Cryptography gadget of the day: Javascript Object Signing and Encryption (JOSE) https://datatracker.ietf.org/wg/jose/documents/ and the jose command line utility (h/t Nathan McCallum)

I appreciate this little set of (draft) standards because they codify quite a bit of best practice. The input and output formats (JSON or condensed base64url) are highly portable, and even printable, resulting in good crypto agility. The algorithm selections are limited to reasonable, recommended combinations, key sizes and padding. Proper key wrapping or key encryption is automatic and relatively effortless.

jose is such a better choice for the uninitiated than openssl and the vast troves of crap advice on Stackoverflow. It's also a decent learning tool. If there's any question about the algorithm in use, the JWA RFC7518 describes the details and operation of each in a manner more readable than most RFCs.

Looking for a tool to encrypt log files before shipping them off to NFS or S3 storage? How about creating a signed message? jose is probably going to be easier than openssl. Heck, openssl doesn't even do AEAD on the CLI anymore.

#cryptography #cli #tooloftheday #portability #cryptoagility

Maybe #quantumcomputing will change this from "HARD" to "NOT SO HARD" or even "EASY". 🤷‍♂️

No no, don't worry. Not today, not tomorrow. But like MD5 was "unbreakable" long time ago, technical advances are coming fast.

Source #xkcd https://xkcd.com/936/

#quantumsecurity #security #cryptoagility

I am afraid that if current encryption schemes are broken by #quantumcomputing it will more like being hit by a deadly meteroit then an earthquake. ☄️ This will not leave any technological component untouched.

"Quantum computing looms in our future like a technological earthquake, because quantum decryption threatens to compromise a foundational element of data encryption schemes."

#pqc #postquantum #cryptograhpy #cryptoagility

https://www.mondaq.com/unitedstates/fin-tech/1267752/quantum-computing-the-looming-threat-of-quantum-decryption

"Even if the Schnorr-based technique won’t break the Internet, quantum computers could eventually do so by running Shor’s algorithm. Security researchers have been busy developing a number of alternative cryptographic systems that are seen as less likely to succumb to a quantum attack, called post-quantum or quantum-safe. "

#security #quantumcomputing #pqc #postquantumcryptography #cryptoagility

Are quantum computers about to break online privacy?
https://www.nature.com/articles/d41586-023-00017-0#ref-CR1

Since it is often believed that replacing crypto is easy, #NIST shows here that it isn't. There are from now on 8 years for fixing software and hardware using sha-1. Maybe as a reminder for those who still believe that this is an easy job.

“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” Celi said.

#cryptography #cryptoagility #quantumcomputing

https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

@WinstonSmith @tc Hopefully the companies are re-encrypting as well. I guess this is the big issue with companies: this won't happen fast if there is not some kind of -- lets call it -- #cryptoagility setup. And the appropriate #architecture to support this.

If not, it can talk years before an alternative storage encryption is setup up. I have seen this where a replacement of a DMS took almost 5 years. 😱

The threat: #QuantumComputer, the solution: #PQC by National Institute of Standards and Technology (NIST).

"In 2019, a team of researchers factored a 795-bit RSA key, making it the biggest key size ever to be solved." and "The researchers estimated that the sum of the computation time for both of the new records was about 4,000 core-years using Intel Xeon Gold 6130 CPUs (running at 2.1 GHz)."

https://arstechnica.com/information-technology/2022/07/nist-selects-quantum-proof-algorithms-to-head-off-the-coming-cryptopocalypse/ #cryptoagility #cryptography

Still some way to go but it is time to start to experiment with new algorithms and to get the hands dirty with #pqc. Expertise in #cryptoagility won't come over night. Changing systems will take years.

"Governments need to invest in cybersecurity that can defend against the future threat of bad actors using quantum computers that are exponentially faster than ordinary machines, a cryptography expert said."

https://www.bworldonline.com/sparkup/2022/11/16/487531/ibm-raises-cybersecurity-red-flag-warns-against-quantum-computing-threats/

"a strategy for the migration of information technology systems of the Federal Government to post-quantum cryptography is needed" ==> #cryptoagility 👍

“All we need to do is replace those algorithms with newer versions that are quantum-resistant,” said Marc Witteman , CEO of Riscure. “Unfortunately, that is easier said than done.”

Michael Osborne, CTO of IBM Quantum Safe, said during a recent webinar, “We understand quantum-safe as being safe in the quantum era. Part of that is replacing the cryptography that we use."

Less talk, more action + #cryptoagility 💯 #qkd #cryptography #QuantumTechnology #QuantumComputing

https://semiengineering.com/post-quantum-and-pre-quantum-security-issues-grow/

@roomey I am neither an expert in this area, but I haven't seen a suggestion to move to one of the possible candidates of the #NIST competition.

Why? Because they are still not the final candidates and as it was demonstrated in August with the SIKE, you can see, how quickly a possible winner can be cracked. I would really defer the move to one of the candidates.

But yes, #cryptoagility is a must nowadays. Not only because of #quantumcomputing. It is generally needed!

ANSSI views on the Post-Quantum Cryptography transition

https://www.ssi.gouv.fr/en/publication/anssi-views-on-the-post-quantum-cryptography-transition/

#cryptography #security #infosec #PQC #QKD #cryptoagility