
Cryptography & Security Newsletter

116

Post-Quantum Cryptography Arrives

29 August 2024

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.

The US National Institute of Standards and Technology (NIST) released its first three post-quantum cryptography (PQC) standards earlier this month, on August 13, 2024. This release marks the first official results of the public competition that started eight years ago. Of the three standards, one (ML-KEM, based on Kyber) is for key agreement, and the other two (ML-DSA and SLH-DSA) are for digital signatures. Another standard, which will be called FN-DSA, is expected by the end of the year. Because this type of cryptography is fairly new, further backup standards are planned. For more details, read a blog post on the topic from Cloudflare.

If you haven’t been following the progress of PQC over the past eight years, clearly now is a good time to catch up and understand why we’re rushing to adopt new algorithms despite—so far as we know—there not being a working quantum computer.

To start, we need to understand that a lot of the cryptography we use today is based on mathematical problems that we don’t know how to break using today’s best algorithms and technology. However, if someone invented a new algorithm, all hell would break loose. In fact, we already know about two algorithms that would break or significantly weaken today’s cryptography: Shor’s algorithm for public key encryption and Grover’s algorithm for private key encryption. The catch is that they need quantum computers to work, and we don’t yet know how to build those.

If no one has a quantum computer, then what’s the rush? First, due to the potential for catastrophic breakage, it’s better to be early than late. Second, a lot of encryption has to survive for decades, and some believe that a working quantum computer is a couple of decades away. Thus, if you’re protecting serious secrets, you want to start using PQC now so that you remain secure for the foreseeable future. This is especially true for key agreement, which is why the industry has been testing Kyber with TLS even before the standardization.

In essence, there is no drama. The engineering community is doing its job to make sure “nothing happens” when the first working quantum computer is announced, in the same way that nothing happened as our calendars reached the year 2000—or when an advanced alien civilization visits our planet and laughs at the state of our cryptography.


Short News

Here are some things that caught our attention since the previous newsletter:

  • Pavel Durov, the CEO of Telegram, has been arrested on arrival in France and charged for not providing information to French authorities related to a variety of crime cases. Matthew Green is peeved that journalists refer to Telegram as an encrypted messaging service, which it is not.
  • Ryan Castellucci discovered that GivEnergy, a UK-based energy management provider, was using a 512-bit RSA key. It took only $70 and 24 hours to factor the key and thus gain access to about 60,000 systems and control 200 MW of capacity.
  • Proton VPN has deployed a new VPN protocol called Stealth, designed to evade blocking by appearing as standard HTTP traffic.
  • Sectigo has published a meta-linter called pkimetal, which unifies several other prominent linters into a single tool.
  • D. J. Bernstein criticized Clang for making it difficult to write safe crypto code, especially when it comes to timing attacks. A presentation from Bernstein that discusses vulnerable code snippets goes hand in hand with the critique.
  • Bouncy Castle is now FIPS 140-3 certified.
  • Mozilla has followed Google in distrusting Entrust.
  • A group of researchers has looked into the security of Kerberos and found it lacking due to its support for legacy cryptography. Some problems cited include the Bleichenbacher attack, parts that continue to use plaintext, and lack of forward secrecy.
  • Speaking of the Bleichenbacher attack, it’s useful to remind ourselves why so many cryptographers don’t like the RSA algorithm. Right or wrong, it’s also true that today we use many primitives that are equally fragile. RSA has suffered from being deceptively simple, which led many developers to believe they could implement it themselves, and from having been around much longer than other primitives, dating back to the early days of cryptography. The ecosystems that came after learned from the experiences with RSA.
  • Due to a trivial technical omission in its domain-validation procedure, DigiCert had to revoke about 0.4% of its certificates. DigiCert’s hands were tied in this case because the Baseline Requirements require prompt revocation for any and all misissuance, even in situations where the chances of real impact are small or nonexistent. In this case, according to DigiCert, the likelihood of a problem existing was about one in 2^150.
  • A new open-source tool called RTLF is designed to help discover timing attacks. During its development, the researchers tested 823 versions of eleven TLS libraries.
  • JP Aumasson and Chervine Majeri presented at Black Hat USA 2024 to discuss their experience with hardening hardware security modules (HSMs) to store crypto wallets.
  • On the topic of HSMs, Keyfactor has two short episodes on FIPS and multitenancy, and Ryan Hurst discusses the HSM attack model.
  • Researchers have published a passive attack that breaks 2G mobile protocols (GSM and GPRS).
  • A Trail of Bits blog post by Opal Wright enumerates mistakes commonly made when developers decide to write their own cryptographic code for hashing, message authentication, and key derivation.
