Happy New Year, and welcome to the 19th edition!
Cybersecurity news quietened in the last couple of weeks, so today is a short edition. (I’m still aiming for quality, not quantity.) I’m sure things will pick up again next week.
My Encrypted Crystal Ball Says…
Keep your eyes on fully homomorphic encryption (FHE) in 2024.
FHE is a technique for processing encrypted data without decrypting it first. Among many use cases, this may revolutionise cloud security by preventing cloud providers from "seeing" the data they operate on.
Today, a major challenge for FHE is achieving bearable processing speeds. In some specific areas, such as machine learning, practical use cases are emerging. For general computation, however, FHE is many orders of magnitude slower than plaintext processing.
This may change in the years ahead.
Several hardware companies are working on new types of computer chips designed to accelerate FHE.
Four such companies, including Intel, are part of a DARPA programme called "DPRIVE", which launched in 2021. The goal of DPRIVE is to develop hardware that can run FHE only 10x slower than plaintext operations on normal chips.
The details of that programme are hard to find, but you can see the initial announcement here. And Intel's milestone one update (from Sep 22) is here.
Outside of DPRIVE, several other companies are exploring this space. You can read more about them in this IEEE article.
2024 will not be the year FHE reaches performance comparable to plaintext processing. That is still several years away. However, FHE is certainly moving from a curiosity towards a meaningful technology.
Keep an eye out for interesting announcements next year.
The End of an Encryption Era
It's official: Triple-DES is banned for encryption in federal systems.
NIST withdrew SP 800-67 Rev. 2 on January 1st. Going forward, TDES can only be used for historical purposes, such as decrypting old messages, key unwrapping, and MAC verification.
It marks the end of an era, stretching back to 1981. However, it's not the end of TDES itself.
The payments industry remains a heavy user of the algorithm. As Jeremy King explained in his talk at the PKIC PQC conference, TDES is still seen as providing sufficient levels of security for now.
PCI-DSS defines "strong cryptography" as any industry-tested algorithm providing 112-bit security, as a minimum. It doesn't reference NIST standards or algorithms by name, so TDES still qualifies.
As usual with cryptographic migrations, we can expect to see TDES in our lives for many years ahead. But we've certainly passed into the final stages of its life.
You can find a link to the NIST announcement here.
You can also find an FAQ entry explaining that TDES is good enough for "strong cryptography" in PCI-DSS here.