Encryption Update ** UPDATED **


(Update at the bottom)

So, the NSA and IAD just released an advisory memo directed at US government entities and NGOs/Corporations that deal with classified material. In a nutshell, they are raising the minimum required encryption level for top secret data effective immediately. So instead of referring to the NSA's Suite B cryptography, we will now refer to what they are calling the Commercial National
Security Algorithm Suite. The changes are as follows:

Former Suite B standards

- RSA-2048                                       (Key exchange/Digital Sig)
- ECDH/ECDSA P-256                    (Key exchange/Digital Sig)
- AES-128                                         (Symmetric encryption)
- Diffie-Hellman 2048                      (Key exchange)
- SHA-256                                        (Integrity check/hash)


New NSS standards

- RSA-3072                                      (Key exchange/Digital Sig)
- ECDH/ECDSA P-384                   (Key exchange/Digital Sig)
- AES-256                                        (Symmetric encryption)
- Diffie-Hellman 3072                     (Key exchange)
- SHA-384                                       (Integrity check/hash)

Okay great.....what does this mean to you?

Well, for one, if the NSA feels there is a threat great enough to warrant raising these standards to protect national security structure, then it only makes sense for the public to do the same. After all, I place I high value on my privacy and the sanctity of my "data".


Things you should be checking:

1. Your VPN provider (you are using a VPN, right?). Most of the providers I recommend already meet or exceed the new standards. There are, however, some that still employ RSA-2048 and AES-128. Find out what your provider is using and if it does not meet the standard as set forth above I would contact them and encourage them to implement it as soon as possible.....or move to a different provider.

2. Your PGP/GPG keys. More and more people are discovering and utilizing GPG encryption for their mail and personal file security. I have noticed though that many of the people that contact me via GPG are still using RSA-2048 keys. I would encourage you to switch to the stronger RSA-4096 keys (or better yet, ECC keys with non-NIST curves....if you are savvy with the terminal).


These couple of steps will greatly increase your personal/business security level and, frankly, are pretty painless to implement.



I should note that you will get hands on experience with these techniques at my GroundRod 2 course.

***  UPDATE ***

We looked at the Suite B standards and the new NSS standards above.....now, here are my recommendations:

For key negotiation/exchange:

      - RSA-4096
      - ECC Brainpool P-384 or P-512
      - ECC Curve25519
      - DH 4096

For symmetric (payload) encryption:

      - Twofish / Threefish
      - Serpent
      - AES-256

For integrity check/hash:

      - SHA-512
      - Whirlpool

 As you can see, I favor non-NIST standards as much as possible. For most VPN providers you are stuck with AES for channel encryption, however, Proxy.sh and a couple others are working on implementing Serpent and Twofish as an option.









Comments

Post a Comment

Popular posts from this blog

The Insecurity of "Push Notifications" and What to Do About It

Image
 By now it has been widely circulated that the US government (and their 5 Eyes friends) has been secretly snooping on phone user's messaging in the form of Push Notifications. Not only are they snooping, but they applied a legal gag order to Apple and Google to prevent them from alerting you the customer of this fact. What's that you say? You are using an end-to-end encrypted messenger such as Signal and therefore are safe from said intrusion? Not so fast... While there are indeed some well designed and audited secure chat apps out there, that is only part of the story. Most, if not all, messaging applications employ Push notifications as a way to let you know that someone just reached out to you, even if you didn't happen to have the corresponding application open at the moment. This is, of course, very convenient for the end user, but the problem lies in how this is facilitated on the back end. Apple and Google both employ proprietary servers that intercept a message head
Read more

Winter 2024 Courses (Updated FEB 29)

Image
  - Hard Target Traveler                Bozeman, MT                       JAN 13              $280 - Hard Target Traveler                CDA, Idaho                          FEB 17              $280 - GroundRod Level 1                   Kalispel, MT                        MAR 2-3           $475 - CQB/ Home Defense                 Midland,  TX                        TBD                  $800 - Gunfight Concepts                    N. Carolina                           MAR 22-24      $800 - Tactical Night Operations       N. Carolina                           MAR 25-27      $800 - GroundRod Level 1                  N. Carolina                            MAR 28-29      $475 - GroundRod Level 2                 N. Carolina                             MAR 30-31      $475 - GroundRod Level 4                  CDA, Idaho                           APR 12-14       $800 - Gunfight Concepts                   Three Forks, MT                   APR                 $800 - GroundRod Level 3               
Read more

GroundRod Level 1 in Missouri

Image
  We will be holding a GroundRod Level One tradecraft course in Hartville, MO June 15-16 2024. Course is $480 and seats will be limited. To register, you can visit the Store page and make a class deposit ($100) and then email us at comstugrp@protonmail.com to confirm, also feel free to email with any questions.
Read more