Many people have questions about the difference between transfer encryption (encryption of data in transit) and content protection (also called "encryption at rest"). This article explains these two security features available for Aspera transfers and how each is enabled.
Aspera (fasp) uses on-the-fly data encryption to protect the confidentiality and integrity of data in flight. fasp encrypts with 128-bit AES in standard CFB (Cipher Feedback) mode, re-initializing the key throughout the transfer and using a unique initialization vector (nonce) for each block, so identical plaintext blocks never produce identical ciphertext and attacks based on sampling the encrypted stream are defeated; each block transferred is also integrity-checked on receipt. Note that this protection exists only on the wire: the receiver removes it, and the file is written to disk in plaintext at the destination. For a more in-depth explanation of encryption and the Aspera Security Model see: https://support.asperasoft.com/entries/20933197-security-model
Using transfer encryption is optional. Some users transfer without it to reduce CPU load (the cost of encrypting at the sender and decrypting at the receiver), especially on slower computers, or to get the highest possible throughput; the trade-off is that file contents then cross the network in the clear, so this should only be considered on a trusted network. In the GUI, encryption is turned off by unchecking the "Encrypt data in transit" option on the Security tab for a single transfer or a configured "connection." On the command line, encryption is enabled by default and is disabled by adding the "-T" option to the ascp command. A server administrator can "require" transfer encryption (it is then enabled automatically even if the client did not request it) or "disallow" it (the transfer then runs unencrypted regardless of what the client requests). When configuring transfer encryption, the server administrator can additionally specify that the encryption must run in "FIPS 140-2-certified" encryption mode.
Content Protection, available in Aspera since version 2.5, is also termed "encryption at rest" or "filewise encryption." This feature provides the means for files transferred with Aspera to be stored encrypted on the server or at the final destination. If the server requires encryption at rest, or the sender opts to use content protection, each file is encrypted ("enveloped") with a key derived from a password chosen by the sender and stored with a server-configurable extension (by default .aspera-env). Because only the envelope is stored, someone with access to the server's storage but without the password cannot read the content. The recipient uses the password supplied by the sender either to decrypt the files as they are downloaded, or after download using the freely available Aspera Crypt application (available for Windows and Mac): http://www.asperasoft.com/en/downloads/26 Content-protected files can only be decrypted with the same password the sender specified at upload; there is no server-side recovery if that password is lost.
On the command line, the user requests content protection (filewise encryption) with "-o FileCrypt=encrypt"; ascp reads the passphrase from the ASPERA_SCP_FILEPASS environment variable rather than from a command-line argument, which keeps it out of the process list and shell history. For transfers initiated from an Aspera GUI, content protection is selected by checking "Encrypt uploaded files with a password" on the Security tab for the individual transfer or the configured "connection."
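To make the difference between the two layers concrete, here is an added, self-contained model of them in Python. It is illustrative code written for this article, not Aspera's implementation: AES-128-CFB is replaced by a SHA-256 keystream (an assumption, chosen so the example runs with the standard library only), the block size, the PBKDF2 round count and the envelope layout are likewise assumed, and the sample file content is constructed. What it shows is what the page says in prose: transfer encryption uses a fresh IV per block so repeated plaintext blocks do not repeat on the wire, but the receiver strips it and stores plaintext; content protection survives the transfer, lands on disk under the .aspera-env extension, and opens only with the sender's password.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16             # assumed block size for the model; the page does not give fasp's real block size
IV_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumed; the page does not say how Aspera derives a key from the password
ENV_EXT = ".aspera-env"  # default content-protection extension named in the article


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def _keystream(key, iv, n):
    """SHA-256 in counter mode, standing in for AES-128-CFB (assumption, not Aspera's cipher)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:n])


def transport_encrypt(session_key, data):
    """Transfer encryption: every block gets a fresh random IV that travels with it."""
    wire = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        iv = os.urandom(IV_LEN)
        wire += iv + _xor(chunk, _keystream(session_key, iv, len(chunk)))
    return bytes(wire)


def transport_decrypt(session_key, wire):
    """Receiver strips transfer encryption; what it writes to disk is plaintext."""
    out, pos = bytearray(), 0
    while pos < len(wire):
        iv = wire[pos:pos + IV_LEN]
        chunk = wire[pos + IV_LEN:pos + IV_LEN + BLOCK]
        out += _xor(chunk, _keystream(session_key, iv, len(chunk)))
        pos += IV_LEN + len(chunk)
    return bytes(out)


def _derive(password, salt):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return key[:16], key[16:]  # encryption key, MAC key


def envelope(password, data):
    """Content protection: encrypt under a password-derived key and authenticate the result."""
    salt, iv = os.urandom(16), os.urandom(IV_LEN)
    enc_key, mac_key = _derive(password, salt)
    ct = _xor(data, _keystream(enc_key, iv, len(data)))
    tag = hmac.new(mac_key, salt + iv + ct, "sha256").digest()
    return salt + iv + ct + tag


def unenvelope(password, env):
    """Open an envelope; a wrong password fails the tag check instead of yielding garbage."""
    salt, iv, ct, tag = env[:16], env[16:32], env[32:-TAG_LEN], env[-TAG_LEN:]
    enc_key, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + iv + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted envelope")
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def simulate_upload(name, data, encrypt_in_transit, content_protect, password=None):
    """Return (stored name, bytes on the server's disk) for one upload with the given options."""
    payload, stored_name = data, name
    if content_protect:
        payload, stored_name = envelope(password, data), name + ENV_EXT
    session_key = os.urandom(16)  # per-session key; the page says it is re-initialized during transfer
    if encrypt_in_transit:
        wire = transport_encrypt(session_key, payload)
        payload = transport_decrypt(session_key, wire)  # receiver removes the transport layer
    return stored_name, payload


if __name__ == "__main__":
    sample = b"PATIENT-RECORD " * 4  # constructed sample file content, repeated blocks on purpose
    name, on_disk = simulate_upload("scan.dcm", sample, encrypt_in_transit=True, content_protect=False)
    print(name, "plaintext on disk:", on_disk == sample)
    name, on_disk = simulate_upload("scan.dcm", sample, True, True, password="shared-out-of-band")
    print(name, "plaintext on disk:", on_disk == sample)
    print("opens with sender's password:", unenvelope("shared-out-of-band", on_disk) == sample)
```

Run it to see that the first upload stores scan.dcm in plaintext even though the wire was encrypted, while the second stores scan.dcm.aspera-env, which only unenvelope() with the sender's password can read. The authentication tag is what lets a wrong password be reported as an error rather than silently producing garbage; any real at-rest format needs an equivalent.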
For Connect Server and Faspex end users, the use of transfer encryption is controlled solely by the server admin; the Connect plug-in picks the setting up from the fasp URL. Transfer encryption is configurable by the server admin on a 'global', 'group' or 'per user' basis, and end users cannot choose an option other than the one the administrator specified. Similarly, the use of content protection is configured by the server administrator, although in Faspex the admin can give a user the option to use content protection on a per-transfer basis (in addition to configuring it 'globally' or 'per user'). When offered per transfer, the sender sees a "Use encryption-at-rest" checkbox on the "Send" screen that encrypts all files uploaded in that transfer session. Whenever content protection is used, the sender and receiver must agree on the password, and it must be communicated to the other party out of band, not alongside the download link.