Notably, 3DES encryption was standardized in 1998, which happens to be the same year its official replacement, Advanced Encryption Standard (AES), was created. AES was standardized in 2001. It's unclear why any modern-day encryption card would still be using 3DES; acceptable upgrades and replacements have been readily available, including from the same vendor.
Even so, AES has started showing signs of weakness against successive encryption attacks. If history is any guide, security experts and NIST (National Institute of Standards and Technology, which often codifies U.S. government encryption standards) will proclaim AES's replacement long before the cipher is considered useless for protection.
In light of all of this, it's essential for security admins to stay current with the latest encryption recommendations. Here are good questions to ask about your organization's security environment:
- Which cipher standards and ciphers are implemented in the encryption and authentication products and services at your company? Do you know them all?
- Do you require generally accepted ciphers and key sizes?
- Among the other products and services you use, which of them rely on what may now be considered weak ciphers?
- Does your company have a policy that prevents the use and implementation of products and services containing weak or unknown ciphers?
- What is the minimum allowable cipher-key size for protecting your medium- and high-impact data?
- Are the key sizes lengthened over time as crypto attacks weaken smaller key sizes?
To keep your enterprise safe, you need a proactive security policy that encourages strong, acceptable ciphers (encryption, authentication, and hash) and includes auditing and monitoring to confirm that those ciphers are the ones actually in use. Today's cipher is changing. Are you?
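One way to automate the audit described above, as an added example that is not part of the original article: it checks a cipher inventory against a written policy and flags 3DES, unknown ciphers, and keys below the minimum for the data's impact level. The allow-list, the bit minimums, and the sample inventory are assumptions constructed for illustration; the inventory uses the dict shape returned by Python's `ssl.SSLContext.get_ciphers()`.

```python
import ssl

# Assumed policy for illustration. The article names 3DES as outdated and AES
# as its replacement; the allow-list and bit minimums below are assumptions.
BANNED_TOKENS = ("3DES", "DES-CBC3")          # 3DES in IANA and OpenSSL suite names
APPROVED_SYMMETRIC = ("aes", "chacha20")      # assumed allow-list
MIN_KEY_BITS = {"medium": 128, "high": 256}   # assumed minimum per data impact level

def audit_ciphers(ciphers, impact="medium"):
    """Return (suite_name, reason) for each suite that violates the policy.

    `ciphers` uses the dict shape returned by ssl.SSLContext.get_ciphers().
    """
    minimum = MIN_KEY_BITS[impact]
    findings = []
    for c in ciphers:
        name = c.get("name") or "<unnamed>"
        symmetric = (c.get("symmetric") or "").lower()
        bits = c.get("strength_bits")
        if any(tok in name.upper() for tok in BANNED_TOKENS):
            findings.append((name, "banned cipher (3DES)"))
        elif not symmetric.startswith(APPROVED_SYMMETRIC):
            findings.append((name, "unknown or unapproved cipher"))
        elif bits is None or bits < minimum:
            findings.append((name, f"key size below {minimum} bits"))
    return findings

def local_tls_ciphers():
    """Cipher suites the local OpenSSL build enables in a default client context."""
    return ssl.create_default_context().get_ciphers()

# Constructed inventory (not real scan output), e.g. merged from product reviews.
SAMPLE_INVENTORY = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "symmetric": "aes-256-gcm", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "symmetric": "aes-128-gcm", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "symmetric": "des-ede3-cbc", "strength_bits": 112},
    {"name": "VENDOR-PROPRIETARY-1", "symmetric": None, "strength_bits": None},
]

if __name__ == "__main__":
    for label, suites in (("sample", SAMPLE_INVENTORY), ("local TLS", local_tls_ciphers())):
        for impact in MIN_KEY_BITS:
            for name, reason in audit_ciphers(suites, impact):
                print(f"[{label}/{impact}] {name}: {reason}")
```

Run on a schedule and compared against the previous run, the findings list also shows when a product update reintroduces a weak suite.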
This story, "Crypto is cracked: How not to fall in," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.