Transitioning the Use of Cryptographic Algorithms and Key Lengths
67 points | 9 hours ago | 3 comments | csrc.nist.gov | HN
tptacek
9 hours ago
One rationale seems to be the standardization of PQ cryptography and thus the ability to go directly from weaker cryptography to PQ, rather than in 2 steps (112->128->PQ).

On the chopping block:

* ECB (\o/)

* Triple DES (TDEA)

* Finite field DSA (for new signatures)

* ECDSA at strengths lower than 112 bits

* RSA below 2048 bits

* RNGs, HMACs, HKDF, PBKDF and hashes based on SHA1 and the truncated 224-bit SHA-2/3 modes

No big surprises. The 224's are interesting, because folklorically they have value in hash constructions where resistance to length extension is useful. In practice, everyone just uses HMAC anyways.

deknos
3 hours ago
On the one hand I am glad that ECB officially dies as a mode; on the other hand I wonder what NIST officially recommends when you want to encrypt data that's shorter than one block. xD

Regarding finally transitioning away from SHA1: about fucking time :D

tptacek
2 hours ago
Any other mode? You can't preserve the original length if you're authenticating anyways.
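The exchange above (deknos asking what to use for sub-block messages, tptacek answering "any other mode", since authentication changes the length anyway) in working code. This is an added example, not code from the thread or from NIST; the key and nonce are constructed demo values. It shows that ECB must pad a 5-byte message to 16 bytes and turns equal plaintext blocks into equal ciphertext blocks, while AES-GCM needs no padding (5 bytes of ciphertext plus a 16-byte tag) and rejects a tampered message:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt applies raw AES to each block (ECB). Go's standard library
// deliberately offers no ECB mode, so the block loop is written out here;
// the input is PKCS#7-padded up to a whole number of blocks first.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// ecbLeaksRepeats reports whether the first two ciphertext blocks are equal,
// which with ECB happens exactly when the plaintext blocks were equal.
func ecbLeaksRepeats(ct []byte) bool {
	return len(ct) >= 2*aes.BlockSize &&
		bytes.Equal(ct[:aes.BlockSize], ct[aes.BlockSize:2*aes.BlockSize])
}

// gcmSeal encrypts and authenticates with AES-GCM. No padding is applied:
// the output is len(plaintext) bytes of ciphertext followed by a 16-byte tag.
func gcmSeal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen verifies the tag and decrypts; any modification of the
// ciphertext or tag makes it return an error instead of plaintext.
func gcmOpen(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key
	nonce := make([]byte, 12)              // constructed; must be unique per key in real use
	short := []byte("hello")

	ecb, _ := ecbEncrypt(key, short)
	fmt.Printf("ECB: %d-byte message -> %d bytes (padded, unauthenticated)\n", len(short), len(ecb))
	repeated, _ := ecbEncrypt(key, bytes.Repeat([]byte("A"), 2*aes.BlockSize))
	fmt.Printf("ECB repeats identical blocks: %v\n", ecbLeaksRepeats(repeated))

	sealed, _ := gcmSeal(key, nonce, short, nil)
	fmt.Printf("GCM: %d-byte message -> %d bytes (%d ciphertext + 16 tag)\n", len(short), len(sealed), len(short))
	sealed[0] ^= 1
	_, err := gcmOpen(key, nonce, sealed, nil)
	fmt.Printf("GCM rejects tampered ciphertext: %v\n", err != nil)
}
```

The point for the short-message question: an AEAD mode costs 16 bytes of tag but no padding, whereas ECB costs up to 16 bytes of padding and still leaves the message unauthenticated and pattern-leaking.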
js2
5 hours ago
PQ: post-quantum for anyone else who didn't know.
sidewndr46
8 hours ago
Whew, I was getting nervous. A place I worked at had a developer implement Triple AES. I'd hate for them to have to refactor it.
Joel_Mckay
8 hours ago
libgpg will have Kyber / FIPS 203 working soon.

SPHINCS+ / FIPS 205 should be available soon.

FALCON ...unknown FIPS draft TBA soon.

These are newer quantum resistant algorithms, and should be considered in your future maintenance cycle as they become available in the libraries.

NIST has some of the brightest minds in the world. When they suggest something, then one should probably take the advice very seriously. =3

tptacek
8 hours ago
My understanding is that NIST has like 2 cryptographers sitting in a closet somewhere. They're good cryptographers, but there isn't much of them.
cperciva
6 hours ago
NIST is basically the publishing arm of the NSA, so it really depends on whether the NSA is taking the "protect national information assets" or the "attack foreign information assets" part of its mandate more seriously from year to year.
dfc
6 hours ago
NIST does a lot of really neat work outside of crypto standards. Judah Levine and all the other metrology folks are awesome. It's unfortunate that they get grouped together by comments like this.
cperciva
5 hours ago
Sorry, yes I only meant in the context of cryptography of course. NIST is a great organization and it's really a historical accident that they do anything with crypto.
Joel_Mckay
8 hours ago
One will find the pool of people that deal in esoteric problems tends to be rather small in every field. =3
deknos
3 hours ago
What's libgpg? I only know libgpg-error and libgcrypt.
Joel_Mckay
2 hours ago
In general, the stable build usually requires:

gnupg 2.4.3

libassuan 2.5.6

libgcrypt 1.10.3

libgpgerror 1.47

libksba 1.6.5

npth 1.6

pinentry 1.2.1

However, the Kyber algorithm was only committed recently in libgcrypt 1.11.0, and will not build on some platforms due to a libassuan 3.0.1 issue.

Did you have additional details on when a working packaged set of dependencies will be available for static .a builds that support Kyber?

Have a great day =3

Joel_Mckay
8 hours ago
Rumors suggest a toy 22-bit RSA cipher factorization was recently demonstrated in China on D-wave quantum annealing platforms, and several paper details of the scaling potential were censored.

i.e. the NIST advice to incorporate quantum resistant algorithms shouldn't be taken lightly. For some, transitioning means wrapping a well-tested RSA system in something newer like FIPS 203, 204, or 205.

We live in interesting times for certain, as gnupg with Kyber support has static build fails on some platforms (libassuan 3.0.1 bug). =3

tptacek
8 hours ago
I don't know of anyone working in the space that takes that demonstration seriously, but I didn't go digging much; let me know if you find someone. For a lot of cryptography engineers, the mention of "D-Wave" is enough to shut down the inquiry.
Joel_Mckay
8 hours ago
That was my assumption as well for years, but when RSA starts to fall it raises more than 1 question.

We will be wrapping RSA 2048-bit in Kyber in the next few weeks, because planning for the worst and hoping for the best is good policy. =3

tptacek
8 hours ago
I'm referring to the specific D-Wave China RSA demonstration you're talking about, which I've been reading cryptographers dunking on.

Cards on the table, my position on quantum cryptanalysis remains: "Rodents of unusual size? I don't think they exist." It's a very big deal because it's a full employment program for people working on novel asymmetric schemes.

upofadown
8 hours ago
This refers to the deprecation of 2048 bit RSA after 2030. I wrote an article attacking that policy:

* https://articles.59.ca/doku.php?id=em:20482030

The document specifies that SHA-1 in HMACs is to be entirely disallowed after 2030. That seems like it would cause needless reimplementation of systems with the associated chance of security problems and expense. SHA-1 used in an HMAC is generally known to be secure.

tptacek
8 hours ago
In much the same sense that HMAC-MD5 is "secure". They deprecated all the lower-bit-strength SHA hash constructions.

The 2048 deprecation in 2030 seems to be about quantum resistance, not about a move to 4096 bit RSA.

LegionMammal978
8 hours ago
> The 2048 deprecation in 2030 seems to be about quantum resistance, not about a move to 4096 bit RSA.

From [0], where the 112-bit 'security strength' of 2048-bit RSA is ultimately pulled from:

"The comparable security strengths provided below are based on accepted estimates as of the publication of this Recommendation using currently known methods. Advances in factoring algorithms, general discrete-logarithm attacks, elliptic-curve discrete-logarithm attacks, and other algorithmic advances as well as quantum computing may affect these equivalencies in the future. New or improved attacks or technologies may be developed that leave some of the current algorithms completely insecure."

Their recommendation is to switch to 3072-bit RSA or higher by 2031, since that has a 128-bit 'security strength' by their formula. So I don't think this has much to do with quantum resistance: as GP says, no reasonable RSA key size will help much with that.

[0] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S..., section 5.6.1

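Where the "112-bit security strength of 2048-bit RSA" in the comment above comes from, in working code. This is an added example, not from the thread or from NIST's publications: it uses the commonly cited general-number-field-sieve cost heuristic (constants 1.923 and 4.69, assumed here) to turn an RSA modulus size into equivalent symmetric-key bits, then snaps the estimate to the nearest NIST strength tier. Rounding that way reproduces the published 1024->80, 2048->112, 3072->128, 7680->192, 15360->256 mapping, and the helper `allowedAfter2030` applies the transition rule as the thread describes it (112-bit strength disallowed after 2030, so 128 becomes the floor):

```go
package main

import (
	"fmt"
	"math"
)

// nistTiers are the security-strength levels NIST tabulates; they line up
// with 2-key TDEA, 3-key TDEA and AES-128/192/256.
var nistTiers = []int{80, 112, 128, 192, 256}

// gnfsStrengthBits estimates the work to factor a modulus of the given bit
// length with the general number field sieve, expressed as equivalent
// symmetric-key bits. The constants 1.923 and 4.69 are the widely used GNFS
// heuristic (an assumption of this example, not taken from the thread).
func gnfsStrengthBits(modulusBits int) float64 {
	lnN := float64(modulusBits) * math.Ln2
	return (1.923*math.Cbrt(lnN)*math.Pow(math.Log(lnN), 2.0/3.0) - 4.69) / math.Ln2
}

// nistStrengthTier snaps the raw estimate (about 110 for 2048 bits, about
// 132 for 3072 bits) to the nearest tabulated tier.
func nistStrengthTier(modulusBits int) int {
	est := gnfsStrengthBits(modulusBits)
	best := nistTiers[0]
	for _, tier := range nistTiers {
		if math.Abs(est-float64(tier)) < math.Abs(est-float64(best)) {
			best = tier
		}
	}
	return best
}

// allowedAfter2030 applies the rule as discussed in the thread: 112-bit
// strength (2048-bit RSA) is disallowed after 2030, so 128 is the minimum.
func allowedAfter2030(modulusBits int) bool {
	return nistStrengthTier(modulusBits) >= 128
}

func main() {
	fmt.Println("RSA bits  GNFS est  NIST tier  OK after 2030")
	for _, bits := range []int{1024, 2048, 3072, 4096, 7680, 15360} {
		fmt.Printf("%8d  %8.1f  %9d  %v\n",
			bits, gnfsStrengthBits(bits), nistStrengthTier(bits), allowedAfter2030(bits))
	}
}
```

Note that 4096-bit RSA also lands in the 128-bit tier: the estimate grows with the cube root of the modulus size, which is why the comment's point stands that no practical RSA size buys a large jump in strength, and why the tiers above 128 require 7680 and 15360 bits.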
tptacek
8 hours ago
I'm citing (paraphrasing) this more recent document, page 4, line 238. Let me know if I've got it wrong.
deknos
3 hours ago
SHA-1 has been around long enough that they can build precomputation tables. NSA and other state-backed organizations have the capacity to do that. The community should at least up the ante to 256 bit to make things harder.
veggieWHITES
8 hours ago
We shouldn't be listening to the NIST for any sort of Cryptographic advice. [1]

[1] https://en.wikipedia.org/wiki/National_Institute_of_Standard...

gruez
8 hours ago
So we should continue using ECB and RSA < 2048?
y-curious
7 hours ago
Not if you want to get FedRAMP designation at any point.
archgoon
1 hour ago
Ah, but that's a beauty of it. If you encrypt with ECB you can't be decrypted by a federally compliant organization!