CyberSecurity news

FlagThis - #nist

Steve Zurier@scmagazine.com //
The National Institute of Standards and Technology (NIST) has announced that it will mark all Common Vulnerabilities and Exposures (CVEs) prior to January 1, 2018, as ‘deferred.’ This decision stems from the agency being overwhelmed by the surging volume of newly disclosed vulnerabilities and the agency will no longer prioritize updating National Vulnerability Database (NVD) enrichment for these older CVEs because of their age. This impacts a substantial number of CVEs, with estimates suggesting that over 94,000, or 34% of all CVEs, could be affected by this change. Despite this shift, NIST has stated it will continue to accept and review requests to update the metadata for these CVE records and prioritize updates if new information indicates it's appropriate, as time and resources allow.

This move has sparked concerns within the cybersecurity community. Many prolific cyber incidents have exploited older CVEs, like WannaCry, NotPetya, and the Colonial Pipeline attack. With limited resources, prioritizing newer vulnerabilities might protect a larger number of organizations. However, older vulnerabilities that are on the known exploited vulnerabilities KEV list will continue to be updated and worked on.

Experts are also worried about the potential for older CVEs to be revived using new AI-driven exploit techniques. Marc Gaffan, CEO of IONIX, noted the rapid advancement of AI capabilities and the concern that these techniques could catch organizations off guard, leaving them unprepared for re-emerging threats. Jon France, CISO at ISC2, emphasized the importance of keeping software patched and up-to-date. Despite the concerns, NIST's decision reflects the challenges of managing an ever-growing database of vulnerabilities with finite resources.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • www.scworld.com: NIST marks all CVEs prior to Jan. 1, 2018, as ‘deferred’
  • bsky.app: NIST gives up on enriching any CVE released before Jan 1, 2018
  • ComputerWeekly.com: NIST calls time on older vulnerabilities amid surging disclosures.
Classification:
@The Cryptography Caffe? ? //
The UK's National Cyber Security Centre (NCSC) has released a roadmap for transitioning to post-quantum cryptography (PQC), establishing key dates for organizations to assess risks, define strategies, and fully transition by 2035. This initiative aims to mitigate the future threat of quantum computers, which could potentially break today's widely used encryption methods. The NCSC’s guidance recognizes that PQC migration is a complex and lengthy process requiring significant planning and investment.

By 2028, organizations are expected to complete a discovery phase, identifying systems and services reliant on cryptography that need upgrades, and draft a migration plan. High-priority migration activities should be completed by 2031, with infrastructure prepared for a full transition. The NCSC emphasizes that these steps are essential for addressing quantum threats and improving overall cyber resilience. Ali El Kaafarani, CEO of PQShield, noted that these timelines give clear instructions to protect the UK’s digital future.

Researchers have also introduced ZKPyTorch, a compiler that integrates ML frameworks with ZKP engines to simplify the development of zero-knowledge machine learning (ZKML). ZKPyTorch automates the translation of ML operations into optimized ZKP circuits and improves proof generation efficiency. Through case studies, ZKPyTorch successfully converted VGG-16 and Llama-3 models into ZKP-compatible circuits.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • The Quantum Insider: UK Sets Timeline, Road Map for Post-Quantum Cryptography Migration
  • The Register - Security: The post-quantum cryptography apocalypse will be televised in 10 years, says UK's NCSC
  • Dhole Moments: Post-Quantum Cryptography Is About The Keys You Don’t Play
  • IACR News: ePrint Report: An Optimized Instantiation of Post-Quantum MQTT protocol on 8-bit AVR Sensor Nodes YoungBeom Kim, Seog Chung Seo Since the selection of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization algorithms, research on integrating PQC into security protocols such as TLS/SSL, IPSec, and DNSSEC has been actively pursued. However, PQC migration for Internet of Things (IoT) communication protocols remains largely unexplored. Embedded devices in IoT environments have limited computational power and memory, making it crucial to optimize PQC algorithms for efficient computation and minimal memory usage when deploying them on low-spec IoT devices. In this paper, we introduce KEM-MQTT, a lightweight and efficient Key Encapsulation Mechanism (KEM) for the Message Queuing Telemetry Transport (MQTT) protocol, widely used in IoT environments. Our approach applies the NIST KEM algorithm Crystals-Kyber (Kyber) while leveraging MQTT’s characteristics and sensor node constraints. To enhance efficiency, we address certificate verification issues and adopt KEMTLS to eliminate the need for Post-Quantum Digital Signatures Algorithm (PQC-DSA) in mutual authentication. As a result, KEM-MQTT retains its lightweight properties while maintaining the security guarantees of TLS 1.3. We identify inefficiencies in existing Kyber implementations on 8-bit AVR microcontrollers (MCUs), which are highly resource-constrained. To address this, we propose novel implementation techniques that optimize Kyber for AVR, focusing on high-speed execution, reduced memory consumption, and secure implementation, including Signed LookUp-Table (LUT) Reduction. Our optimized Kyber achieves performance gains of 81%,75%, and 85% in the KeyGen, Encaps, and DeCaps processes, respectively, compared to the reference implementation. With approximately 3 KB of stack usage, our Kyber implementation surpasses all state-of-the-art Elliptic Curve Diffie-Hellman (ECDH) implementations. Finally, in KEM-MQTT using Kyber-512, an 8-bit AVR device completes the handshake preparation process in 4.32 seconds, excluding the physical transmission and reception times.
  • The Quantum Insider: ETSI Launches New Security Standard for Quantum-Safe Hybrid Key Exchanges
  • billatnapier.medium.com: Xmas Coming Early: OpenSSL Finally Enters a Quantum World
Classification: