security standards – WindowsTechs.com

NIST Releases First Post-Quantum Encryption Algorithms

Posted on August 15, 2024 by Bruce Schneier

After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+.

These algorithms are part of three NIST standards that have been finalized:

FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard
FIPS 204: Module-Lattice-Based Digital Signature Standard
FIPS 205: Stateless Hash-Based Digital Signature Standard…

Continue reading NIST Releases First Post-Quantum Encryption Algorithms→

Data Wallets Using the Solid Protocol

Posted on July 25, 2024 by Bruce Schneier

I am the Chief of Security Architecture at Inrupt, Inc., the company that is commercializing Tim Berners-Lee’s Solid open W3C standard for distributed data ownership. This week, we announced a digital wallet based on the Solid architecture.

Details are here, but basically a digital wallet is a repository for personal data and documents. Right now, there are hundreds of different wallets, but no standard. We think designing a wallet around Solid makes sense for lots of reasons. A wallet is more than a data store—data in wallets is for using and sharing. That requires interoperability, which is what you get from an open standard. It also requires fine-grained permissions and robust security, and that’s what the Solid protocols provide…

Continue reading Data Wallets Using the Solid Protocol→

Detecting Malicious Trackers

Posted on May 21, 2024 by Bruce Schneier

From Slashdot:

Apple and Google have launched a new industry standard called “Detecting Unwanted Location Trackers” to combat the misuse of Bluetooth trackers for stalking. Starting Monday, iPhone and Android users will receive alerts when an unknown Bluetooth device is detected moving with them. The move comes after numerous cases of trackers like Apple’s AirTags being used for malicious purposes.

Several Bluetooth tag companies have committed to making their future products compatible with the new standard. Apple and Google said they will continue collaborating with the Internet Engineering Task Force to further develop this technology and address the issue of unwanted tracking…

Continue reading Detecting Malicious Trackers→

Apple Announces Post-Quantum Encryption Algorithms for iMessage

Posted on February 26, 2024 by Bruce Schneier

Apple announced PQ3, its post-quantum encryption standard based on the Kyber secure key-encapsulation protocol, one of the post-quantum algorithms selected by NIST in 2022.

There’s a lot of detail in the Apple blog post, and more in Douglas Stabila’s security analysis.

I am of two minds about this. On the one hand, it’s probably premature to switch to any particular post-quantum algorithms. The mathematics of cryptanalysis for these lattice and other systems is still rapidly evolving, and we’re likely to break more of them—and learn a lot in the process—over the coming few years. But if you’re going to make the switch, this is an excellent choice. And Apple’s ability to do this so efficiently speaks well about its algorithmic agility, which is probably more important than its particular cryptographic design. And it is probably about the right time to worry about, and defend against, attackers who are storing encrypted messages in hopes of breaking them later on future quantum computers…

Continue reading Apple Announces Post-Quantum Encryption Algorithms for iMessage→

You Can’t Rush Post-Quantum-Computing Cryptography Standards

Posted on August 8, 2023 by Bruce Schneier

I just read an article complaining that NIST is taking too long in finalizing its post-quantum-computing cryptography standards.

This process has been going on since 2016, and since that time there has been a huge increase in quantum technology and an equally large increase in quantum understanding and interest. Yet seven years later, we have only four algorithms, although last week NIST announced that a number of other candidates are under consideration, a process that is expected to take “several years.

The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market. It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time…

Continue reading You Can’t Rush Post-Quantum-Computing Cryptography Standards→

New US Executive Order on Cybersecurity

Posted on May 13, 2021 by Bruce Schneier

President Biden signed an executive order to improve government cybersecurity, setting new security standards for software sold to the federal government.

For the first time, the United States will require all software purchased by the federal government to meet, within six months, a series of new cybersecurity standards. Although the companies would have to “self-certify,” violators would be removed from federal procurement lists, which could kill their chances of selling their products on the commercial market.

I’m a big fan of these sorts of measures. The US government is a big enough market that vendors will try to comply with procurement regulations, and the improvements will benefit all customers of the software…

Continue reading New US Executive Order on Cybersecurity→

7 Challenges that Stand in the Way of Your Compliance Efforts

Posted on November 16, 2020 by Ehab Nour

Compliance is very important to any organization. Organizations have many standards to choose from including PCI, CIS, NIST and so on. Oftentimes, there are also multiple regulations that are applicable in any country. So, organizations need to commit … Continue reading 7 Challenges that Stand in the Way of Your Compliance Efforts→

Ordell Robbie, Tripwire and Security Configuration Management.

Posted on November 2, 2020 by Mitch Parker

ORDELL: Take the keys, man. Listen to music. LOUIS: Which one is for the car? (Ordell finds it. While he goes through the keys, Vicki comes back on the line.) (Max speaks with her as he fills out his papers.) ORDELL: (holding a key) This one’s for the … Continue reading Ordell Robbie, Tripwire and Security Configuration Management.→

The UK’s Minimum Cyber Security Standard: What You Need to Know

Posted on July 12, 2018 by Tripwire Guest Authors

In June 2018, the UK Government, in collaboration with NCSC (National Cyber Security Centre), produced a new security standard that all Government “Departments”, including organisations, agencies, arm’s length bodies, and contractors … Continue reading The UK’s Minimum Cyber Security Standard: What You Need to Know→

Putting PCI-DSS in Perspective

Posted on April 17, 2018 by Tripwire Guest Authors

Much attention and excitement within the security world has recently been focused on the lucrative surge in crypto-mining malware and hacks involving or targeting cryptocurrency implementations themselves. Yet the volume of ‘real world’ tra… Continue reading Putting PCI-DSS in Perspective→