NSA advises defense, national security supply chain on replacing deprecated encryption protocols

The US National Security Agency (NSA) has published guidelines instructing government agencies and suppliers involved in defense and national security on how to update obsolete encryption protocols.

Published on January 5, the recommendations (PDF) advise system administrators on how to detect and “replace unauthorized or deprecated TLS protocols with ones that meet current standards”, the agency said in a press release.

The advice extends to implementing a strong cipher suite and key exchange methods, plus server certificates issued by an authorized certification authority.
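The server-side configuration this paragraph describes (a TLS 1.2 floor, forward-secret key exchange, strong AEAD cipher suites, and a certificate from an authorized CA) can be expressed and checked with Python's standard `ssl` module. The following is an added example written for this page, not the NSA's published configuration; the certificate and key paths are assumptions, and the audit relies on the cipher metadata OpenSSL exposes through `SSLContext.get_ciphers()`.

```python
"""Build a TLS server context that meets the remediation goals above, and audit a
context for the settings the guidance says to remove.

Added example using only Python's standard ssl module, not NSA or vendor
configuration. Certificate/key paths are assumptions for illustration.
"""
import ssl
import warnings


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2 and 1.3 only, ECDHE key exchange, AEAD cipher suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuses SSLv3, TLS 1.0 and 1.1
    # TLS 1.2 suites: ephemeral ECDH with AES-GCM or ChaCha20-Poly1305; this string
    # excludes static RSA key exchange and every CBC-mode suite. TLS 1.3 suites are
    # always AEAD and are not governed by set_ciphers().
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        # Assumed paths; in production this is the chain issued by the CA your
        # policy authorizes, not a self-signed or ad-hoc certificate.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context():
    """The kind of configuration the guidance targets: TLS 1.0 floor, CBC and static RSA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # Python itself warns that this floor is deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    # AES128-SHA = static RSA + CBC; ECDHE-RSA-AES128-SHA = forward secret but CBC.
    ctx.set_ciphers("AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


def audit_context(ctx):
    """Return findings for a context: obsolete floor, non-AEAD suites, non-ECDHE exchange."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # always AEAD with ephemeral key exchange
        if not c["aead"]:
            findings.append("non-AEAD cipher suite enabled: " + c["name"])
        if c["kea"] != "kx-ecdhe":
            findings.append("non-ECDHE key exchange enabled: " + c["name"])
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()))
    print("legacy:  ", audit_context(legacy_server_context()))
```

Run against an existing application's context before deployment; an empty findings list from `audit_context` is the state the guidance asks for, while any `non-ECDHE` or `non-AEAD` entry names the exact OpenSSL suite to drop from the cipher string.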

The NSA has also published server configurations and network signatures on its GitHub repository to help sysadmins update their network components.
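Detection of the kind the NSA's network signatures target can be done on a captured ServerHello, which is where the negotiated protocol version and cipher suite are visible in cleartext. The following parser is an added example for this page, not the NSA's signatures; it implements only the record and handshake framing from RFC 5246 and RFC 8446 needed to read a ServerHello, maps a small subset of the IANA cipher-suite registry, and runs on constructed sample records so it works offline.

```python
"""Flag obsolete TLS versions and weak cipher suites in a captured ServerHello.

Added example, not NSA code. Parses the record and handshake framing of
RFC 5246 / RFC 8446 for the ServerHello only, on constructed sample bytes.
"""
import struct

HANDSHAKE = 0x16            # TLS record content type
SERVER_HELLO = 0x02         # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
OBSOLETE_VERSIONS = {0x0300, 0x0301, 0x0302}

# Small subset of the IANA TLS cipher-suite registry; extend as needed.
CIPHER_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}


def parse_server_hello(record):
    """Return (negotiated version, cipher suite) from one TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[0:2])      # legacy_version field
    pos = 35 + hello[34]                              # skip 32-byte random and session_id
    (cipher,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 3                                          # cipher suite (2) + compression method (1)
    # TLS 1.3 keeps 0x0303 in legacy_version and signals 0x0304 in supported_versions.
    if pos + 2 <= len(hello):
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        exts = hello[pos + 2:pos + 2 + ext_len]
        i = 0
        while i + 4 <= len(exts):
            etype, elen = struct.unpack("!HH", exts[i:i + 4])
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                (version,) = struct.unpack("!H", exts[i + 4:i + 6])
            i += 4 + elen
    return version, cipher


def assess_server_hello(record):
    """Classify what the server negotiated against the remediation goals on this page."""
    version, suite = parse_server_hello(record)
    name = CIPHER_NAMES.get(suite, "unknown(0x%04x)" % suite)
    findings = []
    if version in OBSOLETE_VERSIONS:
        findings.append("obsolete protocol version")
    if any(tag in name for tag in ("NULL", "RC4", "3DES", "EXPORT")):
        findings.append("weak cipher")
    if name.startswith("TLS_RSA_WITH"):
        findings.append("static RSA key exchange (no forward secrecy)")
    if "_CBC_" in name:
        findings.append("CBC mode")
    return {"version": VERSION_NAMES.get(version, "0x%04x" % version),
            "cipher_suite": name, "findings": findings}


def build_server_hello(version, cipher_suite, extensions=b"", legacy_version=None):
    """Constructed ServerHello record for testing; the 32 random bytes are zeros."""
    legacy = version if legacy_version is None else legacy_version
    hello = (struct.pack("!H", legacy) + bytes(32) + b"\x00"    # version, random, empty session_id
             + struct.pack("!H", cipher_suite) + b"\x00")       # suite, null compression
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", legacy, len(handshake)) + handshake


# Constructed samples: a TLS 1.0 / 3DES server and a TLS 1.3 server.
LEGACY_HELLO = build_server_hello(0x0301, 0x000A)
MODERN_HELLO = build_server_hello(
    0x0304, 0x1301, legacy_version=0x0303,
    extensions=struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304))

if __name__ == "__main__":
    for label, rec in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(label, assess_server_hello(rec))
```

Feed `assess_server_hello` the first handshake record a server returns (for instance, extracted from a capture) and it reports the negotiated version and suite; the `CBC mode` finding is reported separately from the others because CBC is not something the guidance names, while the researcher quoted later on this page argues it should be.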

TLS laggards

“Remediation is crucial to decreasing computer system and network attack surfaces and preventing unauthorized access to private data,” said the NSA.

“Obsolete TLS configurations are still in use in US Government systems” despite the NSA previously releasing urgent guidance on the issue, reads the guidance. “While the standards and most products have been updated, implementations often have not kept up.”

The guidelines are aimed at helping the Department of Defense (DoD), operators of National Security Systems (agencies or contractors involved in national security), and the Defense Industrial Base (the weapons systems supply chain) comply with Committee on National Security Systems Policy 15 (CNSSP 15, PDF) and with guidance from the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems.

However, the guidelines also say: “Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors.”

‘Very few’ technical skills

Exploiting obsolete TLS protocol configurations requires “very few” technical skills, according to an infographic (PDF) published by the NSA to illustrate the threat.

Adversaries, say the guidelines, can use techniques such as “passive decryption and modification of traffic through man-in-the-middle attacks” (MitM) to access sensitive data such as proprietary information, sensitive network files, HTTPS web traffic, passwords, and social security numbers.

New attack techniques for breaking TLS encryption emerge periodically.

‘A little disappointed’

Robert Merget, of the Chair for Network and Data Security at Ruhr University Bochum, welcomed the guidance but expressed reservations about certain specifics.

“Having a good TLS configuration and implementation is elemental, as it often is the first line of defense against Man-in-the-Middle attacks and mass surveillance,” he told The Daily Swig.

Government guidance is “often a major driving factor for better cryptography, not only for government services but also for the industry in general,” he added.


“Therefore, I appreciate that the NSA supports recent movements away from TLS 1.0 and 1.1 towards the more secure TLS 1.2 and 1.3.

“However, I am a little disappointed that the NSA still recommends RSA and DH(E) key exchange algorithms, as both have been shown to have weaknesses and implementation pitfalls in the past.

“I was also surprised that the CBC-mode was not explicitly mentioned, as it is also a common cause for implementation errors in TLS and should be avoided if possible.”

Source: https://portswigger.net/daily-swig/nsa-advises-defense-national-security-supply-chain-on-replacing-deprecated-encryption-protocols