Foregenix Blog

Andrew McKenna

Your Encryption Checklist

12/01/18 10:14

Based on real and potential weaknesses identified in existing security protocols as well as industry guidance on algorithms, the following are some things to bear in mind when considering your business’ plans for encryption in 2018.

✓ SSL v3 and TLS v1.0 are deprecated and should be disabled on all public interfaces. I suggest using https://www.ssllabs.com to test your interfaces.

✓ The chances are that TLS v1.1 and v1.2 are not impervious to future attacks so being prepared for TLS v1.3 is a good idea. While this isn't generally available on browsers yet, you should certainly start testing this now as part of your standard development lifecycle.
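As an added example (not code from the original post), the two items above turned into a check: a parser for the nginx `ssl_protocols` directive, run over a constructed weak fragment beside its corrected form, plus a live probe that reports which TLS versions a listener actually negotiates. It assumes Python 3.7+ with OpenSSL; the nginx snippets and all function names are hypothetical.

```python
import socket
import ssl

# Versions the checklist says must be off on public interfaces (SSLv2 added for completeness).
MUST_DISABLE = {"SSLv2", "SSLv3", "TLSv1"}

# Constructed nginx fragment showing the weak setting, and its corrected form.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # TLSv1.0 still on
}
"""
FIXED_NGINX = "ssl_protocols TLSv1.2 TLSv1.3;"


def parse_nginx_ssl_protocols(config_text):
    """Return the set of protocol names enabled by ssl_protocols directives."""
    enabled = set()
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(";").split()
        if parts and parts[0] == "ssl_protocols":
            enabled.update(parts[1:])
    return enabled


def audit_protocols(enabled):
    """Compare a set of enabled protocol names with the checklist."""
    bad = enabled & MUST_DISABLE
    return {"disable": sorted(bad), "passes": not bad, "tls13_ready": "TLSv1.3" in enabled}


def offered_versions(host, port=443, timeout=5):
    """Live probe: handshake with each TLS version pinned as both minimum and maximum,
    so the server cannot negotiate something else. Returns the versions that completed.
    A version the local OpenSSL itself refuses to offer shows up as not negotiated."""
    offered = set()
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # protocol support only, not certificate validity
        try:
            ctx.minimum_version = getattr(ssl.TLSVersion, name)
            ctx.maximum_version = getattr(ssl.TLSVersion, name)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    offered.add(tls.version())
        except (OSError, ValueError):
            pass
    return offered
```

Feed the result of `offered_versions()` to `audit_protocols()` to get the same verdict for a live interface that the parser gives for a config file.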

✓ TDES double-length, i.e. TDES 128-bit (or 112-bit not including parity bits), is not considered strong encryption and is only acceptable for use with the Derived Unique Key Per Transaction (DUKPT) scheme.

✓ The caveat to the above is that NIST is deprecating TDES in general (https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA) and urges all users of TDES to migrate to AES as soon as possible. Therefore, if you are currently developing a solution that implements encryption, default to AES; and if you are using any TDES keys for data encryption or key encryption, it's worth reviewing your technical options and possible timelines for migration to stronger keys.

✓ Lastly, a lot of encryption is implemented in order to satisfy compliance requirements without appropriate consideration of security. Transparent encryption, where sensitive data is known to be encrypted but is never visibly encrypted (or unreadable), probably doesn't provide the level of security you would like to have. For your security and the security and privacy of your customers, it's worth identifying and reviewing the protections applied to sensitive data.

Encryption is difficult even for the experts to get right; this is why we've had KRACK, POODLE, Heartbleed, BEAST and so on. While encryption, properly implemented, can provide excellent security, advances in attack sophistication must also push us to be flexible in implementation and ready for change.

Tags: Encryption
