Pervasive encryption may enhance network traffic security, but the use of encryption also exposes users to threats from malicious traffic.
You would think encryption would enhance the security of network communications. However, the fact that network traffic is encrypted also exposes users to threats from malicious traffic.
To highlight this, standards body ETSI has published an initial report identifying the problems arising from pervasive encrypted traffic in electronic/digital communications networks. It looks at the issues that might be encountered by different stakeholders, with a view to guiding future standards development in mitigating the negative impacts of encryption.
The use of encryption as the default approach to enhance the security of communications has become increasingly common. While there are often benefits, in many scenarios, the use of encryption exposes users to threats from malicious traffic which, since it is not recognized because it is hidden by encryption, can no longer be filtered out by the network operator to protect the end user. The use of end-to-end encryption can restrict the ability of network management, anti-fraud, cybersecurity, and regulatory monitoring systems to manage data and communications flowing into, through, and out of networks.
Encryption protects traffic flowing through a network from unauthorized inspection. Nevertheless, encryption in itself does not protect the communicating end points from attack and reduces the ability of firewalls, in combination with other network management systems, to remove malicious traffic. Without being over-dramatic, the rise of a pervasive encryption model allows many of the worst elements of societal and human behavior to go unobserved, because trusted networks are not able to help to protect users.
ETSI’s industry specification group on encrypted traffic integration (ISG ETI) has concluded the early part of its work, by identifying problems arising from pervasive encrypted traffic in communications networks. In the group’s first report, ETSI GR ETI 001, entitled Encrypted Traffic Integration (ETI); Problem Statement, ISG ETI identifies the impact of encrypted traffic on stakeholders and how these stakeholders’ objectives interrelate. The rise of the use of encryption places networks and users at risk, whilst offering promises of security.
The role of encryption of information being transported between two end-points has three widely recognized positive purposes depending on the context:
However, encryption may have a negative impact on third parties who do not have access to the encryption keys used and therefore do not have access to the content, but may have operational or legal responsibilities that require or is dependent on some level of knowledge of the information transported. Critical factors include how the keys were generated, who has knowledge of them, and how are they protected or shared.
Having produced this initial problem statement, ETSI said the next step is to develop a set of requirements for the use of encryption, to offer a balance that allows network operation, while giving the user an assurance of confidentiality. It added that this requirements analysis should be ready by the end of 2021.