Quantum-Resistant Cryptography Not a Matter of ‘If’ but ‘Right Now’

Steven Sim Kok Leong
Author: Steven Sim Kok Leong, CGEIT, CISA, CRISC, CISM, CDPSE, Member, ISACA Emerging Trends Working Group and Information Security Advisory Group; Adviser, ISACA Singapore Cybersecurity SIG; and Chair, OT-ISAC Executive Committee
Date Published: 13 October 2023

Crypto-agility appears in this year’s Gartner Hype Cycle, an annual analysis released for data security and emerging technologies. Gartner added both crypto-agility and post-quantum cryptography for the first time this year. The presence of data-in-use technologies in the Hype Cycle reflects the focus on data-in-transit security.

It is imperative that organizations watch this space closely and upgrade the encryption algorithms they use in real time, because sovereign data strategies and digital communications governance are crucial areas to develop. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) was already urging organizations to prepare for the dawn of this new age in August.

There is less concern with symmetric keys. When sufficiently large key sizes are used, symmetric key cryptographic systems like AES are already resistant to attacks. Key management systems and protocols that use symmetric key cryptography instead of public key cryptography are inherently secure against attacks by a quantum computer. The expanded use of Kerberos-like symmetric key management is an alternate means to achieve post-quantum cryptography without needing to rely on the newer asymmetric cryptography.

However, public key cryptographic systems need to catch up. NIST has already released some candidate ciphers. This year is the seventh year in which NIST has been reviewing candidate algorithms, narrowing 80 algorithm submissions down to a few. One of the finalist algorithms, the SIKE encryption algorithm, was hacked in 62 minutes using a laptop. The researchers used a single core of a six-core Intel Xeon processor.

We must worry about “harvest now, decrypt later” attacks. NIST’s anticipated completed post-quantum standards will replace the three existing public key cryptographic standards deemed most vulnerable: FIPS 186-5 (DSS), NIST SP 800-56A (ECC CDH) and NIST SP 800-56B (RSA).

Given the potential for quantum computers to break cryptographic standards more easily, we need to move from determining which algorithms are quantum-proof to determining which algorithms are quantum-resistant. Because finding durable, robust ciphers is becoming increasingly challenging, we need the agility to adapt to future cryptographic threats.

This capability, or “crypto-agility” as Gartner calls it, has actually already manifested itself in some of the well-known software we use today. To this end, a number of software companies have already made their moves. Google and Signal are among the technology companies that have demonstrated crypto-agility. To overcome the “harvest now, decrypt later” threat, they have developed hybrid mechanisms which raise the difficulty for attackers, who must crack multiple ciphers, at least one of which is quantum-resistant.

In August this year, Google introduced a quantum-resistant hybrid cryptographic mechanism, X25519Kyber768, in Chrome 116 to encrypt TLS connections. Google also released the first quantum-resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature scheme co-created with ETH Zurich. Dilithium is a quantum-resistant cryptographic standard acclaimed for its security and performance. This hybrid implementation supports the FIDO U2F and FIDO2 standards.

In September this year, Signal added quantum-resistant encryption to its E2EE messaging protocol. Signal explains that its X3DH (Extended Triple Diffie-Hellman) key agreement protocol has been upgraded to PQXDH (Post-Quantum Extended Diffie-Hellman). PQXDH combines X3DH’s Elliptic Curve (EC) key agreement protocol with a post-quantum key encapsulation mechanism called CRYSTALS-Kyber, which is also one of the NIST-approved quantum-resistant cryptographic algorithms suitable for general encryption and speedy operations that rely on small encryption keys.
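The hybrid schemes described in the two paragraphs above (Chrome’s X25519Kyber768 and Signal’s PQXDH) share one design idea: a classical shared secret and a post-quantum shared secret are fed together through a key derivation function, so the session key stays secret unless an attacker recovers both. The following added example, which is not code from the article, from Google or from Signal, shows that combiner step with a stdlib HKDF (RFC 5869). The two shared secrets are constructed placeholders standing in for the outputs of an X25519 exchange and a Kyber decapsulation; the label `hybrid-session-key` and the transcript binding are this example’s own choices.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): OKM = T(1) | T(2) | ... truncated to `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Combine a classical (e.g. X25519) and a post-quantum (e.g. Kyber) shared
    secret into one 32-byte session key.

    Both secrets go into the same HKDF input, and the hash of the handshake
    transcript is used as the salt so the key is bound to the public values
    exchanged. Recovering the key requires BOTH secrets: breaking the elliptic
    curve part alone (the quantum threat) leaves ss_pq unknown, and vice versa.
    Secrets are length-prefixed so the concatenation is unambiguous.
    """
    def lp(b: bytes) -> bytes:
        return len(b).to_bytes(2, "big") + b

    salt = HASH(transcript).digest()
    prk = hkdf_extract(salt, lp(ss_classical) + lp(ss_pq))
    return hkdf_expand(prk, b"hybrid-session-key", 32)


def demo() -> dict:
    """Simulate both peers and an attacker who has only the classical secret.

    The shared secrets are constructed placeholders, not real X25519/Kyber output.
    """
    ss_classical = secrets.token_bytes(32)   # would come from X25519
    ss_pq = secrets.token_bytes(32)          # would come from Kyber decapsulation
    transcript = b"constructed handshake transcript: client_hello|server_hello"

    alice_key = hybrid_session_key(ss_classical, ss_pq, transcript)
    bob_key = hybrid_session_key(ss_classical, ss_pq, transcript)

    # An attacker who broke the curve knows ss_classical but must guess ss_pq.
    attacker_key = hybrid_session_key(ss_classical, secrets.token_bytes(32), transcript)

    return {
        "peers_agree": alice_key == bob_key,
        "attacker_with_classical_only": attacker_key == alice_key,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'peers_agree': True, 'attacker_with_classical_only': False}`. The property that matters for crypto-agility is visible in `hybrid_session_key`: swapping the post-quantum component later (for example if a KEM is withdrawn, as SIKE was) changes only one input to the combiner, not the surrounding protocol.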

To sum up what we need to accomplish in order to protect our organizations from emerging threats, the very first thing we need to do is to establish crypto-agility. To achieve this, we should follow CISA’s recommendation that all organizations start following the post-quantum cryptography roadmap, which consists of the following seven steps:

  1. Increase engagement with post-quantum standards developing organizations.
  2. Take inventory of the most sensitive and critical datasets that must be secured for extended time.
  3. Take inventory of systems using cryptographic technologies to facilitate a smooth transition in future.
  4. Identify acquisition, cybersecurity, data security standards that require updating.
  5. Identify where and for what purpose public key cryptography is used and mark it as quantum vulnerable.
  6. Prioritize systems for cryptographic transition based on functions, goals, and needs.
  7. Develop plan for systems transitions upon publication of post-quantum cryptographic standard.
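Steps 2, 3, 5 and 6 of the roadmap above can be started with a plain inventory exercise: list each system’s cryptographic algorithm, key size and how long its data must stay confidential, mark the public-key entries as quantum vulnerable, and rank them for transition. The added example below (not code from the article or from CISA) does that over a constructed CSV inventory with hypothetical system names. The thresholds are this example’s assumptions: 256-bit symmetric keys are treated as sufficient, as the article’s remark on AES key sizes suggests, and data that must remain secret for 10 years or more is treated as exposed to “harvest now, decrypt later”.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory; the systems are hypothetical, not from the article.
INVENTORY_CSV = """system,algorithm,key_bits,purpose,confidentiality_years
vpn-gateway,RSA,2048,TLS server certificate,1
hr-archive,AES,128,data-at-rest encryption,15
payments-api,ECDH,256,TLS key exchange,10
backup-vault,AES,256,data-at-rest encryption,25
code-signing,ECDSA,256,firmware signatures,8
pilot-messaging,Kyber768,0,key encapsulation,5
"""

# Public-key schemes whose security rests on factoring or discrete logarithms,
# i.e. the ones a large quantum computer running Shor's algorithm would break.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA", "X25519"}
# NIST-selected post-quantum algorithms named in the article.
POST_QUANTUM = {"KYBER512", "KYBER768", "KYBER1024", "DILITHIUM2", "DILITHIUM3", "DILITHIUM5"}
SYMMETRIC = {"AES", "CHACHA20"}
MIN_SYMMETRIC_BITS = 256  # assumption: 256-bit symmetric keys count as sufficiently large
LONG_LIVED_YEARS = 10     # assumption: secrets kept this long face harvest-now-decrypt-later


@dataclass
class Asset:
    system: str
    algorithm: str
    key_bits: int
    purpose: str
    confidentiality_years: int


def load_inventory(text: str) -> list[Asset]:
    """Step 3: parse the inventory of systems that use cryptography."""
    rows = csv.DictReader(io.StringIO(text))
    return [Asset(r["system"], r["algorithm"], int(r["key_bits"]), r["purpose"],
                  int(r["confidentiality_years"])) for r in rows]


def classify(asset: Asset) -> str:
    """Step 5: mark public-key use as quantum vulnerable; note short symmetric keys."""
    alg = asset.algorithm.upper()
    if alg in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if alg in POST_QUANTUM:
        return "post-quantum"
    if alg in SYMMETRIC:
        return "quantum-resistant" if asset.key_bits >= MIN_SYMMETRIC_BITS else "symmetric-key-too-short"
    return "unknown-review"


def priority(asset: Asset) -> int:
    """Step 6: 1 = migrate first. Vulnerable public-key crypto guarding
    long-lived secrets (step 2's sensitive datasets) outranks everything else."""
    status = classify(asset)
    if status == "quantum-vulnerable":
        return 1 if asset.confidentiality_years >= LONG_LIVED_YEARS else 2
    if status in ("symmetric-key-too-short", "unknown-review"):
        return 3
    return 4


def transition_plan(text: str) -> list[tuple[str, str, int]]:
    """Return (system, status, priority) ordered by priority, then longest data lifetime."""
    assets = load_inventory(text)
    ranked = sorted(assets, key=lambda a: (priority(a), -a.confidentiality_years, a.system))
    return [(a.system, classify(a), priority(a)) for a in ranked]


if __name__ == "__main__":
    for system, status, prio in transition_plan(INVENTORY_CSV):
        print(f"P{prio}  {system:16} {status}")
```

On the constructed data the plan lists `payments-api` first (ECDH key exchange protecting data that must stay confidential for a decade), the two other public-key systems next, then the AES-128 archive as a key-size review item, and the AES-256 vault and the Kyber pilot last. The same loop, pointed at a real inventory export, gives a first cut of step 7’s transition plan that can be re-run each time an algorithm is added to or removed from the vulnerable set.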

So, while we continue to watch this quantum entanglement space ever more closely, let’s keep ourselves crypto-agile with quantum-resistant (or resilient) cryptography. It is not a matter of “if” but “now”.
