Implementation Flaws Identified in Post-Quantum Encryption Algorithm

 

Two implementation flaws have been identified in the Kyber key encapsulation mechanism (KEM), an encryption standard designed to protect networks from future attacks by quantum computers. Collectively known as "KyberSlash," these flaws could allow attackers to discover encryption keys.

“Timing attacks of this nature are a derivative of broader ‘side channel’ attacks, which can be used to undermine any type of encryption, including both classical and post-quantum algorithms,” Andersen Cheng, founder of Post-Quantum, explained. “With this type of attack, the adversaries send fake (and known) ciphertext and measure how long it takes to decipher. They can then infer the timings for each attempt and reverse engineer the actual key-pair.” 

On December 1st, Franziskus Kiefer, Goutam Tamvada, and Karthikeyan Bhargavan, all researchers at the cybersecurity firm Cryspen, reported the vulnerabilities to Kyber's development team. A patch for the encryption standard was released immediately, but since it wasn't classified as a security vulnerability, Cryspen started notifying projects in advance, as of December 15, that they needed to implement the fix.

Google, Signal, and Mullvad VPN have all adopted versions of the Kyber post-quantum encryption standard; however, Mullvad VPN has since confirmed that the vulnerability does not affect their services.

Post-quantum encryption rush

Kyber was first submitted for assessment to the US National Institute of Standards and Technology (NIST) in 2017, as part of the organisation's competition to test and approve an encryption standard capable of safeguarding networks against future quantum computer attacks. Though a machine with enough qubits to use Shor's algorithm to break RSA encryption and similar standards has yet to be developed, recent breakthroughs in scaling quantum computers and mounting speculation about "Harvest Now, Decrypt Later" attacks have generated increased interest in adopting post-quantum standards among governments and large businesses.

Several algorithms entered into the NIST competition were shown to be susceptible to conventional attacks. These include the Rainbow and SIKE standards, the latter of which was broken by KU Leuven researchers in 2022 in less than an hour using an average computer. In February 2023, a team from Sweden's KTH Royal Institute of Technology used highly complex deep learning-based side-channel attacks to destabilise Kyber's official implementation, CRYSTALS-Kyber. However, Kyber was one of six for which NIST published draft standards last summer, with plans to finalise the competition later this year.

Kyber flaws 

Meanwhile, the Kyber KEM has been adopted by a number of major organisations. Google announced in August 2023 that it would employ Kyber-768 as part of a hybrid system to safeguard Chrome browser traffic at the transport layer security level. Similarly, in September Signal secured its "Signal Protocol," which is also used to ensure end-to-end encryption in Google and WhatsApp conversations, by implementing Kyber-1024 in conjunction with an elliptic curve key agreement protocol.

This hybrid approach to deploying post-quantum encryption standards is intended to safeguard network traffic against attack in case new vulnerabilities are discovered. Since the KyberSlash vulnerabilities were identified, the researchers say that patches have been implemented by the Kyber development team and AWS. The team also cited a GitHub library written by Kudelski Security. When approached by a local media outlet, the cybersecurity firm stated that the listed code was not utilised in any of its commercial products and should not be used in production, but that it had still incorporated a patch for the KyberSlash vulnerabilities in a new version of the library.

Nevertheless, Cheng believes it is a significant step forward for the post-quantum encryption community because its focus on flaws has shifted from vulnerabilities in the mathematics that underpins the standards to implementation attacks. “It will be the responsibility of each organisation implementing new encryption to ensure the implementation is robust,” stated Cheng. “That’s why it is so important that teams working on the migration to post-quantum encryption have deep engineering understanding and ideally, existing experience in deploying the cryptographic algorithms.”
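To make the implementation point concrete, here is an added example (not code from the article, Cryspen, or the Kyber project) of the kind of change that removes a timing leak of this class: a division whose operand depends on a secret coefficient, beside a multiply-and-shift form that gives the same result. The function names are hypothetical; 3329 is Kyber's modulus, and the constants 80635 and 1665 are derived in the comments.

```c
#include <stdint.h>
#include <stdio.h>

#define Q 3329u /* Kyber modulus */

/* Variable-time form: rounds a coefficient in [0, Q) to one message bit
 * using integer division. Where divide latency depends on the operand,
 * run time varies with the secret coefficient. */
static uint32_t decode_bit_div(uint32_t coeff)
{
    return (((coeff << 1) + Q / 2) / Q) & 1u;
}

/* Constant-time form: multiply by a fixed-point reciprocal and shift.
 * 80635 = floor(2^28 / Q). Adding 1665 instead of Q/2 = 1664 absorbs
 * the reciprocal's truncation error for every input in [0, Q). */
static uint32_t decode_bit_ct(uint32_t coeff)
{
    uint32_t t = (coeff << 1) + 1665u;
    t *= 80635u; /* at most 8321 * 80635, which fits in 32 bits */
    t >>= 28;
    return t & 1u;
}

/* Exhaustive equivalence check over the whole input domain.
 * Returns how many coefficients the two forms disagree on. */
static unsigned count_mismatches(void)
{
    unsigned bad = 0;
    for (uint32_t c = 0; c < Q; c++)
        if (decode_bit_div(c) != decode_bit_ct(c))
            bad++;
    return bad;
}

/* Counts the coefficients that decode to bit 1 under decoder f. */
static unsigned count_ones(uint32_t (*f)(uint32_t))
{
    unsigned ones = 0;
    for (uint32_t c = 0; c < Q; c++)
        ones += f(c);
    return ones;
}

int main(void)
{
    printf("mismatches: %u, ones: %u\n",
           count_mismatches(), count_ones(decode_bit_ct));
    return count_mismatches() != 0;
}
```

Matching results are only half the check: inspect the compiled output for the target platform and optimisation level to confirm that no divide instruction remains on the secret-dependent path.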

The Role of Cryptography in Data Safety

 

Cryptography is an information security strategy that uses codes to shield business data and communications from online threats. Security professionals describe it as the art of concealing information to guard against unauthorised access to your data.

This technique employs mathematical principles and a series of calculations based on rules, known as algorithms, to alter messages in ways that are challenging to understand. It also refers to secure information and communication systems. 

These algorithms are then applied to the creation of cryptographic keys, digital signing, data privacy protection, internet browsing, and private email and credit card transactions. Confidentiality, integrity, authentication, and non-repudiation are only a few of the information security-related goals that are met by cryptography. In this article, we analyse what this tells us regarding cryptography.

Safeguards data privacy 

In terms of cryptography, privacy is of utmost importance. It indicates that the transmitted information is secure from unauthorised access at all points in its lifetime and can only be accessed by those with the proper authorization. 

The privacy of individuals whose personal information is held in enterprise systems must be protected, which calls for confidentiality. Therefore, the only way to guarantee that the data is secure while it is being stored and delivered is through encryption. 

Without the proper decryption keys, encrypted data is practically useless to unauthorised individuals even when the transmission or storage media has been compromised. 

Data's integrity is ensured 

Integrity in the context of security refers to the accuracy of information systems and the data they include. Integrity refers to the ability of a system to transport and process data in a predictable manner. 

The data is unchanged even after processing. Data integrity is guaranteed by cryptography employing message digests and hashing techniques. 

The receiver is made certain that the data received has not been tampered with during transmission by supplying codes and digital keys to confirm that what is received is authentic and comes from the intended sender. 

Maintain information security using effective cryptography techniques

One of the primary concerns for firms trying to compete in the modern business environment is information security. Cryptography can help you protect your intellectual property by keeping it safe from hackers and other threat actors when used properly. 

You can also investigate additional techniques, such as online application penetration testing, internal network penetration testing, or cybersecurity awareness training, in the meantime and take preventative measures to safeguard important company resources.