Cryptography is still Difficult to Implement

This is a recurring theme (see eg. this older post): how difficult it is to implement Cryptography in the “right” way. It requires a lot of knowledge and expertise in Cryptography; programming skills alone are not enough.

Recently I read this article “PRACTICAL BRUTEFORCE OF AES-1024 MILITARY GRADE ENCRYPTION” by Kudelski Security Research, in which they show how it was possible to brute force what was called “AES-1024 military grade encryption”. AES is not broken (and “AES-1024” does not really stand for AES with 1024-bit keys); the main problem was the custom procedure adopted to transform a user-chosen password into an AES encryption key.
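To make the point concrete, here is an added example (mine, not code from the Kudelski article or the product it analysed) contrasting a constructed, hypothetical weak password-to-key procedure with a standard key derivation function from the Python standard library. The weak procedure below is only an illustration of the general defect (no salt, no work factor, key entropy bounded by the password), not the actual scheme the article describes; the password and salt values are constructed.

```python
import hashlib
import math
import secrets


def weak_password_to_key(password: str, key_len: int = 32) -> bytes:
    """Constructed example of a weak custom password-to-key procedure.

    Hypothetical: NOT the scheme analysed in the Kudelski article. The
    password bytes are repeated and truncated to key_len, with no salt and
    no work factor. Whatever key_len is (even 128 bytes for an "AES-1024"
    label), the key carries no more entropy than the password itself.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    repeats = key_len // len(pw) + 1
    return (pw * repeats)[:key_len]


def derive_key_pbkdf2(password: str, salt: bytes, iterations: int = 600_000,
                      key_len: int = 32) -> bytes:
    """Standard password-based key derivation: PBKDF2-HMAC-SHA256.

    A random per-password salt stops precomputation across users, and the
    iteration count makes every password guess cost `iterations` HMAC calls.
    """
    if len(salt) < 16:
        raise ValueError("use a salt of at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=key_len)


def new_salt() -> bytes:
    """Fresh random salt; stored next to the ciphertext, it need not be secret."""
    return secrets.token_bytes(16)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols.

    No key-derivation step can add entropy, so this also bounds the entropy
    of the derived key, regardless of the key length the scheme advertises.
    """
    return length * math.log2(alphabet_size)


def effective_work_bits(alphabet_size: int, length: int, iterations: int) -> float:
    """Log2 of the hashing work needed to exhaust the password space when each
    guess costs `iterations` hash computations (PBKDF2's work factor).
    For the weak procedure above, iterations is effectively 1."""
    return password_entropy_bits(alphabet_size, length) + math.log2(iterations)


if __name__ == "__main__":
    # Two distinct passwords, one key: the weak procedure is not even injective.
    print(weak_password_to_key("abcd", 8), weak_password_to_key("abcdabcd", 8))
    salt = new_salt()
    print(derive_key_pbkdf2("correct horse battery staple", salt).hex())
    print(f"{password_entropy_bits(26, 8):.1f} bits of entropy from an 8-char lowercase password")
```

The design point is that a key-derivation step can only preserve or slow down the attacker's search over passwords, never enlarge it; PBKDF2 (or scrypt / Argon2 where available) adds the salt and the work factor that the custom procedure lacks, and the advertised key length is irrelevant to either.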

This again shows how difficult it is to implement Cryptography in a way that attains the expected security goals.

To Password or Not to Password…

It seems that in one year or so we could (or should I write “will”?) finally see the beginning of the demise of passwords. The FIDO Alliance is proposing an extension of their UAF protocol which should make it possible to access many online and company applications without a password. The trick is to use the user’s smartphone as the authenticating device with two significant requirements: the user should confirm her/his identity on the smartphone with a biometric authentication, and the smartphone should be directly connected to the device (PC) which is performing the authentication by eg. Bluetooth. More information can be found on the FIDO website (here) and other articles (eg. here and here).

Still, I am worried about the security of smartphones: more and more information, functionalities and security features are based on them, but, for example, we haven’t yet solved the problem of patching the Android system which most smartphones use. And what about using just the smartphone (or tablet), and not a PC, to access online / company applications?

Is “Post Quantum Crypto” Going Mainstream – Part 2?

OpenSSH released version 9.0 a few days ago (here is the announcement), which features the “hybrid Streamlined NTRU Prime + x25519 key exchange method by default.” In other words, the key exchange is performed by the standard X25519 ECDH key exchange algorithm (the previous default) paired with Streamlined NTRU Prime, a Post Quantum Crypto algorithm “believed to resist attacks enabled by future quantum computers.” If one of the two algorithms fails to protect the confidentiality of the encryption key, the other should continue to protect it, even if a quantum computer were able to successfully attack X25519 ECDH alone.
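A check a defender can run after upgrading, as an added example that is not code from the OpenSSH project or from the original post: it parses the `debug1: kex: algorithm:` line that `ssh -v` prints and the method list that `ssh -Q kex` prints, and flags connections that did not negotiate the post-quantum hybrid. The debug and query outputs below are constructed samples (not captured from real hosts), and the host names passed to `audit_hosts` are placeholders.

```python
import re
from typing import Dict, Optional

# Key exchange methods that pair X25519 with Streamlined NTRU Prime.
# "sntrup761x25519-sha512@openssh.com" is the OpenSSH 9.0 default;
# "sntrup4591761x25519-sha512@tinyssh.org" is the earlier experimental name.
PQ_HYBRID_KEX = {
    "sntrup761x25519-sha512@openssh.com",
    "sntrup4591761x25519-sha512@tinyssh.org",
}

# Constructed samples of `ssh -v` output (not captured from real hosts).
SAMPLE_DEBUG_PQ = """\
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
"""

SAMPLE_DEBUG_LEGACY = """\
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
"""

# Constructed sample of `ssh -Q kex` output (one method per line).
SAMPLE_QUERY_KEX = """\
sntrup761x25519-sha512@openssh.com
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
diffie-hellman-group16-sha512
"""

KEX_LINE = re.compile(r"^debug1: kex: algorithm: (\S+)", re.MULTILINE)


def negotiated_kex(debug_output: str) -> Optional[str]:
    """Key exchange method the client and server agreed on, if logged."""
    m = KEX_LINE.search(debug_output)
    return m.group(1) if m else None


def is_pq_hybrid(kex: Optional[str]) -> bool:
    return kex in PQ_HYBRID_KEX


def audit_hosts(debug_by_host: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'pq-hybrid', 'classical-only' or 'unknown'."""
    verdicts: Dict[str, str] = {}
    for host, output in debug_by_host.items():
        kex = negotiated_kex(output)
        if kex is None:
            verdicts[host] = "unknown"
        elif is_pq_hybrid(kex):
            verdicts[host] = "pq-hybrid"
        else:
            verdicts[host] = "classical-only"
    return verdicts


def client_offers_pq(query_output: str) -> bool:
    """True if the local client's supported method list includes a PQ hybrid."""
    offered = {line.strip() for line in query_output.splitlines() if line.strip()}
    return bool(offered & PQ_HYBRID_KEX)


if __name__ == "__main__":
    # Placeholder host names; feed the real output of `ssh -v host exit 2>&1`.
    print(audit_hosts({"bastion.example": SAMPLE_DEBUG_PQ,
                       "legacy.example": SAMPLE_DEBUG_LEGACY}))
    print("client offers PQ hybrid:", client_offers_pq(SAMPLE_QUERY_KEX))
```

Note the caveat the audit makes visible: a client that offers the hybrid method still negotiates a classical-only exchange against an older server, so the negotiated line (not the client's list) is what tells you whether a given connection got the post-quantum protection.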

Is “Post Quantum Crypto” Going Mainstream?

We do not know if or when Quantum Computers will arrive: 10 years, “at best” from the point of view of Quantum Computing and “at worst” from that of Cryptography.

Today Post Quantum Cryptography (PQC) aims to provide algorithms resistant to Quantum Computers, but it is still in a development phase (see eg. NIST for details).

Concerning information security and Quantum Computers, today we should worry about at least two issues:

  1. how long it will take to perform the transition to Post Quantum Crypto algorithms;
  2. how to protect information encrypted today with standard algorithms but that should still be protected in 10 or more years.

For the second point, one possibility is to adopt the emerging PQC algorithms already today and “double encrypt” sensitive long-term data with both a current algorithm and a PQC algorithm still under development, in the hope that if one of the two fails the other will keep protecting the data. And based on this IBM announcement (see also here), this seems to be starting right now.
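The property that makes “double encryption” worthwhile is that each layer's key must come from its own, independent secret. The following added example (mine, not from IBM or the original post) models that with a cascade of two layers: a toy keystream built from HMAC-SHA256 stands in for the real classical and PQC ciphers so that it runs on the standard library alone, the layer labels and sample plaintext are constructed, and the secrets are generated at random. It also shows the mistake to avoid, deriving both keys from one secret.

```python
import hashlib
import hmac
import secrets
from typing import Tuple


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. A constructed stand-in for a
    real cipher layer so that this example needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, label + counter.to_bytes(8, "big"),
                            hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def layer_apply(key: bytes, label: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt one layer (XOR with the keystream is its own inverse)."""
    stream = _keystream(key, label, len(data))
    return bytes(d ^ s for d, s in zip(data, stream))


def independent_layer_keys(secret_classical: bytes, secret_pq: bytes) -> Tuple[bytes, bytes]:
    """Derive each layer's key from its OWN shared secret.

    If the classical secret is later exposed (the quantum scenario), the PQ
    layer's key is unaffected because it never depended on that secret.
    """
    k_classical = hmac.new(secret_classical, b"layer:classical", hashlib.sha256).digest()
    k_pq = hmac.new(secret_pq, b"layer:pq", hashlib.sha256).digest()
    return k_classical, k_pq


def correlated_layer_keys(single_secret: bytes) -> Tuple[bytes, bytes]:
    """The mistake to avoid: both keys from one secret. They look different,
    but whoever recovers single_secret gets both layers at once."""
    k1 = hmac.new(single_secret, b"layer:1", hashlib.sha256).digest()
    k2 = hmac.new(single_secret, b"layer:2", hashlib.sha256).digest()
    return k1, k2


def cascade_encrypt(plaintext: bytes, k_classical: bytes, k_pq: bytes) -> bytes:
    """Inner layer under the classical key, outer layer under the PQ key."""
    inner = layer_apply(k_classical, b"classical", plaintext)
    return layer_apply(k_pq, b"pq", inner)


def cascade_decrypt(ciphertext: bytes, k_classical: bytes, k_pq: bytes) -> bytes:
    inner = layer_apply(k_pq, b"pq", ciphertext)
    return layer_apply(k_classical, b"classical", inner)


def peel_pq_layer(ciphertext: bytes, k_pq: bytes) -> bytes:
    """Remove only the PQ layer: what remains is still ciphertext under the
    classical layer. Used to check that one intact layer is enough."""
    return layer_apply(k_pq, b"pq", ciphertext)


def demo() -> bool:
    """Round trip with independent keys; True if the cascade property holds."""
    plaintext = b"long-term sensitive record (constructed sample)"
    k_c, k_p = independent_layer_keys(secrets.token_bytes(32), secrets.token_bytes(32))
    ct = cascade_encrypt(plaintext, k_c, k_p)
    round_trip_ok = cascade_decrypt(ct, k_c, k_p) == plaintext
    one_layer_not_enough = peel_pq_layer(ct, k_p) != plaintext
    return round_trip_ok and one_layer_not_enough


if __name__ == "__main__":
    print("cascade property holds:", demo())
```

Two caveats for real deployments: the toy layers are unauthenticated, whereas each real layer should be an authenticated cipher, and a cascade is only as strong as its stronger layer if the two secrets really are independent, which is why `correlated_layer_keys` defeats the purpose even though its two keys differ.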

Defeating MFA with MFA Prompt Bombing

And the weak link is … the human factor.

Not surprisingly, recent reports (see eg. here) describe how attackers abuse even MFA processes based on Authenticator Apps (on mobile phones). Of course it still requires some work: in a generic scenario the attacker must already know the username and password of the MFA-protected account or service under attack. But after that, bombing the user with second-factor authentication requests on the mobile App (in the middle of the night) sometimes results in access being granted (by someone who would really like to sleep).

This should not be possible with FIDO2 tokens or biometrics-based MFA, but the “human factor” is often very hard to predict…
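The pattern described above (a burst of push requests for one account, often at night, followed by an approval) is also detectable on the defender's side. The following added example, which is not code from the reports cited or from the original post, runs that detection over a constructed sample of authentication events; the log format (a UTC timestamp followed by key=value fields), the user names and the IP addresses are all made up for the example, and the threshold and window are tunable assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample of authentication events (hypothetical format: a UTC
# timestamp followed by key=value fields; not taken from any real product).
SAMPLE_LOG = """\
2022-03-29T02:10:05Z user=alice event=mfa_push_sent src=203.0.113.7
2022-03-29T02:10:41Z user=alice event=mfa_push_sent src=203.0.113.7
2022-03-29T02:11:13Z user=alice event=mfa_push_sent src=203.0.113.7
2022-03-29T02:11:52Z user=alice event=mfa_push_sent src=203.0.113.7
2022-03-29T02:12:30Z user=alice event=mfa_push_sent src=203.0.113.7
2022-03-29T02:13:04Z user=alice event=mfa_push_sent src=203.0.113.7
2022-03-29T02:13:20Z user=alice event=mfa_push_approved src=203.0.113.7
2022-03-29T09:02:11Z user=bob event=mfa_push_sent src=198.51.100.23
2022-03-29T09:02:25Z user=bob event=mfa_push_approved src=198.51.100.23
"""


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split one event into its timestamp and its key=value fields."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in parts[1:])
    return ts, fields


def is_off_hours(ts: datetime, start_hour: int = 22, end_hour: int = 6) -> bool:
    """Night-time window (in the log's time zone) where a push is unusual."""
    return ts.hour >= start_hour or ts.hour < end_hour


def detect_push_bombing(lines: Iterable[str], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Alert when one user receives `threshold` pushes inside `window`, and
    again if that user then approves a push while the burst is still open."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    in_burst = set()
    alerts: List[dict] = []
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, event = f["user"], f["event"]
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:      # drop pushes outside the window
                q.popleft()
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"type": "push_burst", "user": user,
                               "time": ts.isoformat(), "count": len(q),
                               "src": f.get("src"), "off_hours": is_off_hours(ts)})
        elif event == "mfa_push_approved" and user in in_burst:
            # The approval is the event that actually needs a response.
            alerts.append({"type": "approval_after_burst", "user": user,
                           "time": ts.isoformat(), "src": f.get("src"),
                           "off_hours": is_off_hours(ts)})
            in_burst.discard(user)              # close the episode
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(alert)
```

A burst alone can be a legitimate user retrying, so the threshold needs tuning per environment; the approval-after-burst alert is the one worth an immediate session review, and the `off_hours` flag helps rank it. On the prevention side, the same counter can drive a limit on how many pushes a single login attempt may generate.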


Towards Web 3, but first: What is it?

I am sorry, but I am confused.

I am reading and hearing about “Web 3”, but I am not sure if I understand what it is all about. It is quite possible that I missed some information.

So, as far as I understand:

  1. Web 1 seems to correspond to the first incarnation of the “WWW”, from the first years to the first e-commerce platforms (up to approx 2004)
  2. Web 2 seems to correspond to what we currently know as “WWW”, based on dynamic pages and services, or “Web as a platform”, where most services are centralised (eg. Cloud) and/or users are also producers of content (social media etc.)
  3. Web 3 is not here yet, but should be arriving soon and should be a “decentralised online ecosystem based on blockchain” (see Wikipedia); it should also incorporate some features envisioned by Tim Berners-Lee in his 1999 proposal of a “Semantic Web” (or Web 3.0, just to add to the confusion), which should be a web of data that can be processed by machines (that is, making Internet data machine-readable).

And 2021 should have been the year of the real beginning of Web 3, with crypto-currencies, NFTs and a general adoption of blockchain decentralised services. But opinions on this are quite divergent: from extremely optimistic to “marketing buzzword”.

I’ve tried to think about it and, from the little I understand, I see at least two points of view: that of persons and that of companies. For personal use of the WWW I do not think that much will change: there will still be services to use online, Apps to install (and update, but no pain please) and companies that will deliver all that (at a price or with other business models). From the company point of view, the only thing that comes to my mind is a parallel with the IT Out-sourcing / In-sourcing cycle: technologies and business models change, and approaches follow.

Still it is not really clear to me what Web 3 actually is or should be.

Managing Security “in the Clouds”

The number of Cloud security management platform solution categories (according to Gartner) continues to grow. As far as I know, this is the current list:

  1. Cloud Access Security Broker (CASB)
  2. Cloud Workload Protection Platform (CWPP)
  3. Cloud Security Posture Management (CSPM)
  4. Cloud Infrastructure Entitlement Management (CIEM)
  5. Cloud-Native Application Protection Platform (CNAPP)

(For details on what they are, look for example here.) And the list keeps growing… This means, on the one hand, that the market for Cloud security management solutions is growing rapidly and, on the other hand, that Cloud security is really an issue and that we haven’t yet found a good way to manage it.