America's NIST Seeks Public Comments on Cybersecurity and Cryptography (thehill.com)
An anonymous Slashdot reader writes:
The National Institute of Standards and Technology has its own "Commission on Enhancing National Cybersecurity," and this week they issued a call for public comments on "current and future challenges" involving critical infrastructure cybersecurity, the concept of cybersecurity insurance, public awareness, and the internet of things (among other topics) for both the private and public sector.
Long-time Slashdot reader Presto Vivace quotes The Hill: it is specifically asking for projections on policies, economic incentives, emerging technologies, useful metrics and other current and potential solutions throughout the next decade... Comments will be due by 5 p.m. on September 9.
Internet services "have come under attack in recent years in the form of identity and intellectual property theft, deliberate and unintentional service disruption, and stolen data," writes NIST. "Steps must be taken to enhance existing efforts to increase the protection and resilience of the digital ecosystem, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity."
Separately, NIST is also requesting comments on a new process to "solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms... If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere... NIST plans to specify preliminary evaluation criteria for quantum-resistant public key cryptography standards."
Why isn't symmetric crypto threatened by quantum c (Score:1)
Quote from article: "If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use."
Public key cryptosystems refers to asymmetric cryptography. What is it about symmetric cryptography that makes it resistant to quantum attacks?
Re: Why isn't symmetric crypto threatened by quant (Score:2, Informative)
Asymmetric cryptography relies on mathematical problems, such as factoring very large numbers, for security. In traditional algorithms, factoring large numbers (4096 bits) takes simply too long. However, there are KNOWN quantum algorithms that can tackle those problems quickly enough. Symmetrical algorithms do not rely on this class of problem for safety.
Re:Why isn't symmetric crypto threatened by quantu (Score:5, Informative)
Public-key ciphers on the other hand are conceptually simple but rely on the hardness of some fundamental mathematical operation, e.g. factoring, discrete log, etc. It turns out that there are quantum algorithms to solve some of these problems efficiently. It also turns out though that there is something called Grover's algorithm, which actually does let quantum computers break symmetric crypto faster than a standard computer. Fortunately, it only turns O(N) work into O(sqrt(N)), which is not that bad. Effectively this means that AES-128 only has 64 bits of security against a quantum computer, and AES-256 only has 128 bits.
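An added illustration of the Grover's-algorithm point above (example code, not from the thread): an exact state-vector simulation of Grover search for one "correct key" among N candidates, showing that about (pi/4)*sqrt(N) iterations suffice, plus the halving of effective symmetric security the comment describes. Function names and the 16- and 256-element key spaces are constructed for the demonstration.

```python
import math


def grover_iterations(n_items: int) -> int:
    """Optimal number of Grover iterations for one marked item among
    n_items: roughly (pi/4) * sqrt(N), versus ~N/2 classical guesses."""
    return int(math.floor(math.pi / 4 * math.sqrt(n_items)))


def grover_search(n_items: int, marked: int, iterations=None):
    """Simulate Grover's algorithm on a key space of n_items candidates
    where index `marked` is the correct key. All amplitudes stay real, so
    a plain list of floats is an exact simulation of the state vector.
    Returns (iterations_used, probability_of_measuring_marked)."""
    if iterations is None:
        iterations = grover_iterations(n_items)
    # Start in the uniform superposition over every candidate key.
    amp = [1.0 / math.sqrt(n_items)] * n_items
    for _ in range(iterations):
        # Oracle: flip the sign of the amplitude on the correct key.
        amp[marked] = -amp[marked]
        # Diffusion operator: reflect every amplitude about the mean.
        mean = sum(amp) / n_items
        amp = [2.0 * mean - a for a in amp]
    return iterations, amp[marked] ** 2


def quantum_security_bits(key_bits: int) -> int:
    """Effective security of an n-bit symmetric key against Grover search:
    the sqrt(N) speed-up halves the bit strength (AES-128 -> 64 bits)."""
    return key_bits // 2


def work_factor_bits(key_bits: int) -> dict:
    """Expected brute-force work, in bits, classically (~N/2) and with
    Grover ((pi/4) * sqrt(N)) for an n-bit key."""
    return {
        "classical": key_bits - 1,
        "grover": key_bits / 2 + math.log2(math.pi / 4),
    }


if __name__ == "__main__":
    for n in (16, 256):
        k, p = grover_search(n, marked=5)
        print(f"N={n}: {k} Grover iterations find the key with p={p:.4f}")
    print(work_factor_bits(128), quantum_security_bits(256))
```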
Re: (Score:2)
These keys can be lengthened pretty simply. The length of these keys has been kept short through federal regulation, not through overwhelming technological difficulty in lengthening them.
Re: (Score:2)
What federal regulation would that be? "Export grade encryption" restrictions were removed back in 1996. It has been 20 years already (OMG, I'm old).
There is no federal regulation that I am aware of that limits key length. Citation please.
Re: (Score:3)
I'm afraid you're mistaken. The first set of regulations were lifted as a violation of First Amendment rights, but they were effectively transferred to the US Commerce department. They are still restrictive, and still prevent the activation of ubiquitous encryption at the NIC level.
https://www.federalregister.go... [federalregister.gov]
Permission to sell network equipment overseas often relies on the installation of backdoors for government access. These keys ha
Re: (Score:2)
On review, I was unclear. The arbitrary enforcement of the remaining regulations by the Department of Commerce effectively hinders robust encryption, including the increase of key lengths. Only those technologies deemed "suitable" by the Department of Commerce are allowed export license. The standards are no longer so clear, but similar to those The licensing and approvals necessary to provide robust encryption as a general practice are so burdensome that network equipment vendors find themselves fiscally
Re: (Score:2)
It has been a while since I've dug thru the DoC EAR, but from what I remember -- and what I seem to glean from digging thru your link to the Fed Reg -- is that most of this applies only if you're using proprietary encryption. The use of open source algorithms where you provide the relevant source code, such as using AES, Blowfish, or TwoFish, is an exemption.
To be clear, I'm talking about mass market stuff which gets the MMKT designation, not crypto gear primarily sold to foreign governments.
If using only t
Re: (Score:2)
Re: (Score:2)
Research has also shown that the construction of AES-256 is
Re: (Score:2)
My understanding is that due to problems with key schedules 256-bit AES is less secure than 128-bit. Ref [schneier.com].
Re: (Score:2)
Re: (Score:2)
Sure, but he then goes on to state: "And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the foreseeable future."
But I don't want to quote him out of context, he then adds: "But if you're already using AES-256, there's no reason to change."
As usual with crypto it will come down to exactly what you are doing and what threat models you are prioritizing your defense against.
Re: (Score:2)
Re: (Score:2)
Asymmetric keys rely on factorization of huge numbers to generate a 'distributable' key. Factorization of a single number is relatively complex; it takes a really, really long time with our current computers to factor any number. If you have to factor numbers, quantum computing is promised/theorized to be able to do this instantly or at least very quickly; if you can 'factor' any huge number instantly, you can make quick guesses until you have a matching combination.
Symmetric keys rely on secrets. Everyone in
Re: (Score:2)
Re: (Score:2)
Their advice should start with "avoid using US encryption products, and UK ones too". Probably Russian as well.
More specifically, any scheme that has had anything to do with the NSA or similar agencies should be avoided. There are plenty of well tested, strong crypto systems that were developed independently of them to choose from.
Re: (Score:2)
There are plenty of well tested, strong crypto systems that were developed independently of them to choose from.
Which are these exactly?
Re: (Score:2)
Besides RSA and DSA?
DSA has been failing tests over time. RSA, well tested over time, has kept being battered by regulatory hindrances and federal insistence that all crypto must have back doors. That unacceptable insistence has continued to dominate all attempts to standardize encryption at a federal level, including such attempts as the Clipper Chip and (un)Trusted Computing.
Re: NIST (Score:2)
Re: (Score:2)
Yeah...Rijndael was developed by a couple of Belgian cryptographers, yet chosen through open and well participated public competition to be AES. What exactly is wrong with it, or the way NIST conducted the selection process?
Please differentiate between algorithms and actual implementation code.
Re: (Score:3)
If you don't trust NIST, turn off automatic time sync in your OS.
Keep shit offline (Score:2)
Behind concrete walls, inside a Faraday cage, no mics, in fact just go back to paper.
Re: (Score:2)
That's a situation for backup... not the primary copies.
Serious replies only? Damn... (Score:3)
Warrant Canary (Score:1)
Re: (Score:3)
Eliminate Ambient Authority (Score:2)
If we eliminate ambient authority, it would go a long way towards fixing this whole mess. Having operating systems which blindly trust applications to do the right thing is just stupid. This was figured out back in the early 1970s, but nobody seems to have learned the lesson.
Capability Based Security is a way to never trusting applications, in a user friendly way... just raising awareness of it is a good first start.
NSA? (Score:3)
Re: (Score:2)
The NIST has been tainted by the NSA. So any comment must first ask, "How can we know that this taint is gone?"
This taint tastes a little bit like shit...
NIST is now stuck grasping at straws (Score:4, Interesting)
You secretly colluded with the NSA on back-dooring elliptic-curve cryptography (in effect, by not disclosing weaknesses).
Now you want us to offer you FREE suggestions on the current frontiers of mathematical cryptography?!?
Eat my shit. If I (or anyone else with a brain) had a body of work designed to out-smart quantum (annealing) computers, we would keep it very, very secret. We would not even disclose to USPTO or via a PCT disclosure.* Nuh-uh! It would be for sale to the highest bidder – a private transaction. NIST's recorded willingness to bend over and take it in the ass for the NSA has squandered the entire institution's integrity.
* It really does happen. An invention disclosure can be ruled by the USPTO to be so significant to National Security that they basically 'take it black,' usually at DOD behest. "Thanks for all of your hard work on that thing..."
Re: (Score:3)
Huh? It was the RNG algorithm based on ECC, not ECC in itself, right?
How about ... (Score:2)
We no longer trust you so go die in a fire.