pogonici - Fotolia
Microsoft released a new cryptographic library that is reportedly faster and more secure than existing options. What can you tell me about FourQLib, and is this cryptographic library something enterprises should look into using?
Encryption is one of the most effective ways to keep data secure, but as new discoveries in cryptanalysis are made and computing power increases, older algorithms need to be retired and replaced. For example, DES was once the standard algorithm used for encryption, but now, a regular desktop computer can break it. MD5 and SHA-1 were widely used hash algorithms, but they are now considered weak and are being replaced by SHA-2; The National Institute of Standards and Technology (NIST) has already published its successor, SHA-3.
New encryption algorithms have to be both secure and efficient, as a higher level of security requires more computing resources. For example, the algorithm selected for SHA-3, called Keccak, was notably faster than the other algorithms under consideration. Microsoft Research published an elliptic curve library, called FourQLib, which it claimed is considerably faster than currently approved elliptic curve-based algorithms. Elliptic curve cryptography is gaining favor with many security experts as an alternative to RSA for implementing public-key cryptography. It's based on the algebraic structure of elliptic curves over finite fields that can create faster, smaller and more efficient cryptographic keys.
FourQ, outlined in an International Association for Cryptologic Research paper, targets the 128-bit security level, which is the level NIST recommends or requires for federal government systems. Keccak instances with a capacity of 256 bits offer a generic security strength level of 128 bits against all generic attacks.
Cryptographic algorithms provide different strengths of security, depending on the algorithm and the key size used. Security bits estimate the computational steps or operations that are required to decrypt a ciphertext, and are used as a guide to a cipher's ability to protect data based upon an adversary's estimated potential capabilities over time. This is not to be confused with key length, the size measured in bits of the key used in a cryptographic algorithm.
Microsoft's tests showed FourQ is around four to five times faster than the original NIST P-256 curve, and between two and three times faster than curves that are currently under consideration as NIST alternatives, such as Curve25519. (As simplicity tends to deliver better security, some speed enhancements were sacrificed to keep the FourQ algorithm simple to read and easy to audit.)
The cryptographic library is largely written in portable C, and is available for public download. Further independent verification will be needed before enterprises should consider incorporating FourQ into their own software. Speed can be tested using SUPERCOP, a toolkit developed by the VAMPIRE Lab for measuring the performance of cryptographic software, but it will take longer for the global cryptographic community to conduct detailed analysis of FourQ's cryptographic security.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Find out why there are concerns about the Diffie-Hellman key exchange
Learn about the security issues with the RC4 cipher
Dig Deeper on Disk and file encryption tools
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading