Cyber Resiliency framework

  • by

Cyber Resiliency – Summary and Review

This is a summary of a paper on cyber resiliency in block chain [1] – I have tried to understand and summarise key messages from it. A bit behind why am I doing this is here http://paksha.info/summaries, mainly as an exercise to practice and challenge comprehension abilities, so any mistakes made are duly mine.

The paper’s focus has been mainly around public key infrastructure and impact of quantum computing advances on asymmetric cryptography components which could be potentially at risk. Symmetric cryptography systems like AES are quite safe from any QC advances. [6][8]

(a) What is the key message from this paper?

How to improve security in DLT systems especially in the back-drop of advances in quantum computing

(b) How is that message supported by the paper?

The author recommends testing of hybrid PKI that incorporates new PQC algorithms in existing systems – also aiming to reduce their public key size [5] *

(c) What is the background for this paper?

The rising prominence of DLT and plans to use it in critical infrastructure. Security is critical and the stakes have become higher for enterprises in the back-drop of GDPR and other privacy laws, so need to factor in threats to current cryptography systems.

(d) What is the evidence behind this paper?

The author gives examples of existing hacks of crypto-exchanges and  makes the point that with increasing computing capabilities, it’s easier to repeat these.

(e) Conclusions and Applications

Author raises a valid point. A lot of our encryption standards(mainly the asymmetric cryptographic components) are potentially under threat when quantum capabilities advance and that affects DLT built on current standards. When we review any new crypto platform, we should ascertain if there is a relevant road-map on security journey. Of particular interest are the public process NIST are following to adopt algorithms and digital signatures for PQC (Post Quantum Cryptography) [3],[4]. Interesting read and educated me quite a bit  on changes to our current security assumptions, many thanks to the author.

* Our standard public key algorithms (asymmetric) are potentially easy to crack for quantum computers. The specific algorithms used in PQC – they can have large public key sizes that prevents easy adoption, and they don’t need such large size to be secure, so there is effort in reducing that. [6][7][8][9][10]

REFERENCES / FOOTNOTES

1. [https://jbba.scholasticahq.com/article/12257-the-need-for-cyber-resilient-enterprise-distributed-ledger-risk-management-framework]

2. [ https://paragonie.com/blog/2019/03/definitive-2019-guide-cryptographic-key-sizes-and-algorithm-recommendations ] (Accessed 26.03.2020)

3. [https://csrc.nist.gov/news/2019/pqc-standardization-process-2nd-round-candidates] (Accessed 27.03.2020)

4. [https://csrc.nist.gov/Projects/post-quantum-cryptography] (Accessed 27.03.2020)

5. [https://jbba.scholasticahq.com/article/9902-transitioning-to-a-hyperledger-fabric-quantum-resistant-classical-hybrid-public-key-infrastructure] (Accessed 17.4.2020)

6. [https://nakedsecurity.sophos.com/2019/02/07/serious-security-post-quantum-cryptography-and-why-we-are-getting-it/] (Accessed 17.4.2020)

7. [https://www.post-quantum.com/quantum-resistant-encryption/] (Accessed 17.4.2020)

8. [https://www.ericsson.com/en/blog/2020/3/post-quantum-cryptography-symmetric-asymmetric-algorithms] (Accessed 17.4.2020)

9. [https://blog.trailofbits.com/2018/10/22/a-guide-to-post-quantum-cryptography/] (Accessed 17.4.2020)

10. [https://www.schneier.com/blog/archives/2018/09/quantum_computi_2.html] (Accessed 17.4.2020)

DISCLAIMERS

These are my personal notes and observations and do not reflect any official policy or announcement from any company or employers past and present. These notes are only provided for informational purposes.

Please read legal & other disclaimers here: https://paksha.info/standard-disclaimer/

Revisions:

Updated 17.4.2020 – I have updated the statement around key size and added more context thanks to feedback from my friend Derek. 19.4.2020 – added introduction to highlight that impact discussed is mainly on asymmetric components thanks to feedback from my friend Mark.