encryption tools<\/a> provide a selection that includes known-bad (covered below), good, and better algorithms. Yet the menu options rarely provide any clues as to which options provide in which category or which may be unsafe.<\/p>\n\n\n\nEncryption seen as good provides adequate protection, but select better encryption as time, capabilities, and budgets allow. The higher the risk of data theft or the more sensitive the data, the more urgently a transition to better encryption should be considered.<\/p>\n\n\n\n
Currently, there\u2019s no consensus for the \u201cbest\u201d encryption because cost and use case play such a strong role in determining what any organization can deploy. Even newer quantum-resistant algorithms aren\u2019t seen as superior solutions yet because they remain limited in commercial availability and simply haven\u2019t been around long enough to be thoroughly tested.<\/p>\n\n\n\n
Additionally, research the algorithms built into systems to determine if your organization needs to invest in stronger encryption options. For example, the bcrypt encryption library built into UNIX uses the Blowfish cipher (good encryption) and the Password-Based Key Derivation Function 2 (PBKDF2) uses RSA key standards (better encryption).<\/p>\n\n\n\n
Good Encryption Options<\/h3>\n\n\n\n
Good encryption algorithms such as Blowfish, Triple DES, and WPA2 provide acceptable encryption, assuming that the organization also observes encryption best practices.<\/p>\n\n\n\n
\n- Blowfish<\/strong> provides open-source symmetric encryption built into many Unix and Linux libraries for file and full-disk encryption; however, the use of a small block size limits its effective use to files under 4 GB.<\/li>\n\n\n\n
- Triple DES (TDES or 3DES)<\/strong> can still be found used in older payment systems or to protect ATM pin codes but is considered vulnerable to the Sweet32 Birthday attack and was retired from Office 365 by Microsoft in 2019.<\/li>\n\n\n\n
- Wi-Fi Protected Access Version 2 (WPA2)<\/strong> can be found in most wireless routers and provides reasonable protection for encrypted communications.<\/li>\n<\/ul>\n\n\n\n
Retain less sensitive data currently encrypted using such protocols and allow less sensitive data to be transmitted using these encryption algorithms.<\/p>\n\n\n\n
Better Encryption Options<\/h3>\n\n\n\n
Better encryption such as AES, ECC, RSA, Twofish, and WPA3 provide the current best-practice encryption options widely available and are superior to the good encryption algorithms (above).<\/p>\n\n\n\n
\n- The Advanced Encryption Standard (AES)<\/strong>, endorsed by NIST, supports encryption key sizes between 128 and 256 bits and uses both substitution and permutation transformations for encryption.<\/li>\n\n\n\n
- Elliptic-curve cryptography (ECC)<\/strong> uses points on an ellipse to provide strong encryption with key sizes starting at 192-bits (default is 256 bits).<\/li>\n\n\n\n
- Rivest-Shamir-Adleman (RSA)<\/strong> encryption uses large prime numbers as encryption keys that range between 512 and 4096 bits.<\/li>\n\n\n\n
- Twofish<\/strong> encryption succeeds the Blowfish algorithm to provide improved encryption with key sizes between 128 and 256 bits.<\/li>\n\n\n\n
- Wi-Fi Protected Access Version 3 (WPA3)<\/strong> provides improved encryption capabilities over WPA2 and should be adopted on supported wi-fi hardware.<\/li>\n<\/ul>\n\n\n\n
Apply these better encryption standards to important, sensitive, and regulated data to provide stronger resistance to brute force and algorithm attacks.<\/p>\n\n\n\n
<\/span>Weak Encryption Examples<\/span><\/h2>\n\n\n\nProfessionals avoid broken or known-weak encryption standards such as DES, WEP, and WPA. Data previously encrypted using these standards should be actively re-encrypted using stronger algorithms (above).<\/p>\n\n\n\n
\n- Data Encryption Standard (DES)<\/strong> provided the first NIST encryption standard, but the 56-bit keys are too short and vulnerable to brute force guessing attacks.<\/li>\n\n\n\n
- Wired Equivalent Privacy (WEP)<\/strong> introduced wireless security as part of the IEEE 802.11 wireless standard, but severe algorithm design flaws render this algorithm obsolete and dangerous to use.<\/li>\n\n\n\n
- Wi-Fi Protected Access (WPA)<\/strong> replaced WEP with improved encryption, yet remained vulnerable to spoofing attacks and was replaced by WPA2 and WPA3.<\/li>\n<\/ul>\n\n\n\n
Many older computer protocols, such as secure sockets layer (SSL) and the original transport layer security (TLS) standards, also incorporate obsolete encryption algorithms. IT security teams must locate and disable the use of these older protocols throughout the organization.<\/p>\n\n\n\n
<\/span>Bottom Line: Evaluate Encryption Solutions Regularly<\/span><\/h2>\n\n\n\nThe strongest encryption of the 1970s didn\u2019t survive replacement by stronger encryption in the 1990s. Yet those once-strongest encryption options of the 90s now show weaknesses to modern computing power. Fortunately, even as the increased computing power undermines older encryption standards, the computing power also enables the adoption of stronger, more complex encryption with larger key sizes.<\/p>\n\n\n\n
Effective deployment of best practices creates a security environment that enables continuous management and evaluation of encryption processes. Upgrading encryption tools<\/a> will usually be sufficient to maintain encryption as a fundamental layer in any security stack, but continue to evaluate encryption options regularly to remain secure.<\/p>\n\n\n