The U.S. Is Falling Behind on Encryption Standards – And That’s a … – eSecurity Planet

admin on July 25, 2023 Leave a Comment

eSecurityPlanet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The U.S. National Institute of Standards and Technology (NIST) is charged with setting cybersecurity standards and certifying products, yet is woefully behind on both. As new threats emerge were looking at you, quantum computing continued delays could become a crisis.

Two areas that are particularly concerning are delays in FIPS 140-3 certifications and the development of post-quantum cryptography.

FIPS 140-3 sets encryption and protection standards for everything from software, SSDs and HDDs to network switches and new quantum encryption standards, yet product certifications have been running far behind historical norms. As quantum computing technology continues to develop, this problem will become a crisis if it cant be resolved now.

The FIPS 140 standard started in January 1994 with FIPS 140-1, developed by a government and industry working group composed of vendors and users of cryptographic equipment. FIPS 140-2 was issued in May 2001 and FIPS 140-1 was sunsetted a year later.

FIPS-140 became the main input to the international standard ISO/IEC 19790:2006, Security requirements for cryptographic modules, issued in March 2006, so NIST was leading the standards process for much of the world. Hundreds, if not thousands, of products were certified under FIPS 140-2. The vendor community knew how to develop and maintain those products for almost two decades, and historically, certification took from six months to at most 12 months, unless something egregious was found, which did not happen very often because the process was well known and vendors knew what to do and how to do it.

FIPS 140-3 was issued in March 2019 and certification submissions began in September 2020. The FIPS 140-3 standard did not change encryption algorithms or key size. What did change in FIPS 140-3 is that the standard now evaluates security requirements at all stages of cryptographic module creation, including design, implementation and final operational deployment. FIPS 140-3 also requires different authorization levels and users for management activities, similar to what SELinux requires with a SecAdmin user (security admin) and an AuditAdmin (the administrator of the audit files). So the vendor community had some changes to make, but hardware vendors most likely did not have to create a new ASIC with new algorithms and merely had to modify firmware.

Today we are almost three years into FIPS 140-3 submissions, and while we had a Covid shutdown during some of that time, it doesnt explain why there have only been seven FIPS 140-3 certifications as of last week, the last one nearly six months ago (chart below), and another 189 (and growing) in the certification process. I doubt the vendor community is so incompetent that they couldnt comply with the minor changes required to get products certified. Add to this that both hardware and software FIPS 140-2 products are likely gone, as the last submission to FIPS 140-2 was March 2022 and those products likely reached end-of-life some time ago.

FIPS 140-3 certified products as of July 18, 2023

The lack of FIPS 140-3 products is seriously hurting our security posture, and there are no public statements from NIST on when or if the certification process will catch up.

See theTop Enterprise Encryption Products

Those delays are coming at the same time the agency is overseeing a process to evaluate and standardize quantum-resistant public-key cryptographic algorithms.

The facts are pretty simple:

This process has been going on since 2016, and since that time there has been a huge increase in quantum technology and an equally large increase in quantum understanding and interest. Yet seven years later, we have only four algorithms, and one of those, SIKE, was cracked with a single core and one hour of CPU time. This does not give me warm fuzzies that the other NIST algorithms are solid, but I suppose since the others have not yet been publicly shamed, there is hope.

Related content: Confidential Computing Use Cases & Vendors

The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market.

It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product certified, which seems to be taking a troubling amount of time.

I am not sure that NIST is up to the dual challenge of getting the algorithms out and products certified so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome.

Since NIST is both the standards and certification body for standards for our nation and much of the world, I find the situation both disheartening and pretty scary. Not a week goes by without some new quantum announcement from vendors, and not a day goes by without another major cybersecurity incident.

We deserve and need standards that provide the nation a modicum of security, and we need a standards body that is looking ahead to the future and ensuring that we will be protected. At the moment we have neither, and can only hope that the Biden Administrations Cybersecurity Strategy can fix this.

Read next: Top Full Disk Encryption Software

Read the original post:
The U.S. Is Falling Behind on Encryption Standards - And That's a ... - eSecurity Planet

Related Posts
Posted in Encryption

Comments are closed.