Pub. 11 2020 Issue 1

3DES Encryption Is Being Retired: What That Means for Your Bank
By Chris Joseph, Arnett Carbis Toothman, LLP

Spring 2020, West Virginia Banker, p. 9

Encryption has been and continues to be used in the financial institutions' industry to protect data, specifically customer data, by encoding a message or information in such a way that only authorized parties can access it. In the process, encryption reduces the risk that those who are not authorized can read the message or information. Does encryption prevent a message from being intercepted? No, but it is designed to deny the intelligible content to a fraudster who may intercept the message.

3DES encryption is a major algorithm that has been extensively used in the financial institutions' industry. 3DES was first introduced in 1998 and is used to encrypt data in transit and at rest, including EMV keys for protecting credit card transactions and other non-public customer information. Over the years, the financial institution industry has increasingly relied upon 3DES for the protection of customer data.

Retirement Announcement. The National Institute of Standards and Technology (NIST) assigns an approval status to encryption algorithms. NIST uses the following four terms to indicate the approval status of an algorithm.

• Acceptable — The algorithm is safe and the key length is safe to use. No security risk is currently known when the algorithm is used in accordance with any associated guidelines.
• Deprecated — The algorithm and key length may be used, but the user must accept some security risk.
• Disallowed — The algorithm or key length is no longer allowed for applying cryptographic protection.
• Legacy Use — The algorithm or key length may be used only to process already protected information (i.e., to decrypt ciphertext data or to verify a digital signature).

NIST announced in 2018 that 3DES was being retired in 2023. NIST also changed the approval status of 3DES to deprecated until the retirement date is reached.

Why Is 3DES Being Retired? In 2001, the Advanced Encryption Standard (AES) was introduced. The ultimate objective was to have AES exist alongside 3DES until 2030, when 3DES would be retired. The increasing power of computers has made attacks on algorithms more successful, and 3DES has not been immune to those attacks. NIST determined that the retirement of 3DES should be accelerated to 2023 after vulnerabilities were discovered through analysis and demonstration of attacks on 3DES.

Karthikeyan Bhargavan and Gaëtan Leurent of Inria, France, unveiled an attack on 3DES called Sweet32. A block cipher encrypts plaintext in fixed-size blocks, and the block size is the amount of plaintext encrypted in one operation. 3DES uses a 64-bit block size, which is not considered a large block. By exploiting the Sweet32 vulnerability, collision attacks on 3DES and other 64-bit block cipher suites were demonstrated. The collisions occur most often during lengthy transmissions because of the small block size. What does this all mean? The attacker could recover plaintext information that the encryption is designed to protect. As a result, NIST has significantly lowered the number of blocks that may be processed with one 3DES key bundle (from 2^32 to 2^20) until 3DES is ultimately retired. AES uses a larger block size, making it a more secure (and more difficult to compromise) algorithm. In addition, tools are available with which an attacker can determine whether an organization is using 3DES (e.g., shodan.io).

Overall Impact. The financial institutions' industry is not the only industry using 3DES. Its usage is widespread, including various United States cities. When known flaws in other technologies are considered in combination with the 3DES issues, many industries and users could be impacted. Those users may, and most likely will, include bank customers. Increased exposure to man-in-the-middle attacks exists where an attacker could inject code into web browsers and alter messages being transmitted between the sender and receiver.

Continued on page 10
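To make the Sweet32 discussion concrete, the following added example (not part of the article) applies the birthday bound to show why a 64-bit block cipher leaks after roughly 2^32 blocks under one key, how small the risk becomes at the 2^20-block limit the article cites, and how AES's 128-bit block compares. The cipher names, byte counts and the "rekey overdue" check are constructed for illustration.

```python
import math

# Block sizes in bytes for the two ciphers the article compares.
BLOCK_BYTES = {"3DES": 8, "AES": 16}

# Per-key-bundle ceilings the article cites for 3DES, in 64-bit blocks:
# the earlier 2**32 and the reduced 2**20 that NIST now requires.
OLD_3DES_BLOCK_LIMIT = 2 ** 32
NEW_3DES_BLOCK_LIMIT = 2 ** 20


def collision_probability(num_blocks: int, block_bits: int) -> float:
    """Birthday-bound probability that at least two of num_blocks ciphertext
    blocks are identical for a cipher with block_bits-bit blocks, using the
    standard approximation 1 - exp(-n(n-1) / 2^(b+1)). expm1 keeps precision
    when the probability is tiny (as it is for AES)."""
    exponent = num_blocks * (num_blocks - 1) / 2.0 ** (block_bits + 1)
    return -math.expm1(-exponent)


def blocks_in(data_bytes: int, cipher: str) -> int:
    """Number of cipher blocks needed to encrypt data_bytes bytes, rounded up."""
    size = BLOCK_BYTES[cipher]
    return (data_bytes + size - 1) // size


def exceeds_3des_limit(data_bytes: int, limit: int = NEW_3DES_BLOCK_LIMIT) -> bool:
    """True when this much data has already gone under one 3DES key bundle,
    i.e. the session or key should have been rotated before now (constructed
    audit check, not a NIST tool)."""
    return blocks_in(data_bytes, "3DES") > limit


def risk_report(data_bytes: int) -> dict:
    """Collision probability for the same payload under 3DES and AES."""
    return {
        "3DES": collision_probability(blocks_in(data_bytes, "3DES"), 64),
        "AES": collision_probability(blocks_in(data_bytes, "AES"), 128),
    }


if __name__ == "__main__":
    # Constructed scenarios: a session at the 2**20-block limit (8 MiB) and a
    # long-lived session that has moved 32 GiB (2**32 3DES blocks).
    for label, n_bytes in [("8 MiB", 8 * 2 ** 20), ("32 GiB", 32 * 2 ** 30)]:
        r = risk_report(n_bytes)
        print(f"{label}: 3DES collision p={r['3DES']:.3g}, AES p={r['AES']:.3g}, "
              f"rekey overdue={exceeds_3des_limit(n_bytes)}")
```

At 32 GiB the 3DES figure is about 0.39, which is why Sweet32 targets long-lived connections, while the AES figure for the same data is on the order of 10^-21.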
