Recent advances in, and attention to, quantum computing have raised security concerns among IT professionals. The ability of a quantum computer to efficiently solve the (elliptic curve) discrete logarithm and integer factorization problems poses a threat to current public key exchange, encryption, and digital signature schemes. Such schemes are widely used in protocols and products that offer encryption. These include VPN devices, routers and switches, media products that encrypt media communication, and practically all offerings that encrypt and/or authenticate data in transit or at rest. Thus, industry and academia have been working on post-quantum (PQ) schemes that would be secure against a quantum computer, as we have discussed before. At Cisco, we have been looking into PQ signatures and their use-cases for almost five years. At the ETSI/IQC Quantum Safe Cryptography Workshop 2019 last month, we presented some of our experimental results related to two PQ signature use-cases, software signing and TLS authentication. We summarize them below.
We considered Hash-Based Signatures (HBS) for software signing and secure boot. We have discussed HBS before. In our most recent work, we evaluate LMS and SPHINCS+ HBS schemes for use in image signing. We propose suitable parameters and show that their acceptable performance makes them good candidates for the software signing use-case.
We then considered PQ signatures in TLS 1.3. Using PQ signatures in TLS is essential in a PQ future. PQ Key Exchange is admittedly more urgent because of potential “store-and-decrypt later when a quantum computer is available” scenarios. Some of our industry peers like AWS, Cloudflare, Google, and Microsoft have been focusing on PQ Key Exchange. On the other hand, migrating to new algorithms for TLS authentication usually takes a long time and should not be neglected indefinitely. In the past, we have looked into HBS for use in X.509 PQ certificates. Given their challenges, we recently evaluated the NIST PQ Project candidate signature schemes for TLS authentication. Our experiments show that Dilithium and Falcon are the best available options but come with some impact on TLS performance. We also analyze the challenges these algorithms introduce and potential solutions.
Our ETSI presentation can be found in the ETSI workshop slides, and our companion paper is on ePrint. We will continue working on these topics to address open questions and confirm our early results with further testing. We will share more detailed results in due time.
Other than our presentation, the three-day ETSI/IQC Quantum Safe Cryptography Workshop 2019 included many interesting presentations on quantum-secure cryptography that triggered interesting private discussions. We would like to thank ETSI for organizing the workshop and AWS for hosting it.