Integrity and Security: E-mail, Encryption, and Passphrases/Passkeys
-
APNIC ☛ The D(M)ARC side of the email reporting system
In our study on DMARC published in the Proceedings of the 2024 Passive and Active Measurement Conference (‘Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC‘), we scanned 280.3 million active domain names looking for DMARC records and found that only 15.9 million (5.4%) domains adopted DMARC.
-
Cyble Inc ☛ NIST Shields Against Quantum Computing Threat With New Encryption
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has taken a step forward in securing the future of digital communications by finalizing its primary set of encryption algorithms designed to withstand the unprecedented challenges posed by quantum cyberattacks.
This move marks a milestone in NIST’s post-quantum cryptography (PQC) standardization project, an initiative that has been in development for nearly a decade.
-
The Register UK ☛ NIST finalizes trio of post-quantum encryption standards
One – ML-KEM [PDF] (based on CRYSTALS-Kyber) – is intended for general encryption, which protects data as it moves across public networks. The other two – ML-DSA [PDF] (originally known as CRYSTALS-Dilithium) and SLH-DSA [PDF] (initially submitted as Sphincs+) – secure digital signatures, which are used to authenticate online identity.
A fourth algorithm – FN-DSA [PDF] (originally called FALCON) – is slated for finalization later this year and is also designed for digital signatures.
NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future.
-
Silicon Angle ☛ NIST releases new standards for post-quantum cryptography
The three new standards have been designed to ensure that digital communications remain secure against future threats while strengthening current cryptographic practices. The standards are also being released at a time when encryption vulnerabilities are becoming more urgent because of the rise of artificial intelligence-driven attacks.
-
Federal News Network ☛ White House to require post-quantum encryption plans from agencies
NIST earlier today released three finalized post-quantum encryption standards. The algorithms are the first completed standards under NIST’s post-quantum cryptography standardization project. NIST launched the effort eight years ago. Officials are continuing to evaluate two other sets of algorithms that could serve as backup standards.
NIST officials said the three standards are ready for immediate use.
-
Integrity/Availability/Authenticity
-
CBC ☛ 2024-08-04 [Older] Man thought he was paying power bill by phone; he got a scammer instead
-
Adam Newbold ☛ Passkeys are not passwords
I understand the desire here, but passkeys are not passwords. They’re also not SSH keys. They’re something truly unique, because baked into their design is the requirement that they be unphishable. And the only way you can have something that’s completely resistant to phishing is to make it impossible for a person to provide that data to someone else (via copying and pasting, uploading, etc.). That you can’t export a passkey in a way that another tool or system can import and use it is a feature, not a bug or design flaw. And it’s a critical feature, if we’re going to put an end to security threats associated with phishing and data breaches.
We’re used to having access to our private keys for things like PGP/GPG and SSH keys. And we’re not used to carrying around data that we’re not allowed to access or back up by design. Because passkeys go against the grain of these expectations, it’s natural to want to change how they work. But what we really need to do is change our expectations.
-