![]() Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were developed to create protected channels using encryption and authentication to ensure the security of sensitive data between a server and a client. The National Security Agency (NSA) has released guidance to help organizations eliminate weak encryption protocols, which are currently being exploited by threat actors to decrypt sensitive data. Prepare for cryptographic agility to always stay ahead of malicious actors’ abilities and protect important information.NSA Releases Guidance on Eliminating Weak Encryption Protocols ![]() However, using obsolete TLS configurations provides a false sense of security since it looks like the data is protected, even though it really is not,” the NSA writes, “Make a plan to weed out obsolete TLS configurations in the environment by detecting, remediating, and then blocking obsolete TLS versions, cipher suites, and finally key exchange methods. “Organizations encrypt network traffic to protect data in transit. In its document the NSA makes a point to harp on the illusion of security older TLS configurations can provide it may appear that data is protected but really it isn’t. For RSA key transport and DH/DHE key exchange, keys lesst han 2048 bits should not be used, and ECDH/ECDHE using custom curves should not be used.” “NSA recommends RSA key transport and ephemeral DH (DHE) or ECDH (ECDHE) mechanisms, with RSA or DHE key exchange using at least 3072-bit keys and ECDHE key exchanges using the secp384r1elliptic curve. RSA key transport with the appropriate mechanisms in place is recommended: When it comes to cipher suites - cryptographic algorithms that factor into TLS transmission - weak and obsolete cipher suites like NULL, RC2, RC4, DES, IDEA, and TDES/3DES should not be used those that support TLS 1.3 and TLS 1.2 should be double checked to ensure they’re not running older cipher suites either. SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are not be used. Going forward, if they’re not already, the NSA is encouraging organizations to only use TLS 1.2 or TLS 1.3. The NSA’s guidance covers recommended TLS versions, cipher suites, and key exchange mechanisms, how to detect old versions and how to remediate out-of-date devices. In order to sufficiently protect sensitive data, organizations need robust protection that means keeping up with new versions of the TLS protocol and shedding support for obsolete versions. Government systems, something which could open them up to adversaries accessing sensitive operational traffic. While it doesn’t point fingers, the document does note that obsolete TLS configurations are in use in U.S. The guidance reiterates that NIST, the National Institute of Standards and Technology, and CNSS, the Committee on National Security Systems, prohibit the use of obsolete protocols and that those in charge of systems at the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) would be well served to follow it. While the guidance is technically for all organizations - all network owners and operators should consider taking these actions, the NSA said - it's specifically geared towards those who oversee federal websites and services. That's partly why the National Security Agency this week released guidance for organizations to help eliminate use of these obsolete protocols. While many of those attacks are years old, it doesn't diminish the fact that outdated transport layer security (TLS) protocols continue to pose a threat. ![]() ![]() Attacks like DROWN - an exploit which took advantage of a flaw in SSLv2 on servers running SSL/TLS, along with other acronymic attacks through the years like POODLE, BREACH, BEAST and CRIME, are prime examples of some of the problems with weak encryption protocols. Experts have long warned about the dangers associated with old, deprecated encryption protocols.
0 Comments
Leave a Reply. |