Research shows encryption is not as secure as we might think

Sophia Antipolis, France

The Industry Specification Group on Encrypted Traffic Integration (ISG ETI) at the European Telecommunications Standards Institute (ETSI) has concluded the early part of its work, by identifying problems arising from pervasive encrypted traffic in communications networks. The initial findings conclude that the rise of the use of encryption places networks and users at risk, whilst offering promises of security.

In the group’s first report, ETSI GR ETI 001, entitled Encrypted Traffic Integration (ETI); Problem Statement, ISG ETI identifies the impact of encrypted traffic on stakeholders and how these stakeholders' objectives interrelate.

The use of encryption as the default approach to enhance the security of communications has become increasingly common. While there are often benefits, in many scenarios, the use of encryption exposes users to threats from malicious traffic which, since it is not recognised because it is hidden by encryption, can no longer be filtered out by the network operator to protect the end user. The use of end-to-end encryption can restrict the ability of network management, anti-fraud, cyber security, and regulatory monitoring systems to manage data and communications flowing into, through, and out of networks.

Encryption protects traffic flowing through a network from unauthorised inspection. Nevertheless, encryption in itself does not protect the communicating end points from attack and reduces the ability of firewalls, in combination with other network management systems, to remove malicious traffic. Without being over-dramatic, the rise of a pervasive encryption model allows many of the worst elements of societal and human behaviour to go unobserved, because trusted networks are not able to help to protect users.

The role of ETSI ISG ETI is to enable all the positive attributes of pervasive encryption to be enhanced, whilst allowing the networks to operate. This requires a deeper understanding of the problem, as evidenced in the GR ETI 001.

“The next step is to develop a set of requirements for the use of encryption, to offer a balance that allows network operation, while giving the user an assurance of confidentiality. This requirements analysis should be ready by the end of 2021”, adds Scott Cadzow, ETSI ISG ETI Vice-Chair.


Product Suppliers
Back to top