NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition

From NIST Tech Beat: October 2, 2012

Contact: Chad Boutin
301-975-4261

The National Institute of Standards and Technology (NIST) today announced the winner of its five-year competition to select a new cryptographic hash algorithm, one of the fundamental tools of modern information security.

The winning algorithm, Keccak (pronounced "catch-ack"), was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. The team's entry beat out 63 other submissions that NIST received after its open call for candidate algorithms in 2007, when it was thought that SHA-2, the standard secure hash algorithm, might be threatened. Keccak will now become NIST's SHA-3 hash algorithm.

Hash algorithms are used widely for cryptographic applications that ensure the authenticity of digital documents, such as digital signatures and message authentication codes. These algorithms take an electronic file and generate a short "digest," a sort of digital fingerprint of the content. A good hash algorithm has a few vital characteristics. Any change in the original message, however small, must cause a change in the digest, and for any given file and digest, it must be infeasible for a forger to create a different file with the same digest.

The NIST team praised the Keccak algorithm for its many admirable qualities, including its elegant design and its ability to run well on many different computing devices. The clarity of Keccak's construction lends itself to easy analysis (during the competition all submitted algorithms were made available for public examination and criticism), and Keccak has higher performance in hardware implementations than SHA-2 or any of the other finalists.

"Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be," says NIST computer security expert Tim Polk. "An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently."

Polk says that the two algorithms will offer security designers more flexibility. Despite the attacks that broke other somewhat similar but simpler hash algorithms in 2005 and 2006, SHA-2 has held up well and NIST considers SHA-2 to be secure and suitable for general use.

What then will SHA-3 be good for? While Polk says it may take years to identify all the possibilities for Keccak, it immediately provides an essential insurance policy in case SHA-2 is ever broken. He also speculates that the relatively compact nature of Keccak may make it useful for so-called "embedded" or smart devices that connect to electronic networks but are not themselves full-fledged computers. Examples include sensors in a building-wide security system and home appliances that can be controlled remotely.

"The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network," Polk says. "SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before."

For more on the SHA3 competition, see http://csrc.nist.gov/groups/ST/hash/sha-3/index.html.

The US government and all its military branches are naturally a prime target for cyber attacks, but exactly how bad is the situation? Those numbers aren't thrown around loosely, but Hewlett Packard on Wednesday inadvertently released some statistics for the US Navy's IT network, and they don't look pretty.

"For the US Navy we provide the network for 800,000 men and woman in 2,000 locations around the world, protecting them against 110,000 cyber attacks every hour," Mike Nefkens, the head of enterprise services at HP, told V3 at the company's Discover event in Frankfurt. "This means the attacks average out at about 1,833 per minute or 30 every second."

Those figures are simply astonishing. Extrapolating the other way, it means the US Navy is attacked some 96.36 billion times every year. If the last century was about world wars, this one is definitely all about cyber wars.

HP has this data because it has been managing the Navy Marine Corps Intranet (NMCI) contract, and its transition to a Next Generation Enterprise Network (NGEN). The $3.3 billion deal was signed back in October 2010.

Just two months ago, the FBI declared it has started working 24/7 to investigate hackers and network attacks. The US government has shown expertise in the field of Computer Science, but it has also made some glaring mistakes.

Yet it's not just governments that are being targeted by an increasing number of cyber attacks. Poor security practices are something that has the potential to affect everyone on the Internet, from the individual, to a small business, to an enterprise, to a government. Nobody is safe: not the public sector and not the private sector.

http://thenextweb.com/us/2012/12/05/us-navy-sees-110000-cyber-attacks-every-hour-or-more-than-30-every-single-second/?fromcat=all

LSEC plays leading role in Europe's cybersecurity strategy as partner in anti-botnet pilots

Europe bands together to fight against botnets

LSEC leads pilot developments in Advanced Cyber Defence Center with EU support

Cologne - Leuven, 13.02.2013 – LSEC - Association of information security companies in Europe and eco – Association the German Industry together with 28 partners from 14 European countries are launching a project against one of the biggest Internet security threats: Every fifth computer is currently estimated to be part of a botnet used by cyber criminals to infect end user computers with malware and gain remote access to them. Kicking off today in Frankfurt, the association begins its work as the coordinator of the Advanced Cyber Defence Center (ACDC) which is supported by the European Union.

The project will offer a full range of services for increased cyber security ranging from malware recognition to prevention. The campaign partners are large public network providers, software producers, scientific institutions, law enforcement and administrative bodies, banks, as well as certification authorities.
"Working together to combat botnets is fundamentally important: From providers to the police and all the way to the end users. We have seen how effective that can be at the national level with the Anti-Botnet-Advisory Center. We look forward to taking this effective approach to defy botnets in Europe together with our strong partners. With the Advanced Cyber Defence Center we are aiming to develop a series of activities to better cope with cyber threats, more in particulat botnets," says LSEC ceo Ulrich Seldeslachts
.
The Advanced Cyber Defence Center is an important building block for the cyber security strategy of the EU. At the launch press conference on February 7th, EU-Commissioner Neelie Kroes said: "We need to protect our networks and systems and improve their resilience. To this end we should ensure that all actors play their part in fighting botnets and malware. Cyber threats are not contained to national borders: nor should cyber security be." The Head of Unit DG Connect of the European Commission, Giuseppe Abbamonte, adds: "ACDC is the first initiative launched in the context of the EU Cyber Security Strategy. This project will improve protection of our networks and systems against botnets and malware."

On of the intended applications in the EU pilot project is the Clearing House which receives reports from the project partners on security issues like spam campaigns in their networks, stolen data, or DDoS attacks. Affected parties such as end users, mobile phone providers, and banks, providers of security solutions or hosting providers are then informed of the incidents and receive support via the central website http://www.botfree.eu (http://www.botvrij.be and http://www.sansbot.be) from national support centers to remove the malware. The support centers are supposed to offer the necessary downloadable tools. What's more, small and mid-sized companies receive support if their websites are infected with malware.

In addition, the Advanced Cyber Defence Center is committed to identifying infected websites and committed to removing malware programs. Participating providers will also detect anomalies in their networks, botnets in the cloud, and within mobile networks and report them to the Clearing House.
The pilot project has a total budget of 16 million Euros and is supposed to initially run for 30 months.
A fact sheet about the project is available at http://ec.europa.eu/information_society/apps/projects/factsheet/index.cfm?project_ref=325188.
The speech given by EU-Commissioner Neelie Kroes at the launch of the EU Cyber Security Strategy is available at http://europa.eu/rapid/press-release_SPEECH-13-104_en.htm.

LSEC (http://www.lsec.be) - Leaders in Security is an industry association of information security companies. Founded in 2002, LSEC organizes with and for the industry various information security events related to enterprise, government and end users, LSEC brings together the expertise in the industry in industrial research projects such as ACDC, FIRE, MOBES and the Eurtopean Security Innovation Network. LSEC's members include some of the largest expert companies and top security experts on a global level such as RSA, Vasco, Symantec, McAfee, Sophos, G-Data, Qualys, and many others.

Press contact:
LSEC – Leaders in Security
Kasteelpark 10 – 3001 Heverlee
http://www.lsec.be

Ulrich Seldeslachts, phone +32 16 32 8541, acdc at lsec.be

eco - Association the German Internet Industry
Lichtstr. 43h, 50825 Cologne, Germany
http://www.eco.de

Katrin Mallener, Phone.: +49 221/70 00 48 260, This email address is being protected from spambots. You need JavaScript enabled to view it.
Petra Greitschus, Phone. +49 221/70 00 48 261, This email address is being protected from spambots. You need JavaScript enabled to view it.

San Francisco, CA, US, February 26th, 2013

Congratulations to LSEC Member UCL, where Prof. Em. Jean-Jacques Quisquater receives 2013 RSA Award Excellence in field of Mathematics!

The award, presented during the annual RSA Conference in San Francisco, February 26th is yet another milestone of the Belgian expertise in information security on a global level.
The annual award has been given in the previous years to Eli Biham, Professor; Technion-Israel Institute of Technology, Computer Science; Dr. Mitsuru Matsui, Senior Researcher, Mitsubishi Electric Corporation; Charles W. Rackoff, University of Toronto, ...

Quisquater has been awarded for his works in the domain of cryptography and the development of smartcards and the use of cryptography for eID cards in Europe and around the world.

Congratulations from the industry!

Prof. Dr. Bart Preneel expresses his opinion on Terzake on the recent developments of the privacy infringements of the internet and how to cope with them.

http://www.iminds.be/nl/blog/p/detail/hoe-je-privacy-vrijwaren-op-het-internet