NSA Publishes New Guidance on Eliminating Weak Encryption Protocols

The National Security Agency (NSA) has issued guidance to assist organizations in eliminating weak encryption protocols that threat actors are presently taking advantage of to decrypt sensitive information.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were created to make secured channels employing authentication and encryption to make certain the protection of sensitive information between a server and a user. The algorithms used by these protocols to encrypt data have since been made current to boost the power of encryption, nevertheless obsolete protocol configurations remain utilized. Attackers are developing new attacks and actively employing them to exploit authentication and weak encryption protocols to decrypt and acquire access to sensitive data.

The NSA makes clear that many products employing obsolete cipher suites, TLS versions, and key exchange methods were kept up to date, nevertheless, implementations were not usually observed and continued utilization of these obsolete TLS configurations pose a heightened risk of exploitation. Usage of obsolete protocols offers an incorrect sense of security, because although data transmissions are safeguarded, the degree of security offered is not enough to stop decryption of information by nation state actors and other threat actors.

The latest NSA guidance points out how to detect out-of-date TLS and SSL configurations, exchange them with the newest, more safe versions, and prohibit out-of-date cipher suites, key exchange methods and TLS versions.

The guidance is largely focused on cybersecurity frontrunners in the Department of Defense (DoD), Defense Industrial Base (DIB), and National Security System (NSS), even so, it may be employed by every network user and operator to be able to better safeguard sensitive information.

The NSA advocates replacing SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and just utilizing TLS 1.2 or TLS 1.3. The guidance provided specific data on the applications, network signatures, and server configurations needed to just permit strong encryption protocol configurations.

Out of date configurations give threat actors access to sensitive operational traffic via different strategies, for instance passive decryption and alteration of traffic via man-in-the-middle attacks. To aid system administrators in correcting the parts of their network, NSA designed some server configurations and network signatures to go with the report that are accessible on the NSA Cybersecurity Github.

Making updates to the TLS configurations will make certain that government institutions and business establishments have more powerful encryption and authentication and can better safeguard sensitive information.