Are low bit levels compromising encryption?

Davey Winder
Wednesday, 03 June 2009 04:33

Business IT - Security

Would you use a chocolate teapot to protect your data? Guess what, you might be doing just that.

According to Origin Storage there is plenty of evidence to suggest that a growing number of organisations are now adopting data encryption, no doubt partly in the wake of a huge number of high profile data losses that we have all been reading about.

The RAF recently lost potentially compromising data on a number of personnel, US Army files have been found on an auctioned off MP3 player, and the average cost of a data breach is probably a lot more than you might imagine.

Andy Cordial, Managing Director at Origin Storage, reckons the big question remains "whether the public and private sector organisations adopting data encryption - particularly on their laptops and other portable storage devices - are employing the most powerful levels available."

His comments come at the same time as the National Institute of Standards and Technology (NIST) in the US are recommending that companies should not consider using 1024-bit RSA encryption from 2010, as rapidly-accelerating brute force decryption methodologies make this too dangerous.
 
Microsoft, for example, has followed one NIST recommendation (in part three of NIST's Special Publication 800-57) and agreed to remove support for 1024-bit roots from its root certificate key-store as of January 1, 2011.
 
So what level of encryption should you be using, just to be on the safe side? Well, according to Cordial firms should be considering 2048-bit as a lower limit. Especially where data is stored on a portable device of any kind.

"It's all very well organisations embracing encryption to protect confidential data" Cordial insists "but if they are using a basic level of encryption, chances are their data can still be decoded by an accelerated brute force password attack."

"Since we know how difficult it is to get approval to sell into specific government areas" Cordial concludes "there is a strong chance that the antiquated approvals process may end recommending an encryption technology that will be about as much use as a chocolate teapot."