Welcome to the 18th edition. As luck would have it, today is Christmas. To those who celebrate it - have a wonderful day. Let’s dive into the content…
Crypto Discovery is… Muddled
Hot off the press! NIST just released a draft document about cryptographic discovery for PQC migration.
SP-1800-38-B was drafted by a consortium of cyber companies, together with NIST. At 56 pages it's not a short read, but only around 20 of those pages carry meaningful content, so I recommend skim-reading the familiar sections.
The document describes a fictitious company, Zeta, which is planning its quantum-safe migration. It then describes a set of lab experiments that simulate the crypto discovery challenges faced by Zeta.
Three discovery methodologies are explored: network scanning, file scanning, and code scanning. A generalised architecture is presented for each approach, which may be helpful for understanding how these tools fit into typical IT systems.
The authors also note that existing scanning tools produce proprietary output formats, which makes life hard for users. They present a draft of a common output format that all tools should adhere to in future.
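As an added illustration of the code-scanning approach and of what a common output format buys you (this is example code, not a tool from the NIST document or any vendor), here is a minimal discoverer in Python. It walks a constructed sample repository, matches known algorithm identifiers line by line, labels each hit with its PQC migration impact, and emits one normalised JSON inventory. The signature table, the impact labels ("replace", "review", "deprecated") and the output schema are all assumptions made for this example, not the NIST draft format.

```python
"""Minimal code-scanning crypto discovery (illustrative example, not a real tool).

Scans source files for cryptographic algorithm/API identifiers and emits a
single normalised JSON inventory so that hits from different scanners can be
merged. The schema is invented for this example; it is NOT the NIST draft format.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass, asdict

# Constructed sample repository (path -> contents), standing in for a checkout.
SAMPLE_REPO = {
    "auth/keys.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
    ),
    "net/tls.go": (
        "cfg := &tls.Config{CipherSuites: []uint16{\n"
        "    tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}\n"
    ),
    "util/hash.c": (
        "#include <openssl/sha.h>\n"
        "SHA1(buf, len, out);            /* legacy fingerprint */\n"
        "md = EVP_sha256();\n"
    ),
    "vault/Seal.java": (
        'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n'
    ),
}


def ident(name: str) -> re.Pattern:
    """Match an identifier fragment whether it appears as RSA, rsa, _RSA_ or RSA/..."""
    return re.compile(rf"(?<![A-Za-z]){name}(?![A-Za-z0-9])", re.IGNORECASE)


# Signature table: (regex, primitive, category, migration_impact).
# Impact labels follow the usual PQC triage and are an assumption of this example:
# factoring/discrete-log public-key schemes are broken by Shor ("replace");
# symmetric ciphers and hashes are only weakened by Grover ("review" sizes);
# SHA-1 is flagged regardless because it is already deprecated classically.
SIGNATURES = [
    (ident("RSA"),    "RSA",     "asymmetric", "replace"),
    (ident("ECDHE?"), "ECDH",    "asymmetric", "replace"),
    (ident("ECDSA"),  "ECDSA",   "asymmetric", "replace"),
    (ident("SHA1"),   "SHA-1",   "hash",       "deprecated"),
    (ident("SHA256"), "SHA-256", "hash",       "review"),
    (ident("AES"),    "AES",     "symmetric",  "review"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    primitive: str
    category: str
    migration_impact: str
    evidence: str


def scan_file(path: str, text: str) -> list[Finding]:
    """Run every signature over every line; one finding per (line, primitive)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, primitive, category, impact in SIGNATURES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, primitive, category, impact, line.strip()))
    return findings


def scan_repo(repo: dict[str, str]) -> list[Finding]:
    """Scan every file in a path-sorted order so output is deterministic."""
    out = []
    for path in sorted(repo):
        out.extend(scan_file(path, repo[path]))
    return out


def build_inventory(findings: list[Finding]) -> dict:
    """Normalised output document: same shape whatever scanner produced the hits."""
    return {
        "schema": "example-crypto-inventory/0.1",   # invented for this example
        "discovery_method": "code-scan",
        "findings": [asdict(f) for f in findings],
        "summary": dict(Counter(f.migration_impact for f in findings)),
    }


if __name__ == "__main__":
    print(json.dumps(build_inventory(scan_repo(SAMPLE_REPO)), indent=2))
```

The point of the `summary` block is the one the draft makes: once network, file and code scanners all emit the same schema, the "replace" count can be aggregated across sources into a single migration backlog instead of reconciled by hand from three vendor formats.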
Overall, it's a slightly muddled document that flits between definitions, advice, scenarios, and vendor briefings. It's not an easy read, and those looking for a how-to document on discovery will be disappointed.
Hopefully, it will evolve in the right direction. I will certainly be contributing some feedback to try and help it along. You can read the document and do the same at this link: https://csrc.nist.gov/pubs/sp/1800/38/iprd-(1).
Second Time Lucky
NIST post-quantum documents are like buses. Nothing arrives for ages, and then two come at once!
Last week, NIST also released SP-1800-38-C. It's a fascinating document describing interoperability testing between PQC-ready products.
The authors explore whether different PQC-enabled implementations of SSH, TLS, QUIC and X.509 interoperate with one another, including performance testing. They also test compatibility between HSM vendor implementations.
The takeaways are broadly positive. For SSH and TLS in particular, the implementations generally played well with each other, which is pleasing given that the standards are not yet fully ratified.
The document is well structured, and each section provides lessons learned that can help protocol implementers to minimise errors in the future. However, unless you are seriously keen on protocol implementation, this might be a document to leave to the crypto geeks.
You can see the latest version here: https://csrc.nist.gov/pubs/sp/1800/38/iprd-(1).
A Little Fun to Finish
As it's Christmas week, I'll round things off with two fun items.
First up is GCHQ's Christmas challenge, which poses eight cryptographic challenges for friends and family to tackle. Or perhaps for more serious crypto folks to tackle after a few glasses of wine:
https://www.gchq.gov.uk/news/xmaschallenge2023
Second is a fascinating 5-minute video about the wacky world of "speedrunning". It describes the insane efforts players make to set world record times on old console games.
It even has a nod to random number generators (which is why I'm sharing it):
https://www.tiktok.com/@jasonkpargin/video/7315261788369538346.