Information Security
re: Encryption Framework Discussion
Danny Shobrook / Apt Computer Systems Ltd 7 Apr 1998 4:58PM ET

Firstly, any traffic analysis will give you a lot of information on heavy trading. As dest and source IDs are not encrypted, putting a sniffer on will give you a clue if someone is trying to split a large trade up amongst smaller guys.
Secondly, any encryption/signing will have to be resistant to differential cryptanalysis, as a lot of the plaintext will already be known.
Thirdly, you have to ask yourself about the performance tradeoffs with double encryption at transport and app layer. It *might* make sense for large institutional trades; we deal with retail, and this would put an unacceptable overhead on us for really rather little return.
Fourthly, you would need to make sure there was a way of negotiating any app level encryption. The current "agree before" was maybe OK when the FIX community was small, but increasingly it will be used between parties that have no fixed relationship. There would need to be the opportunity to adjust between the level Charles wants and the level retail customers are happy with.
Fifthly, the most common security flaws are bugs in implementation and people probs. Coming up with a new app level protocol faces both these complications.
Finally, it puts a stress on FIX implementers to be encryption experts as well.
Danny Shobrook
Apt Computer Systems
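The first two points above (session IDs travel in the clear, and much of the plaintext is predictable) can be made concrete with a small FIX message checker. This is an added example, not code from the original post or the FIX community: it assembles a FIX 4.x-style message, verifies the standard CheckSum, and partitions the fields into what a passive observer on the wire still reads when only the application body is encrypted. The standard-header tag numbers are from the FIX specification; the sample order is constructed here.

```python
# Added example (not from the original post). FIX 4.x tag=value framing with
# SOH (0x01) delimiters; tag numbers below are from the FIX standard header.
SOH = "\x01"

# Standard-header and trailer fields FIX leaves unencrypted so the session
# layer can route, sequence and validate the message before any decryption.
# An observer sees exactly these even when the body is protected.
CLEAR_TAGS = {8, 9, 35, 49, 56, 34, 52, 10}

def build_fix(begin: str, body: list) -> str:
    """Assemble a wire message, computing BodyLength (9) and CheckSum (10)."""
    payload = "".join(f"{t}={v}{SOH}" for t, v in body)
    msg = f"8={begin}{SOH}9={len(payload)}{SOH}{payload}"
    return f"{msg}10={sum(msg.encode('ascii')) % 256:03d}{SOH}"

def parse_fix(raw: str) -> list:
    """Split a SOH-delimited FIX message into ordered (tag, value) pairs."""
    return [(int(t), v) for t, v in
            (f.split("=", 1) for f in raw.split(SOH) if f)]

def fix_checksum(raw: str) -> int:
    """Sum of all bytes up to and including the SOH before '10=', mod 256."""
    end = raw.rfind(SOH + "10=")
    return sum(raw[: end + 1].encode("ascii")) % 256 if end >= 0 else -1

def checksum_ok(raw: str) -> bool:
    """True when the transmitted CheckSum matches the recomputed one."""
    fields = dict(parse_fix(raw))
    return fields.get(10) is not None and int(fields[10]) == fix_checksum(raw)

def observer_view(raw: str) -> dict:
    """Partition fields into what a sniffer reads and what body encryption hides."""
    fields = parse_fix(raw)
    return {
        "visible": [(t, v) for t, v in fields if t in CLEAR_TAGS],
        "protected": [(t, v) for t, v in fields if t not in CLEAR_TAGS],
    }

# Constructed sample: a retail broker sending a new order (35=D) to an exchange.
SAMPLE = build_fix("FIX.4.2", [
    (35, "D"), (49, "RETAILBRK"), (56, "EXCH"), (34, "12"),
    (52, "19980407-16:58:00"), (11, "ORD1"), (55, "ACME"),
    (54, "1"), (38, "10000"), (40, "2"), (44, "25.50"),
])

if __name__ == "__main__":
    print("checksum ok:", checksum_ok(SAMPLE))
    for kind, fields in observer_view(SAMPLE).items():
        print(kind, fields)
```

Counting the `visible` tuples per (49, 56) pair over a capture is all a sniffer needs to spot the order flow pattern the post describes; the checksum shows why the header bytes also count as known plaintext.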