Quantum resistance and good crypto algos (#305)

This commit is contained in:
Than Harrison 2023-06-15 10:20:13 +00:00 committed by GitHub
parent 1213b96488
commit 0ddd743812
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1523,11 +1523,17 @@ Here are some examples:
- Hashes: - Hashes:
- Prefer: SHA-3 or BLAKE2[^265] - Prefer: SHA3-224, SHA-384 or BLAKE2[^265] (these are considered very Quantum Resistant based on an instance of the KECCAK algorithm), SHAKE128 and SHAKE256 (referred to as [extendable-output functions](https://csrc.nist.gov/publications/detail/fips/202/final) (XOFs) via FIPS 202);
- Still relatively ok to use: SHA-2 (such as the widely used SHA-256 or SHA-512) - **Most digital signature algorithms are quantum-broken**;
- Avoid: SHA-1, MD5 (unfortunately still widely used), CRC, MD6 (rarely used) - **Highly suspicious RBGs such as MS_DRBG still exist in standards such as ISO 18031**;
- **The AES and SHA2 based DRBGs in current NIST standards are fine**
- Still relatively safe to use: SHA-2 (e.g., SHA-256 or SHA-512, which are still considered mostly quantum-safe)
- Avoid: SHA-0, SHA-1, MD5 (unfortunately still widely used), CRC, MD6 (rarely used); i.e., anything with known collisions, and/or a history of extensive, not one-off, cryptographic failures
- File/Disk Encryption: - File/Disk Encryption:
@ -1547,18 +1553,18 @@ Here are some examples:
- Password Storage: - Password Storage:
- Prefer: Argon2, scrypt - Prefer: Argon2
- If these aren't options, use bcrypt, or if not possible at least PBKDF2 (only as a last resort) - If these aren't options, use bcrypt, then scrypt (in that order)
- Be skeptical of Argon2d, as it's vulnerable to some forms of side-channels. Prefer Argon2i or Argon2id - Be skeptical of Argon2d, as it's vulnerable to some forms of side-channels. Prefer Argon2i or Argon2id.
- Avoid: SHA-3, SHA-2, SHA-1, MD5 - Avoid: SHA-3, SHA-2, SHA-1, MD5; PBKDF2 due to [concerns regarding brute-force](https://tails.boum.org/security/argon2id/index.en.html) <sup>[[Archive.org]](https://web.archive.org/web/20230613161809/https://tails.boum.org/security/argon2id/index.en.html)</sup>
- Browser Security (HTTPS): - Browser Security (HTTPS):
- Prefer: TLS 1.3 (ideally TLS 1.3 with ECH/eSNI support) or at least TLS 1.2 (widely used) - Prefer: TLS 1.3 (ideally TLS 1.3 with ECH/eSNI support) or at least TLS 1.2 (widely used)
- Avoid: Anything Else (TLS =<1.1, SSL =<3) - Avoid: Anything Else (TLS <=1.1, SSL <=3)
- Signing messages/files with PGP/GPG: - Signing messages/files with PGP/GPG:
@ -1572,6 +1578,8 @@ Here are some examples:
- ED25519 (preferred) or RSA 4096 Bits* - ED25519 (preferred) or RSA 4096 Bits*
- But refer to [Attacking Deterministic Signature algorithms](https://eprint.iacr.org/2017/1014.pdf), which details fault injections "(varying the voltage supply) - mainly a threat to tamper-proof hardware and hardware security modules" such as Rowhammer, or templating attacks, etc.
- Avoid: RSA 2048 bits - Avoid: RSA 2048 bits
* **Warning: RSA and ED25519 are unfortunately not seen as "Quantum Resistant"**[^271] **and while they have not been broken yet, they probably will be broken someday into the future. It is just a matter of when rather than if RSA will ever be broken. So, these are preferred in those contexts due to the lack of a better possibility.** * **Warning: RSA and ED25519 are unfortunately not seen as "Quantum Resistant"**[^271] **and while they have not been broken yet, they probably will be broken someday into the future. It is just a matter of when rather than if RSA will ever be broken. So, these are preferred in those contexts due to the lack of a better possibility.**