Indian stock exchange finally encrypting all trader messages

Summary: The Bombay Stock Exchange (BSE) has issued a directive requiring market participants to adopt encryption for certain messages sent to its trading platforms using the Enhanced Trading Interface (ETI).

Threat Actor: N/A
Victim: Market participants of the Bombay Stock Exchange (BSE)

Key Point:

  • The BSE has mandated the encryption of all messages exchanged between member applications and the trading engine, including price quote requests from brokers.

India’s Bombay Stock Exchange (BSE) has told market participants they need to adopt encryption – which, shockingly, isn’t already implemented – for certain messages sent to its trading platforms when using its Enhanced Trading Interface (ETI).

ETI is the bourse’s interface for traders, and sent out its directive last Monday.

“In this implementation, all the messages exchanged between member application and trading engine will require to be encrypted by the sender and decrypted by the receiver,” specified the notice.

“All” is the key word here. Sources familiar with BSE processes tell The Register that most communications between BSE and brokers were already encrypted – as one would expect in 2024.

The new policy covers brokers requesting price quotes from the platform – an act that is a potentially valuable source of info, as the mere fact of asking for a price indicates a possible trade that could move the market. It is therefore surprising that they were not already encrypted.

The order to market participants comes after India’s Securities and Exchange Board mandated encryption for comms with stock exchanges that fall under its purview.

BSE will use the AES 256 encryption algorithm for the price info. It began testing the protocol on March 28, making encrypted and non-encrypted channels available in parallel.

It then set a date to discontinue the non-encrypted channel on May 13, but that date came and went before being extended to June 8. Market participants who met the first deadline were encouraged not to wait before migrating applications to the encrypted channel.

“All existing applications working on non-encryption channel will not be able to connect to simulation post June 8, 2024. Thus, all member applications are requested to complete the development of encryption before the discontinuation date,” the bourse has advised participants.

“Encryption is important for trading because it keeps your data confidential between your company and the exchange,” co-founder of commodity trading platform Topaz, Jo Finnigan, told The Reg. She included prices at which traders wish to buy or sell securities among information that a broker might not want others to see.

She added that unencrypted data can be manipulated en route, so an attacker could change the information sent in requests.

According to Finnigan, encryption is certainly the norm when it comes to both stock exchange and commodity trading.

The COO and co-founder allowed it is possible BSE has used other layers of security to mitigate risks when it comes to the communications that were not included in encryption.

According to a December 2023 ETI manual, some encryption already provided includes TLS encrypted payload connections for its low frequency (LF) sessions via a dedicated TLS port. An ETI LF session is typically used for providing functionalities like order management, market data access, and trade confirmation.

But when it comes to the unencrypted exchanges, Deutsche Börse – the developer of the Xetra ETI platform behind BSE’s ETI platform – told The Register that component of the Indian exchange’s app is its own responsibility.

Industry insiders told The Reg “any encryption or decryption will require some time in terms of processing” – which was likely the main deterrent for not implementing encryption on all BSE messages until now. ®

Source: https://www.theregister.com/2024/05/30/bse_eti_encryption


“An interesting youtube video that may be related to the article above”