive data. But XChaCha20 really shines when it comes to simplicity and speed, making it a better choice for situations where you need both top performance and easy setup.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.
Remote workers’ security: Enabling device access with Smart Remote Access
It is often tough for both IT admins and companies to enable remote access. IT admins struggle to establish secure connections and manage remote personal devices. Companies, on the other hand, worry about security risks, high costs, and keeping up with regulations.
These challenges are even greater for businesses with strict device security policies that require devices to stay in the office while allowing remote working. Organizations that outsource their workforce also face increased security risks of data breaches and difficulty controlling devices.
That’s why remote work security is key. In this article, we’ll explain how NordLayer’s Smart Remote Access (SRA) functionality secures authorized device access, protects data with encryption, and simplifies remote device management.
What is remote work security?
Securing a remote workforce means putting strong security measures in place to protect company devices and company data from being accessed by the wrong users. This strategy helps protect your data and systems when employees, including outsourced or temporary ones, work from outside the office. That’s why super strict device security is a must. This way, you can prevent unauthorized access and ensure that only approved devices can connect to the company network.
The challenge is finding a balance between strict security and remote work. Businesses can use security measures that fit remote setups. One practical approach is implementing solutions that control device access and ensure compliance with security policies. In other words, you need to cover all bases while securely enabling remote device access.
3 pillars of remote work security
To keep your employees, data, and systems safe, focus on three main areas. These key elements will help you stay ahead of potential threats and ensure smooth remote operations:
Pillar 1: Securing access to SaaS applications
Remote work security is all about protecting collaboration and productivity tools, along with any other tools that store sensitive business, employee, or customer data. Make sure that only authorized users can access them.
Pillar 2: Defense against web threats
Safeguard against security risks from general web access, such as malware and phishing attacks, by implementing a Secure Web Gateway (SWG) framework.
Pillar 3: Managing applications via ZTNA
Manage company software, whether hosted on-premise or in the cloud, using solutions that contribute to Zero Trust Network Access (ZTNA) for secure and controlled access.
By covering these bases, you’ll keep your remote work environment secure and running smoothly.
Most common remote work security risks
As remote device access becomes more common, businesses face several critical threats. From unauthorized access to phishing and malware infections, these risks can severely impact security. Weak password policies, regulatory non-compliance, unmanaged personal devices, and insecure cloud access contribute to the growing list of challenges.
To put it plainly, it’s like trying to fix a flat tire with a piece of string—it’s not going to hold up without a proper solution. Let’s have a closer look at these challenges:
Unauthorized access
One of the biggest risks businesses face with remote work is unauthorized access, which often results in data breaches.
Phishing
Attackers send fake messages and emails to trick users into revealing confidential information using social engineering techniques.
Malware infections
Remote personal devices are always at risk if not well-protected. If a remote device gets malware, it could infect the entire network and compromise far more sensitive data than expected.
Weak password security
Poor password policies can lead to unauthorized access.
Unsecured cloud and SaaS access
Using insecure alternatives to VPN endangers your data security and exposes it to cyber-attacks.
Best practices for remote work security
Can employees (and their devices) be 100% secure while working remotely? Can they have secure access to company resources? It’s tough, but following these steps can help reduce security risks.
Choose Smart Remote Access (SRA) for remote device control
With SRA, IT admins create a secure connection policy that provides virtual access to a specific company device. Smart Remote Access makes managing diverse devices easier. For example, it helps troubleshoot devices, install or delete apps, or change a remote user’s laptop settings. It also ensures compliance with company security policies and industry regulations.
What’s great about using SRA is that it is intuitive and user-friendly. To enable it, simply add gateways in the Smart Remote Access settings in the Control Panel.
Next, to set up secure connections, just connect to the same gateway, name your devices, and make a few configuration changes. choose a Virtual Private Gateway and click Enable.
Once you enable the feature for your Virtual Private Gateway, a local network (LAN) will be set up between all devices connected to that private gateway. This makes it easy for team members to collaborate on projects or share files securely.
Boosting remote work security
SRA allows you to create secure connection policies to access company resources easily. What’s the best way to create an even more robust security framework that protects remote work environments? Combine Smart Remote Access with multi-factor authentication (MFA). These two solutions contribute to the Zero Trust Network Access (ZTNA) framework and enhance overall security.
MFA adds an extra security layer by requiring multiple verification factors for access. SRA ensures that only authenticated and authorized users can access specific applications and resources.
Smart Remote Access and RDP/VNC: Why encryption matters
Virtual Network Computing (VNC) allows users to remotely access and control another computer’s desktop interface over a network. RDP, or Remote Desktop Protocol, developed by Microsoft, lets users connect to another computer over a network. With RDP, you can see and interact with the remote computer’s desktop as if you were sitting right in front of it.
Now, what’s the difference between SRA, RDP, and VNC? SRA uses robust encryption protocols, ensuring data integrity and confidentiality during remote access. It also integrates VPN technology, adding extra protection. This setup protects sensitive data and prevents unauthorized device access. That’s why SRA is a better choice than basic RDP and VNC.
It also helps you avoid “naked,” unprotected connections and gives you peace of mind when it comes to secure remote device access.
How NordLayer can help
NordLayer offers solutions to secure your remote workforce, integrating advanced security measures like encrypted connections, multi-factor authentication (MFA), Virtual Private Network (VPN) technology, and Identity and Access Management (IAM) to ensure robust protection against cyber threats and data breaches.
Smart Remote Access is key to securing remote work environments. By addressing common risks and following best practices, businesses can protect their sensitive data and keep operations running smoothly in an increasingly remote world.
Want to try out our adaptive and user-friendly solutions? Contact our team to find out more.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.
About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.
Keepit supports dairy company Emmi with SaaS data backup for Microsoft
Emmi AG, the largest dairy processing company in Switzerland, is working with Keepit’s backup solution for Microsoft 365
COPENHAGEN, DENMARK. August 23, 2024 – Since April 2024, Emmi AG, the largest dairy processing company in Switzerland with its own presence in 14 countries worldwide, has been working with the backup solution for Microsoft 365 from Keepit, a leading provider of cloud backup for SaaS applications.
After the expiry of its previous backup solution, Emmi was faced with the challenge of finding a comprehensive, scalable, and future-proof alternative. There were several reasons in favor of the Danish software-as-a-service company: The solution needed to back up all of Emmi’s business-critical SaaS data for Microsoft 365, Azure DevOps and Entra ID on an independent private cloud, ensure business continuity, be able to restore the data immediately, and be user-friendly. And all this at a transparent fixed price with no hidden costs. Keepit meets these criteria and even offers its backup-as-a-service from Swiss data centers. Keepit stores two copies of the backed-up data on its own storage solution in two data centers, ensuring a clean air gap: A decisive factor for Emmi’s security requirements.
After a proof of concept in production with real data, the backup solution was introduced — smoothly and in just a few hours. The operation of the Keepit solution required only minimal training for employees. The simple and almost self-explanatory functionality of the solution promoted internal acceptance.
For Emmi, the uncomplicated direct communication and the high level of expertise of all those involved also proved their worth. Another advantage of the Keepit solution is that it fits seamlessly into the dairy company’s IT landscape and thus supports the centralized management of backups. The reliable, automated solution requires hardly any operational effort on Emmi’s part.
For Marc Baumann, Lead Data Platform Services, the results of the collaboration speak for themselves: “With Keepit, we can effectively minimize downtime and data loss by performing regular backups without storage space restrictions. Overall, Keepit contributes significantly to Emmi’s risk management by providing a reliable and scalable backup solution that secures business operations.”
With Emmi’s international business activities, it was also important that technology partners could provide a globally available and scalable offering. Keepit’s global infrastructure was therefore another key advantage. The collaboration underlines Emmi’s commitment to innovation and data security in the digital era. Keepit is proving to be the ideal partner for mastering the challenges of a globally active dairy.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.
