Question

Company X has recruited a recent Harvard Computer Science graduate, Todd Johnsom, to improve its Information Security. Todd's proposal is to implement a new cutting-edge encryption algorithm that he recently developed. Todd claims this algorithm to be faster and more secure than TLS. How would you support this new security technology? Why or why not?

Answer 1

Before we are in a position to answer the question the key is to understand what TLS is and why it’s used industry wide.

TLS is a cryptographic protocol provided to secure end to end communications and transactions over networks. Many businesses rely on TLS for their daily running of operations because of its capability of securing communication where sensitive information is passed.

Currently we have TLS 1.3 in use, which was created in the wake of several attacks that have happened on TLS 1.2/SSL. Creating TLS 1.3 was the first major overhaul of the protocol as the Internet Engineering Task Force (IETF) set out to modernize it. Just to give a perspective of the amount of effort that was put in TLS 1.3 to make it safer, faster and more secure that the work on TLS1.3 started in April 2014 and it took four years and 28 drafts before it was approved in March of 2018.

Several key features on the new revised TLS 1.3 are

• Faster handshake with improved encryption process by sending all the authentication information at one trip.
• Getting rid of redundant algorithms that increased vulnerability in the previous protocols.
• Switching over to TLS 1.3 is easy as it can work with same keys and certificates as used by TLS 1.2 .
• TLS 1.3 is light weight consuming fewer resources thereby improving performance.

Now getting back into the question, the Company X should not support Todd new improved protocol in spite of the claims made by him. The following the list of reasons:

• If we look into the amount of effort that was taken by IETF to make TLS 1.3 safe and secure than we can surmise that it took a team 4 years to work to get rid of inherent deficiencies and add new features so it’s not practical to just give into Todd’s claims that his protocol is better since it might be having deficiencies that are left undetected, which could be used by hackers to fetch sensitive information detrimental to Company X.
• IETF created TLS 1.3 by taking into consideration the suggestions and ideas from various other stake holders too making the protocol more robust. One such incident was when IETF was in development phase of the protocol various financial institutions were opposed to the encryptions used in the protocol as is blinds them of the actual process going on in their network. This made IETF to make the protocol flexible enough so as to work harmoniously with monitoring tools. This kind of features would be missing in Todd’s protocol since this insight into the requirements of the industry couldn’t be had by Todd.
• IETF is an organization that would be quick to correct any future vulnerability that are detected leading to easy fix with less turnaround time whereas in case of Todd’s protocol it would be impossible to get the required fix in required time.
• Also any future development of the protocol would have to be taken up by Todd which makes it all the more unsuitable for future environments.