[Ach] NSA stops recommending AES-128, curve P-256, and SHA-256

Alan Orth alan.orth at gmail.com
Thu Sep 3 10:03:38 CEST 2015


Thanks for the interesting commentary, Ian! I have updated my personal
servers — because I control both the client and the server, run current
userspaces on both, and only stand to lose speed due to costlier cipher
suits — but not the ones I administer professionally.

Anyways, this is an interesting development to see. :)

Alan

On Wed, Sep 2, 2015 at 6:46 PM ianG <iang at iang.org> wrote:

> On 2/09/2015 12:43 pm, Alan Orth wrote:
> > I'm not sure if you folks saw this, but a few weeks ago the NSA updated
> > their Suite B recommendations. They now recommend AES-256, curve P-384,
> > and SHA-384. Here's a before and after of their "Suite B" cryptography
> > recommendations:
> >
> > Before (web archive):
> >
> >
> https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
> > <
> https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
> >
> >
> > After:
> >
> > https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
> > <https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml>
> >
> > Now you need to decide to yourself if this is worth updating your
> > infrastructure configuration. :)
>
>
>
> My understanding of the facts (?) is this.
>
> 1.  NSA has mandate to protect USG agencies.  It also has a mission to
> breach everyone (else) but let's ignore that for the moment.
>
> 2.  NSA knows more about quantum than anyone else, in the sense that it
> has the budget to know, and has been spending that budget.
>
> 3.  (we suspect) NSA is worried about quantum.
>
> 4.  NSA guidelines protect out to a 25 years.  So if NSA can't rule out
> a quantum attack in the 25 year++ horizon, then they have to protect
> against a quantum attack.
>
> 5.  Current understanding is that a quantum attack reduces the
> bit-strength of an algorithm by the square-root - much like a birthday
> attack.
>
> 6.  So in essence, take previous minimum strengths (128, etc) and double
> (to baseline 256, etc).
>
>
>
> So, what does this mean for everyone else?  Not a lot.
>
> The problem is that NSA is mandated to protect US government agencies
> and not the rest of the world.  Following standard threat modelling,
> they built their list of threats, not your list of threats.  Their list
> of threats include a very well funded Chinese / Russian attack.  Eg,
> state of the art, monster-grade quantum supercomputer.  Which is only
> going to be used against the juciest of targets - the USA.  Lets call
> this the Bletchley Park Attack.
>
> Our list of threats doesn't include that computer.  Because, if any
> government wants our data, they'll spend $1000 to hire a local thief,
> not $1000000000 to deploy their monster machine on us.
>
> The NSA, by its own methodology and logic and customer, cannot afford to
> be wrong on this.  We can afford to wait, and we can afford to be wrong.
>   Wait and see.  When ordinary people (botnet operators) can buy quantum
> computers that can crack keys, we'll know about it.
>
>
>
> iang
>
>
> ps; the key flaw in this debate is this:  using someone else's threat
> model and not realising it's wrong for you.  A common failing.
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20150903/b581daa4/attachment.html>


More information about the Ach mailing list