Encryption Australia

Australia Moves To Drop Some Cryptography By 2030 (theregister.com)

An anonymous reader shares a report: Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 -- years before other nations plan to do so -- over fears that advances in quantum computing could render it insecure.

The Land Down Under's plans emerged last week when the Australian Signals Directorate (ASD) published guidance for High Assurance Cryptographic Equipment (HACE) -- devices that send and/or receive sensitive information -- that calls for disallowing the cryptographic algorithms SHA-256, RSA, ECDSA and ECDH, among others, by the end of this decade.

Bill Buchanan, professor in the School of Computing at Edinburgh Napier University, wrote a blog post in which he expressed shock that the ASD aims to move so quickly. "Basically, these four methods are used for virtually every web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent," he wrote. "The removal of SHA-256 definitely goes against current recommendations."

  • I'm all for replacing these 4 with more resistant algorithms... but are there any that are viable?

    When we started swapping out for Ellipticals... we ran into a host of issues with implementations and hardware performance issues.

    Haven't heard much in terms of vendor support at the security appliance vendor side, or the cert providers side for anything we can migrate to without breaking things. Will need to caveat that with me not spending days looking into it. Just from cursory research for client lifecycle

    • I think they're trying to push vendors to support the preferred options (ML-KEM for key establishment, ML-DSA and SLH-DSA for digital signature algorithms). NIST IR 8547 [nist.gov] (still in draft) calls for the same algorithms but with a target date of 2035. OpenSSL is starting to implement these in their mainstream code (Github ticket for ML-KEM-2014 and ML-KEM-512 implementation [github.com]), but it will likely be a while until they're production ready. They've been experimenting with them in the open-quantum-safe project for

      • by Myria ( 562655 )

        They really should use quantum-resistant algorithms alongside a traditional algorithm for now so that you have to crack both. Quantum algorithms are very new compared to our old favorites. One of the NIST finalists for quantum-resistant crypto was cracked using classical computing near the end of the standardization process, highlighting the danger of relying on these alone.
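        One way to get the "have to crack both" property the comment above asks for is a concatenation combiner: feed the classical and the post-quantum shared secrets together into one KDF. The following is an added example (my own code, not the poster's and not any library's API); the HKDF is RFC 5869 over SHA-256, and the shared secrets, transcript and the `attacker_can_derive` model are constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); empty salt -> zero block."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_session_key(ss_classical: bytes, ss_pq: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Concatenation combiner: the session key is derived from BOTH the classical
    (e.g. ECDH) and the post-quantum (e.g. ML-KEM) shared secret, bound to the
    handshake transcript. Recovering only one secret says nothing about the key."""
    if not ss_classical or not ss_pq:
        raise ValueError("both shared secrets must be present")
    prk = hkdf_extract(b"", ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid-demo v1|" + transcript, length)

def attacker_can_derive(known_classical: Optional[bytes], known_pq: Optional[bytes],
                        transcript: bytes, real_key: bytes) -> bool:
    """Model an attacker holding some of the secrets (None = not recovered).
    A missing secret has to be guessed; an all-zero guess stands in for that."""
    guess_c = known_classical if known_classical is not None else bytes(32)
    guess_pq = known_pq if known_pq is not None else bytes(32)
    return hmac.compare_digest(hybrid_session_key(guess_c, guess_pq, transcript), real_key)

# Constructed sample secrets and transcript (not output of a real handshake).
SS_ECDH = bytes.fromhex("11" * 32)
SS_MLKEM = bytes.fromhex("22" * 32)
TRANSCRIPT = b"client_hello|server_hello"
```

        The HKDF functions can be checked against RFC 5869 test case 1; the combiner then yields a different key whenever either input secret changes.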

  • The summary of this article would have benefitted from the mention that the algorithms mentioned are going to be replaced with post-quantum algorithms. Also, it's worth mentioning, as many governments move away from factorization and discrete-log methods of cryptography to, say, lattice and other methods of post-quantum cryptography, Bitcoin isn't.

    One reason that I suspect Bitcoin isn't is because post-quantum algorithm byte lengths are long, most are greater than 700. In comparison, BLS signatures, which E

  • Quoting a recent "EMVCo Position Statement, Quantum Computing and EMV® Chip Cryptography"

    > The most optimistic projections suggest that the earliest date that a cryptographically significant quantum computer could be built would be around 2040.

    Source: an expert report commissioned by EMVCo, dated 2024/03/08, marked published 2024/09, online since 2024/12/17 at https://www.emvco.com/resource... [emvco.com] (requires click-thru approval of license terms). I second their opinion.

  • by ceoyoyo ( 59147 )

    Australia wants to replace all the cryptography algorithms on the secret systems they use to transmit highly classified data! But the web depends on these algorithms!

    Fortunately, the web is not a secret Australian high security transmission system.

    It is interesting they want to replace SHA-256, but maybe they're just replacing it with SHA-512. Doubling key lengths IS a current recommendation.

    In such cases, care must be taken to ensure that an appropriate alternative hashing algorithm is being used, such as

    • Yeah, it was an interesting choice to include SHA-256 - since that's not thought to be particularly susceptible to quantum attack. But probably the actual review was broader, and (as you pointed out) the reviewers figured "if we're already looking at encryption standards because of quantum attack concerns, we might as well also mandate a move to SHA-512 since that has to happen eventually regardless".

      • by ceoyoyo ( 59147 )

        Most of the recommendations regard SHA (and AES) as "quantum resistant" which means that quantum computers could theoretically speed up cracking them, but not enough to "break" them. So to be safe the recommendation is to increase your key length, which restores your safety to many lifetimes of the universe instead of just a few.

        IIRC the quantum attack against hashing and symmetric encryption is search via Grover's algorithm, which optimistically gives you a quadratic speedup, rather than the exponential spe

      • I had a feeling SHA-512 was coming, sooner or later. It is a reliable, proven algorithm. Grover's Algorithm turns SHA-512 into SHA-256 pretty much, making it still quite secure.

        ZFS when deduplication is turned on, uses sha512, and I'm starting to see other things slowly move that way. It sucks having to have twice the hash length stored, but on the other hand, pretty much everything else in the hashing process can remain the same.

      • Sha-512 is not known to be a major improvement over 256. I have read many times to just use sha-256.
  • by FeelGood314 ( 2516288 ) on Wednesday December 18, 2024 @01:57PM (#65022821)

    This isn't about being secure the day that a quantum computer can break a TLS handshake. The problem is I can record your TLS handshake now, break it in the future and then read all the messages you sent today.

    • by gweihir ( 88907 )

      Only if you use short-ass keys for the DH. One reason to _not_ use ECDH, but DH is usually fine.

      Also, no relation to SHA-256.

  • x509 certs are written in ASN1. ASN1 is like (type, length, value) triplets on steroids. They are nested many layers deep and the length value can be set to variable. Most people think parsing them is straightforward, but if the lengths of the nested elements don't match the length of the parent, most parsers have at least one instance where they won't catch the problem. Worse, for well-crafted ASN1, this can be exploited such that different parsers will parse it differently. This means I can submit a
    • by gweihir ( 88907 )

      That really is not a problem of x.509. Limit cert structure or fix your ASN.1 parser.
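      The length-consistency check the two posts above argue about, as an added example (my own code, not either poster's and not a real X.509 library): a minimal DER TLV parser that, in strict mode, rejects a child whose length overruns or underfills its parent, and in lenient mode shows what a sloppy parser silently makes of the same bytes. Assumptions: single-byte tags only, definite-form lengths, and the three sample inputs are constructed.

```python
from typing import List, Tuple
CONSTRUCTED = 0x20  # bit 6 of the tag octet: content is nested TLVs
Node = Tuple[int, bytes, list]  # (tag, raw content octets, child nodes)

def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:                  # short form
        return first, pos + 1
    n = first & 0x7F                  # long form: n length octets follow
    body = buf[pos + 1:pos + 1 + n]
    if n == 0 or n > 4 or len(body) != n or int.from_bytes(body, "big") < 0x80:
        raise ValueError("indefinite, oversized, truncated or non-minimal length")
    return int.from_bytes(body, "big"), pos + 1 + n

def parse_der(buf: bytes, strict: bool = True) -> List[Node]:
    """Parse TLVs that must tile `buf` exactly. strict=True rejects children whose
    lengths overrun or underfill the parent; strict=False silently truncates/drops."""
    nodes, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):        # leftover bytes too short for tag+length
            if strict:
                raise ValueError(f"dangling byte(s) at offset {pos}")
            break
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not supported in this demo")
        length, pos = _read_length(buf, pos + 1)
        end = pos + length
        if end > len(buf):            # child claims more than the parent holds
            if strict:
                raise ValueError(f"child length {length} overruns parent at {pos}")
            end = len(buf)
        value = buf[pos:end]
        children = parse_der(value, strict) if tag & CONSTRUCTED else []
        nodes.append((tag, value, children))
        pos = end
    return nodes

def is_well_formed(buf: bytes) -> bool:
    """True only if the strict parser accepts the whole buffer."""
    try:
        parse_der(buf, strict=True)
        return True
    except ValueError:
        return False
# Constructed inputs: SEQUENCE { INTEGER 1, INTEGER 2 } and two corrupted variants.
GOOD = bytes.fromhex("3006020101020102")
OVERRUN = bytes.fromhex("3006020101020302")    # inner INTEGER claims 3 bytes
UNDERRUN = bytes.fromhex("300702010102010200")  # outer claims 7, children fill 6
```

      The lenient mode still returns a plausible two-integer tree for both corrupted inputs, which is exactly how two parsers end up disagreeing about the same certificate bytes.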

  • Or inane, insane crap like this is the result. Yes, DSA (EC or not) is a pretty bad algorithm, but there is nothing wrong with the others and that is not going to change anytime soon.

    • Maybe it is a time to trim algorithms. For example, what does RSA offer above ED25519? ED25519's key size is a lot smaller, which makes it much easier to deal with. DSA is still useful for signing, and may even edge out RSA in this respect, so even though RSA has been around a long time, maybe it is time for it to be historical, just like RC4, MD5, and DES?

      • by gweihir ( 88907 )

        In case you did not notice, the small key-sizes of EC crypto _is_ the problem when it comes to Quantum Computing.

    • Literally no politicians are making these decisions. They come from the ASD (the Australian version of the NSA). Please get yourself a clue. Literally any clue. Just once surprise us by saying something intelligent.

      • by gweihir ( 88907 )

        You have no standing. I have been an expert in the use of cryptography for a few decades. You were saying?
