Security Advances: Think Ahead or Fall Behind

Security is an arms race – you need to move or you will get left behind. And getting left behind in security means that you’ll be separated from the herd and ripe for successful attacks.


27 December 2013


According to Moore's Law, computing power doubles every 18 months. So, if you say 'it will take 100 years to brute force my encryption,' in a year and a half, the 'time to crack' will be reduced to 50 years and so on.

This brings the need for increasing the key size to protect data that has long-term value. It is not a simple task, especially if systems are not designed to allow key size increase and key rotation. As a customer, I would make sure that providers are capable of staying current with cryptography advances and can swap out weak keys and outdated algorithms.

But the interesting thing with security is, the attacker almost never goes after the countermeasure that you implemented. They will probe until they find the one you missed.

For the example above, the data that is securely stored with proper key rotation and size increase processes in place, most likely, was once sent over a Transport Layer Security (TLS)-protected link. Let's assume AES256 was used to encrypt the packets. Good, right? In fact, it’s not good enough. A substantial number of connections use the key of the Secure Sockets Layer (SSL) certificate (maybe we should start calling them TLS certificates) to encrypt the data. This is not necessary, since the HTTPS session is temporary - a temporary key would be sufficient.

Unnecessary implementations almost always lead to weaknesses.

Using certificate keys instead of temporary session keys for TLS allows adversaries to store the transmitted encrypted stream and later try to get the certificate that was used, either covertly (which highlights the importance of destroying old certificates) or by legal means. If the certificate key were used to generate a temporary session key, the provider would not be in a position to lose the keys or submit them as the result of a legal request. Some call this Perfect Forward Secrecy.
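One way to check which suites in a server's cipher list tie the session to the certificate key rather than a temporary key is to classify the suite names by key exchange. This is an added example, not part of the original post: the function names and the sample cipher list are constructed for illustration, and it goes slightly beyond the text by accepting IANA-style names as well as OpenSSL-style ones.

```python
# Added example: flag TLS cipher suites whose session keys depend on the
# long-lived certificate key instead of a temporary per-session key.

# Key-exchange tokens that mean a fresh (EC)DH key pair for every handshake.
EPHEMERAL = {"ECDHE", "DHE", "EDH"}
# Tokens that name some other key exchange (static DH, PSK, SRP, anonymous DH).
OTHER_KX = {"ECDH", "DH", "PSK", "SRP", "ADH", "AECDH", "RSA", "KRB5"}


def key_exchange(suite: str) -> str:
    """Classify a suite name as 'ephemeral', 'static-rsa' or 'other'."""
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            # TLS 1.3 name such as TLS_AES_256_GCM_SHA384: certificate-based
            # TLS 1.3 handshakes always use ephemeral (EC)DHE.
            return "ephemeral"
        # IANA name for TLS 1.2 and earlier: TLS_<key exchange>_WITH_<cipher>.
        kx = name[len("TLS_"):name.index("_WITH_")].split("_")
        rsa_transport = kx == ["RSA"]
    else:
        # OpenSSL name: a leading key-exchange token, or none at all
        # (AES256-SHA), which means RSA key transport with the certificate key.
        kx = name.split("-")
        if kx[0] == "EXP" and len(kx) > 1:
            kx = kx[1:]
        rsa_transport = kx[0] not in EPHEMERAL | OTHER_KX
    if kx[0] in EPHEMERAL:
        return "ephemeral"
    return "static-rsa" if rsa_transport else "other"


def without_forward_secrecy(cipher_string: str) -> list[str]:
    """Return the suites in a colon-separated list that are not ephemeral."""
    suites = [s for s in cipher_string.split(":") if s.strip()]
    return [s for s in suites if key_exchange(s) != "ephemeral"]


# Constructed sample: a server cipher list mixing both kinds of suite.
SAMPLE = (
    "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:DHE-RSA-AES128-SHA:"
    "TLS_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CBC_SHA:ECDH-RSA-AES256-SHA"
)

if __name__ == "__main__":
    for suite in without_forward_secrecy(SAMPLE):
        print(f"{suite}: {key_exchange(suite)}")
```

Suites reported as `static-rsa` are the case described above: AES256 protects the packets, but the key that protects the session is the certificate's.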

You may think this sounds too unlikely to worry about. I thought so too, up until recently, when I attended a session at the Cloud Security Alliance Congress that discussed how easy it is for governments (especially outside of the United States) to gain access to private data.

I always suspected that the USA had the most protections, but this one was a real eye-opener.

In my next post, I’ll write in more detail about a few of the interesting topics we came across at the CSA Congress. Until next time -



Mushegh Hakhinian


Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.