BreachExchange mailing list archives

NIST Seeks to Raise Its Cryptographic Profile


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 10 Feb 2015 19:55:14 -0700

http://www.databreachtoday.com/nist-seeks-to-raise-its-cryptographic-profile-a-7899/op-1

It's barely a drop in the bucket, but President Obama is earmarking $7
million of his nearly $4 trillion federal budget to help the National
Institute of Standards and Technology provide stronger cryptographic
solutions and enhance privacy tools.

If approved by Congress for fiscal year 2016, which begins Oct. 1, NIST
would hire 10 new full-time employees to work on its cryptographic and
privacy initiatives.

Cryptographic research is a growing focus for NIST, in part because of the
prospect of quantum computing, with its expanded capabilities that would
make many of today's encryption methods obsolete.

A race is on to develop functioning quantum computers. According to NIST,
Britain is investing about $420 million over the next five years in quantum
technologies. In another part of the NIST budget, Obama is asking
Congress to approve $26.6 million, a $5 million increase from 2015 levels,
for NIST to accelerate widespread use of quantum science and support
development of the next generation of quantum devices. The National
Security Agency, according to documents leaked by former contractor Edward
Snowden, is spending $79.7 million to build a quantum computer to crack
cryptography.

Questioning the Need

But one cryptography expert questions the need to defend against quantum
computers in the foreseeable future. "I don't see quantum computing posing
a threat to current generations of systems in any reasonable time frame,"
says Phillip Rogaway, a computer science professor at the University of
California at Davis, adding that a functioning quantum computer is decades
away, "if ever."

Still, interest is growing in quantum computing, and NIST wants to be ready
for it with appropriate cryptography when it arrives. In April, NIST will
hold a post-quantum world workshop following the IACR International
Conference on Practice and Theory of Public-Key Cryptography to be held
from March 30 to April 1 at its Gaithersburg, Md., campus. NIST isn't alone
in its interest in post-quantum cryptography; in September, the fifth
International Conference on Quantum Cryptography will be held in Tokyo.

"As we're investing in quantum research, others in the world are as well, so
you want to be ahead of that and make sure that once that does become a
reality, we can be prepared," NIST spokeswoman Jennifer Huergo says.

Emphasis on Independence

In seeking the added money next fiscal year to improve cryptography, NIST
emphasizes that it wants to continue to "deliver robust and independent
cryptography capabilities." NIST has come under criticism for its
relationship with the National Security Agency, which was accused of
tampering with a NIST cryptographic algorithm (see Report: NSA Circumvented
Encryption). Federal law requires NIST to collaborate with the NSA on
cryptography and other security standards. To rely less on the NSA, NIST
would use the extra funding to foster cryptographic collaboration with
academia and industry, according to a summary of its cybersecurity budget
request for 2016.

Huergo cites the recently published second draft of NIST Cryptographic
Standards and Guidelines Development Process, which states: "In order to
make independent decisions, NIST stresses the importance of its access to
sufficient expertise, both from within NIST and from organizations and
individuals external to NIST."

NIST began drafting the report, also known as Interagency Report 7977, as a
result of the NSA meddling with its cryptographic algorithm, which it
eventually withdrew from its guidance (see NIST Revises Crypto Standards
Guide).

Protecting the Internet of Things

Besides developing post-quantum computing cryptography standards, NIST
would use the added money to create cryptography standards for so-called
constrained environments, also known as lightweight cryptography, that
support devices found on the Internet of Things. In July, NIST will
hold a lightweight cryptography workshop.

The privacy tools NIST intends to enhance with the new funding are aimed at
assisting information systems users, owners, developers and designers who
handle personal information. The tools and guidance NIST hopes to develop
could be used to decrease risks related to exposing private information,
according to the agency, and allow users to make meaningful decisions about
resources to allocate and security and privacy controls to implement.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
