[Ach] NSA stops recommending AES-128, curve P-256, and SHA-256

Andy Wenk andy at nms.de
Thu Sep 3 11:20:23 CEST 2015


Ian,

thanks for sharing your very interesting point of view.

General question to this mailing list: is there a public archive available?
At Apache, we use Markmail, e.g.: http://markmail.org/search/?q=Couchdb .
It's very nice to be able to search in the ML and also share some info, if
not protected, but that should be on a private list anyway.

Thanks

Andy

On 2 September 2015 at 17:45, ianG <iang at iang.org> wrote:

> On 2/09/2015 12:43 pm, Alan Orth wrote:
>
>> I'm not sure if you folks saw this, but a few weeks ago the NSA updated
>> their Suite B recommendations. They now recommend AES-256, curve P-384,
>> and SHA-384. Here's a before and after of their "Suite B" cryptography
>> recommendations:
>>
>> Before (web archive):
>>
>> https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
>>
>> After:
>>
>> https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
>>
>> Now you need to decide to yourself if this is worth updating your
>> infrastructure configuration. :)
>>
>
> My understanding of the facts (?) is this.
>
> 1.  NSA has mandate to protect USG agencies.  It also has a mission to
> breach everyone (else) but let's ignore that for the moment.
>
> 2.  NSA knows more about quantum than anyone else, in the sense that it
> has the budget to know, and has been spending that budget.
>
> 3.  (we suspect) NSA is worried about quantum.
>
> 4.  NSA guidelines protect out to 25 years.  So if NSA can't rule out a
> quantum attack in the 25 year++ horizon, then they have to protect against
> a quantum attack.
>
> 5.  Current understanding is that a quantum attack reduces the
> bit-strength of an algorithm by the square-root - much like a birthday
> attack.
>
> 6.  So in essence, take previous minimum strengths (128, etc) and double
> (to baseline 256, etc).
>
>
> So, what does this mean for everyone else?  Not a lot.
>
> The problem is that NSA is mandated to protect US government agencies and
> not the rest of the world.  Following standard threat modelling, they built
> their list of threats, not your list of threats.  Their list of threats
> includes a very well funded Chinese / Russian attack.  E.g., state of the art,
> monster-grade quantum supercomputer.  Which is only going to be used
> against the juiciest of targets - the USA.  Let's call this the Bletchley
> Park Attack.
>
> Our list of threats doesn't include that computer.  Because, if any
> government wants our data, they'll spend $1000 to hire a local thief, not
> $1000000000 to deploy their monster machine on us.
>
> The NSA, by its own methodology and logic and customer, cannot afford to
> be wrong on this.  We can afford to wait, and we can afford to be wrong.
> Wait and see.  When ordinary people (botnet operators) can buy quantum
> computers that can crack keys, we'll know about it.
>
>
> iang
>
>
> PS: the key flaw in this debate is this:  using someone else's threat
> model and not realising it's wrong for you.  A common failing.
>



-- 
Andy Wenk
Hamburg - Germany
RockIt!

http://www.couchdb-buch.de
http://www.pg-praxisbuch.de

GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588

https://people.apache.org/keys/committer/andywenk.asc