Quantum Computers – Boon or Bane?
Quantum computers can perform operations much more quickly and efficiently even with the use of less energy than conventional computers, but that’s bad news for encryption — a process which scrambles data according to a massively complex mathematical code.
In theory, quantum computers can break almost all the existing encryption algorithms used on the
Mike Mimoso and Chris Brook discuss the news of the week, including a wireless keyboard vulnerability – KeySniffer, NIST’s statement on 2FA, a LastPass remote compromise bug, and a new Tor paper.
SMS-based Two-Factor Authentication (2FA) has been declared insecure and soon it might be a thing of the past.
Two-Factor Authentication or 2FA adds an extra step of entering a random passcode sent to you via an SMS or call when you log in to your account as an added layer of protection.
For example, if you have 2FA enabled on Gmail, the platform will send a six-digit passcode to your mobile
The U.S. National Institute for Standards and Technology (NIST) said SMS-based two factor authentication would soon be deprecated.
Red Hat achieved its latest successful FIPS 140 validation back in April 2013. Since then, a lot has happened. There have been well publicized attacks on cryptographic protocols, weaknesses in implementations, and changing government requirements. With all of these issues in play, we want to explain what we are doing about it.
One of the big changes was that we enabled support of Elliptic Curve Cryptography (ECC) and Elliptic Curve Diffie Hellman (ECDH) in Red Hat Enterprise Linux to meet the National Institute of Standards and Technology’s (NIST’s) “Suite B” requirements taking effect this year. Because we added new ciphers, we knew we needed to re-certify. Re-certification brings many advantages to our government customers, who not only benefit from the re-certification, but they also maintain coverage from our last FIPS 140 validation effort. One advantage of re-certification is that we have picked up fixes for BEAST, Lucky 13, Heartbleed, Poodle, and some lesser known vulnerabilities around certificate validation. It should be noted that these attacks are against higher level protocols that are not part of any crypto primitives covered by a FIPS validation. But, knowing the fixes are in the packages under evaluation should give customers additional peace of mind.
The Red Hat Enterprise Linux 6 re-certification is now under way. It includes reworked packages to meet all the updated requirements that NIST has put forth taking effect Jan. 1, 2014, such as a new Deterministic Random Bit Generator (DRGB) as specified in SP 800-90A (PDF); an updated RSA key generation technique as specified in FIPS 186-4 (PDF); and updated key sizes and algorithms as specified in SP 800-131A (PDF).
Progress on the certification is moving along – we’ve completed review and preliminary testing and are now applying for Cryptographic Algorithm Validation System (CAVS) certificates. After that, we’ll submit validation paperwork to NIST. All modules being re-certified are currently listed on NIST’s Modules in Process page, except Volume Encryption (dm-crypt). Its re-certification is taking a different route because the change is so minor thus not needing CAVS testing. We are expecting the certifications to be completed early this year.