New NIST Encryption Guidelines

NIST has published a draft of their new standard for encryption use: “NIST Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms.” In it, the Escrowed Encryption Standard from the 1990s, FIPS-185, is no longer certified. And Skipjack, NSA’s symmetric algorithm from the same period, will no longer be certified.

I see nothing sinister about decertifying Skipjack. In a world of faster computers and post-quantum thinking, an 80-bit key and 64-bit block no longer cut it.

ETA: My essays from 1998 on Skipjack and KEA.

Tags: algorithms, encryption, key escrow, NIST

Posted on March 17, 2016 at 9:54 AM • 15 Comments

Comments

gerald • March 17, 2016 12:21 PM

As usual, Terms and Definitions are problematic, as is the Glossary in other documents. Several definitions are circuitous which I find indicative of presumption. Not sure why this is allowed to continue.

Remember SP800-90 • March 17, 2016 5:50 PM

But when your organization is not stuffed with NSA moles, you wind up with different guidelines, guidelines like this:

http://www.ohchr.org/Documents/Issues/Privacy/A-HRC-31-64.doc

Guidelines that take human beings into account.

Clive Robinson • March 17, 2016 8:10 PM

@ Bruce,

In a world of faster computers and post-quantum thinking, an 80-bit key and 64-bit block no longer cut it.

The question arises of “Just how long our other crypto standards going to last?”.

DES did not make it to the quater century mark and several stream ciphers and hashes likewise.

Realistically we can only say that history has taught us that crypto standards will be secure for less time than many infrastructure components minimum expected working life.

As I’ve mentioned befor it realy is time for NIST, ISO or other international standards organisation to come up with “upgradable framework standards” that can be required for inclusion in all products. Otherwise the usuall free market failing that gives a “race for the bottom” will produce a tsunami of security failings in infrastructure components that are all well within their expected life time. The cost of replacing such components will be prohibitive, thus infrastructure will be vulnerable. It would not be unfare to call this lack of upgradable framwork standard “a ticking time bomb”.

Jonathan Wilson • March 18, 2016 4:01 AM

I haven’t seen anything to suggest AES is going to be unusable anytime soon (unless there is some sort of big quantum computing progress I have yet to hear of…). Ditto with SHA2/SHA3. Even RSA has no real attacks if the key length you are using is strong enough.

Morris • March 18, 2016 5:56 AM

@Clive Robinson

There’s a site ‘Keylength’ which compares the various worldwide governmental standards against the dates they’re considered secure until. It takes into account whether the encryption is symmetric, the factoring modulus, the discrete logarithm, if it’s elliptic curve and if it’s used as a hash.

https://www.keylength.com/

I recall Bruce writing an essay on how he predicts the length of time an algorithm is secure for:

What algorithms are considered secure today? What about the future? Predictions are dicey at best, but they are essential in the business of cryptography.

https://www.schneier.com/essays/archives/1998/05/the_crypto_bomb_is_t.html

gerald • March 18, 2016 9:25 AM

I attempted to explain previously why this is similar to the password problem.

http://blogs.scientificamerican.com/roots-of-unity/psa-do-not-use-the-new-prime-number-for-rsa-encryption/

SchneieronSecurityFan • March 18, 2016 9:33 AM

There have been recent improvements in decryption from graphics processing unit (gpu)- based password crackers – both cluster based and cloud based systems.
I wonder if this document takes that into account.

David Leppik • March 18, 2016 9:49 AM

@SchneieronSecurityFan: For state actors, you have to assume they are not simply using GPUs, but special-purpose microchips designed to crack specific algorithms.

Either way, if you are vulnerable to a 100x hardware speedup, you should probably be using a longer key.

chopper • March 18, 2016 9:58 AM

@Clive
Otherwise the usuall free market failing that gives a “race for the bottom” will produce a tsunami of security failings in infrastructure components that are all well within their expected life time.

That’s a legitimate business model for all kinds of IT companies.

On the other side, there is no perfectly upgradeable solution. One thing we can be certain, things change.

z • March 18, 2016 3:48 PM

I always thought Skipjack was fascinating. As far as I am aware, it was the first block cipher designed by the NSA to be publicly released, which was pretty remarkable given the attitude of the US government toward encryption in the 90’s. It seemed to do a lot of things very well and efficiently compared to many of its contemporaries, particularly DES. I wonder if it would have been a better choice than 3DES as a stopgap solution until AES was adopted.

Jay • March 20, 2016 5:53 PM

Oh, the irony that the government continues to pursue better security while suggesting that citizens who want secure phones are criminals or fetishists.

My only response to the demand to weaken encryption standards is just two short words…

“You first.”

Whatever their excuse is for not reducing the effectiveness of their encryption is my justification as well.

Scott Arciszewski • March 21, 2016 1:23 PM

I see they’ve still christened AES-ECB and DSA, but no mention of deterministic ECDSA or EdDSA. I guess the takeaway here is that FIPS thinks unsafe symmetric-key encryption and US government ECDSA private keys compromised through implementation errors like the one Sony made are fine?

Scott Arciszewski • March 21, 2016 1:25 PM

@Jonathan Wilson:

Even RSA has no real attacks if the key length you are using is strong enough.

Unless you’re using textbook RSA, or encrypting with PKCS1v1.5 padding, or signing with e=3 and PKCS1v1.5 padding.

little person • March 21, 2016 9:42 PM

@Jay

The explanation is simple: Like the great kings of old, Obama thinks he’s a cut above the rest of us peons that he rules over. That’s why it’s fine for him to do something (like have security) that is a “fetish” if the rest of us try the same thing. He’s not a person. He’s a ruler. Emperor. Almighty God. He is above the law, because his omnipotent word is LAW. This thinking has become pervasive among government leaders and their followers it seems, I think it should be called a religion. They think they are Atheists but they are really Theists with certain mere humans elevated as Gods. It is a combination of Church and State at its core. A state religion. And you must bow or suffer the consequences.

little person • March 21, 2016 11:09 PM

I’d just like to mention that the pervasiveness of this State Religion of Rulership together with the omniscience of mass surveillance does not bode well for the future. The Dark Ages called and declared a great comeback coming soon.

New NIST Encryption Guidelines

Comments

Leave a comment Cancel reply