Blog Manager
I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Are you managing encryption?

Monday, July 27, 2015 - 16:18

Recent news has nicely coincided with my drafting of an encryption policy as part of our Information Security Management System. “Logjam” joins a growing list of vulnerabilities in cryptographic protocols and the software that implements them, alongside Heartbleed, BEAST and POODLE. Increased awareness of state surveillance has led to a demand for (and supply of) cheaper and easier-to-deploy cryptographic systems, and projects like HTTPS Everywhere and Let’s Encrypt have been at the forefront of this movement.

These vulnerabilities mean that there’s a good case for better management of the cryptosystems that we deploy and provide to the public. Some encryption is almost always better than no encryption, but whilst throwing the TLS switch to ‘on’ might be technically easy, we must take responsibility for ensuring that our systems actually provide the security they promise.

Do you know where and how encryption is being used in your organisation? A full list of every use of encryption might not be practical or useful, but it makes a lot of sense to keep track of the publicly accessible systems that offer encryption to their users, with HTTPS and IPsec being the obvious cases. Recording, for each one, the hostname and port, the software and version providing the service, and who owns it will leave you far better prepared for the next SSL/TLS vulnerability: you can tell within minutes which systems are affected rather than rediscovering them under pressure.

Are you managing the certificates and key material for those services adequately? Do you have plans in place for when keys are lost or compromised? Do you know when each certificate is due for renewal, or whether any of them rely on soon-to-be-deprecated technology such as SHA-1 signatures? Keeping on top of these issues will ensure that users are not presented with unexpected warning messages that they may not understand, and that they are not trained to click through such warnings.

Sometimes the choice of cryptosystem is straightforward: securing HTTP means TLS. In other cases there are real choices: S/MIME or PGP? Occasionally there’s no choice at all and you have to go with a vendor’s proprietary system. Even once the choice is made, are you configuring the service correctly? Does it offer only up-to-date protocol versions and cipher suites, ideally with forward secrecy, and does it refuse the old ones that BEAST, POODLE and Logjam exploit? Do your clients support that configuration? I’ve found BetterCrypto.org to be a great source of best practice crypto configuration for many applications.
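As an added example (not code from the original post, and not BetterCrypto.org’s own text), the script below audits the protocol versions and cipher suites a TLS server offers against a simple “modern only” policy, and builds a hardened server-side context with Python’s standard library that passes the same audit. The policy thresholds (TLS 1.2 minimum, no RC4/DES/MD5/export/anonymous suites, ephemeral key exchange required) are this example’s assumptions; the scan results it checks are constructed sample data, not real output from any host.

```python
"""Audit a TLS configuration against a simple 'modern only' policy.

Added example, not from the original post.  Standard library only.  Cipher
suite names use OpenSSL conventions, as printed by `openssl ciphers -v` or
returned by ssl.SSLContext.get_ciphers().  Policy thresholds are assumptions.
"""
import ssl

# Protocol versions the policy rejects (SSLv3: POODLE; TLS 1.0: BEAST era).
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Name tokens that disqualify a suite, with the reason to report.
WEAK_TOKENS = {
    "NULL": "no encryption or no authentication",
    "EXP": "export-grade key sizes (the downgrade target in Logjam/FREAK)",
    "RC4": "RC4 keystream biases",
    "DES": "single DES or 3DES (64-bit block)",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous DH, server is not authenticated",
    "AECDH": "anonymous ECDH, server is not authenticated",
}

# Suites whose key exchange is ephemeral, i.e. provide forward secrecy.
# TLS 1.3 suites (TLS_...) always use ephemeral (EC)DHE.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-", "TLS_")


def check_suite(name):
    """Return finding codes for one cipher suite (empty list = acceptable)."""
    findings = [tok for tok in name.split("-") if tok in WEAK_TOKENS]
    if not name.startswith(EPHEMERAL_PREFIXES):
        findings.append("NO_FS")  # static RSA key exchange: no forward secrecy
    return findings


def check_protocol(version):
    return ["OLD_PROTOCOL"] if version in OLD_PROTOCOLS else []


def audit(protocols, suites):
    """Map every offered protocol or suite that fails the policy to its findings."""
    report = {}
    for version in protocols:
        if check_protocol(version):
            report[version] = check_protocol(version)
    for suite in suites:
        findings = check_suite(suite)
        if findings:
            report[suite] = findings
    return report


def hardened_server_context(certfile=None, keyfile=None):
    """Server SSLContext: TLS 1.2+, ephemeral key exchange, AEAD ciphers only,
    server-chosen order, and no TLS compression (CRIME)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_suites(ctx):
    """Names of the suites a context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: what a scan of a neglected 'just switch TLS on' server
# might report.  Not real scan output.
SCANNED_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.2"]
SCANNED_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",  # acceptable
    "ECDHE-RSA-AES256-SHA",         # CBC + HMAC-SHA1, still passes this policy
    "AES256-SHA",                   # static RSA key exchange
    "DES-CBC3-SHA",                 # 3DES
    "EXP-RC4-MD5",                  # export-grade RC4 with an MD5 MAC
    "ADH-AES128-SHA",               # anonymous DH
]

if __name__ == "__main__":
    for item, codes in audit(SCANNED_PROTOCOLS, SCANNED_SUITES).items():
        print(item + ":", ", ".join(codes))
    hardened = hardened_server_context()
    print("hardened context offers:", context_suites(hardened))
    print("hardened findings:", audit(["TLSv1.2", "TLSv1.3"], context_suites(hardened)))
```

Run it as-is to see the constructed scan fail on every old protocol and weak suite while the hardened context reports nothing. To audit a real server, feed `audit()` the protocol and suite lists produced by a scanner such as `openssl s_client` loops or sslscan; the point is that the policy lives in one place and can be re-run over the whole inventory whenever the next vulnerability lands.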

It’s good that cryptographic protocols such as TLS, and the widely deployed software that supports them such as OpenSSL, are now getting this attention. Each vulnerability that is found, fixed and promptly patched by operators leaves the overall system stronger than it was, provided we actually know where our cryptography is deployed and can act on it. How is your organisation managing the use of cryptography? Please feel free to tell us in the comments below.