<div dir="ltr">Ian, <div><br></div><div>thanks for sharing your very interesting point of view. </div><div><br></div><div>General question to this mailinglist: is there a public archive available? At Apache, we use Markmail - eg.: <a href="http://markmail.org/search/?q=Couchdb">http://markmail.org/search/?q=Couchdb</a> . It's very nice to be able to search in the ML and also share some info - if not protected but that should be on a private list anyway.</div><div><br></div><div>Thanks </div><div><br></div><div>Andy </div></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 September 2015 at 17:45, ianG <span dir="ltr"><<a href="mailto:iang@iang.org" target="_blank">iang@iang.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2/09/2015 12:43 pm, Alan Orth wrote:<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm not sure if you folks saw this, but a few weeks ago the NSA updated<br>
their Suite B recommendations. They now recommend AES-256, curve P-384,<br>
and SHA-384. Here's a before and after of their "Suite B" cryptography<br>
recommendations:<br>
<br>
Before (web archive):<br>
<br>
<a href="https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" rel="noreferrer" target="_blank">https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml</a><br>
<<a href="https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" rel="noreferrer" target="_blank">https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml</a>><br>
<br>
After:<br>
<br>
<a href="https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" rel="noreferrer" target="_blank">https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml</a><br>
<<a href="https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" rel="noreferrer" target="_blank">https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml</a>><br>
<br>
Now you need to decide to yourself if this is worth updating your<br>
infrastructure configuration. :)<br>
</blockquote>
<br>
<br>
<br></span>
My understanding of the facts (?) is this.<br>
<br>
1. NSA has mandate to protect USG agencies. It also has a mission to breach everyone (else) but let's ignore that for the moment.<br>
<br>
2. NSA knows more about quantum than anyone else, in the sense that it has the budget to know, and has been spending that budget.<br>
<br>
3. (we suspect) NSA is worried about quantum.<br>
<br>
4. NSA guidelines protect out to a 25 years. So if NSA can't rule out a quantum attack in the 25 year++ horizon, then they have to protect against a quantum attack.<br>
<br>
5. Current understanding is that a quantum attack reduces the bit-strength of an algorithm by the square-root - much like a birthday attack.<br>
<br>
6. So in essence, take previous minimum strengths (128, etc) and double (to baseline 256, etc).<br>
<br>
<br>
<br>
So, what does this mean for everyone else? Not a lot.<br>
<br>
The problem is that NSA is mandated to protect US government agencies and not the rest of the world. Following standard threat modelling, they built their list of threats, not your list of threats. Their list of threats include a very well funded Chinese / Russian attack. Eg, state of the art, monster-grade quantum supercomputer. Which is only going to be used against the juciest of targets - the USA. Lets call this the Bletchley Park Attack.<br>
<br>
Our list of threats doesn't include that computer. Because, if any government wants our data, they'll spend $1000 to hire a local thief, not $1000000000 to deploy their monster machine on us.<br>
<br>
The NSA, by its own methodology and logic and customer, cannot afford to be wrong on this. We can afford to wait, and we can afford to be wrong. Wait and see. When ordinary people (botnet operators) can buy quantum computers that can crack keys, we'll know about it.<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<br>
iang<br>
</font></span><br>
<br>
ps; the key flaw in this debate is this: using someone else's threat model and not realising it's wrong for you. A common failing.<div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Ach mailing list<br>
<a href="mailto:Ach@lists.cert.at" target="_blank">Ach@lists.cert.at</a><br>
<a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" rel="noreferrer" target="_blank">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Andy Wenk<br>Hamburg - Germany<br>RockIt!<br><br><a href="http://www.couchdb-buch.de" target="_blank">http://www.couchdb-buch.de</a><br><a href="http://www.pg-praxisbuch.de" target="_blank">http://www.pg-praxisbuch.de</a><br><br><div><div>GPG fingerprint: <span style="color:rgb(0,0,0);white-space:pre-wrap">C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588</span></div></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap"><br></span></div><div><font color="#000000"><span style="white-space:pre-wrap"><a href="https://people.apache.org/keys/committer/andywenk.asc" target="_blank">https://people.apache.org/keys/committer/andywenk.asc</a></span></font><br></div></div></div>
</div>