TLS (Transport Layer Security) is a cryptographic protocol that provides privacy for applications. TLS is usually implemented on top of common protocols such as HTTP for web browsing or SMTP for email. HTTPS is the usage of TLS over HTTP, which is the most popular way of securing communication between a web server and client and is supported by the bulk of major web servers.
As TLS has become more popular and easier to use, we have seen the adoption of this technology by malware to secure its own communication. It is fairly straightforward for malware to plug into existing TLS libraries, and in some cases include an entire implementation in its own source code. This ease of use is troubling because it allows malware to easily evade detection and blend into benign traffic patterns typically observed on a network. In short, malware authors know how to use encryption, and they use it in TLS and in custom applications across many different ports and protocols.
In this blog post, we highlight some of the trends we are seeing with respect to the volume of malware traffic taking advantage of TLS, and on which ports this traffic appears. We compare and contrast malware’s usage of TLS with that of benign network traffic. Finally, we conclude by giving next steps to detect malware even in the face of encryption.
Read More »
Tags: 2016 Annual Security Report, 2016 ASR, encryption, malware, TLS
Cisco developed Next Generation Encryption (NGE) in 2011. NGE was created to define a widely accepted and consistent set of cryptographic algorithms that provide strong security and good performance for our customers. These are the best standards that can be implemented today to meet the security and scalability requirements for network security in the years to come; or to interoperate with the cryptography that will be deployed in that time frame. Most importantly, all of the NGE algorithms, parameters, and key-sizes are widely believed to be secure. No attacks against these algorithms have been demonstrated.
Recently there has been attention on Quantum-Computers (QC) and their potential impact on current cryptography standards. Quantum-computers and quantum algorithms is an area of active research and growing interest. Even though practical quantum-computers have not been demonstrated until now, if quantum-computers became a reality they would pose a threat to crypto standards for PKI (RSA, ECDSA), key exchange (DH, ECDH) and encryption (AES-128). These standards are also used in Cisco NGE.
An algorithm that would be secure even after a quantum-computer is built is said to have postquantum security or be quantum-computer resistant (QCR). AES-256, SHA-384 and SHA-512 are believed to be postquantum secure.
Read More »
Tags: cryptography, encryption, Next Generation Encryption, postquantum cryptography
Securing our digital lives used to be simpler. Up until a few years ago, we primarily used email as a means for transferring or exchanging files between two parties. A handful of companies emerged to provide email encryption for those who needed it. Most other people did not worry about it.
Today, file exchange has gone beyond email. Users regularly transfer important and sensitive business and personal information using a variety of applications. It takes only a few button clicks to transfer files using Dropbox or Box. People regularly exchange files via instant messengers like Skype, Whatsapp, or Gtalk. Employees log into cloud service providers such as Salesforce and click on icons to send out invoices, proposals, quotations, and the like. Security online is no longer simple and there are many more threats to worry about.
Read More »
Tags: Cisco EIR, Cisco Entrepreneurs in Residence, encryption, Pawaa, SecurelyShare, security
Traditional block ciphers work on fixed blocks of data—as an example, AES is well-defined for 128/192/256 bits. But one of the issues is the need for padding—so if you need to encrypt small amounts of data you may end with a huge difference in input vs. output size. As an example, using AES/128 on ECB mode to encrypt an IPv4 address results in an input size of 32 bits, but an output size of 128 bits. This may not be desired for some applications.
To address such needs, we have designed the FNR encryption scheme. FNR stands for Flexible Naor and Reingold. Our proposed encryption scheme is a practical variant of Naor and Reingold’s work. We are releasing the reference implementation of the FNR encryption scheme under open source license LGPLv2.
FNR is an experimental small domain block cipher for encrypting objects (< 128 bits) like IPv4 addresses, MAC addresses, arbitrary strings, etc. while preserving their input lengths. Such length preserving encryption would be useful when encrypting sensitive fields of rigid packet formats, database columns of legacy systems, etc. in order to avoid any re-engineering efforts for privacy preservation.
Read More »
Tags: Block cipher, deterministic encryption, encryption, format preserving encryption, length preserving encryption
Enrollment over Secure Transport (EST) is a new standard (RFC7030) designed to improve the lifecycle management of digital certificates, a key element for secure communications. Cisco Engineer Max Pritikin coauthored the EST standard.
We’re very excited about the potential use cases of EST, which are, as we’ll discuss in a moment, pretty versatile.
To understand EST and how it works, let’s look at a basic use case: A controller, such as a Wi-Fi access point, manages an endpoint. To secure the management communication, both the controller and the endpoint authenticate each other using certificates. EST is a new way to obtain those certificates that is more secure and comprehensive than previous approaches, such as Secure Certificate Enrollment Protocol (SCEP). One area EST is superior to previous approaches is that it enables the use of Cisco’s Next Generation Encryption (NGE), which uses Elliptic Curve Cryptography (ECC) to get the job done as opposed to RSA encryption. That’s a lot of acronyms, so let’s take a step back to explore what this all means.
The next level of encryption
Today’s modern threats demand a new standard of encryption. Cisco’s move to NGE is paving the way for the next decade of cryptographic security. NGE provides a complete algorithm suite that is comprised of authenticated encryption, elliptic-curve based digital signatures and key establishment, and cryptographic hashing. These components provide high levels of security and scalability, aimed at protecting critical data and setting the standard for encrypting sensitive data in networks all over the world.
These cryptographic technologies meet the evolving needs of governments and enterprises by using innovative, battle-tested cryptographic algorithms and protocols, and are beginning to be used in place of legacy cryptographic approaches. EST drives the adoption of ECC, strengthening Cisco’s products and in turn strengthening the security posture of our customers.
EST can be used for a variety of purposes. Enterprises with a number of network endpoints require the “re-enrollment” (re-issuance) of certificates every period, potentially every year. This helps prevent servers going offline due to expired certificates, and the ensuing scramble to obtain and install updates. EST enables automatic re-enrollment to obtain a new certificate, making this a faster and less labor-intensive process. Additionally, EST supports automatic redistribution of CA certificates when they are updated. These improvements are immediately valuable and will be very important for future Internet of Everything (IoE) environments where the large numbers of endpoints will make certificate management highly complex.
Protecting against modern threats
For another example of how EST can help protect the modern network, look no further than your home page and the daily news. The recently discovered Heartbleed bug has thrown the industry into a panic, with enterprises, consumers, and organizations scrambling to assess the fallout and determine an appropriate remediation strategy. Many sites are recommending the replacement of certificates. If EST were in wide deployment, its re-enrollment capabilities would significantly reduce the impact of refreshing the server certificate, supporting much more rapid resolution of the security vulnerability.
As an open standard, EST will increase interoperability with other company’s offerings, including our CA partners. Cisco has taken steps to accelerate adoption and interoperability by providing EST software in the open source community, through Github. Even at this early stage, we’re seeing some positive feedback. Phil Gibson, chairman of the PSNGB, the Industry Trade Association for Public Services Networks (PSN) suppliers, said: “The Public Services Network is now the primary infrastructure for the majority of government communications in the UK and the encryption solutions it uses must continue to evolve. Due to the large and varied number of encryption devices in use, a scalable certificate provisioning protocol is critical to the migration to next generation encryption (CESG PRIME). Cisco’s release of its EST code into the open source community will facilitate rapid adoption by the PSN community. With the release of this code, other vendors will be able to accelerate their adoption of EST and this in turn expands the choice of encryption solutions available to public sector organizations.”
This is an overview of what we can do with EST, and we’re just getting started. We have started to build libraries to incorporate EST into Cisco products, which will likely begin later this year or early next. Stay tuned for additional updates over the coming months.
Tags: cybersecurity, ECC, encryption, EST, NGE, security