Wednesday, April 10, 2024

atsec Adds FIDO Evaluation Qualification



atsec information security (branded as “atsec”) has been qualified by the FIDO Alliance as a FIDO Accredited Security Laboratory for the evaluation of authenticator products. The accreditation is listed on the official website of the FIDO Alliance: https://fidoalliance.org/certification/authenticator-certification-levels/accredited-security-laboratories/

atsec is also a member of the FIDO Alliance (https://fidoalliance.org/members/) and contributes to the Alliance's work in the industry.

Passwords are the root cause of over 80% of data breaches, which makes them one of the central weaknesses in cybersecurity. The average user has more than 90 online accounts, and up to 51% of passwords are reused across those accounts. According to FIDO Alliance research, the average help desk labor cost for a single password reset is up to $70.

FIDO, short for “Fast IDentity Online”, is a set of authentication standards that reduce the reliance on passwords. As a security laboratory accredited by the FIDO Alliance, atsec information security offers the following security evaluation services for your authenticator products:

  • FIDO2: FIDO2 comprises the W3C Web Authentication (WebAuthn) specification and the corresponding Client-to-Authenticator Protocols (CTAP) from the FIDO Alliance.
    • WebAuthn: WebAuthn defines a standard web API, built into browsers and platforms, that enables support for FIDO Authentication.
    • CTAP2: CTAP2 allows the use of external authenticators (FIDO Security Keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE, for a passwordless, second-factor or multi-factor authentication experience.
    • CTAP1: Formerly known as “FIDO U2F”, CTAP1 allows the use of existing FIDO U2F devices (such as FIDO Security Keys) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE, for a second-factor experience.
  • FIDO UAF: FIDO UAF supports a passwordless experience for online services on the user's own device, using local authentication mechanisms such as a fingerprint, face recognition, voice, a PIN, etc.

The FIDO2 and FIDO UAF protocols share a common set of authenticator security goals. FIDO identifies 16 Security Goals (SG) and 29 Security Measures (SM) that an authenticator can implement to meet those goals. From the Security Measures, ten groups of Security Requirements are derived:

  • Authenticator Definition
  • Key Management and Authenticator Security Parameters
  • Authenticator’s Test for User Presence and User Verification
  • Privacy
  • Physical Security, Side Channel Attack Resistance and Fault Injection Resistance
  • Attestation
  • Operating Environment
  • Self-Tests and Firmware Updates
  • Manufacturing and Development
  • Operational Guidance

Passwords are knowledge-based: a hassle to remember and easy to phish, harvest, and replay. Other legacy factors such as SMS OTPs are likewise easy to phish and replay. FIDO shifts authentication from this legacy, knowledge-based model to a modern, possession-based and phishing-resistant one.

Security testing of authenticator products against the FIDO standards allows vendors to integrate their authenticators with modern, FIDO-enabled online services and to give their users a smooth authentication experience, without the risk of a password being forgotten or stolen.

atsec is ready to partner with you to help you understand the requirements of the standard, test your authenticator products, and achieve the FIDO certification.

Products that comply with the FIDO UAF, FIDO U2F, or FIDO2 specifications and have been evaluated by an accredited security laboratory (e.g. atsec) can be certified by the FIDO Alliance and listed on its official website: https://fidoalliance.org/certification/fido-certified-products/.

For more information about atsec, please visit: https://www.atsec.com.

Monday, April 1, 2024

atsec AB first IEEE 2621 Accredited Medical Device Testing Facility

atsec AB Stockholm, Sweden is thrilled to announce:  We are the first IEEE Authorized Testing Facility!

We've officially been approved as an IEEE Authorized Testing Facility, making atsec AB Stockholm, Sweden the first company able to provide testing of medical devices according to the IEEE 2621 standard. Additional locations include atsec corporation Austin TX, USA and atsec GmbH Munich, Germany.

 

The IEEE, or Institute of Electrical and Electronics Engineers, is a globally recognized leader in developing technical standards. Earning their authorization as a testing facility demonstrates our capability to conduct rigorous and reliable security evaluations of medical devices according to the IEEE 2621 standard.


Importantly, the IEEE 2621 standard is recognized by the Food and Drug Administration (FDA), the regulatory body for medical devices in the United States. This recognition signifies that the FDA considers the standard a valuable tool for ensuring medical device security.


Proven Expertise Through Pilot Projects
"We enthusiastically embraced the opportunity to become a player in this domain when IEEE first contacted atsec in July 2022," said Sal La Pietra, President and founder of atsec.

"We're particularly proud of this achievement because it follows the successful completion of two pilot projects that used the IEEE 2621 standard for medical device testing. These projects allowed us to refine our processes and demonstrate our expertise in applying this standard," added Rasma Mozuraite Araby, Managing Director of atsec AB in Stockholm, Sweden.

Looking Ahead: Medical Device Testing

As an IEEE Authorized Testing Facility with laboratories in Sweden, the U.S., and Germany, atsec is now positioned to offer our clients a suite of testing services that ensure their medical devices meet the industry's security benchmarks. If you're looking for a reliable partner to verify the security of your medical devices, contact us today to discuss your specific needs.

BREAKING NEWS: c@tsec information security Unveils Revolutionary Quantum Computer


April 1, 2024 – Austin, TX: In a groundbreaking announcement today, c@tsec information security, a subsidiary of atsec information security, and the leader in quantum computing technology, proudly unveils its latest innovation: the Quantum PurrProcessor™.

The Quantum PurrProcessor™ operates on a revolutionary principle, harnessing the power of Schrödinger's Cat to perform computations beyond the limitations of classical computers. By forming a matrix of 1024 by 1024 cardboard boxes, each containing a Schrödinger's cat that is either alive or dead, we achieve a never before seen computing power of 1024² CuteBits.

"We are ecstatic to introduce the world to our feline-fueled quantum computing marvel," said Stephan Mueller, Principal Consultant and Chief Feline Officer at c@tsec. "Our approach not only pushes the boundaries of quantum mechanics but also provides a cozy home for these quantum kitties."

However, due to strict animal welfare regulations, c@tsec’s scientists had to make a few adjustments. Instead of furry felines who could be either alive or dead, our boxes are now filled with state-of-the-art RoboCats™ driven by the newest generation of AI, thus merging several cutting-edge technologies.

"Our RoboCats™ are programmed with the indecision of a real cat and the computational prowess of a quantum physicist," said Mueller. "And they don't shed – a win-win for both computing efficiency and office cleanliness!"

Once more atsec information security proves to the world that easy solutions to difficult problems are possible. The Quantum PurrProcessor™ will be available for purchase in the near future. Maybe 5 years from now. Or on April 1st 2025.

Wednesday, March 27, 2024

XDRBG - Random Bit Generator using any XOF

A new deterministic random bit generator (DRBG), the XDRBG, has been published as the result of a joint collaboration between John Kelsey (NIST), Stefan Lucks (Bauhaus-Universität Weimar, Germany) and Stephan Müller (atsec information security). The XDRBG was publicly presented at the 30th Fast Software Encryption Conference (FSE 2024) in Leuven, Belgium.

The XDRBG uses an extensible output function (XOF) as its only primitive. This allows the use of SHAKE (FIPS 202) as well as Ascon, the algorithm selected in the NIST lightweight cryptography competition; other XOFs may also be used with the XDRBG specification.

The XDRBG is significantly smaller than the DRBGs defined in SP800-90A. The specification not only defines the algorithm but also provides a security proof of its design, and that proof applies to every XOF the specification permits. In the near future, the specification will be supplemented by an appendix mapping it to the German AIS 20/31 requirements; it already maps to the model defined in NIST SP800-90A.
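
To make the design concrete, the following is an added illustrative XOF-based DRBG in Python. It is not the XDRBG reference implementation and does not reproduce the paper's exact byte layout: it follows the three-operation structure (instantiate, reseed, generate) in which the entire DRBG state is a single XOF output block V, and it uses SHAKE256 from the standard library as the XOF. The state length, the one-byte domain-separation trailer, the minimum seed length and the reseed interval are assumptions of this example; the specification fixes its own values.

```python
import hashlib

# Parameters are assumptions of this example; the XDRBG specification sets its own.
V_LEN = 64                # state length in bytes (the whole DRBG state is V)
MAX_ALPHA = 84            # bound on additional input so the trailer fits in one byte
RESEED_INTERVAL = 1024    # generate() calls permitted before reseed() is mandatory


def _xof(data: bytes, length: int) -> bytes:
    """The only primitive. Any XOF would do; SHAKE256 (FIPS 202) is in the stdlib."""
    return hashlib.shake_256(data).digest(length)


def _encode(x: bytes, alpha: bytes, op: int) -> bytes:
    """Domain separation (assumed layout): x || alpha || one trailer byte that
    encodes both the operation (0 instantiate, 1 reseed, 2 generate) and
    len(alpha), so the XOF input parses unambiguously."""
    if not 0 <= op <= 2 or len(alpha) > MAX_ALPHA:
        raise ValueError("bad operation or additional input too long")
    return x + alpha + bytes([op * (MAX_ALPHA + 1) + len(alpha)])


class XofDrbg:
    """Deterministic random bit generator whose entire state is V."""

    def __init__(self, seed: bytes, alpha: bytes = b""):
        self.instantiate(seed, alpha)

    def instantiate(self, seed: bytes, alpha: bytes = b"") -> None:
        if len(seed) < 32:                       # demand at least 256 bits of seed material
            raise ValueError("seed too short")
        self.V = _xof(_encode(seed, alpha, 0), V_LEN)
        self.requests = 0

    def reseed(self, seed: bytes, alpha: bytes = b"") -> None:
        if len(seed) < 32:
            raise ValueError("seed too short")
        self.V = _xof(_encode(self.V + seed, alpha, 1), V_LEN)   # old state is folded in
        self.requests = 0

    def generate(self, n: int, alpha: bytes = b"") -> bytes:
        if self.requests >= RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        out = _xof(_encode(self.V, alpha, 2), V_LEN + n)
        self.V, rnd = out[:V_LEN], out[V_LEN:]   # next state first, then the output bits
        self.requests += 1
        return rnd


if __name__ == "__main__":
    import os
    drbg = XofDrbg(os.urandom(48))              # seed from the OS entropy source
    print(drbg.generate(32, b"demo").hex())
```

The state update in generate() overwrites V before the output is returned, so a later compromise of V does not reveal earlier output (backtracking resistance), and the trailer byte keeps the XOF inputs of the three operations disjoint even when a seed or additional input happens to look like another operation's input.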

A standalone reference implementation is available on GitHub.

Friday, March 1, 2024

Crypto Module Bootcamp 2024

On Tuesday, February 27, 2024, atsec information security hosted a free day-long hybrid event on the Concordia University campus in Austin, TX. With 330 registered attendees, both in person and remote, we surpassed our original attendance estimate by far.

When atsec started the International Cryptographic Module Conference (ICMC) in 2013, we wanted to create a forum for the stakeholders in the crypto module world to come together. The ICMC has flourished over the last ten years and is now a well-established and highly regarded conference for IT security professionals. However, the cost involved in traveling and attending the conference has closed the door to students and attendees from academia.

It is important to us to make events like these easily available to college students. Those students will soon become laboratory testers, agency validators, and developers – the next generation of IT professionals. We have taken pride in educating and lifting up the IT security community, including those studying for the future.

The bootcamp carries out our idea of attracting a new group of attendees: STEM students. We started with Concordia and UT Austin, and we are pleased to have created an opportunity for students, who could be our future colleagues, to interact with industry and government leaders as well as policy makers, without meeting or travel expenses.



The Crypto Module Bootcamp brought students together with experts from academia, industry, government, standards bodies and laboratories for an exchange on topics including artificial intelligence, quantum computers, cryptography, entropy and much more. We wanted to make sure the students got a glimpse of what the world of IT security entails and showcase the variety of ways it touches our lives.

The event opened with a welcome address by atsec president and co-founder Sal La Pietra, followed by an introduction of the first recipient of the Bertrand du Castel Memorial Scholarship. Keynote speaker Professor Scott Aaronson took the stage with a very informative and entertaining presentation about the use of cryptography for Safe AI.

This was followed by a panel discussion on Safe AI and Secure Cyberspace with Prof. Scott Aaronson; NIST Fellow Dr. Lily Chen; Eric Hibbard, Head of US INCITS delegation for ISO/IEC JTC1/SC27; and the Director of NIAP, Jon Rolf. Dr. Yi Mao, atsec US CEO, moderated the panel discussion.

 

The event was perceived as a combination of mini ICMC and mini ICCC, with topics ranging from AI safety to the connected car. An attendee commented, “Its significance is far beyond cryptographic modules. It touched on many aspects for the future cryptographic standards and validation program.” You can find the complete line-up of speakers and panelists, as well as a list of the presentations here at the event website.



After a full day of presentations and discussions, the day ended with a tour of the beautiful Concordia University nature preserve. The overwhelmingly positive feedback and questions about making this a recurring event showed us that we are on the right track. We would like to thank Concordia University, the guest speakers, and all of the participants for making the first bootcamp such a success.

This event was also put together in memory of our friend and colleague, Dr. Bertrand du Castel. His wife, Christine, gave a heartfelt speech commemorating his life. We invite you to read our blog article on Bertrand du Castel and his exceptional contributions to the field of smart card security. We took the opportunity to collect some deeply touching stories and insightful quotes from a few of Bertrand’s former colleagues and friends.

On behalf of Concordia University, who generously opened their campus for this event, we invite you to donate to their STEM program.

Donations can be made online at www.concordia.edu/giving/
Please put “du Castel” in the comments.
 
Or you can mail a check to:
Concordia University Texas
11400 Concordia University Drive
Austin, Texas 78726
 
For more information, please contact
April Kerwin at april.kerwin@concordia.edu or 512-313-5101

Wednesday, February 14, 2024

Happy Valentine's Day!

Happy Valentine's Day to our customers, our partners, colleagues and communities around the world that we work with.

Thursday, January 11, 2024

Happy Birthday, atsec!

As always on the 11th of January atsec celebrates its birthday.
This year it is the 24th! As they say: time flies when you're doing IT security!
Our best wishes and thanks to all of the contributors: our customers, our partners, and our colleagues.

Thursday, December 21, 2023

Merry Christmas and a Happy New Year from atsec

The whole atsec team wishes our colleagues, customers, partners and suppliers a Merry Christmas and a Happy New Year.

CST Newsletter December 2023


We invite you to take a look at our current newsletter that contains information on algorithm transitions, updates to the FIPS IG and announcements for FIPS 140-2 and FIPS 140-3.

Monday, December 4, 2023

A FIPS 140-3 compliant hybrid KEM algorithm


Hybrid KEM - Kyber & X25519


In addition to using Kyber KEM on its own, a hybrid mechanism that combines Kyber with X25519 can be devised that acts as a drop-in replacement for Kyber KEM. Here a PQC algorithm is combined with a classical key establishment algorithm by extending the Kyber KEM key generation, encapsulation and decapsulation operations as follows.

When using the hybrid KEX algorithm, the hybrid variants outlined in the following subsections replace the plain KEM encapsulation and decapsulation operations. The Kyber KEX data and the X25519 data are exchanged together, in the same manner as outlined for the standalone Kyber KEX, so the KEX message flow is not repeated here.

The presented construction ensures that even if one of the two algorithms is broken, the resulting shared secret remains cryptographically strong at the strength of the unbroken algorithm. Note, however, that the two strengths are not equal: Kyber-1024 targets a security strength of 256 bits, while X25519 offers at most about 128 bits of classical security (estimates range from 80 to 128 bits depending on the analysis approach) and no security against a quantum adversary.

Hybrid KEM Key Generation

As part of the hybrid KEM key generation, the following steps are performed:

  1. Generation of the Kyber key pair yielding the Kyber pk_kyber and sk_kyber.
  2. Generation of the X25519 key pair yielding the X25519 pk_x25519 and sk_x25519.

Both public keys and both secret keys are maintained together so that every time the hybrid KEM requires a public key, the Kyber and X25519 public keys are provided. The same applies to the secret keys.

Thus the following holds:

  • pk_hybrid = pk_kyber || pk_x25519
  • sk_hybrid = sk_kyber || sk_x25519

Both, pk_hybrid and sk_hybrid are the output of the hybrid KEM key generation operation.

Hybrid KEM Encapsulation

The hybrid KEM encapsulation applies the following steps using the input of the hybrid KEM public key pk_hybrid:

  1. Invocation of the Kyber encapsulation operation with the public key pk_kyber taken from pk_hybrid, yielding the Kyber shared secret ss_kyber and the Kyber ciphertext ct_kyber.
  2. Generation of an ephemeral X25519 key pair pk_x25519_e and sk_x25519_e.
  3. Invocation of the X25519 Diffie-Hellman operation with the X25519 public key pk_x25519 taken from pk_hybrid and the ephemeral secret key sk_x25519_e, yielding the shared secret ss_x25519.
  4. Secure deletion of the ephemeral secret key sk_x25519_e.

The operation returns the following data:

  • Public data: ct_hybrid = ct_kyber || pk_x25519_e
  • Secret data: ss_hybrid = ss_kyber || ss_x25519

The data ct_hybrid is to be shared with the peer that performs the decapsulation operation.

On the other hand ss_hybrid is the raw shared secret obtained as part of the encapsulation operation and must remain secret. It is processed with a KDF as outlined in section Hybrid KEM Shared Secret Derivation below.

Hybrid KEM Decapsulation

The hybrid KEM decapsulation applies the following steps using the input of the hybrid KEM secret key sk_hybrid and the public data resulting from the hybrid KEM encapsulation operation ct_hybrid.

  1. Invocation of the Kyber decapsulation operation to generate the Kyber shared secret ss_kyber by using ct_kyber present in ct_hybrid and the Kyber secret key sk_kyber found in sk_hybrid.
  2. Invocation of the X25519 Diffie-Hellman operation with the X25519 secret key sk_x25519 provided via sk_hybrid and the ephemeral public key pk_x25519_e provided via ct_hybrid which returns the shared secret ss_x25519.

The operation returns the following data:

  • Secret data: ss_hybrid = ss_kyber || ss_x25519

The data ss_hybrid is the raw shared secret obtained from the decapsulation operation and must remain secret; it is identical to the value computed during the encapsulation step. It is processed with a KDF as outlined in the section Hybrid KEM Shared Secret Derivation below.
 

Hybrid KEM Shared Secret Derivation

To obtain a shared secret of arbitrary length that can be used as key material, a key derivation function is applied, as allowed by SP800-56C rev 2 section 2:

  • The chosen KDF is a KMAC-based KDF as specified in SP800-108 rev 1.
  • The KDF input is formatted so that the entire hybrid KEM construction is compliant with SP800-56C rev 2, assuming that Kyber KEM is the approved algorithm and X25519 provides an auxiliary key agreement mechanism. Section 2 of SP800-56C rev 2 permits a hybrid shared secret of the form Z' = Z || T; this requirement is met by taking the "standard" shared secret Z from Kyber and the auxiliary shared secret T from X25519, which is exactly the layout of ss_hybrid = ss_kyber || ss_x25519.

Since Kyber already uses SHAKE / SHA-3 in its internal processing, the selected KDF is KMAC256 (defined in SP800-185 and permitted as the KDF PRF by SP800-108 rev 1). KMAC is invoked as follows:

        KMAC256(K = ss_hybrid,
                X = ct_hybrid,
                L = requested SS length,
                S = "Kyber X25519 KEM SS")


When considering the structure of ss_hybrid and ct_hybrid, the KDF operates on the following specific data:

        KMAC256(K = ss_kyber || ss_x25519,
                X = ct_kyber || pk_x25519_e,
                L = requested SS length,
                S = "Kyber X25519 KEM SS")


The KMAC customization string S may be any byte string, including the empty string. A fixed, protocol-specific value such as the one above separates this KDF use from any other use of KMAC256 with the same key material.

The KDF output is intended to be usable as key material for other cryptographic operations. Because the KDF is keyed with the concatenation of both shared secrets, its output remains pseudorandom as long as at least one of ss_kyber and ss_x25519 is unpredictable to the attacker: a break of Kyber leaves the strength of X25519, and a break of X25519 leaves the strength of Kyber. Passing ct_hybrid as the KMAC message additionally binds the derived key to the ciphertext and ephemeral public key that were actually exchanged, so both peers derive the same key only if they saw the same public data.
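
The key generation, encapsulation, decapsulation and KDF steps above, worked through in Python as an added example; this is not code from the original post and not the implementation the post links to. The X25519 arithmetic follows RFC 7748 and is checked against its test vectors. The Kyber slot is generic (any object offering keygen/encaps/decaps with fixed pk/sk/ct lengths); because no Kyber implementation is available offline in the standard library, the demo fills that slot with a DH-KEM built on the same X25519 code, which is a stand-in with no post-quantum security and is to be replaced by Kyber-1024 / ML-KEM from a PQC library. The KDF uses SHAKE256 over a length-prefixed encoding of (K, X, S) as a stand-in for KMAC256, which the standard library lacks. The rejection of an all-zero X25519 output (a low-order peer point) is an addition of this example, not a step on the page.

```python
import hashlib
import os

# --- X25519 (RFC 7748) ---
P = 2**255 - 19
A24 = 121665                       # (486662 - 2) / 4
BASE_U = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder: k * (point with u-coordinate u), RFC 7748 section 5."""
    k_int = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _x25519_checked(k: bytes, u: bytes) -> bytes:
    ss = x25519(k, u)
    if ss == bytes(32):            # peer sent a low-order point: refuse to proceed
        raise ValueError("X25519 shared secret is all zero")
    return ss


class DhKemX25519:
    """Stand-in for the Kyber slot with Kyber's keygen/encaps/decaps shape, built as
    a DH-KEM on X25519 so the demo runs offline. NOT post-quantum. Replace with
    Kyber-1024 / ML-KEM (pk 1568, sk 3168, ct 1568, ss 32 bytes) from a PQC library."""
    PK_LEN = SK_LEN = CT_LEN = 32

    def keygen(self):
        sk = os.urandom(32)
        return x25519(sk, BASE_U), sk

    def encaps(self, pk: bytes):
        esk = os.urandom(32)
        ct = x25519(esk, BASE_U)
        return hashlib.sha3_256(_x25519_checked(esk, pk) + ct + pk).digest(), ct

    def decaps(self, sk: bytes, ct: bytes) -> bytes:
        pk = x25519(sk, BASE_U)
        return hashlib.sha3_256(_x25519_checked(sk, ct) + ct + pk).digest()


def kdf(ss_hybrid: bytes, ct_hybrid: bytes, length: int,
        custom: bytes = b"Kyber X25519 KEM SS") -> bytes:
    """Page: KMAC256(K = ss_hybrid, X = ct_hybrid, L, S). Stand-in here (no KMAC in
    the stdlib): SHAKE256 over an unambiguous, length-prefixed encoding of (K, X, S).
    Keeping ct_hybrid in the input binds the derived key to the transcript."""
    def enc(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return hashlib.shake_256(enc(ss_hybrid) + enc(ct_hybrid) + enc(custom)).digest(length)


def hybrid_keygen(pq):
    pk_pq, sk_pq = pq.keygen()
    sk_x = os.urandom(32)
    return pk_pq + x25519(sk_x, BASE_U), sk_pq + sk_x        # pk_hybrid, sk_hybrid


def hybrid_encaps(pq, pk_hybrid: bytes, length: int = 32):
    pk_pq, pk_x = pk_hybrid[:pq.PK_LEN], pk_hybrid[pq.PK_LEN:]
    ss_pq, ct_pq = pq.encaps(pk_pq)                          # step 1
    esk = os.urandom(32)                                     # step 2
    epk = x25519(esk, BASE_U)
    ss_x = _x25519_checked(esk, pk_x)                        # step 3
    del esk                                                  # step 4 (zeroise in C)
    ct_hybrid = ct_pq + epk                                  # ct_kyber || pk_x25519_e
    return kdf(ss_pq + ss_x, ct_hybrid, length), ct_hybrid   # KDF over ss_kyber || ss_x25519


def hybrid_decaps(pq, sk_hybrid: bytes, ct_hybrid: bytes, length: int = 32) -> bytes:
    sk_pq, sk_x = sk_hybrid[:pq.SK_LEN], sk_hybrid[pq.SK_LEN:]
    ct_pq, epk = ct_hybrid[:pq.CT_LEN], ct_hybrid[pq.CT_LEN:]
    ss_pq = pq.decaps(sk_pq, ct_pq)
    ss_x = _x25519_checked(sk_x, epk)
    return kdf(ss_pq + ss_x, ct_hybrid, length)


if __name__ == "__main__":
    pq = DhKemX25519()
    pk, sk = hybrid_keygen(pq)
    key_enc, ct = hybrid_encaps(pq, pk)
    assert key_enc == hybrid_decaps(pq, sk, ct)
    print("hybrid KEM agreed on", key_enc.hex())
```

Two behaviours worth noticing when running it: a flipped bit anywhere in ct_hybrid does not raise an error, it simply makes the decapsulating side derive an unrelated key (that is the transcript binding through the KDF's X input doing its job), and a low-order X25519 point from the peer is rejected outright instead of silently yielding an all-zero contribution to ss_hybrid.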

Hybrid KEX Algorithm

Using the hybrid KEM algorithm from the preceding subsections, the hybrid KEX algorithm (as specified in the documentation of the secure connection approach) is obtained by taking the Kyber KEX approach outlined at the beginning and applying the following changes:

  1. Replace all occurrences of pk with pk_hybrid.
  2. Replace all occurrences of sk with sk_hybrid.
  3. Replace all occurrences of ss with ss_hybrid.
  4. Replace all occurrences of ct with ct_hybrid.
  5. Replace all invocations of the Kyber standalone functions (key generation, encapsulation, decapsulation) with their respective hybrid variants outlined above.

This means that the hybrid KEM and the hybrid KEX algorithms are direct drop-in replacements for the standalone Kyber use case. The only difference is that the exchanged data is larger, because it also carries the X25519 data.

You can download a PDF version of the process here.

An implementation of both hybrid KEM and hybrid KEX is provided here.