Strength of the Security Protocols

  • Article

Cryptography-based security technologies are implemented by using security protocols. For example, secure mail systems can be implemented by using the S/MIME protocol, and secure network communications can be implemented by using the IPSec suite of protocols. Likewise, secure Web communications can be implemented by using the TLS protocol.

Standards for security protocols, however, whether proprietary or open standards, often contain weaknesses or limitations that attackers can exploit (for example, to launch denial of service attacks). Even the best implementations of protocol standards contain the weaknesses and limitations that are inherent in the standards. Furthermore, protocol standards usually enable support for weaker cryptography by design. For example, the TLS protocol enables confidential communications to default to weak encryption to support government-imposed export restrictions that have been placed on cryptography.

In general, you can reduce the risk of weaknesses or limitations in security protocols by doing the following:

  • Use protocols that have been thoroughly analyzed and tested over time and that have well understood limitations with acceptable security risks.

  • Use the most recent versions of protocols, which offer stronger security or fix identified weaknesses in previous versions of the protocol. Protocols are revised periodically to improve the protocol and add new benefits and features.

  • Use the strongest security options that are available with the protocol to protect valuable information. When it is feasible, require strong cryptography and do not allow systems to default to lower strength cryptography settings unless the value of the information to be protected is low.

  • Prohibit the use of older and weaker versions of protocols when you want to protect valuable information. For example, require Secure Sockets Layer (SSL) version 3 or TLS for secure Web communications, and prohibit less secure SSL version 2 communications.