<div dir="ltr"><div>Thanks for the interesting commentary, Ian! I have updated my personal servers — because I control both the client and the server, run current userspaces on both, and only stand to lose speed due to costlier cipher suits — but not the ones I administer professionally.<br><br></div><div>Anyways, this is an interesting development to see. :)<br></div><div><br></div>Alan<br></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Sep 2, 2015 at 6:46 PM ianG <<a href="mailto:iang@iang.org">iang@iang.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2/09/2015 12:43 pm, Alan Orth wrote:<br>
> I'm not sure if you folks saw this, but a few weeks ago the NSA updated<br>
> their Suite B recommendations. They now recommend AES-256, curve P-384,<br>
> and SHA-384. Here's a before and after of their "Suite B" cryptography<br>
> recommendations:<br>
><br>
> Before (web archive):<br>
><br>
> <a href="https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" rel="noreferrer" target="_blank">https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml</a><br>
> <<a href="https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" rel="noreferrer" target="_blank">https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml</a>><br>
><br>
> After:<br>
><br>
> <a href="https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" rel="noreferrer" target="_blank">https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml</a><br>
> <<a href="https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" rel="noreferrer" target="_blank">https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml</a>><br>
><br>
> Now you need to decide to yourself if this is worth updating your<br>
> infrastructure configuration. :)<br>
<br>
<br>
<br>
My understanding of the facts (?) is this.<br>
<br>
1. NSA has mandate to protect USG agencies. It also has a mission to<br>
breach everyone (else) but let's ignore that for the moment.<br>
<br>
2. NSA knows more about quantum than anyone else, in the sense that it<br>
has the budget to know, and has been spending that budget.<br>
<br>
3. (we suspect) NSA is worried about quantum.<br>
<br>
4. NSA guidelines protect out to a 25 years. So if NSA can't rule out<br>
a quantum attack in the 25 year++ horizon, then they have to protect<br>
against a quantum attack.<br>
<br>
5. Current understanding is that a quantum attack reduces the<br>
bit-strength of an algorithm by the square-root - much like a birthday<br>
attack.<br>
<br>
6. So in essence, take previous minimum strengths (128, etc) and double<br>
(to baseline 256, etc).<br>
<br>
<br>
<br>
So, what does this mean for everyone else? Not a lot.<br>
<br>
The problem is that NSA is mandated to protect US government agencies<br>
and not the rest of the world. Following standard threat modelling,<br>
they built their list of threats, not your list of threats. Their list<br>
of threats include a very well funded Chinese / Russian attack. Eg,<br>
state of the art, monster-grade quantum supercomputer. Which is only<br>
going to be used against the juciest of targets - the USA. Lets call<br>
this the Bletchley Park Attack.<br>
<br>
Our list of threats doesn't include that computer. Because, if any<br>
government wants our data, they'll spend $1000 to hire a local thief,<br>
not $1000000000 to deploy their monster machine on us.<br>
<br>
The NSA, by its own methodology and logic and customer, cannot afford to<br>
be wrong on this. We can afford to wait, and we can afford to be wrong.<br>
Wait and see. When ordinary people (botnet operators) can buy quantum<br>
computers that can crack keys, we'll know about it.<br>
<br>
<br>
<br>
iang<br>
<br>
<br>
ps; the key flaw in this debate is this: using someone else's threat<br>
model and not realising it's wrong for you. A common failing.<br>
_______________________________________________<br>
Ach mailing list<br>
<a href="mailto:Ach@lists.cert.at" target="_blank">Ach@lists.cert.at</a><br>
<a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" rel="noreferrer" target="_blank">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br>
</blockquote></div>