Chrome Switching To NIST-Approved ML-KEM Quantum Encryption (bleepingcomputer.com)
- Reference: 0175013255
- News link: https://it.slashdot.org/story/24/09/17/0455248/chrome-switching-to-nist-approved-ml-kem-quantum-encryption
- Source link: https://www.bleepingcomputer.com/news/security/chrome-switching-to-nist-approved-ml-kem-quantum-encryption/
> This change comes roughly five months after Google rolled out the post-quantum secure TLS key encapsulation system on Chrome stable for all users, which also caused some problems with TLS exchanges. The move from Kyber to ML-KEM, though, is not related to those early problems, which got resolved soon after manifesting. Rather, it's a strategic choice to abandon an experimental system for a NIST-approved and fully standardized mechanism.
>
> ML-KEM was [2]fully endorsed by the U.S. National Institute of Standards and Technology (NIST) in mid-August, with the agency publishing the complete technical specifications of the final version at the time. Google explains that despite the technical changes from Kyber to ML-KEM being minor, the two are essentially incompatible, so a switch had to be made. "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," [3]explains Google. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."
[1] https://www.bleepingcomputer.com/news/security/chrome-switching-to-nist-approved-ml-kem-quantum-encryption/
[2] https://it.slashdot.org/story/24/08/14/2150250/nist-finalizes-trio-of-post-quantum-encryption-standards
[3] https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html
Suspicious (Score:1)
Why do I get the feeling that the "approved" system has backdoors that are already known by interested parties and the experimental one didn't have them or was reluctant to implement them?
Re: (Score:3)
> Because you're paranoid?
Last time NIST told us to make a big change, they told us to change to a compromised system. It's not paranoid to think they might be doing it again.
Re: (Score:2)
> Because you're paranoid?
'Just because you're paranoid doesn't mean they aren't after you.' Joseph Heller, Catch-22
Re: (Score:3)
> Because you're paranoid?
Nope. NIST is widely and demonstrably known for putting backdoored crypto into norms.
Being paranoid doesn't mean he's wrong. (Score:2)
I'm a UNIX Engineer - I get paid perfectly good money to be paranoid. It's not a great job, but it's a living!
Re: (Score:1)
> Why do I get the feeling that the "approved" system has backdoors that are already known by interested parties
Don't worry - everyone else will figure out a hack before long, and it will be back to equal-opportunity eavesdropping.
That is a very bad idea (Score:4, Informative)
Post-quantum encryption is _not_ ready for prime-time. At this time, it must be regarded as significantly less secure than conventional encryption. In addition, it is completely unclear whether QCs will ever amount to anything. The 12 error-corrected qubits that IBM proudly announced a few days back are, for example, enough to factor RSA keys up to 15. That can be done manually with an abacus. And that is after about 50 years of research. The transistor is about 80 years old at this time, and look what it has scaled to. For QCs it is unclear whether they will ever scale. Hence it is massively premature to rip out well-reviewed ciphers due to the "threat" of QCs, and all it does is decrease security.
Re: (Score:2)
a sensible alternative would use both "old" and "new" algorithms in series (i.e. encrypt with one, then encrypt the result with the new one)
At least until proven.
Re: (Score:2)
That's exactly what they are doing: EC crypto wrapped in a post-quantum cipher.
Your paranoia is making me paranoid. (Score:2)
You seem fairly bent on discouraging the adoption of quantum-resistant cryptography. If I assume you're not just being altruistic and expressing real (if not valid) concerns here, what's your game?
Was any existing encryption actually broken? (Score:2)
I am far from knowing much about encryption and quantum computer capabilities today but I do not recall any such breach.
Are quantum technologies near such capability? I do not think so. So why now? Is it just for bragging rights?
Re:Was any existing encryption actually broken? (Score:5, Informative)
There's concern about people engaging in what is called "Store Now, Decrypt Later" or "Harvest Now, Decrypt Later" [1] where powerful actors (such as various intelligence agencies and large criminal organizations) will store large amounts of encrypted information and then go back and decrypt it once the quantum computers are available. This is a legitimate concern. That said, one obvious concern in the other direction is that the encryption schemes which we are hoping to be resistant to quantum computing based attacks have had much less attention given to them (in part due to them simply being much younger), and thus we have less certainty that they are even classically good encryption. And we've had now multiple examples of supposedly quantum resistant algorithms being cracked by completely classical methods. See for example [2]. So switching to these new algorithms may be creating new vulnerabilities to deal with a threat that has not yet substantially emerged. It might make sense to start having two tiers of encryption, one for data where Store Now, Decrypt Later is a threat, and another for things where they are just not that time sensitive.
[1] https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later
[2] https://cacm.acm.org/news/nist-post-quantum-cryptography-candidate-cracked/
Too many passwords to remember. (Score:2)
That reminds me, I need to buy ink for my printer so that I can print out all my passwords in plain text and store them in a fireproof safe for later retrieval. "Store Now, Remember Later".
Re:Too many passwords to remember. (Score:4, Funny)
it's more secure if you print the passwords without any ink in the printer.
Re: (Score:1)
It is not necessarily more secure when considering the "C.I.A." triad. Confidentiality, Integrity, and Availability. Printing without ink will maintain data confidentiality, but it will not ensure Availability.
Re: Too many passwords to remember. (Score:2)
Confidentiality, Integrity, and Availability AND future proofing against sci-fi attacks from the future!
FOOL! Those are the wrong tools! (Score:2)
Use 3M Post-it notes and a black Sharpie marker.
Re: (Score:3)
Not all protocols can be easily wrapped. Also, there's a serious convenience/computational issue if people have to do more heavy duty computations.
Re: (Score:2)
> That said, one obvious concern in the other direction is that the encryption schemes which we are hoping to be resistant to quantum computing based attacks have had much less attention given to them (in part due to them simply being much younger), and thus we have less certainty that they are even classically good encryption. And we've had now multiple examples of supposedly quantum resistant algorithms being cracked by completely classical methods. See for example [1]. So switching to these new algorithms may be creating new vulnerabilities to deal with a threat that has not yet substantially emerged.
Which is why no one is suggesting moving to a post-quantum algorithm alone. What Chrome is implementing is a hybrid key exchange, ML-KEM768+X25519 (the X25519 part is a standard elliptic curve cipher). Unless your implementation is absolutely terrible, you can't decrease security by layering on multiple encryption schemes, so even if ML-KEM is no more secure than ROT13, it still won't introduce any new vulnerability.
[1] https://cacm.acm.org/news/nist-post-quantum-cryptography-candidate-cracked/
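Added example (not from the article or any commenter): the two TLS codepoints Google quotes above, 0x6399 and 0x11EC, used in a check for which hybrid group a client offers, plus the hybrid combiner argument from this comment. The supported_groups layout follows RFC 8446; the ML-KEM-first concatenation order and the HKDF-Extract stand-in for the TLS key schedule are assumptions, and the shared secrets are constructed stand-ins.

```python
import hashlib
import hmac
import struct

# TLS NamedGroup codepoints quoted from Google's announcement above.
X25519_KYBER768_DRAFT00 = 0x6399  # legacy hybrid Chrome is retiring
X25519_MLKEM768 = 0x11EC          # standardized hybrid replacing it
HYBRID_GROUPS = {X25519_KYBER768_DRAFT00: "X25519Kyber768Draft00",
                 X25519_MLKEM768: "X25519MLKEM768"}

def parse_supported_groups(ext_body: bytes) -> list:
    """Decode the body of a TLS supported_groups extension (RFC 8446 4.2.7):
    a 2-byte list length followed by 2-byte NamedGroup values."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or length + 2 != len(ext_body):
        raise ValueError("malformed supported_groups extension")
    return list(struct.unpack("!%dH" % (length // 2), ext_body[2:]))

def hybrid_groups_offered(ext_body: bytes) -> list:
    """Names of the PQ hybrid groups a client offers, in its preference order.
    A client listing only 0x6399 loses PQ protection once servers drop it."""
    return [HYBRID_GROUPS[g] for g in parse_supported_groups(ext_body) if g in HYBRID_GROUPS]

def combine_shared_secrets(ss_mlkem: bytes, ss_x25519: bytes, salt: bytes) -> bytes:
    """Hybrid combiner: the two shared secrets are concatenated (ML-KEM first, the order
    assumed here for X25519MLKEM768) and run through HKDF-Extract, standing in for the
    TLS 1.3 key schedule. The output depends on both inputs, so recovering one of them
    gives an attacker no shortcut to the key without the other."""
    return hmac.new(salt, ss_mlkem + ss_x25519, hashlib.sha256).digest()

def key_survives_broken_kem(ss_mlkem, ss_x25519, salt, attacker_guess_x25519):
    """Models the 'ML-KEM as weak as ROT13' case: the attacker knows ss_mlkem and the
    salt but has to guess the X25519 secret. True if the real key is not reproduced."""
    real = combine_shared_secrets(ss_mlkem, ss_x25519, salt)
    guessed = combine_shared_secrets(ss_mlkem, attacker_guess_x25519, salt)
    return not hmac.compare_digest(real, guessed)

# Constructed sample: a supported_groups body offering X25519MLKEM768, plain x25519
# (0x001d) and the legacy Kyber codepoint, in that preference order.
SAMPLE_GROUPS = bytes.fromhex("0006" "11ec" "001d" "6399")

if __name__ == "__main__":
    print(hybrid_groups_offered(SAMPLE_GROUPS))
    ss_kem, ss_x = b"\x11" * 32, b"\x22" * 32  # constructed stand-ins for real secrets
    print(key_survives_broken_kem(ss_kem, ss_x, b"\x00" * 32, b"\x33" * 32))
```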
Re: (Score:2)
> Are quantum technologies near such capability?
No.
> So why now?
[1]https://miracl.com/blog/backdo... [miracl.com]
[1] https://miracl.com/blog/backdoors-in-nist-elliptic-curves/
Re: (Score:3)
No, but you don't WAIT for your thing to be compromised when you know it's only a matter of time, when you can literally deploy an alternative now and have 10+ years of real-world testing of it by the time it's actually necessary.
Secure protocols.... secure things. It's dumb to wait until they're compromised before you do anything.
And we KNOW for a fact that AES etc. is vulnerable to quantum attacks, and that many governments and companies are producing viable quantum computers that are increasing in size.
Re: (Score:2)
> you don't WAIT for your thing to be compromised when you know it's only a matter of time, when you can literally deploy an alternative now and have 10+ years of real-world testing of it by the time it's actually necessary
I want 10+ years of real-world testing before I adopt it to make sure that NIST isn't pushing us another compromised cryptosystem.
> And we KNOW for a fact that AES etc. is vulnerable to quantum attacks
Yes, if you use such a small key that you could do the decryption by hand. The question is, will quantum computers ever actually even scale up to the point that this is a real concern? And we don't know the answer, so that does merit some caution, but NIST's prior actions also merit caution.
Re: (Score:2)
Imagine classical encryption is cracked via commercially available methods in 2030.
Now imagine I can open up all of your banking transactions and emails (which I have intercepted and recorded) from the years 2020-2029, and decrypt them.
Do you think that information has value, or not?
Not broken, but considered vulnerable. (Score:2)
I'd rather fix my crypto before it's broken. I don't want to hear about how my data was stolen, I'd much rather be reasonably assured that it wasn't.