Saturday, January 28, 2017

Encryption Update ** UPDATED **

(Update at the bottom)

So, the NSA and IAD just released an advisory memo directed at US government entities and NGOs/Corporations that deal with classified material. In a nutshell, they are raising the minimum required encryption level for top secret data effective immediately. So instead of referring to the NSA's Suite B cryptography, we will now refer to what they are calling the Commercial National
Security Algorithm Suite. The changes are as follows:

Former Suite B standards

- RSA-2048                                       (Key exchange/Digital Sig)
- ECDH/ECDSA P-256                    (Key exchange/Digital Sig)
- AES-128                                         (Symmetric encryption)
- Diffie-Hellman 2048                      (Key exchange)
- SHA-256                                        (Integrity check/hash)

New NSS standards

- RSA-3072                                      (Key exchange/Digital Sig)
- ECDH/ECDSA P-384                   (Key exchange/Digital Sig)
- AES-256                                        (Symmetric encryption)
- Diffie-Hellman 3072                     (Key exchange)
- SHA-384                                       (Integrity check/hash)

Okay great.....what does this mean to you?

Well, for one, if the NSA feels there is a threat great enough to warrant raising these standards to protect national security structure, then it only makes sense for the public to do the same. After all, I place I high value on my privacy and the sanctity of my "data".

Things you should be checking:

1. Your VPN provider (you are using a VPN, right?). Most of the providers I recommend already meet or exceed the new standards. There are, however, some that still employ RSA-2048 and AES-128. Find out what your provider is using and if it does not meet the standard as set forth above I would contact them and encourage them to implement it as soon as possible.....or move to a different provider.

2. Your PGP/GPG keys. More and more people are discovering and utilizing GPG encryption for their mail and personal file security. I have noticed though that many of the people that contact me via GPG are still using RSA-2048 keys. I would encourage you to switch to the stronger RSA-4096 keys (or better yet, ECC keys with non-NIST curves....if you are savvy with the terminal).

These couple of steps will greatly increase your personal/business security level and, frankly, are pretty painless to implement.

I should note that you will get hands on experience with these techniques at my GroundRod 2 course.

***  UPDATE ***

We looked at the Suite B standards and the new NSS standards, here are my recommendations:

For key negotiation/exchange:

      - RSA-4096
      - ECC Brainpool P-384 or P-512
      - ECC Curve25519
      - DH 4096

For symmetric (payload) encryption:

      - Twofish / Threefish
      - Serpent
      - AES-256

For integrity check/hash:

      - SHA-512
      - Whirlpool

 As you can see, I favor non-NIST standards as much as possible. For most VPN providers you are stuck with AES for channel encryption, however, and a couple others are working on implementing Serpent and Twofish as an option.

1 comment:

  1. thanks for sharing such an amazing and useful update. your way of writing is so good and compelling. where you collect all the data. it seems that you have a good sense of research too.:)