Sen. Wyden Asks NIST to Develop Secure File Sharing Standards
Senator Says Current Methods Offer Inadequate Protections
U.S. Sen. Ron Wyden, D-Ore., is urging the National Institute of Standards and Technology to create new standards and guidelines for individuals and organizations to securely share sensitive documents online.
Wyden notes in a letter to NIST Director Walter Copan that government employees still send and receive sensitive documents over the internet using insecure methods, such as zip files, which are easily hacked even when password protected.
Wyden also recommends implementing new technology and better training for government workers to help ensure that sensitive documents can be sent securely with better encryption.
"Many people incorrectly believe that password-protected .zip files can protect sensitive data," Wyden writes in the letter. "Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tools. This is because many of the software programs that create .zip files use a weak encryption algorithm by default. While secure methods to protect and share data exist and are freely available, many people do not know which software they should use."
Wyden notes that the increasing number of data breaches, as well as nation-state attacks, points to the need to develop new standards, protocols and guidelines to ensure that sensitive files are encrypted and can be securely shared. He also asked NIST to develop easy-to-use instructions so that the public can take advantage of newer technologies.
A spokesperson for NIST tells Information Security Media Group that the agency is reviewing Wyden's letter and will provide a response to the senator's concerns and questions.
Concerns Over Encryption
Issues concerning encryption, cryptography and the secure sharing of documents remain a topic of great interest within the cybersecurity field and sparked one of the more illuminating conversations at this year's RSA conference in San Francisco (see: 10 Highlights: Cryptographers' Panel at RSA Conference 2019).
Wyden's letter to NIST, however, puts a spotlight on how many individuals rely on outdated methods to share sensitive information.
Matthew Daniel Green, a cryptography expert who’s an associate professor of computer science at Johns Hopkins University, took to Twitter after reading the letter to express concern that many people don't know how easy it is to crack encrypted and password-protected zip files.
"Right now on many ancient versions of Windows, when you 'encrypt' (password protect) a ZIP file using the OS default utility, you get encryption using the legacy ZIP scheme, which is totally broken," Green writes in one part of this thread.
"Senator Wyden asks NIST to develop standards for safely sending and receiving files. This would be a modern and secure replacement for the “encrypted” ZIP files most government employees currently email each other. https://t.co/2VAopKNKd9" (Matthew Green, @matthew_d_green, June 19, 2019)
Green also notes that there is a fairly well-known plaintext attack that targets the cipher of PKZIP, a legacy archiving program that makes zip files possible. The attack can recover the key and password to unlock the document. Green notes that even more modern versions of zip files, which use AES encryption, are susceptible to someone cracking the password.
"We cryptographers are arguing over PGP key sizes," Green writes. "Meanwhile government employees are emailing each other documents encrypted with a cipher that was handily broken in the 90s."
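Green's distinction between the legacy ZIP scheme and AES-based ZIP encryption is visible in each archive entry's header, so it can be checked before a file is sent. The following is an added example, not code from the article or from anyone quoted in it: it reads the central directory with Python's standard `zipfile` module and labels each entry by the scheme it advertises. The function names, labels and sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry is encrypted
FLAG_STRONG = 0x0040     # general-purpose flag bit 6: PKWARE strong encryption
METHOD_AES = 99          # WinZip AES marker stored in the compression-method field


def classify_entry(info):
    """Name the protection scheme a ZIP entry advertises in its header."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "unencrypted"
    if info.compress_type == METHOD_AES:
        return "winzip-aes"      # still only as strong as the password
    if info.flag_bits & FLAG_STRONG:
        return "pkware-strong"
    return "legacy-zip"          # traditional PKWARE cipher ("ZipCrypto")


def audit_zip(data):
    """Map each entry name to its scheme, reading only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}


def make_sample(flags, method):
    """Constructed sample: a one-file archive whose central directory header is
    patched to advertise the given flags and method (payload is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", "constructed sample data")
    raw = bytearray(buf.getvalue())
    cd = raw.find(b"PK\x01\x02")                 # central directory file header
    struct.pack_into("<HH", raw, cd + 8, flags, method)  # flags, then method
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "plain.zip": make_sample(0x0000, 0),
        "legacy.zip": make_sample(FLAG_ENCRYPTED, 0),
        "aes.zip": make_sample(FLAG_ENCRYPTED, METHOD_AES),
    }
    for name, data in samples.items():
        for entry, scheme in audit_zip(data).items():
            flag = "  <-- re-protect with a vetted tool" if scheme == "legacy-zip" else ""
            print(f"{name}:{entry}: {scheme}{flag}")
```

The check only reports what the header declares; an entry labelled `winzip-aes` remains exposed to password guessing, as Green points out.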
In March, Wyden, along with Sen. Tom Cotton, R-Ark., introduced the "Senate Cybersecurity Protection Act of 2019," which would give the Senate's sergeant at arms responsibility to help secure the personal devices and online accounts used by senators and their staff to help ward off cyberattacks and other threats (see: Bill Seeks to Aid Senators in Protecting Personal Devices).