NIST Paper declares modern cryptography obsolete
In one broad stroke, a NIST IR draft released in February of 2016 has declared much of the current cryptographic system that underpins modern communication obsolete.
There appears to be a problem with the paper, though: it has no real foundation for the claims that quantum computing will obsolete essentially all of the existing crypto schemes out there. Another issue is the claim that AES-256 will require a larger key. Apparently the authors do not understand what AES-256 really is.
Here is a link to the draft, and you are welcome to review it and comment.
http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf
Table 1 - Impact of Quantum Computing on Common Cryptographic Algorithms
| Cryptographic Algorithm | Type | Purpose | Impact from large-scale quantum computer |
|---|---|---|---|
| AES-256 | Symmetric key | Encryption | Larger key sizes needed |
| SHA-256, SHA-3 | | Hash functions | Larger output needed |
| RSA | Public key | Signatures, key establishment | No longer secure |
| ECDSA, ECDH (Elliptic Curve Cryptography) | Public key | Signatures, key exchange | No longer secure |
| DSA (Finite Field Cryptography) | Public key | Signatures, key exchange | No longer secure |
Multivariate Security
Information Security is a multi-faceted challenge. In the simplest of high-level terms, we often have to consider the people, policy and technology facets. Within those three facets, there are several layers of additional facets. For example, people have education and experience factors, cultural and organizational factors, and to make it even more fun there is the interplay between people, policies and technologies.
The technology facet can range from infrastructure to configuration, integration and interconnectedness, and everything in between.
Of course, all of these are directly driven by the requirements within the given environment, such as privacy, confidentiality, availability and integrity. Each of these core requirements is affected by sub-requirements or components such as authentication, authorization, accounting (auditing), encryption, vulnerability detection, change detection, malware and incident response, among many others.
The depth of complexity and variability is one of the many reasons security experts throw their hands in the air and conclude that security is immeasurable. But when we step back a bit and scan the problem and organize it into sub-modules, we begin to understand a few basic principles:
1) There is a deep multidimensional relationship between blocks.
2) We can deconstruct each block deeply enough to get to a set of measurable components.
3) Some of the base components are best described by probabilistic metrics.
4) Most security sub-components will not be describable using simple probability functions or distributions such as the normal distribution or Gaussian distribution.
So, accepting the inherent complexity essential to measuring security is a first step towards creating a framework for measuring cyber security for any organization or enterprise, but it is not the only one. We have to identify a mathematical framework that can help us design a metric or set of metrics that will meet a set of mathematical smell tests:
i) repeatable - a real metric must provide similar results for similar inputs, and follow a consistent and expected path given a set of criteria.
ii) commutative - there must be a function that enables us to accumulate (increase or reduce) the value of the metric.
iii) bounded - there must be a minimum and a maximum value.
Information security, when broken into its composites, can be shown to meet each of these three criteria [see 1], and there exist functions that can be used to determine a single metric or a set of metrics (depending on our preference) for overall security.
At the base component level, the value determined may provide some insight, but for enterprise value, a cumulative view of enterprise security is usually more helpful. A good transpose for security is risk. By determining the risk of an adverse incident, we can calculate the converse. The aggregate risk will help us determine the aggregate security.
Because of the wide variety of components, and their interconnectedness, multivariate mathematics is an essential tool for measuring cyber security, and is one of the cornerstones of our security metrics practice at 6igma associates.
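As an added illustration (not from the original post or from 6igma associates), the sketch below deconstructs an enterprise into blocks with measurable leaf risks, rolls them up into an aggregate risk, takes security as the converse, and checks the three smell tests. It assumes leaf risks are independent probabilities, which is a simplification given the interdependence the post describes; the function names and sample values are constructed for the example.

```python
from itertools import permutations
from math import prod

def aggregate_risk(node):
    """Probability of at least one adverse incident within a block.

    A leaf is a probability in [0, 1]; a block is a dict of sub-blocks.
    Assumption: sub-blocks fail independently, so risks combine as
    1 - product(1 - r_i).
    """
    if isinstance(node, dict):
        return 1.0 - prod(1.0 - aggregate_risk(child) for child in node.values())
    if not 0.0 <= node <= 1.0:
        raise ValueError(f"leaf risk out of range: {node}")
    return float(node)

def security(node):
    """Security as the converse of aggregate risk."""
    return 1.0 - aggregate_risk(node)

# Constructed sample values, not measurements from any real environment.
ENTERPRISE = {
    "people": {"awareness_training": 0.10, "insider_misuse": 0.02},
    "policy": {"access_review": 0.05, "change_control": 0.04},
    "technology": {"authentication": 0.03, "patching": 0.08,
                   "malware_defence": 0.06},
}

def check_smell_tests(tree):
    """Return (repeatable, commutative, bounded) for the metric on `tree`."""
    # Repeatable: the same input always yields the same score.
    repeatable = security(tree) == security(tree)
    # Commutative: the order in which blocks are accumulated is irrelevant.
    scores = {round(security(dict(p)), 12) for p in permutations(tree.items())}
    commutative = len(scores) == 1
    # Bounded: the score has a minimum (0) and a maximum (1).
    bounded = 0.0 <= security(tree) <= 1.0
    return repeatable, commutative, bounded

if __name__ == "__main__":
    print(f"aggregate security: {security(ENTERPRISE):.4f}")
    print("repeatable, commutative, bounded:", check_smell_tests(ENTERPRISE))
```

Adding a block to the tree can only lower the score and reducing a leaf risk can only raise it, which is the accumulation behaviour the second criterion asks for.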
Risk, Policies and Security
As an IT governance practitioner, I find that a common question from CIO and CISO clients is which comes first, Risk Analysis or Security Policy? This is like a chicken and egg question really, and here is why.
Risk Analysis is the process of identifying, quantifying (qualitatively or quantitatively) and ranking the exposures an organization faces in the deployment of assets towards attaining its goals. Sometimes called Risk Assessment, Risk Analysis takes into account various aspects of the organization's operating environment, including the compliance environment, infrastructure, people and other resources, as well as the threat environment, to determine an organization's risk exposure.
One outcome of Risk Analysis is Risk Mitigation and one of the tools for effective Risk Mitigation is the development, deployment and enforcement of policies. So in this analysis, Risk could be said to drive policy.
Policy, in Cyber Security parlance, is the set of rules or parameters that guide the routine operation and consumption of Cyber resources and infrastructure. IT policies are (or at least should be) based on the operational environment of the organization. In some cases, the framework identified within the IT policy becomes the backbone of an IT Risk Assessment. It is easy to see the confusion.
Indeed, the confusion deepens in light of the fact that more organizations have developed and deployed cyber security policies long before risk assessment became a regular IT term. Increasingly though, organizations are gearing toward risk-based IT security, and that in turn often means letting the outcome of Risk Assessment drive the construction of Cyber Security policies.
As the concepts of IT Risk Management, and IT governance by and large, become an integral part of organizational operational frameworks, IT policies, including IT Security policies, will be driven more as a holistic part of IT Governance, and work more in tandem with IT Risk Management, both as a complement, and as a feeder of and beneficiary from the Risk Assessment process.
It is a great time to be an IT governance practitioner, albeit a challenging time for IT operational professionals in general.