Crypto is cracked: How not to fall in

Security admins need to stay ahead of vulnerabilities in the most reliable cryptography technologies, from HTTPS to AES

Over the past few weeks, cracks have appeared in the cryptographic technologies on which organizations have long relied. These include the vulnerabilities in HTTPS-protected cookies and last week's hacking of RFID smart cards.

These developments should not come as too significant a surprise. Even demonstrably strong, time-tested crypto can be compromised, as attack methods and tools only improve. With enough time, every great encryption algorithm today will be tomorrow's cracked cipher. That's why all security administrators need to ensure that their enterprise's crypto keeps pace.

[ Download Roger Grimes's new "Data Loss Prevention Deep Dive" PDF expert guide today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ] A team of German scientists demonstrated the recent RFID hack. Through one, they were able to perfectly clone the kind of magnetic security card used to give workers in corporate or government buildings -- including NASA -- and as a daily ticket replacement on buses and subways. The demonstration made real the theoretical attack first proposed in 2002. Pulling off such an attack would require the perpetrator to have physical possession of the target card. The technique uses minute voltage changes in a cryptographic "side channel" attack to reveal the card's 112-bit secret 3DES encryption key.

The specified RFID card's vendor, Mifare, was notified six months ago of the attack, and the comedy emerges in the process of ending the marketing of the vulnerable card. That latter point is probably slight comfort to the millions of users of the existing cards. The good news is that most criminals don't have the expertise and equipment to pull off the attack. The real threat right now is to specific targeted, high-value companies from dedicated attackers. In most cases, there are far easier ways to compromise the intended victims to access otherwise protected information.

Notably, 3DES encryption was standardized in 1998, which happens to be the same year its official replacement, Advanced Encryption Standard (AES), was created. AES was standardized in 2001. It's unclear as to why any modern-day encryption card would still be using 3DES; there have been readily available, acceptable upgrades and replacements, including from the same vendor.

Even so, AES has started showing signs of weakness against successive encryption attacks. If history is any guide, security experts and NIST (National Institute of Standards and Technology, which often codifies U.S. government encryption standards) will proclaim AES's replacement long before the cipher is considered useless for protection.

In light of all of this, it's essential for security admins to stay current with the latest encryption recommendations. Here are good questions to ask about your organization's security environment:

Which cipher standards and ciphers are implemented in the encryption and authentication products and services at your company? Do you know them all?

Do you require generally accepted ciphers and key sizes?

Among the other products and services you use, which of them rely on what may now be considered weak ciphers?

Does your company have a policy that prevents the use and implementation of products and services containing weak or unknown ciphers?

What is the minimum allowable cipher-key size for protecting your medium- and high-impact data?
Are the key sizes lengthened over time as crypto attacks weaken smaller key sizes?

In order to keep your enterprise safe, you need a proactive security policy that encourages strong, acceptable ciphers (encryption, authentication, and hash), and performs auditing and monitoring to assure the same. Today's cipher is changing. Are you?