Joe Biden signed a letter in May 2022 that set the timer for the elimination of our current public ways. The deprecation of RSA and ECC techniques is expected to occur in the next years and result in one of the biggest transformations in cybersecurity history!
Public key encryption forms the basis of Internet security and trust in general. While symmetric key encryption is the mainstay, asymmetric approaches, often known as public key encryption, orchestrate the majority of the essential components. Thus, even if the encryption key you use was probably obtained using Elliptic Curve techniques, the privacy of our access to this website is probably achieved using AES or ChaCha20. Furthermore, it’s likely that an RSA or ECDSA signature was used to generate the check for the site’s legitimacy.
The Foundation of Internet Privacy: ECDH
Whitfield Diffie and Marty Hellman devised a technique for creating a shared encryption key by transmitting public values more than 40 years ago. Here, discrete logarithms were used:
Discrete logs are no longer effective, thus we now frequently utilize elliptic curve approaches (with the ECDH key exchange method):
Digital signatures are the foundation of online trust.
Thus, the PKI (Public Key Infrastructure), which is where we digitally sign data, lies at the heart of confidence on the Internet. Because Bob can produce an RSA or ECC key pair, hash the data, and then sign it with his private key. Alice then uses the corresponding public key to verify this signature. Alice cannot trust Bob to give the public key, which is a crucial aspect of this, so Trent encrypts it with a digital signature and signs it with his own private key:
The three primary digital signatures in FIP 186-5 are RSA, ECDSA, and EdDSA. A quantum computer will be able to decipher all of them and separate the secret key from the public key.
Public key encryption is being phased out
As you may be aware, Peter Shorr’s algorithm puts our current public key encryption techniques in jeopardy. So, in May 2022, Joe Biden approved a document committing the US to strengthening its leadership in quantum computing and protecting against the threats posed by current public key encryption techniques [here]:
You should pay attention to the warning that has just been issued by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST). A Cybersecurity Information Sheet (CSI) on Quantum Readiness is relevant here:
A set of PQC (Post Quantum Cryptography) algorithms are currently being finalized by NIST and are anticipated to be completed in 2024. For key exchange and public key encryption, the techniques that are moving toward standardization include CRYSTALS-Kyber; for digital signatures, the methods are CRYSTALS-Dilithium and SPHINCS+. While SPHINCS+ allows a hash-based signature technique, both Kyber and Dilithium and Kyber are lattice-based approaches. NIST has also made a fresh batch of techniques available.
The definition of a Quantum-Readiness Roadmap (CRQC) and discussion of the optimum migration paths with technology providers form the basis of the suggestions. Additionally, they advocate for the identification of all business sectors that utilize public key encryption technologies, particularly those that employ sensitive data or are a part of essential infrastructure.
Conclusions
Therefore, be ready. I will be giving presentations on PQC at the following events, if that interests you:
Thank you for reading this post, don't forget to follow my whatsapp channel
Discover more from TechKelly
Subscribe to get the latest posts sent to your email.