
Opportunistic encryption: The IETF's 50 shades of protection

The IETF is asking for help as it defines the opportunistic security standard. What does this mean to the enterprise?

Are you ready for a new security standard? Welcome, then, to opportunistic security. The standard is a new IETF specification, also known as RFC 7435. It even has a title tagline: "Some protection most of the time."

Despite the implications of a standard that promises less than 100% protection, opportunistic encryption -- a key part of the opportunistic security specification -- is a change in paradigm. Indeed, it's a fresh new look at security over the Internet; one that makes a lot of sense in our modern age.

Protection in current communications protocols

To understand why we need opportunistic security, we first need to understand the current state of our communications protocols. To date, there have been two options for securing communications: all or nothing, as the diagram below illustrates:

Figure 1. Current security options call for an all or nothing approach.

Here's the problem. When the "best security possible" isn't available, we downgrade to no security at all. In this scenario, when you browse the Internet, you either look at websites where everything is authenticated and encrypted (the lock icon in the navigation bar indicates that) or you look at websites where nothing is authenticated or encrypted.

The end result? Bank and ecommerce transactions work under their strict "best security possible" policy -- as it should be -- but almost anything else is unsecured.

While we all want the best security, it may not always be possible. And instead of settling for "best security possible," why can't we just settle for "best security available"?

That is the substance of opportunistic security: The IETF is aiming to create a set of guidelines and principles for designers of future communications protocols in order to define those protocols in a way that has more flexibility in user protection.

In a nutshell, opportunistic security splits protection into two separate tasks: encryption and authentication. Encryption offers the user passive security -- making sure no third party can eavesdrop on the communications just by looking at the line. Authentication adds active security -- protecting against man-in-the-middle attacks, where someone intercepts all communications and relays them to both sides, in the process gaining access to the whole exchange.

Why do we need opportunistic security?

There are several forces that make opportunistic security so important:

  • The introduction of services such as Apple Pay, which provides another option to the way business is transacted inside physical retail stores.
  • The rapid growth of mobile e-commerce, which has grown in five years from 5% to 50% of all online shopping traffic, according to statistics compiled by IBM.
  • Large, high-profile enterprise data breaches, such as those affecting Sony and Anthem Inc.
  • Massive scale government snooping of networks.

Simply, as we move more and more of our lives onto the Internet, we need better protection.

The underlying assumption of today's all-or-nothing approach will not do. It assumes a world where a transaction either requires the best security or is not worth the effort. The world has a lot more shades of gray to it.

Communications protocols supporting opportunistic security will be designed differently than they are today. For one thing, they will start off by assuming basic communication is never encrypted or authenticated, and is always sent in the clear: anything better is a welcome -- but optional -- improvement.

Figure 2. With opportunistic security, each transaction attempts to get the best possible security.

This approach means any interaction will attempt to negotiate better security at the outset, making sure the best security available at that given moment is used.

To that end, if authentication cannot be guaranteed for a given session or transaction, then encryption without authentication will get negotiated and used -- thus providing the means to thwart eavesdroppers from the interaction.

If encryption isn't available -- due to the capabilities of the peers -- and authentication is possible, then this approach will be taken.

If both encryption and authentication are possible -- or if an underlying security policy enforces the use of both (a financial transaction for example), then the best security possible will be used (or mandated).
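As an added illustration (not code from the article or from the IETF), here is a small Python model of the three outcomes just described alongside the all-or-nothing behaviour of Figure 1; the `Protection` flags, the policy floor and the sample peer offers are my own assumptions.

```python
from enum import Flag, auto


class Protection(Flag):
    """The two independent protections that RFC 7435 separates (assumed model)."""
    NONE = 0
    ENCRYPTION = auto()      # passive protection: a third party on the wire cannot read the traffic
    AUTHENTICATION = auto()  # active protection: the peer's identity is verified, defeating a relaying MITM


def all_or_nothing(offered: Protection) -> Protection:
    """Today's model: full protection when the peer supports it, otherwise cleartext."""
    full = Protection.ENCRYPTION | Protection.AUTHENTICATION
    return full if offered == full else Protection.NONE


def opportunistic(offered: Protection, required: Protection = Protection.NONE) -> Protection:
    """RFC 7435 model: take whatever the peer can provide, unless local policy sets a floor.

    `offered` is the set of protections negotiable with this peer (e.g. ENCRYPTION alone
    when TLS works but the certificate chain cannot be verified).
    `required` is the policy floor, e.g. both flags for a financial transaction.
    A session that cannot meet the floor is refused rather than silently downgraded.
    """
    chosen = offered
    if (required & chosen) != required:
        missing = required & ~chosen
        raise PermissionError(f"policy requires {required}, session lacks {missing}")
    return chosen


def residual_risks(level: Protection) -> list[str]:
    """Which of the article's two attack classes remain open at a given protection level."""
    risks = []
    if Protection.ENCRYPTION not in level:
        risks.append("eavesdropping")
    if Protection.AUTHENTICATION not in level:
        risks.append("man-in-the-middle")
    return risks


if __name__ == "__main__":
    # Constructed scenarios: a peer with TLS but an unverifiable certificate, and a peer with nothing.
    scenarios = [("tls-unverified", Protection.ENCRYPTION), ("plain", Protection.NONE)]
    for name, offer in scenarios:
        print(name, "all-or-nothing:", all_or_nothing(offer), "opportunistic:", opportunistic(offer))
```

With the unverified-TLS peer, the all-or-nothing model drops to cleartext (both risks open), while the opportunistic model keeps encryption and leaves only the man-in-the-middle risk.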

Why is this important?

As concerns about data and Internet privacy continue to grow, the IETF is working to ensure all of our digital communications benefit from the best security available.

Data encryption is on the rise. Whether it's 20% or 30% of Internet traffic matters less than the trend itself. Initiatives at the IETF -- such as encrypting HTTP/2 by default and introducing a paradigm shift such as opportunistic security -- mean that steps to secure and encrypt content will continue to gain traction in the years to come.

This was last published in February 2015


How would opportunistic security improve your organization's data protection strategies?
Opportunistic security comes with encryption and authentication, which means it's security-specific. Encryption brings on board the user's passive security, whereas authentication is an addition of active security. We need this kind of security because of the rapid growth in mobile transactions, current cybercrimes, governmental breaches, and high-end businesses' insecurity. We either embrace opportunistic security or none at all. The current age is considerate of internet privacy with today's digital communication benefits.
Opportunistic security addresses immediate threats and this provides upfront protection to data. This makes the approach a reliable solution to data in any organization.
What sort of a performance hit is a system going to take with this scheme compared with the present day? And if the IETF is just talking about it now, how soon are we actually going to get to see it?