Two implementation flaws have been identified in the Kyber key encapsulation mechanism (KEM), an encryption standard intended to safeguard networks against future attacks by quantum computers.
On December 1st, Franziskus Kiefer, Goutam Tamvada, and Karthikeyan Bhargavan, all researchers at the cybersecurity firm Cryspen, reported the vulnerabilities to Kyber's development team.
A patch was released immediately, but because the issue was not classified as a security vulnerability, Cryspen began notifying projects in advance, as of December 15, that they needed to apply the fix.
Google, Signal, and Mullvad VPN have all adopted versions of the Kyber post-quantum encryption standard; Mullvad VPN has since confirmed that the vulnerability does not affect its services.
Kyber was first submitted for assessment to the US National Institute of Standards and Technology in 2017, as part of the organisation's competition to test and approve an encryption standard capable of safeguarding networks against future quantum computer attacks.
Several algorithms submitted to the NIST competition were shown to be vulnerable to attacks using conventional (non-quantum) computers.
These include the Rainbow and SIKE schemes, the latter of which was broken by KU Leuven researchers in 2022 in under an hour on an ordinary computer.
In February 2023, a team from Sweden's KTH Royal Institute of Technology used highly complex deep learning-based side-channel attacks against Kyber's official implementation, CRYSTALS-Kyber.
Kyber was one of six approaches for which NIST published draft standards last summer, with plans to finalise the competition later this year.
The Kyber KEM has been adopted by a number of major organisations.
Google announced in August 2023 that it would use Kyber-768 as part of a hybrid scheme to protect Chrome browser traffic at the Transport Layer Security (TLS) layer.
This hybrid approach to deploying post-quantum encryption standards is intended to keep network traffic protected in case new vulnerabilities are discovered.
Since the KyberSlash vulnerabilities were identified, the researchers say that patches have been implemented by the Kyber development team and AWS. The team also cited a GitHub library written by Kudelski Security.
When approached by a local media outlet, Kudelski Security stated that the listed code was not used in any of its commercial products and should not be used in production, but that it had nonetheless incorporated a patch for the KyberSlash vulnerabilities in a new version of the library.
Cheng believes this is a significant step forward for the post-quantum encryption community, because the focus has shifted from flaws in the mathematics underpinning the standards to implementation attacks.
This Cyber News was published on www.cysecurity.news. Publication date: Thu, 11 Jan 2024 16:13:03 +0000