WASHINGTON — This morning the National Institute of Standards & Technology officially released the long-awaited final versions of three new post-quantum encryption algorithms, with additional, more specialized algorithms on the way. They’re all designed to defend against future hacks carried out by quantum computers, an unproven but rapidly developing threat that could quickly crack the kinds of encryption used almost universally today, including those used in the most sensitive Pentagon systems.
While implementing the NIST standards is voluntary for most private companies (albeit strongly recommended), they’re mandatory for national security agencies, including the entire Defense Department. The official deadline set by the White House is not until 2035. But because the vulnerable algorithms have been so widely used for so many years, and are so deeply embedded in often obscure chunks of code, it may well take that long to root them all out and replace them.
“This is the starting gun for what may be the single largest overhaul of US government communication systems since the adoption of the Internet, as ordered by the President in National Security Memorandum 10,” said RAND scientist Edward Parker. “It will probably go on for decades and will cost billions of dollars: OMB estimated $7.1 billion over the next decade for civilian federal government agencies alone, not including national security systems. It will cost even more time and money from the private sector.”
“There’s no time to waste,” Parker told Breaking Defense. “Any organization that handles sensitive data should get moving on migrating to PQC [post-quantum cryptography] as soon as possible.”
Duncan Jones, the head of quantum cybersecurity at vendor Quantinuum, put it even more bluntly: “The release of the standards is a wake-up call to any organization that has been dragging its heels on quantum.”
In fact, many federal agencies and private companies have been at work for months or years. They haven’t been implementing the actual algorithms, which were only formally finalized today after years of extensive testing that saw many promising candidates discarded along the way as NIST, NSA, or independent researchers found hidden weak points. Instead, they’ve been laying the groundwork by taking inventory of their existing systems, hunting through deeply buried subroutines to find all the instances of old-school encryption they’ll have to replace.
So, on the bright side, the three NIST standards formally released today — and a fourth expected to release by New Year’s — are familiar to cybersecurity professionals and thoroughly tested after almost a decade of often highly publicized development. On the dark side, though, there are plenty of nasty surprises lurking in networks, internet-of-things devices, and possibly even weapons systems, all of which will take time and technical talent to fix.
“I’m sure that organizations will discover plenty of practical surprises as they migrate their systems over to PQC — for example, discovering that certain devices have traditional cryptography algorithms unexpectedly hard-coded in,” Parker said. “But these issues should all be fixable. I don’t think there are any true deal-breakers lurking out there.”
Of course, “fixable” does not mean “easily” or “cheaply.”
Source: https://breakingdefense.com