Encryption & Key Management , Governance & Risk Management , IT Risk Management

Sen. Wyden Asks NIST to Develop Secure File Sharing Standards

Senator Says Current Methods Offer Inadequate Protections
Sen. Wyden Asks NIST to Develop Secure File Sharing Standards

U.S. Sen. Ron Wyden, D-Ore., is urging the National Institute of Standards and Technology to create new standards and guidelines for individuals and organizations to securely share sensitive documents online.

See Also: How Enterprise Browsers Enhance Security and Efficiency

Wyden notes in a letter to NIST Director Walter Copan that government employees still send and receive sensitive documents over the internet using insecure methods, such as zip files, which are easily hacked even when password protected.

Wyden also recommends implementing new technology and better training for government workers to help ensure that sensitive documents can be sent securely with better encryption.

"Many people incorrectly believe that password-protected .zip files can protect sensitive data," Wyden writes in the letter. "Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tool. This is because many of the software programs that create .zip files use a weak encryption algorithm by default. While secure methods to protect and share data exist and are feely available, many people do not know which software they should use."

Wyden notes that the increasing number of data breaches, as well as nation-state attacks, point to the need to develop new standards, protocols and guidelines to ensure that sensitive files are encrypted and can be securely shared. He also asked NIST to develop easy-to-use instructions so that the public to take advantage of newer technologies.

A spokesperson for NIST tells Information Security Media Group that the agency is reviewing Wyden's letter and will provide a response to the senator's concerns and questions.

Concerns Over Encryption

Issues concerning encryption, cryptography and the secure sharing of documents remain a topic of great interest within the cybersecurity field and sparked one of the more illuminating conversations at this year's RSA conference in San Francisco (see: 10 Highlights: Cryptographers' Panel at RSA Conference 2019).

Wyden's letter to NIST, however, puts a spotlight on how many individuals rely on outdated methods to share sensitive information.

Matthew Daniel Green, a cryptography expert who’s an associate professor of computer science at Johns Hopkins University, took to Twitter after reading the letter to express concern that many people don't know how easy it is to crack encrypted and password-protected zip files.

"Right now on many ancient versions of Windows, when you 'encrypt' (password protect) a ZIP file using the OS default utility, you get encryption using the legacy ZIP scheme, which is totally broken," Green writes in one part of this thread.

Green also notes that there is a fairly well-known plaintext attack that targets the cipher of PKZIP, a legacy archiving program that makes zip files possible. The attack can recover the key and password to unlock the document. Green notes that even more modern versions of zip files, which use AES encryption, are susceptible to someone cracking the password.

"We cryptographers are arguing over PGP key sizes," Green writes. "Meanwhile government employees are emailing each other documents encrypted with a cipher that was handily broken in the 90s."

In March, Wyden, along with Sen. Tom Cotton, R-Ark, introduced the "Senate Cybersecurity Protection Act of 2019," which would give the Senate's sergeant at arms responsibility to help secure the personal devices and online accounts used by senators and their staff to help ward off cyberattacks and other threats (see: Bill Seeks to Aid Senators in Protecting Personal Devices).

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.