Slashdot Mirror
America's NIST Seeks Public Comments on Cybersecurity and Cryptography (thehill.com)
An anonymous Slashdot reader writes:
The National Institute of Standards and Technology has its own "Commission on Enhancing National Cybersecurity," and this week they issued a call for public comments on "current and future challenges" involving critical infrastructure cybersecurity, the concept of cybersecurity insurance, public awareness, and the internet of things (among other topics) for both the private and public sector.
Long-time Slashdot reader Presto Vivace quotes The Hill: it is specifically asking for projections on policies, economic incentives, emerging technologies, useful metrics and other current and potential solutions throughout the next decade... Comments will be due by 5 p.m. on September 9.
Internet services "have come under attack in recent years in the form of identity and intellectual property theft, deliberate and unintentional service disruption, and stolen data," writes NIST. "Steps must be taken to enhance existing efforts to increase the protection and resilience of the digital ecosystem, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity."
Separately, NIST is also requesting comments on a new process to "solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms... If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere... NIST plans to specify preliminary evaluation criteria for quantum-resistant public key cryptography standards."
Long-time Slashdot reader Presto Vivace quotes The Hill: it is specifically asking for projections on policies, economic incentives, emerging technologies, useful metrics and other current and potential solutions throughout the next decade... Comments will be due by 5 p.m. on September 9.
Internet services "have come under attack in recent years in the form of identity and intellectual property theft, deliberate and unintentional service disruption, and stolen data," writes NIST. "Steps must be taken to enhance existing efforts to increase the protection and resilience of the digital ecosystem, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity."
Separately, NIST is also requesting comments on a new process to "solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms... If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere... NIST plans to specify preliminary evaluation criteria for quantum-resistant public key cryptography standards."
Asymetric cryptography relies on mathematical problems, such as factoring very large numbers for security. In traditional algorithms, factoring large numbers (4096 bits) takes simply too long. However, there are KNOWN quantum algorithms that can tackle those problems quickly enough. Symmetrical algorithms do not rely on this class of problem for safety.
I was going to suggest that they re-name their commission "Boaty McBoatface"
Symmetric ciphers like AES are constructed in a fundamentally different way compared to public-key ciphers. Symmetric ciphers rely on confusion and diffusion, shuffling and mixing the bits of the input in such a way that it is very difficult to recover the plaintext unless you know the key that parameterized the process. Security is based on the complexity and non-linearity of the operations, but they are essentially very "messy" in how they transform plaintext into ciphertext. Take a look at a diagram describing AES and you will see what I mean.
Public-key ciphers on the other hand are conceptually simple but rely on the hardness of some fundamental mathematical operation, e.g. factoring, discrete log, etc. It turns out that there are quantum algorithms to solve some of these problems efficiently. It also turns out though that there is something called Grover's algorithm, which actually does let quantum computers break symmetric crypto faster than a standard computer. Fortunately, it only turns O(N) work into O(sqrt(N)), which is not that bad. Effectively this means that AES-128 only has 64 bits of security against a quantum computer, and AES-256 only has 128 bits.
The one thing I don't understand about warrant canaries is, what is the end game? Suppose I am a company that makes some kind of security product and I have a warrant canary posted on my website. If the government really doesn't like what I am doing they can just rustle up a warrant to get something from me, then I take down the canary and everyone stops using my system, effectively destroying it. How does that help anyone? It just exposes an easy button to DoS you.
If you don't trust NIST, turn off automatic time sync in your OS.
I'm afraid you're mistaken. The first set of regulations were lifted s a violation of First Amendment rights, but they were effectively transferred the US Commerce department. They are still restrictive, and still prevent the activation of ubiquitous encryption at the NIC level.
https://www.federalregister.go...
'
Permission to sell network equipment overseas often relies on the installation of backdoors for government access. These keys have even been published wolrwide for various network hardware.
http://www.defenseone.com/tech...
I'm afraid to believe that network hardware and software vendors do _not_ install backdoors at government insistence is to ignore the long history of the major network vendors.
The NIST has been tainted by the NSA. So any comment must first ask, "How can we know that this taint is gone?"
You secretly colluded with the NSA on back-dooring elliptical-curve cryptography (in effect, by not disclosing weaknesses).
Now you want us to offer you FREE suggestions on the current frontiers of mathematical cryptography?!?
Eat my shit. If I (or anyone else with a brain) had a body of work designed to out-smart quantum (annealing) computers, we would keep it very, very secret. We would not even disclose to USPTO or via a PCT disclosure.* Nuh-uh! It would be for sale to the highest bidder – a private transaction. NIST's recorded willingness to bend over and take it in the ass for the NSA has squandered the entire institution's integrity.
* It really does happen. An invention disclosure can be ruled by the USPTO to be so significant to National Security that they basically 'take it black,' usually at DOD behest. "Thanks for all of your hard work on that thing..."