Can WhatsApp messages be secure and encrypted, but traceable at the same time? – EurekAlert

Cryptographers love an enigma, a problem to solve, and this one has it all. Indestructible codes, secret notes, encryption and decryption.

Here's the puzzle: Someone wants to send a secure message online. It has to be so private, so secret, that they can deny they ever sent it. If someone leaks the message, it can never be traced back to the sender. It's all very Mission: Impossible. But there's a kicker: if that message peddles abuse or misinformation, maybe threatens violence, then anonymity may need to go out the window: the sender needs to be held to account.

And that's the challenge: is there a way to allow people to send confidential, secure, untraceable messages, but still track any menacing ones?

Mayank Varia might have cracked the conundrum. A cryptographer and computer scientist, Varia is an expert on the societal impact of algorithms and programs, developing systems that balance privacy and security with transparency and social justice. Working with a team of Boston University computer scientists, he's designed a program called Hecate (fittingly named after the ancient Greek goddess of magic and spells) that can be bolted onto a secure messaging app to beef up its confidentiality, while also allowing moderators to crack down on abuse. The team is presenting its findings at the 31st USENIX Security Symposium.

"Our goal in cryptography is to build tools and systems that allow people to get things done safely in the digital world," says Varia, a BU Faculty of Computing & Data Sciences associate professor. "The question at play in our paper is what is the most effective way to build a mechanism for reporting abuse, the fastest, most efficient way to provide the strongest security guarantees and provide the weakest possible puncturing of that?"

It's an approach he's also applying beyond messaging apps, building online tools that allow local governments to track gender wage gaps (without accessing private salary data) and enable sexual assault victims to more safely report their attackers.

When two people chat in a private room, what they talk about is just between them: there's no paper trail, no recording; the conversation lives on in memory alone. Put the same conversation online (Twitter, Facebook, email) and it's a different story. Every word is preserved for history. Sometimes that's good, but just as often it's not. An activist in an authoritarian state trying to get word to a journalist or a patient seeking help for a private health issue might not want their words broadcast to the world or held in an archive.

That's where end-to-end encryption comes in. Popularized by apps like WhatsApp and Signal, it scrambles sent messages into an unreadable format, only decrypting them when they land on the recipient's phone. It also ensures messages sent from one person to another can't be traced back to the sender; just like that private in-person chat, it's a conversation without a trail or record: everything is deniable.

"The goal of these deniable messaging systems is that even if my phone is compromised after we've had an encrypted messaging conversation, there are no digital breadcrumbs that will allow an external person to know for sure what we sent or even who said it," says Varia.

Amnesty International calls encryption a human right, arguing it's "an essential protection of [everyone's] rights to privacy and free speech," and especially vital for those countering corruption or challenging governments. Like much in the online world though, that privacy can be exploited or bent to more sinister ends. "There are specific times where this can be a bad thing," says Varia. "Suppose the messages someone is sending are harassing and abusive and you want to go seek help, you want to be able to prove to the moderator what the message contents were and who said them to you."

A study of elementary, middle, and high school students in Israel, where more than 97 percent of kids reportedly use WhatsApp, found 30 percent had been bullied on the app, while UK prosecutors have said end-to-end encryption could harm their ability to catch and stop child abusers. Extremist groups, from Islamic State to domestic terrorists, have leaned on encrypted apps like Telegram and Signal to spread their calls for violence.

The task for tech companies is finding a way to support the right to privacy with the need for accountability. Hecate offers a way to do both: it allows app users to deny they ever sent a message, but to also be reported if they say something abusive.

Developed by Varia and doctoral students Rawane Issa (GRS'22) and Nicolas Alhaddad (GRS'24), Hecate starts with the accountability side of that contradictory (deniable and traceable) combination. Using the program, an app's moderator creates a unique batch of electronic signatures, or tokens, for each user. When that user sends a message, a hidden token goes along for the ride. If the recipient decides to report that message, the moderator will be able to verify the sender's token and take action. It's called asymmetric message franking.

The fail-safe, says Varia, the part that allows for deniability, is that the token is only useful to the moderator.

"The token is an encrypted statement that only the moderator knows how to read: it's like they wrote a message in invisible ink to their future self," says Varia. "The moderator is the one who builds these tokens. That's the nifty part about our system: even if the moderator goes rogue, they can't show and convince the rest of the world; they have no digital proof, no breadcrumbs they can show to anyone else."

The user can maintain deniability, at least publicly.

Similar message franking systems already exist (Facebook parent Meta uses one on WhatsApp), but Varia says Hecate is faster, more secure, and futureproof in a way current programs are not.

"Hecate is the first message franking scheme that simultaneously achieves fast execution on a phone and for the moderator server, support for message forwarding, and compatibility with anonymous communication networks like Signal's sealed sender," says Varia. "Previous constructions achieved at most two of these three objectives."

The team says Hecate could be ready for implementation on apps like Signal and WhatsApp with just a few months of custom development and testing. But despite its technological advantages, Varia suggests companies approach Hecate with caution until they've fully investigated its potential societal impact.

"There's a question of can we build this, there's also a question of should we build this?" says Varia. "We can try to design these tools that provide safety benefits, but there might be longer dialogues and discussions with affected communities. Are we achieving the right notion of security for, say, the journalist, the dissident, the people being harassed online?"

As head of CDS' Hub for Civic Tech Impact, Varia is used to considering the societal and policy implications of his research. The hub's aim is to develop software and algorithms that advance public interest, whether they help to fight misinformation or foster increased government transparency. A theme through recent projects is the creation of programs that, like Hecate, straddle the line between privacy and accountability.

During a recent partnership with the Boston Women's Workforce Council, for example, BU computer scientists built a gender wage gap calculator that enables companies to share salaries with the city without letting sensitive pay data leave their servers.

"We're designing tools that allow people, it sounds counterintuitive, to compute data that they cannot see," says Varia, who's a member of the federal government's Advisory Committee on Data for Evidence Building. "Maybe I want to send you a message, but I don't want you to read it; it's weird, but maybe a bunch of us are sending information and we want you to be able to do some computation over it."

That's caught the interest of the Defense Advanced Research Projects Agency and Naval Information Warfare Center, which both funded the work that led to Hecate and have an interest in asking computer experts to crunch data without ever seeing the secrets hidden within it.

Varia's approach to encryption could also benefit survivors of sexual abuse. He recently partnered with San Francisco-based nonprofit Callisto to develop a new secure sexual assault reporting system. Inspired by the #MeToo movement, its goal is to help assault victims who are frightened of coming forward.

"They report their instance of sexual assault into our system and that report kind of vanishes into the ether," says Varia. "But if somebody else reports also being assaulted by the same perpetrator, then, and only then, does the system identify the existence of this match."

That information goes to a volunteer attorney, bound by attorney-client privilege, who can then work with the victims and survivors on next steps. Just like Hecate, Varia says it finds a balance between privacy and openness, between deniability and traceability.

"When we talk about trade-offs between privacy, digital civil liberties, and other rights, sometimes there is a natural tension," says Varia. "But we can do both: we don't have to build a system that allows for bulk surveillance, wide-scale attribution of metadata of who's talking to who; we can provide strong personal privacy and human rights, while also providing online trust and safety, and helping people who need it."


Why 2023 is the year of passwordless authentication – TechTarget

The explosion of available services has overwhelmed users with accounts and passwords to remember, which has led to them creating simple passwords and reusing passwords across multiple accounts.

Unfortunately, short and easy-to-remember passwords are insecure. Using brute-force methods, a hacker can determine an eight-character password in under an hour. Malicious hackers also create dictionaries with hundreds of millions of existing usernames and passwords stolen during data breaches.

Threat actors may also masquerade as a trustworthy source to trick users into inadvertently revealing their usernames and passwords. Known as phishing, these social engineering attacks are delivered through email, malware, typosquatting -- for example, a malicious website using the URL gogle.com instead of google.com -- and SMS texts.

To protect against brute-force and dictionary attacks, passwords need to use uppercase and lowercase letters, numbers and symbols, and be at least 14 characters long. Following these guidelines makes passwords harder to remember, leading to password reuse. This, in turn, leads to credential stuffing attacks, where malicious hackers take advantage of password reuse and a known username to attempt to log in to multiple services.

Passwords are a form of knowledge-based authentication. For a user to prove they are who they claim to be, they need a secret -- the password -- that has been previously stored by the service.

Multifactor authentication (MFA) is a technique designed to strengthen the authentication process by adding possession-based authentication to knowledge-based authentication. A service can only authenticate a user when they prove they have knowledge of the shared secret in addition to something they have or are.

The ubiquity of smartphones makes the phone the ideal physical item for possession-based authentication. To prove a user is in physical possession of the device, the service sends a message -- a challenge -- to the phone, which the user must then interact with.

While MFA serves as an improvement over traditional password-based authentication, many MFA techniques have their own security issues:

MFA also increases friction by requiring the user to go through a multistep process: entering the password, waiting for a challenge and then entering the challenge.

Eliminating shared secrets removes the intrinsic weakness of password-based authentication and MFA. A secure form of possession-based authentication is the best alternative. Passwordless authentication based on FIDO standards is considered the archetype.

FIDO passwordless authentication is based on public-key cryptography. This asymmetric cryptography uses pairs of keys; any system can encrypt a message using the public key, and the message can only be decrypted with the private key. This system also works in the reverse direction: Any message encrypted by the private key can only be decrypted by the public key. As long as the private key remains private, the public key can be shared without compromising security.

With FIDO passwordless authentication, when a user registers with a service, the user generates a public/private key pair. The public key is shared with the service, and the private key is kept in a hardware-based vault on the device.

During the authentication process, the service sends a challenge to the user. The user encrypts the challenge with the private key and sends the encrypted challenge back to the service. If the service successfully uses the public key to decrypt the challenge, the user has proved who they are.

What prevents an attacker from using a stolen device to authenticate to the service? The user's hardware vault and private keys are protected by either a PIN or biometrics, such as a fingerprint or facial recognition. Biometrics or PINs never get shared or transmitted across the network. This ensures only the legitimate user can access the private keys and is in possession of the device.

Thus, FIDO passwordless authentication is more secure than password-based or multifactor authentication. FIDO passwordless authentication also removes friction from the process: Users only need to look at the phone's camera, swipe their finger or enter a PIN.

While FIDO protocols have been standardized since 2019, a passel of startups -- including 1Kosmos, Acceptto, Axiad, Beyond Identity, Hypr, Nok Nok Labs, Secret Double Octopus, Stytch, Transmit Security and Trusona -- are innovating products to add passwordless authentication to apps.

Identity and access management (IAM) providers haven't been idle, either. Auth0, CyberArk, ForgeRock, IBM, JumpCloud, Microsoft, Okta, OpenText, Oracle, Ping Identity, SailPoint, Saviynt and WSO2 have added passwordless authentication to their workforce and customer IAM products.

Thanks to the above, organizations can now transition to passwordless authentication. A survey from Enterprise Strategy Group (ESG), a division of TechTarget, revealed the following:

Of organizations transitioning to passwordless strategies, more than half experienced a significant positive impact to risk reduction and improved UX. Almost two-thirds reported increased efficiency for IT and security teams.

With these benefits and the ability for organizations to move to a passwordless approach for their IAM systems and applications, 2023 can and should be the year of passwordless authentication.


Sony unveils a new way to protect images from theft, manipulation – Popular Photography

Sony has a new anti-forgery feature coming to the a7 IV mirrorless camera that adds a crypto signature to images as soon as they're shot to help prevent duplication or manipulation. It's designed for corporate customers, so don't expect your holiday snaps to be getting digitally signed any time soon. Still, it's an interesting idea with a wide variety of potential uses.


Unfortunately, with any topic involving cryptography, it's important to clarify that this has nothing to do with cryptocurrencies, NFTs, or any other Web3 thing. This is about cryptographically signing images at the point of capture so that their authenticity can be verified (not putting anything on the blockchain).

How it works is the camera's processor cryptographically signs the image as it's taken. While Sony hasn't announced any specifics, this is something that has been talked about since at least the 1990s. The details might vary a little, but basically, some secret code gets embedded into the image that will break badly if something is changed.

So, if anyone modifies, tampers with, or edits the image, whether by shifting a few pixels or creating a total forgery, it will be obvious to anyone who knows how to check. Since it's a cryptographic signature, this will involve some complex math similar to how passwords and passkeys work.

Not every photo needs to be verifiably authentic. If it's just a selfie you shot on holiday, who cares if you put a filter on it? But in some fields, it is useful for an image's authenticity to be quickly and easily verified.

Sony suggests that it's particularly applicable for passports and ID verification, but also says that it could be used for tackling image manipulation in the media (a big concern with photojournalism). The other potential use cases it flags are in medicine, law enforcement, insurance assessment, and construction. These are all areas where being able to verify that an image was taken when and where its metadata implies, and hasn't been manipulated in any way, is useful.

Yasuo Baba, Director of Digital Imaging and European Product Marketing at Sony, said in the press release, "It is Sony's mission to strengthen business solutions with cutting-edge imagery technology and our in-camera digital signing is a real gamechanger for combatting image manipulation and forgery across multiple industries."

Sony says that, for now, the anti-forgery feature is limited to the Sony a7 IV though it will potentially be expanded to other models if it is warranted.

The signing mode is only available to business users and they have to apply to Sony for a license to enable it. Presumably, it's this license that will also allow these customers to configure their servers to automatically verify an image was shot with a specific camera.

Other than that, we don't have a lot of details. Still, when so many stories are about how easy it is to fake photos, it's nice to see another new method for securing them.


Cameron Whitehead wins again, taking top honors in the CyberForce Program’s Conquer the Hill Reign Edition Competition – EurekAlert

The U.S. Department of Energy's CyberForce Program hosts competitions such as Conquer the Hill Reign Edition to help the energy sector develop a pipeline of skilled cyber defenders who can counteract ever-evolving cyber threats.

Today, the U.S. Department of Energy's (DOE) Argonne National Laboratory and DOE's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced that Cameron Whitehead from University of Central Florida is the winner of the CyberForce Conquer the Hill Reign Edition competition.

Whitehead was one of 100 competitors who traversed his way through server rooms, interacted with AI robots and decrypted secret messages to solve puzzles in a simulation of real world challenges that a national laboratory or secure energy facility might face if it underwent a malicious cyberattack. He was also the winner of the 2021 Conquer the Hill Adventurer Edition Competition.

Conquer the Hill Reign Edition is the second mini competition created by the CyberForce Program for individual competitors. The program also hosted the Adventurer Edition in July 2021; its CyberForce Competition, which pits small, collaborative teams from colleges and universities against one another, will take place on Nov. 5.

Since its inception in 2016, the CyberForce Program has also grown to feature a monthly webinar series, a virtual career fair and an online workforce portal where students can evaluate cyber skills, check job boards and learn about upcoming events and training. These expansions demonstrate DOE's support of the White House's goal of building a pipeline of skilled cyber defenders to fill the nearly 500,000 currently-unfilled cybersecurity jobs in the United States. The program is led by Argonne.

"The CyberForce competitions, such as Conquer the Hill Reign Edition, are ideal ways to engage and test the cyber skills of our country's best and brightest students," said Amanda Theel, Director of the CyberForce Program and group leader of Workforce Development in Argonne's Strategic Security Sciences division. "Reign is a unique way for the Department of Energy and Argonne to interact with and develop our future workforce utilizing an engaging platform. I'm looking forward to seeing and hearing the participants' thoughts and feedback."

In Conquer the Hill Reign Edition, individuals used their wits and cunning to progress through rooms of increasing difficulty to ultimately unravel the truth. Participants were tested on their knowledge of cybersecurity, computer science, mathematics, cryptography and critical thinking skills.

"The CyberForce Program gives future cybersecurity talent the opportunity to engage with and learn from industry and national laboratory experts no matter where they live or where they are in their careers," said CESER Director Puesh Kumar. "Competitions like the Reign Edition give the Department of Energy a front seat at innovating and developing the next generation of cybersecurity workers."

Students' next opportunity to compete will be in the CyberForce Program's 2022 CyberForce Competition, which will be held on Saturday, Nov. 5. This year's competition will be a hybrid in-person and virtual event, where participants will test their cyber defense skills in real time. The in-person portion of the event will be held at the Q Center in St. Charles, Illinois. Student teams can apply to compete until mid-September. Teams are reviewed on the completeness of their application, diversity of knowledge and the thoughtfulness of the makeup of their team. Competing is free.

All participating students are also invited to attend CyberForce's Virtual Career Fair, which will be held on Oct. 12, 1 p.m. EST. This virtual event will be hosted on Brazen, which will offer exhibitors the ability to customize booths, have multiple representatives, post jobs/internships and ask questions prior to speaking with any participants.

CyberForce began as a cyber defense competition in 2016 with eight competing teams. It grew to more than 100 teams in 2019, and added virtual participation as an option in 2020 and 2021, due to the COVID-19 pandemic. Today, the CyberForce Program offers many opportunities for the next generation of cyber professionals to advance their cyber skills. To learn more, visit https://cyberforce.energy.gov/.


Criminals steal $4 million from Solana as theft trend hits its crypto blockchain – SC Media

Cryptocurrency exchanges and bridge sites have been suffering a spate of attacks aimed at stealing funds, personal credentials and account access. One of the latest victims: Roughly 9,000 crypto wallets on the Solana blockchain, which were reportedly robbed of more than $4 million late last week.

Tricky threat actors, continuously finding new inroads to cryptocurrency systems, customers and employees through ever-more sophisticated webs of malicious downloads, trojans, social engineering and fraud, exploited another wrinkle in this attack on Solana. Bad actors specifically accessed and drained funds held in both Solana and USD Coin currencies from accounts held, in most cases, on Slope mobile wallets.

The evidence in the investigation of this breach currently points to stolen private keys as the culprit for the attacks on Solana users who use specific wallet apps, according to Paul Bischoff, privacy advocate at Comparitech.

"The passwords could have been stolen from a database, a supply chain attack that infected some wallet apps, or by phishing users for individual passwords," Bischoff added. "Given the number of wallets affected, one of the former two seems more likely."

For its part, Solana is reserving judgment on how attackers were able to gain access.

"The details of exactly how this occurred are still under investigation, but private key information was inadvertently transmitted to an application monitoring service," according to a statement Solana issued last week on Twitter. "There is no evidence the Solana protocol or its cryptography was compromised."

A few of Solana's account holders with Phantom mobile wallets were also reportedly impacted, but Phantom tweeted that all of its customers' issues were connected to importing accounts to and from Slope. In a statement issued by Slope last week, the mobile payments developer said it is still investigating the breach of its wallets, though the company stated it had some hypotheses as to the nature of the breach, but nothing is yet firm. Many of Slope's own employees and founders had their wallets emptied, as well, according to the statement.

"We are actively conducting internal investigations and audits, working with top external security and audit groups," the Slope statement continued. "We are working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify."

Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, pointed out that the Solana attack, along with the recent Nomad attack, attacks on Coinbase and a plethora of other blockchain and online currency breaches is just one of the latest crypto-related thefts.

"Billions have been stolen so far this year alone," Grimes said. "In general, the cryptocurrency industry is not securing their products as strongly as they could. They and their employees are often running and operating as a mainstream, much lower-level security operation might."

"Cryptocurrency organizations and their software are essentially operating as financial trading organizations and banks, and as such, should treat their internal security and application security as any other high-security organization would," Grimes added. "Hence all cryptocurrency and blockchain developers should be trained in security development lifecycle (SDL) techniques, use secure-by-default coding languages, and should test their applications extensively before release, conducting multiple, internal code reviews, internal penetration testing, and external bug bounties and external penetration testing, until they can, to the best of their ability, decrease the risk of malicious bugs being present."


Post-quantum cryptography: new algorithm gone in 60 minutes – Naked Security

We've written about PQC, short for post-quantum cryptography, several times before.

In case you've missed all the media excitement of the past few years about so-called quantum computing, it is (if you will pardon what some experts will probably consider a reckless oversimplification) a way of building computing devices that can keep track of multiple possible outcomes of a calculation at the same time.

With a lot of care, and perhaps a bit of luck, this means that you can rewrite some types of algorithm to home in on the right answer, or at least correctly discard a whole slew of wrong answers, without trying and testing every possible outcome one-by-one.

Two interesting cryptanalytical speedups are possible using a quantum computing device, assuming a suitably powerful and reliable one can actually be constructed:

The threat from Grover's algorithm can be countered simply by boosting the size of the numbers you're using by squaring them, which means doubling the number of bits in your cryptographic hash or your symmetric encryption key. (In other words, if you think SHA-256 is fine right now, using SHA-512 instead would provide a PQC-resistant alternative.)

But Shor's algorithm can't be countered quite so easily.

A public key of 2048 bits would need its size increased exponentially, not simply by squaring, so that instead of a key of 2×2048 = 4096 bits, either you'd need a new key with the impossible size of 2^2048 bits, or you'd have to adopt a completely new sort of post-quantum encryption system to which Shor's algorithm didn't apply.

Well, US standards body NIST has been running a PQC competition since late 2017.

The process has been open to everyone, with all participants welcome, all algorithms openly published, and public scrutiny not merely possible but actively encouraged:

Call for Proposals. [Closed 2017-11-30]. [...] It is intended that the new public-key cryptography standards will specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are available worldwide, and are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.

After three rounds of submissions and discussions, NIST announced, on 2022-07-05, that it had chosen four algorithms that it considered standards with immediate effect, all with delightful-sounding names: CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON, and SPHINCS+.

The first one (CRYSTALS-KYBER) is used as what's called a Key Agreement Mechanism (KEM), where two ends of a public communication channel securely concoct a one-time private encryption key for exchanging a session's worth of data confidentially. (Simply put: snoopers just get shredded cabbage, so they can't eavesdrop on the conversation.)

The other three algorithms are used for Digital Signatures, whereby you can ensure that the data you got out at your end matches exactly what the sender put in at the other, thus preventing tampering and assuring integrity. (Simply put: if anyone tries to corrupt or mess with the data, you'll know.)

At the same time as announcing the new standards, NIST also announced a fourth round of its competition, putting a further four algorithms forward as possible alternative KEMs. (Remember that, at the time of writing, we already have three approved digital signature algorithms to choose from, but only one official KEM.)

These were: BIKE, Classic McEliece, HQC and SIKE.

Intriguingly, the McEliece algorithm was invented way back in the 1970s by American cryptographer Robert McEliece, who died in 2019, well after NIST's contest was already underway.

It never caught on, however, because it required huge amounts of key material compared to the popular alternative of the day, the Diffie-Hellman-Merkle algorithm (DHM, or sometimes just DH).

Unfortunately, one of the three Round Four algorithms, namely SIKE, appears to have been cracked.

In a brain-twisting paper entitled AN EFFICIENT KEY RECOVERY ATTACK ON SIDH (PRELIMINARY VERSION), Belgian cryptographers Wouter Castryck and Thomas Decru seem to have dealt something of a deadly blow to the SIKE algorithm.

In case you're wondering, SIKE is short for Supersingular Isogeny Key Encapsulation, and SIDH stands for Supersingular Isogeny Diffie-Hellman, a specific use of the SIKE algorithm whereby two ends of a communication channel perform a DHM-like cryptodance to exchange a bunch of public data that allows each end to derive a private value to use as a one-time secret encryption key.

We're not going to try to explain the attack here; we'll just repeat what the paper claims, namely that:

Very loosely put, the inputs here include the public data provided by one of the participants in the key establishment cryptodance, along with the pre-determined (and therefore publicly-known) parameters used in the process.

But the output that's extracted (the information referred to as the isogeny above) is supposed to be the never-revealed part of the process: the so-called private key.

In other words, from public information alone, such as the data exchanged openly during key setup, the cryptographers claim to be able to recover the private key of one of the participants.

And once you know my private key, you can easily and undetectably pretend to be me, so the encryption process is broken.

Apparently, the key-cracking algorithm takes about an hour to do its work, using just a single CPU core with the kind of processing power you'd find in an everyday laptop.

That's against the SIKE algorithm when configured to meet Level 1, NIST's basic grade of encryption security.

Nothing!

(That's the good news.)

As the authors of the paper suggest, after noting that their result is still preliminary, "with the current state of affairs, SIDH appears to be fully broken for any publicly generated base curve."

(That's the bad news.)

However, given that the SIKE algorithm isn't officially approved yet, it can now either be adapted to thwart this particular attack (something that the authors admit may be possible), or simply dropped altogether.

Whatever finally happens to SIKE, this is an excellent reminder of why trying to invent your own encryption algorithms is fraught with danger.

It's also a pointed example of why proprietary encryption systems that rely on the secrecy of the algorithm itself to maintain their security are simply unacceptable in 2022.

If a PQC algorithm such as SIKE survived perusal and probing by experts from around the globe for more than five years, despite being disclosed specifically so that it could be subjected to public scrutiny...

...then there's no need to ask yourself how well your home-made, hidden-from-view encryption algorithms are likely to fare when released into the wild!

See the original post here:
Post-quantum cryptography new algorithm gone in 60 minutes - Naked Security

What Is The Affinity Among Blockchain And Cryptocurrency? – Inventiva

We have all been hearing about blockchain and cryptocurrency for a long time in connection with Bitcoin investment, and both terms are quite popular. The two are also used together: while the technologies are different, they are inherently intertwined. A blockchain is essentially a decentralised, digitised public ledger. Its information is grouped into blocks and stored across the computer network that makes up the database. When a verifiable transaction is made, its information is stored in a block, and when the block is complete it is added to the chain. Cryptocurrency runs on blockchain mainly because it, too, is a completely decentralised, digital system. A cryptocurrency is a virtual, or digital, currency. It relies on cryptography for its security, and because no single authority owns it, it is difficult for a government to manipulate it in any way.

Bitcoin (BTC) was the first and is an extremely popular cryptocurrency, but the list has gradually grown to more than 8000. If we talk about blockchain technology, then bitcoin is by far the most popular currency. There is no doubt that both these technologies are very important. Recent years have seen many changes that are considered quite advanced, but there are also many conditions that leave confusion in place. Reducing this confusion requires learning how to evaluate the feasibility of a crypto project with a cryptocurrency course.

The Future of Blockchain and Cryptocurrencies

It is estimated that worldwide blockchain spending could reach $104.9 billion by 2030. Blockchain and cryptocurrencies are disrupting the financial services sector in many ways, as traditional institutions seize on the rapid pace that blockchain technology has to offer. The development of blockchain technology has shown no signs of slowing down yet, although some people are still uncertain about its future. 2022 may prove to be a good and successful year for investment. Whether it should be considered a long-term investment is still to be determined. Similar to those who view bitcoin as a fixed supply, blockchain platforms are being developed to enhance its value over a long period in an ecosystem with decentralised applications.

How Blockchain and Cryptocurrency Work Together

Rather than being an optional technology for crypto, blockchain is a crucial component of it. In turn, the development and improvement of blockchain has been powered by digital currencies, as crypto depends on a blockchain network to exist. However, blockchain goes beyond crypto applications. Not restricted to the financial sector, the technology provides numerous solutions that have disrupted, and will keep disrupting, a wide range of markets long into the future. Blockchain technology was first implemented in 2009, when it was far less well known than it is now. The cryptographic form of blocks is completely secure; it was developed rapidly in the 1990s, but revolutionary cryptosystems came to prominence.

Conclusion

In conclusion, we would like to point out that other industries and developers are still building on the initial flexibility of cryptocurrency and blockchain to expand them. Blockchain is a popular technology that supports, and has emerged alongside, other innovations such as IoT, AI and Big Data. With the changes and developments taking place in it, it is fair to say that blockchain has become the future; if you also want good career growth, you have to prepare yourself to invest in it.

See the original post here:
What Is The Affinity Among Blockchain And Cryptocurrency? - Inventiva

Quantum Cryptography Services Market 2021; Region Wise Analysis of Top Players in Market and its Types and Application – NewsOrigins

Demand in the Quantum Cryptography Services industry is anticipated to be high for the next six years. In view of this demand, we provide the latest Quantum Cryptography Services Market Report, which gives complete industry analysis, market outlook, size, growth and forecast till 2026. This report will assist in analyzing the current and future business trends, sales and revenue forecasts.

The Quantum Cryptography Services market research report thoroughly analyzes this industry vertical while elaborating on the various market segmentations. Key aspects of the market, including the current industry size and its position according to revenue and volume predictions, are highlighted in the document. Furthermore, the report delivers information regarding the regional contribution as well as the competitive scenario of this business landscape.

This report shows the outstanding growth of the Quantum Cryptography Services market as well as increases in its production, price, cost and production value. The report also covers export market analysis, main region analysis and upcoming demand for the Quantum Cryptography Services market.

Underlining the primary details of the Quantum Cryptography Services market report:

From the regional frame of reference:

Unveiling the competitive spectrum of the Quantum Cryptography Services market:

Additional data highlighted in the research report:

Highlights following key factors:

Visit link:
Quantum Cryptography Services Market 2021; Region Wise Analysis of Top Players in Market and its Types and Application - NewsOrigins

Let's grab some knowledge about the basics of bitcoin! – Star of Mysore

Bitcoin is often used as a monetary system, not an actual currency. Undeniably people have heard about bitcoin, but not many know about the basics of bitcoin. Behind every digital currency, such as BTC, a complete proof ecosystem of technical aspects exists. If you want to get better at bitcoin trading, you can visit; here, you can get beneficial tips to become a proficient independent trader. First, let's discuss the basics of bitcoin.

Bitcoin Blockchain!

Bitcoin uses cryptography for its security. In the cryptocurrency world, it is the unique signature that identifies each user, which is called a public key and a private key to access the funds. A transaction between two users, signed with their private keys, becomes a block and has to be added to the ledger called a blockchain.

The blockchain can be considered a record or ledger of all transactions within a digital currency system since its inception. In other words, it can be considered a public database which keeps a record of all trading activities ever performed by any user at any time.

What is Bitcoin Mining?

Usually, in a public ledger system (blockchain), if each user can make changes, it's prone to manipulation. To avoid this, bitcoin adjusts the difficulty of the cryptographic puzzle so that one block is generated every 10 minutes.

Mining is a process by which transaction data is verified and added to the blockchain ledger. As a reward, miners acquire exchange charges and freshly formed bitcoins. This activity is also known as mining because it's a costly procedure for Bitcoin miners in terms of computing power and electricity required for solving mathematical puzzles.

Bitcoin Wallet!

A bitcoin wallet is like your bank account for bitcoin. You can send/receive bitcoin and make payments to merchants with it! A wallet is a store of value (such as cash) and a means of payment (such as debit cards, credit cards, PayPal) in which bitcoins are stored.

There are many different types of wallets available:

Hardware Wallet: This type of wallet stores the private keys locally on a physical device like a USB or an external hard drive. It can be kept offline and used for cold storage if you lose your computer.

Mobile Wallet: This type of wallet allows users to access their bitcoins from any smartphone mobile app or web application on smartphones. There are numerous other types of wallets.

Cryptography!

Data secured using cryptography can be decoded only with the private key. It is also known as encryption. Data needs to be encrypted with pairing keys before transmission between computers. This type of data security is called asymmetric encryption.

Private Key: A secret number used to encrypt information which can decrypt or unlock something.

Public Key: A cryptographic key or random number used by a person to encrypt something and make it public. Anyone can use a cryptographic public key to encrypt something. Still, it can only be decrypted with a corresponding private key that only the owner of the corresponding private key possesses.

Bitcoin Halving!

Bitcoin has an important date in its history called Halving. When the reward for mining new bitcoins halves, mining becomes more and more complex and to compensate for this mining difficulty, the bitcoin price increases.

When does the halving happen?

The first of two Bitcoin halves occurs roughly every four years. The second last one happened on Jul 9th, 2016, after which the reward will be 12.5 bitcoins per block (currently 10). As of now, the third halving occurred on Aug 5th 2017. Finally, the most recent halving occurred in March 2020.

Private Keys!

A private key is a secret code that one can use to encrypt and perform decryption of cryptocurrency exchange. A digital signature is a private key that enables its associated digital signature algorithm to verify the integrity of a message or file.

The private key may be public only to the person who created it, or it may be known by anyone who knows how to find it. It may be kept on paper, written down on an electronic device, or stored in a computer's memory or as an electronic file.

Read more from the original source:
Let's grab some knowledge about the basics of bitcoin! - Star of Mysore

Thanks To Apple, Microsoft And Google, Passwords Will Finally Die – Forbes

As a vignette to illustrate the state of the digital identity world in 2022, I can do no better than to tell you that when I was in San Diego recently (at a gathering of some of the brightest stars in the digital identity universe) I had need to change my flight. I opened up my airline app and (presumably because I was logging in from a new location) was required to complete an additional authentication step, which was to tell them my favourite breed of dog.

Now I am sure that some years ago, when setting up this account, I had been asked to choose a couple of additional security questions that must have included a canine conundrum, but of course I had forgotten all about it. The good news was that after a couple of guesses, I went for "Spaniel" and I was in (don't worry, I've changed it now so there's no need to email me about this gross security violation). While I was doing this, one of my fellow digital identity experts was taking a photograph of his passport to e-mail to someone so that he could check in. It was all very 1994, except we were being annoyed and confused with much smaller screens.

Password "Security".

The state of internet security is pathetic. It's no wonder that fraud is at such epic levels when vast swathes of the internet still depend on passwords for security. Passwords are just not security and password security is no such thing.

This is hardly news and this must be the ten millionth column pointing it out, since it must have been evident about a week after the world went online and smart people have been demanding the end of the password ever since.

Just to give one example, at the dawn of the millennium Bill Gates was saying that smart cards should replace passwords and then in 2004 he told the RSA Security Conference that the password must go because it cannot "meet the challenge" of keeping us secure. It was true in 1994, it was true in 2004 and 2014 and it will still be true in 2024!

So we all agree that passwords are a bad idea but we are all forced to use them. I just had to reset the password for one of my hotel apps because the password stored in my handy password manager was somehow wrong and after three attempts to log in to try and book a hotel room I got locked out.

(As for many other services, they may as well just automatically send me straight to the "I forgot my password" page to save time when I try to log in.)

Interestingly, the short term result of this was that I opened one of my other hotel apps and used that to book a room. Weird to think that in this modern world, my choice of hotel for a business trip was based on which password I can remember, rather than loyalty points or tea and coffee facilities.

Passwords are well beyond their sell-by date. Last year, the top five passwords used in the USA, according to password manager Nordpass, were "123456", "123456789", "12345", "qwerty" and "password". It's hardly surprising that there are so many hacks, frauds, account takeovers and all sorts of other shenanigans that stem from the outdated view that passwords are some sort of security solution. They are not, and we (ie, the digital financial services sector) have known for years that they must die.

They should be replaced by real cryptography, preferably where the cryptographic keys are stored in tamper-resistant hardware rather than in software. A great many people already have suitable devices. Last year more than half of US teens and adults had tablets and smartphone penetration, which continues to rise, will be almost 90% this year. These devices are near-prosthetic. The average smartphone user will tap the device 2,617 times a day. Around half of US smartphone users say they "couldn't live without their devices" and a third of them look at their phones more than 50 times every day.

So if most people are most of the time attached to a device capable of strong authentication of keys in tamper-resistant hardware why are we still using passwords?

Well, we may not be in this bind for too much longer. I think that the recent announcement from the FIDO Alliance and Microsoft, Apple and Google that they will support the expansion of the common passwordless standard created by FIDO and the World Wide Web Consortium (W3C) is really significant and should have attracted more media attention.

The three internet giants have said that they will be using the new multi-device FIDO credentials, sometimes referred to as "passkeys", to begin to rid the world of passwords. They have committed to support passwordless sign-in that will work across all the desktop, mobile, and browser platforms that they control. That is a large portion of modern technology, covering everything from laptops and desktops to smartphones, tablets, and smartwatches. The announcement covers the most used operating systems (Android, iOS, Windows, and macOS) as well as the three most used web browsers (Chrome, Edge and Safari).

A passkey is a credential, tied to what is known as an "origin" (which means a website or an application that you want to log in to) and a physical device (an authenticator). Passkeys allow users to authenticate without having to enter a username, password, or provide any additional authentication factor. These credentials follow the FIDO and W3C Web Authentication (WebAuthn) standards. Websites and apps can request that a user create a passkey to access their account.

The authenticators are FIDO-compliant devices which are used to, as you might imagine, authenticate the user. This includes special purpose devices (eg, USB sticks), as well as mobile phones and other computers which meet the authenticator requirements (they have to have secure tamper-resistant storage for cryptographic keys, essentially).
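The origin binding described above can be seen in a short Node.js simulation of a WebAuthn-style sign-in. This is an added example, not code from the article or from FIDO, and it is deliberately simplified: the `Authenticator` class, the `verifyAssertion` function, the `.example` domains and the rule that the relying-party ID equals the origin's hostname are all assumptions made for illustration.

```javascript
// Added example: simplified WebAuthn-style assertion, not a full implementation.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: holds one private key per relying-party ID (rpId).
class Authenticator {
  constructor() { this.keys = new Map(); }

  // Registration: create a key pair for this site, hand back only the public key.
  register(rpId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey;
  }

  // Sign-in: the browser supplies the origin it is really showing.
  // Simplification (assumption): rpId is taken to be the origin's hostname.
  getAssertion(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey exists for this site
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get',
      challenge: challenge.toString('base64url'),
      origin,
    }));
    // authenticatorData = SHA-256(rpId) || flags (0x05: user present + verified) || signCount
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signature = crypto.sign(
      'sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authData, signature };
  }
}

// Relying party: returns 'ok' or the name of the first check that failed.
function verifyAssertion(a, { origin, rpId, challenge, publicKey }) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== challenge.toString('base64url')) return 'bad challenge';
  if (client.origin !== origin) return 'bad origin';
  if (!a.authData.subarray(0, 32).equals(sha256(rpId))) return 'bad rpIdHash';
  if ((a.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: airline.example is the real site, the other origin a lookalike.
function demo() {
  const phone = new Authenticator();
  const site = { origin: 'https://airline.example', rpId: 'airline.example' };
  site.publicKey = phone.register(site.rpId);

  const challenge = crypto.randomBytes(32);
  const good = phone.getAssertion(site.origin, challenge);
  const tampered = { ...good, authData: Buffer.from(good.authData) };
  tampered.authData[36] ^= 1; // alter one byte of the signed counter

  return {
    genuine: verifyAssertion(good, { ...site, challenge }),
    replayed: verifyAssertion(good, { ...site, challenge: crypto.randomBytes(32) }),
    tampered: verifyAssertion(tampered, { ...site, challenge }),
    lookalike: phone.getAssertion('https://airline-login.example', challenge),
  };
}
```

The server stores only the public key, so a breach of its database yields nothing that can be replayed, and the lookalike origin gets no assertion at all because no key was ever created for it.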

Apple got behind FIDO a couple of years ago. It calls its own implementation "Passkeys in iCloud Keychain" and what that boils down to is that in the future when I log in to my airline app or my hotel website, it will authenticate me through my iPhone. Kind of like how "Log in with Apple" works today, except it will work everywhere that implements the FIDO standard.

Similarly, Microsoft announced a while back that some of its customers could go passwordless, and it followed up last year by telling people to start to get rid of their passwords altogether. You can already use Windows Hello to sign in to any site that supports passkeys but in the near future you will be able to sign in to your Microsoft account with a passkey from an Apple or Google device.

The ability to log in to Windows using an Apple Watch, to Google using a Microsoft tablet and to Apple using an Android phone is surely a game changer and a step towards ending the fragmentation of identity solutions that leaves the typical user struggling with password managers, sticky notes and mnemonics.

Two decades on and Bill Gates' call for smart cards to replace passwords is about to be answered, although the smart cards will be inside mobile phones and laptops and tablets rather than sitting in wallets. As the MIT Technology Review commented recently, these alternatives to passwords are finally winning. It's not before time.

The rest is here:
Thanks To Apple, Microsoft And Google, Passwords Will Finally Die - Forbes