Latest update to key security document recommends boost to encryption for CONFIDENTIAL, SECRET and TOP SECRET data

The latest version of the key document offering security guidance to government agencies — the Information Security Manual — has been updated to take into account the impending threat to encryption posed by quantum computing.

A key change to the 2016 edition of ISM is based on advice issued last year by the US Committee on National Security Systems (CNSS) — a group chaired by US Department of Defense CIO Terry Halvorsen.

The CNSS's Advisory Memorandum on Information Assurance 02-15 (CNSSAM 02-15), released in July 2015, drew on updated National Security Agency guidance and outlined approved encryption algorithms and key lengths to protect National Security Systems (NSS).

The advisory expanded on the CNSS’s National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems (CNSSP 15).

“Based on analysis of the effect of quantum computing on Information Assurance (IA) and IA-enabled Information Technology (IT) products, the policy’s set of authorized algorithms is expanded to provide vendors and IT users more near-term flexibility in meeting their IA interoperability requirements,” the advisory states.

“The purpose behind this additional flexibility is to avoid vendors and customers making two major transitions in a relatively short timeframe, as we anticipate a need to shift to quantum-resistant cryptography in the near future.”

The ‘Suite B’ algorithms approved for use with NSS in CNSSP 15 were AES encryption, SHA-2 hashing, ECDSA digital signatures, and ECDH for key exchange.

The updated advice in CNSSAM 02-15 was to employ AES-256 encryption; SHA-384 hashing; ECDSA (P-384) or RSA (3072-bit or larger) digital signatures; and for key exchange Diffie-Hellman (3072-bit or larger), ECDH (P-384) or RSA (3072-bit or larger).

“The most significant change [to the ISM] involves giving preference to newer Suite B cryptographic algorithms with increased key lengths to provide greater resistance to quantum computing,” a Department of Defence spokesperson told Computerworld Australia.

A new security control added to the new edition of the ISM states: “Where possible, agencies should give preference to algorithms which meet the standards described in CNSSAM 02-15 to appropriately protect CONFIDENTIAL, SECRET and/or TOP SECRET information.”

The ISM is maintained by the Australian Signals Directorate.

Last year’s update to the document included major changes focused on ensuring security in a cloud-first policy environment.

Quantum computing is expected to have a massive impact on cyber security, rendering useless many current approaches to encryption.

“Many of our most crucial communication protocols rely principally on three core cryptographic functionalities: public key encryption, digital signatures, and key exchange,” states a document — Report on Post-Quantum Cryptography — published in April by US National Institute of Standards and Technology

“Currently, these functionalities are primarily implemented using Diffie-Hellman key exchange, the RSA (RivestShamir-Adleman) cryptosystem, and elliptic curve cryptosystems. The security of these depends on the difficulty of certain number theoretic problems such as Integer Factorization or the Discrete Log Problem over various groups.

“In 1994, Peter Shor of Bell Laboratories showed that quantum computers, a new technology leveraging the physical properties of matter and energy to perform calculations, can efficiently solve each of these problems, thereby rendering all public key cryptosystems based on such assumptions impotent. Thus a sufficiently powerful quantum computer will put many forms of modern communication—from key exchange to encryption to digital authentication—in peril.”

Australia is home to significant quantum computing research efforts, with the Commonwealth Bank of Australia and Telstra both interested in the potential of the technology.