The director of cyber security at the National Security Agency inspired some smiles among cyber professionals last week when he told Bloomberg that the new encryption standards his agency is working with the National Institute of Standards and Technology (NIST) will have no back doors. . ,
In cyber security parlance, a backdoor is an intentional flaw in a system or software that can be secretly exploited by an attacker. In 2014, it was rumored that an encryption standard developed by the NSA included backdoors, resulting in the algorithm being dropped as a federal standard.
“Backdoors can aid law enforcement and national security, but they also introduce vulnerabilities that can be exploited by hackers and are subject to potential abuse by the agencies they are intended to assist,” John Gunn, CEO of Rochester, NY-based Token, maker of a biometric-based wearable authentication ring, told TechNewsWorld.
“Any backdoor into encryption can and will be discovered by others,” said principle threat hunter John Bumbank of Netenrich, an IT and digital security operations company in San Jose, Calif.
“You can trust the American intelligence community,” he told TechNewsWorld. “But will you trust the Chinese and the Russians when they get to the back door?”
trust but verify
Lawrence Gasman, president and founder of Inside Quantum Technology of Crozet, Va., said the public has good reason to be skeptical about NSA officials’ comments. “The intelligence community is not known for telling the absolute truth,” he told TechNewsWorld.
Mike Parkin, an engineer at Vulcan Cyber, said, “The NSA has some of the best cryptographers in the world, and well-founded rumors have circulated for years about their efforts to put backdoors into encryption software, operating systems, and hardware. ” SaaS provider for enterprise cyber-risk treatment in Tel Aviv, Israel.
He told TechNewsWorld, “Similar things can be said of software and firmware sourced from other countries, which have their own agencies with a vested interest in seeing that a network has What’s in the crossing traffic.”
“Whether it’s in the name of law enforcement or national security, officials have a long-standing disdain for encryption,” he said.
When it comes to encryption and security there should be a trust but verified approach, advised Dave Kundiff, CISO at Cyvatar, creator of an automated cybersecurity management platform in Irvine, Calif.
“Organizations may have the best of intentions, but fail to fully see those intentions,” he told TechNewsWorld. “Government entities are bound by law, but do not guarantee that they will not knowingly or unintentionally introduce backdoors.”
advertisement
“It is imperative for the community at large to test and verify any of these mechanisms to verify that they cannot be compromised,” he said.
taming prime numbers
One of the drivers behind the new encryption standards is the threat of quantum computing, which has the potential to break the commonly used encryption schemes used today.
“As quantum computers become mainstream, this will make modern public-key encryption algorithms obsolete and insufficient security, as demonstrated in Shor’s algorithms,” said Jasmine Henry, JupiterOne’s director of field security, Morrisville, cyber asset management. K’s North Carolina-based provider explained. and governance solutions.
Shor’s algorithm is a quantum computer algorithm for computing the prime factors of integers. Prime numbers are the foundation of the encryption used today.
“The encryption depends on how hard it is to work with really large prime numbers,” Parkin explained. “Quantum computing has the ability to find prime numbers that rely on encryption trivial. What used to take generations to compute on a traditional computer is now revealed in a matter of moments.”
This is a major threat to today’s public key encryption technology. “This is the reason why public-key cryptography is often used to supersede ‘symmetric’ key encryption. These keys are used for the transmission of sensitive data,” explained Andrew Barratt, at Coalfire The leading, Westminster, Colorado-based provider of cyber security advisory services for solutions and investigations.
“This has important implications for almost all encryption transmissions, but also for anything else that requires digital signatures such as the blockchain technologies that support cryptocurrencies like bitcoin,” he told TechNewsWorld.
Quantum Resistor Algorithm
Gunn said that most people misunderstand what quantum computing is and how it differs from today’s classic computing.
“Quantum computing will never be in your tablet, phone or wristwatch, but for tasks like searching and factoring large prime numbers using special algorithms for specific applications,” he said. “Performance improvements are in the millions.”
“Using Shor’s algorithm and the quantum computer of the future, AES-256, the encryption standard that protects everything on the web and all of our online financial transactions, will be breakable in a short period of time,” he said.
advertisement
Barratt stressed that once quantum computing becomes available for mainstream use, crypto will need to move from prime-number-based mathematics to elliptic curve cryptography-based (ECC) systems. “However,” he continued, “it is only a matter of time before the underlying algorithms that support ECC become vulnerable on the scale of quantum computing, especially by designing quantum systems to break them.”
NIST is developing quantum-resistant algorithms with the help of the NSA. “The requirements for quantum-resistant algorithms may include very large signatures, loads of processing, or massive amounts of keys that can present challenges for implementation,” Henry told TechNewsWorld.
“Organizations will face new challenges to implement quantum-resistant protocols without running into performance issues,” she said.
time of arrival?
It is unclear when a working quantum computer will be available.
“It doesn’t appear that we’ve hit the inflection point in practical application, yet haven’t been able to say with any certainty what the timeline is,” Kundiff said.
“However, that inflection point may be tomorrow, allowing us to say that quantum computing will be widely available in three years,” he told TechNewsWorld, “but until there is some point to move beyond the theoretical and practical.” No, even then it is possible a decade away.”
Gassman said he thinks the world will soon see quantum computers. “Quantum computer companies say this will happen in 10 years to 30 years,” he observed. “I think it will be before 10 years, but not before five years.”
Moore’s law – which predicts that computing power doubles every two years – does not apply to quantum computing, Gassmann maintained. “We already know that quantum evolution is proceeding at a rapid pace,” he said.
“I’m saying we’ll have a quantum computer sooner than 10 years later,” he continued. “You won’t find many people agreeing with me, but I think we should be concerned about it right now – not only because of the NSA, but because there are worse people than the NSA who want to take advantage of this technology. “