pogonici - Fotolia
Microsoft released a new cryptographic library that is reportedly faster and more secure than existing options. What can you tell me about FourQLib, and is this cryptographic library something enterprises should look into using?
Encryption is one of the most effective ways to keep data secure, but as new discoveries in cryptanalysis are made and computing power increases, older algorithms need to be retired and replaced. For example, DES was once the standard algorithm used for encryption, but now, a regular desktop computer can break it. MD5 and SHA-1 were widely used hash algorithms, but they are now considered weak and are being replaced by SHA-2; The National Institute of Standards and Technology (NIST) has already published its successor, SHA-3.
New encryption algorithms have to be both secure and efficient, as a higher level of security requires more computing resources. For example, the algorithm selected for SHA-3, called Keccak, was notably faster than the other algorithms under consideration. Microsoft Research published an elliptic curve library, called FourQLib, which it claimed is considerably faster than currently approved elliptic curve-based algorithms. Elliptic curve cryptography is gaining favor with many security experts as an alternative to RSA for implementing public-key cryptography. It's based on the algebraic structure of elliptic curves over finite fields that can create faster, smaller and more efficient cryptographic keys.
FourQ, outlined in an International Association for Cryptologic Research paper, targets the 128-bit security level, which is the level NIST recommends or requires for federal government systems. Keccak instances with a capacity of 256 bits offer a generic security strength level of 128 bits against all generic attacks.
Cryptographic algorithms provide different strengths of security, depending on the algorithm and the key size used. Security bits estimate the computational steps or operations that are required to decrypt a ciphertext, and are used as a guide to a cipher's ability to protect data based upon an adversary's estimated potential capabilities over time. This is not to be confused with key length, the size measured in bits of the key used in a cryptographic algorithm.
Microsoft's tests showed FourQ is around four to five times faster than the original NIST P-256 curve, and between two and three times faster than curves that are currently under consideration as NIST alternatives, such as Curve25519. (As simplicity tends to deliver better security, some speed enhancements were sacrificed to keep the FourQ algorithm simple to read and easy to audit.)
The cryptographic library is largely written in portable C, and is available for public download. Further independent verification will be needed before enterprises should consider incorporating FourQ into their own software. Speed can be tested using SUPERCOP, a toolkit developed by the VAMPIRE Lab for measuring the performance of cryptographic software, but it will take longer for the global cryptographic community to conduct detailed analysis of FourQ's cryptographic security.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Find out why there are concerns about the Diffie-Hellman key exchange
Learn about the security issues with the RC4 cipher
Dig Deeper on Disk and file encryption tools
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading