Imported from previous forum
Hi,
Is there any FIX engine currently in the market which supports 3DES session encryption? or any FIX engine that is customisable to support Triple DES encryption.
[ original email was from Ryan Pierce - rpierce@taltrade.com ]
> Hi, Is there any FIX engine currently in the market which supports 3DES
session encryption? or any FIX engine that is customisable to support
Triple DES encryption.
This draft document may be of help regarding FIX security issues:
http://www.fixprotocol.org/documents/3556/FIX%20Security%20White%20Paper.pdf
FPL is getting out of the security protocol design business. PGP/DES-MD5 was good when it was created, but advances in DES cracking technology have rendered it vulnerable. While replacing DES with 3DES might improve security, PGP/DES-MD5 is still a niche protocol specific to FIX, with the disadvantages of fewer implementation choices and little to no academic peer review. Using industry standards, like TLS, means plenty of commercial and open-source options, as well as peer review.
A better solution would be to wrap the whole session with SSL or TLS, which the draft document listed above recommends. Both of these do support 3DES.
In addition, TLS also supports 128 bit or 256 bit AES. I would imagine that AES would be the cipher of choice, given that it has substantially longer key lengths than 3DES.