ENISA updates crypto guidelines

Under pressure from numerous organisations, the EU Agency for Network Information and Security (ENISA) released two reports this week, as an update to its 2013 crypto guidelines, designed to help developers protect personal information in line with EU law.

The first report, aimed at those who design and implement cryptographic protocols warns that problems arise more from legacy issues than the “underlying cryptographic components.” The report also notes that a protocol can easily be broken by a developer with an eye to improving things even when it meets the demands of formal proofs.

The second report, aimed at government and corporate decision makers, serves as a guide to choosing the types of protective protocols and its main complaint again highlights the “legacy issues” which render many protocols out of date.

"What is highlighted is the need for certification schemes in all phases of the technological life-cycle. 'Security by design or by default' built in processes and products, are basic principles for trust," Udo Helmbrecht, ENISA's executive director, commented to the press about the ENISA's list of recommendations. "Standardising the process is an essential element in ensuring the correct application of the data protection reform in the service of EU's citizens and its internal market. ENISA's guidelines strive to provide the correct framework in securing online systems."

Sign up to our newsletters