Published on the 11/09/2013 | Written by Newsdesk
Documents published as a result of leaks by ex-NSA contractor Edward Snowden suggest Western security agencies have managed to crack internet security systems making https sites vulnerable…
Australia-based computer security experts have warned financial institutions, online retailers and businesses involved in B2B online commerce to review their security systems and ban access to their systems from older internet browsers such as Internet Explorer 6 and earlier. Reports in ProPublica, based on documents supplied by Edward Snowden, indicate that UK and US security agencies have accessed information in the Transport Layer Security or Secure Sockets Layer of the internet.
In general, security experts agree that the 128-bit encryption key, which is widely deployed to create a unique key to encode and decipher information can’t be cracked by brute computer force. However Dr Douglas Stebila, senior lecturer in information technology at the Queensland University of Technology, said it couldn’t hurt to move to the 256-bit key while Marco Ostini, a security analyst with Auscert, warned “128-bit is probably not ideal anymore”.
Nigel Phair, formerly with the Australian Federal Police and now a director of the Centre for Internet Safety at the University of Canberra, said, “I think 128 is still strong enough for transactions in the thousands (of dollars). If it’s in the millions then you’d possibly go to 256-bit.”
Stebila noted, “The mathematics behind good encryption are sound. It should not be possible to break good implementations of good encryption.”
However he warned that while 128-bit and AES (advanced encryption standard) keys were generally reliable, the older RC4 cipher, which is still deployed by some organisations, has “some theoretical weaknesses” which could be exploited. In addition, the TLS protocol has in the past required security patches to fix vulnerabilities, while agencies which issue security certificates authenticating websites have also been compromised in the past, introducing further data security risks.
Stebila said that the Western security agencies that have reportedly accessed secure data were more likely to have achieved that by targeting known security weaknesses rather than trying to break 128-bit keys using brute computer strength. They might also, he said, have been responsible for injecting weaknesses into random-number generators used to create the sequences that form cryptographic keys in order to later exploit these vulnerabilities.
In concert with the looming changes to Australia’s data privacy regime this revelation should be seen as a trigger for a privacy and security review by larger enterprises.
