Category: Encryption

In 2018, Australia passed the Assistance and Access Act, which—among other things—gave the government the power to force companies to break their own encryption.

The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include:

  • Technical Assistance Requests (TARs): TARs are voluntary requests for assistance accessing encrypted data from law enforcement to teleco and technology companies. Companies are not legally obligated to comply with a TAR but law enforcement sends requests to solicit cooperation.
  • Technical Assistance Notices (TANs): TANS are compulsory notices (such as computer access warrants) that require companies to assist within their means with decrypting data or providing technical information that a law enforcement agency cannot access independently. Examples include certain source code, encryption, cryptography, and electronic hardware.
  • Technical Capability Notices (TCNs): TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible.

It’s that final one that’s the real problem. The Australian government can force tech companies to build backdoors into their systems.

This is law, but near as anyone can tell the government has never used that third provision.

Now, the director of the Australian Security Intelligence Organisation (ASIO)—that’s basically their FBI or MI5—is threatening to do just that:

ASIO head, Mike Burgess, says he may soon use powers to compel tech companies to cooperate with warrants and unlock encrypted chats to aid in national security investigations.

[…]

But Mr Burgess says lawful access is all about targeted action against individuals under investigation.

“I understand there are people who really need it in some countries, but in this country, we’re subject to the rule of law, and if you’re doing nothing wrong, you’ve got privacy because no one’s looking at it,” Mr Burgess said.

“If there are suspicions, or we’ve got proof that we can justify you’re doing something wrong and you must be investigated, then actually we want lawful access to that data.”

Mr Burgess says tech companies could design apps in a way that allows law enforcement and security agencies access when they request it without comprising the integrity of encryption.

“I don’t accept that actually lawful access is a back door or systemic weakness, because that, in my mind, will be a bad design. I believe you can ­ these are clever people ­ design things that are secure, that give secure, lawful access,” he said.

We in the encryption space call that last one “nerd harder.” It, and the rest of his remarks, are the same tired talking points we’ve heard again and again.

It’s going to be an awfully big mess if Australia actually tries to make Apple, or Facebook’s WhatsApp, for that matter, break its own encryption for its “targeted actions” that put every other user at risk.

From the Federal Register:

After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+.

These algorithms are part of three NIST standards that have been finalized:

NIST press release. My recent writings on post-quantum cryptographic standards.

EDITED TO ADD: Good article:

One – ML-KEM [PDF] (based on CRYSTALS-Kyber) – is intended for general encryption, which protects data as it moves across public networks. The other two –- ML-DSA [PDF] (originally known as CRYSTALS-Dilithium) and SLH-DSA [PDF] (initially submitted as Sphincs+)—secure digital signatures, which are used to authenticate online identity.

A fourth algorithm – FN-DSA [PDF] (originally called FALCON) – is slated for finalization later this year and is also designed for digital signatures.

NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future.

One of the sets includes three algorithms designed for general encryption – but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today’s finalized standards.

NIST plans to select one or two of these algorithms by the end of 2024.

IEEE Spectrum article.

Slashdot thread.

This isn’t good:

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it’s not clear when it was taken down.

The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

[…]

These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren’t clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.

Computers blue-screen-of-death around the world! The Paris Olympics is at risk of attack! And the FBI pull off the biggest sting operation in history by running a secret end-to-end encrypted messaging app! All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by industry veterans Graham Cluley and … Continue reading "Smashing Security podcast #382: CrowdStrike, Dark Wire, and the Paris Olympics"

Asymmetric and symmetric encryptions are the modes of encryption typically used in cryptography. There is a single key involved with symmetric encryption used both for encryption and decryption. The key needs to be shared among the parties who are involved who wish to encrypt or decrypt data. Asymmetric encryption uses two separate keys related to one other mathematically. These are known as private and public keys. Typically, the certificate is often linked with a public key, which retains the information about the public key owners. 

The certificate consists of details like name, used algorithms, organization name, etc. However, symmetric and asymmetric encryption as ways of implementing cyber risk assessment may appear identical. Symmetric encryption is faster compared to asymmetric encryption, which is related to performance. Asymmetric encryption is slower, which is why symmetric encryption is specifically used in conjunction with asymmetric encryption. Let us now explore more related to this here.

Symmetric Encryption

As we have explained already, symmetric encryption utilizes an identical key for encryption and decryption; therefore, the sender will send the key to its receiver to decrypt the encrypted data. The key is often involved and needs to be protected and transferred securely. If anyhow the key is lost, then the data fails to get decrypted, and if the key is compromised, then it impacts encryption. Therefore, the symmetric keys get transferred among the parties who use the asymmetric encryption that ensures that the symmetric key stays encrypted. Two varied forms of keys get involved in encrypting and decrypting the data. Symmetric encryption is often comparably faster compared to asymmetric encryption, which is the reason why it gets used enormously.

Asymmetric Encryption

For managing third party risk, asymmetric encryption uses two distinctive keys that get mathematically involved with one another. The first one is known as the private as they are heavily protected. The key stays in an HSM or an air-gapped computer to ensure the protection of this key. The public key or the other one is derived from the private key that gets evenly distributed. The certificate is often created with the help of a public key that contains information about the owner of the key and a couple of details related to the key.

The key will often rely on the main number of the greater length. The public and private keys are simultaneously computed using similar mathematical operations, specifically the trapdoor functions. The trapdoor functions are easier to calculate in a single direction as they are troublesome to calculate in the reverse way. We can locate the public key; however, the private key never gets obtained through the public key using the private key.

Although asymmetric encryption offers greater protection to the keys, it is much slower than symmetric encryption. It is for this reason that asymmetric encryption is used for exchanging the secret key, which is used for establishing symmetric encryption for rapid data transfer and making encryption and decryption of the data rapid.

Integrating Encryption with Third Party Risk Management

In third party risk management, both symmetric and asymmetric encryption play pivotal roles. Companies should ensure that third-party vendors handle the key data and implement strong encryption practices to mitigate rapidly surfacing cyber risks and attacks.

Symmetric Encryption for Third Party Risk Management

  • Data Protection: Organizations will need third-party vendors to use symmetric encryption to safeguard the stored data to ensure that whenever data gets accessed for keeping it unreadable without the encryption key.
  • Secure Key Exchange: Implementation of the secure key exchange protocols remains critical while dealing with third parties. The encrypted channels for the distribution of keys and periodic key rotation would boost security.

Asymmetric Encryption for Third Party Risk Management

  • Secure Communications: Asymmetric encryption is the key to establishing secure communications with third-party vendors. The SSL/TLS protocols and the digital certificates ensure that the data gets transmitted between the parties in a tamper-proof and confidential manner.
  • Authentication and Integrity: Asymmetric encryption benefits the strong mechanisms behind authentication, verifying the identity of third-party vendors while ensuring the integrity of data.

Uses for Asymmetric and Symmetric Encryption

Asymmetric and symmetric encryption is used in a better way across a myriad of situations. Symmetric encryption with the use of a single key is better used for the data at rest. Data stored across the databases requires to be encrypted, ensuring that it does not get stolen or compromised. The data never needs two keys, just a single one offered by the symmetric encryption as it requires it to be safer until it gets accessed in the future. Alternatively, asymmetric encryption should be used on data that is sent across emails to the rest of the people.

Whenever symmetric encryption gets used on data in emails, the attackers take the key being used for encryption and decryption that gets compromised or stolen. The sender and recipient ensure that the recipient of the data can start decrypting the data since their public key gets used for data encryption with asymmetric encryption. These encryptions get used with different processes, such as digital signing or compression, offering greater data security.

Security and Trust

Making the right choice between symmetric and asymmetric encryption takes a lot of work to get a direct one. Asymmetric encryption is often used for establishing a secure connection between users who hardly met with the connection that was used for exchanging a symmetric encryption key. Whenever the entire process gets implemented in the SSL systems it will take a couple of milliseconds. As an outcome, numerous users will never find it. It is important for modern network infrastructure. For now, it is the ideal way to safeguard key data against corruption and theft.

Conclusion

Symmetric encryption is the fastest technique for encryption as the robust cybersecurity measures; however, the secret key should be exchanged securely for its real potential. Asymmetric encryption is thereby used for exchanging the key that gets involved for symmetric encryption. In both instances, asymmetric encryption is used briefly exchanging the parameters and establishing the symmetric encryption used for the remainder of the communication. Therefore, both of them get used together to achieve the perfect secure communication, achieving authenticity, maintaining privacy, proper authentication, and integrity of data.

 

The post Symmetric vs. Asymmetric Encryption in the Cloud: Choosing the Right Approach appeared first on Cybersecurity Insiders.