ST1 - session 5 - Crypto1 (1).pdf

Full Transcript

Secure Thinking
Session 5
The Crypto Wars – Part 1

Jeff Crume, PhD, CISSP, ISSAP
IBM Distinguished Engineer
NCSU Assistant Teaching Professor
[email protected]
 LAST ASSIGNMENT

Read:
– https://slate.com/news-and-politics/2020/03/
coronavirus-tsa-liquid-purell-paid-leave-rules.html
Do you agree or disagree with the position taken? Why?
CRYPTO BACKGROUND
 Crypto concepts
Cryptography is a method of secret
writing (encoding)
Elements:
– Plain text
– Key
– Algorithm
– Cipher text
 Crypto Success
Can’t be broken faster than brute
force
Kerckhoff’s Principle
– A cryptosystem should be secure
even if everything about the
system, except the key, is public
knowledge
– In other words, only the key should
be secret
“Every secret creates a potential
failure point.” – Bruce Schneier
 Cryptosystem
Typically comprised of 3 algorithms
“Anyone who attempts to generate
– Key generation
random numbers by deterministic
– Encryption means is, of course, living in a state
– Decryption of sin.” — John von Neumann
Key generation depends on
randomness
– Which is hard to achieve with a
deterministic system
– Pseudo Random Number
Generator (PRNG)
 Crypto Algorithms
Symmetric (secret key) Asymmetric (public key)
– Single key – Public key/Private key
Mathematically related
encrypts and decrypts Encrypt with one, decrypt with the
– DES: 56 bit key other
Freely distribute public key
Developed by IBM 1976
– RSA: 512/1024/2048 key
NIST standard 1978
– Elliptic Curve
– AES: 128/192/256 key – Can authenticate sender/
– Very fast receiver
– Requires key to be sent – 100-1,000 times slower
Symmetric Key Length Illustrated
Possible keys = 2n where n=key length

40 bits 56 bits 128 bits
References
 Crypto Quotes

“Cryptography is typically
bypassed, not penetrated.” –
Adi Shamir

“Anyone can create an
algorithm they can’t break.”
— Bruce Schneier
A type of lattice encryption that IBM has been working on since 2009. It makes it
possible to run analytics and machine learning on models and data sets while they
remain encrypted in an untrusted environment and provide answers back to trusted
source that can decrypt them in a secure environment.

Trusted environments Less trusted environments
How does it
work?
Data Data encoded Data encrypted
to plain text
Data
manipulated
while still
encrypted

Resultant Numbers Data decrypted
data decoded from
plain text
Quantum Computing and Cryptography
Quantum computers can
theoretically break current
asymmetric algorithms
Symmetric algorithms seem safe
with longer key lengths
NIST has been evaluating
quantum-safe algorithms since
2016
General consensus is that we are
safe for the foreseeable future but
work needs to be done
Scalable Fault-Tolerant Quantum Computers...

will crack most Public Key schemas (due to Shor’s Algorithm)
Public Key Encryption RSA DSA ECC

Digital Signatures ECDSA
Key Exchange Algorithms
DH

will weaken (halved) symmetrical crypto algorithms (due to Grover’s Algorithm)
Hashing SHA2 SHA3
Symmetric Encryption
TDES AES
Password derivation

Why is that a problem today?
IBM Quantum / © 2022 IBM Corporation
 The Quantum Threat
Situation Impact

There will be a time when the power of Quantum may crack Harvest now, decrypt later
public key cryptographic security protections schemes are underway to collect data now
for decryption when quantum computers
The advancement of Quantum technology and Quantum are powerful enough
algorithms (e.g., Shor’s, Grover’s) will break current crypto
algorithms. Replacing most of the
public-key systems
NIST predicts it may be possible to break 2000-bit RSA by currently in use will take 5 to 10 years
2030 – NIST report on Post Quantum Cryptography
Lifetime of data
This creates future exposure for network infrastructure,
means that sensitive data generated today
applications, data, identity management, legacy platforms that is not protected with quantum-safe
& devices, and B2B services. algorithms is at risk now

There is a 1 in 7 chance that fundamental public-key crypto will be It might seem as though cyber risk management leaders have time
broken by quantum by 2026, and a 1 in 2 chance of the same by to prepare, but the post-quantum cryptography era has already
2031.” begun for many companies, whether they realize it or not.
– Dr. Michele Mosca – McKinsey Digital
Institute of Quantum Computing When-and how-to prepare for post
IBM Quantum / © 2022 IBM Corporation University of Waterloo quantum crypto, May 4, 2022
How long do we have?
Common PK
Logical qubits required to break different algorithms Crypto
10000
x2.8 every
Schemes
x 2.0 every
two years
two years
The National Institute of Standards and Technology predicts (Moores law )

it may be possible to break 2000-bit RSA by 2030 – NIST
report on Post Quantum Cryptography ECC 256

Logical Qubits
x 1.6 every
two years ECC 224
1000 ECC 163 / RSA 512
“There is a 1 in 7 chance that some fundamental public-key ECC 110
crypto will be broken by quantum by 2026, and a 1 in 2 Progress
in
chance of the same by 2031” – Dr. Michele Mosca, Institute number
of Quantum Computing, University of Waterloo of qubits
Year

100

“Accenture believes the inflection point in quantum
2018 2020 2024 2026 2028 2030 2032 2034 2036 2038

computing is coming quickly and the ability to break
classical cryptography will be reached in the next 8 years.” Product Development Product Life Span
Time line
– Cryptography in a Post Quantum World, Accenture Product Security Lifespan

Data at Risk

Today Crypto – Clock hits 0

© 2021 IBM Corporation
 Journey to Quantum Safety - PQC Standardization
U.S. National Institute of Standards and Technology announced the first quantum-safe cryptography
protocol standards for cybersecurity (July 2022), three of which were created by IBM in collaboration with
industry and academic partners.

Purpose Algorithm Key differentiations with lattice cryptography:
Public-key Encryption and Key CRYSTALS-Kyber
Extremely efficient and fast implementations
establishment Algorithms
compared to RSA
Digital Signature Algorithms (DSA) CRYSTALS-DILITHIUM Support for widest range of applicability for hybrid
cloud & edge
DSA (alternate) Falcon

DSA (alternate) SPHINCS+ Building block for cryptographic advances (i.e., Fully
Homomorphic Encryption, Zero Knowledge Proofs, ID
NIST Selected Algorithms, July 5th
2022. NIST recommended two
based encryption)
primary algorithms to be
implemented for most use IBM z16, the industry’s first quantum-safe system,
cases: CRYSTALS-KYBER (key- uses CRYSTALS-Kyber and CRYSTALS-Dillithium as the
establishment) and CRYSTALS- underpinnings of its key encapsulation and digital
Dilithium (digital signatures). signature capabilities.

IBM
IBM Quantum
Quantum // ©
© 2022
2022 IBM
IBM Corporation
Corporation
https://www.schneier.com/blog/archives/2018/09/quantum_computi_2.html
ASSIGNMENT

Read these and be prepared to argue for and against the FBI’s demand of Apple

https://www.wired.com/story/the-time-tim-cook-stood-his-ground-against-fbi/
https://www.vice.com/en_us/article/8xeaep/who-has-bought-graykey-iphone-
unlocking-map