Low bit levels could compromise encryption

Newswire reports suggest that the take-up of encryption amongst organizations is improving, but there is a big question mark over the encryption used being powerful enough to beat the crackers, says Andy Cordial, managing director of Origin Storage.

“Recent reports have shown a growing number of organizations are adopting data encryption in the wake of a litany of data breaches, losses and thefts in the last 18 months. The big question, however, is whether the public and private sector organisations adopting data encryption – particularly on their laptops and other portable storage devices – are employing the most powerful levels available,” he added.

Cordial’s comments come as the National Institute of Standards and Technology (NIST) in the US has recommended that firms no longer use 1024-bit RSA encryption from 2010 onwards in the light of rapidly-accelerating brute force decryption methodologies.

Microsoft, meanwhile, says Cordial, has followed NIST’s recommendation – made in part three of NIST’s Special Publication 800-57 – by promising to remove support for 1024-bit roots from its root certificate key-store as of January 1, 2011.

This comes as several research firms – notably IDC and Research & Markets – are reporting the take-up of encryption amongst organization around the world as taking off.

If you look at Research & Markets’ “Information Security – Asia Pacific Endpoint Encryption Market Outlook 2009 – 2013” report just issued, says Cordial, encryption is now recognized as a fundamental element to protecting data.

And, he continued, IDC’s various global encryption reports in recent months back this up – encryption take-up is now soaring.

Whilst this is apparently good news, Origin’s managing director added, the $64,000 question is whether firms are using a strong enough form of encryption, preferably 2048-bit and above.

This, he says, is particularly important where data is being stored on a laptop’s hard drive or, for that matter, any form of portable storage, which – unlike a desktop PC – can be taken almost anywhere.

“It’s all very well organizations embracing encryption to protect confidential data, but if they are using a basic level of encryption, chances are their data can still be decoded by an accelerated brute force password attack,” he said.

“Since we know how difficult it is to get approval to sell into specific government areas, there is a strong chance that the antiquated approvals process may end recommending an encryption technology that will be about as much use as a chocolate teapot,” he added.