The draft publication features updates intended to help fight online crime, preserve privacy and promote equity and usability:
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has drafted updated guidelines to help the nation combat fraud and cybercrime while fostering equity and preserving fundamental human rights. The guidelines support risk-informed management of people's personas online — their "digital identities" — often required to engage in everyday digital transactions from banking to ordering groceries.
"These guidelines are intended to help organizations manage risks related to digital identity and get the right services to the right people while preventing fraud, preserving privacy, fostering equity and delivering high-quality, usable services to all," said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. "We are actively seeking feedback not only from technical specialists, but also from advocacy and community engagement groups that have insight into the potential impacts these technologies can have on members of underserved communities and marginalized groups."
[...] NIST is accepting comments on the multivolume draft until March 24, 2023. NIST will host a virtual workshop on Jan. 12, 2023, to provide details on the major changes to the guidelines and the comment process. Interested parties can register online to attend. This will be the first step in a robust engagement process to gain feedback from public and private sector organizations, technology and professional services providers, academia, civil society, advocacy groups and many others on how to improve the draft guidance and achieve a more competitive, secure, private and inclusive identity ecosystem. Among several topics that NIST intends to address, a significant portion of the organization's engagement efforts will be dedicated to exploring emerging and alternative methods of identity verification, including technologies that do not rely upon facial recognition.
[...] New additions to the draft include:
- An updated section on use of biometric information for identity proofing, including performance and testing requirements;
- Authentication methods that are more resistant to phishing attacks, which commonly support fraud, identity theft and other contemporary cyberattacks;
- An updated set of recommendations on how to share and exchange identity information about a user between different systems, for example, when using a previously registered email address to sign into a different website.
Originally spotted on The Eponymous Pickle.
Previously: The Cryptopocalypse is Nigh! NIST Rolls Out New Encryption Standards to Prepare
Related Stories
Decision will be binding on many companies and change the way they protect your data:
In the not-too-distant future—as little as a decade, perhaps, nobody knows exactly how long—the cryptography protecting your bank transactions, chat messages, and medical records from prying eyes is going to break spectacularly with the advent of quantum computing. On Tuesday, a US government agency named four replacement encryption schemes to head off this cryptopocalypse.
Some of the most widely used public-key encryption systems—including those using the RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman algorithms—rely on mathematics to protect sensitive data. [...]
Researchers have known for decades these algorithms are vulnerable and have been cautioning the world to prepare for the day when all data that has been encrypted using them can be unscrambled. Chief among the proponents is the US Department of Commerce's National Institute of Standards and Technology (NIST), which is leading a drive for post-quantum cryptography (PQC).
On Tuesday, NIST said it selected four candidate PQC algorithms to replace those that are expected to be felled by quantum computing. They are: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.
[...] While no one knows exactly when quantum computers will be available, there is considerable urgency in moving to PQC as soon as possible. Many researchers say it's likely that criminals and nation-state spies are recording massive amounts of encrypted communications and stockpiling them for the day they can be decrypted.
See also: NIST announcement, particularly if you have any digital signature algorithms you want to enter for consideration.
[Ed's Comment: AC Friendly withdrawn. You can blame you-know-who for the spamming]
US NIST Unveils Winning Encryption Algorithm for IoT Data Protection
The National Institute of Standards and Technology (NIST) announced that ASCON is the winning bid for the "lightweight cryptography" program to find the best algorithm to protect small IoT (Internet of Things) devices with limited hardware resources:
Small IoT devices are becoming increasingly popular and omnipresent, used in wearable tech, "smart home" applications, etc. Despite their size, they still store and handle sensitive personal information, such as health data, financial details, and more.
Implementing a standard for encrypting that data is therefore crucial to securing people's information; however, the weak chips inside these devices call for an algorithm that can deliver robust encryption at very little computational cost.
"The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation," stated Kerry McKay, a computer scientist at NIST.
[...] ASCON was eventually picked as the winner for being flexible (encompassing seven families), energy efficient, fast on weak hardware, and low-overhead for short messages.
NIST also considered that the algorithm had withstood the test of time, having been developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University, and winning the CAESAR cryptographic competition's "lightweight encryption" category in 2019.
More info at the algorithm's website and the technical paper submitted to NIST in May 2021.
Related:
- NIST Drafts Revised Guidelines for Digital Identification in Federal Systems
- NIST Calls Time on SHA-1, Sets 2030 Deadline
(Score: 2) by Gaaark on Sunday December 25, @03:40PM (2 children)
Will they screw this up like they did the 911 investigation?
https://www1.ae911truth.org/evidence.html#Videos_by_AE911Truth [ae911truth.org]
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by mhajicek on Sunday December 25, @07:34PM
They were ordered to falsify the 9/11 investigation. Is there such motive here?
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 0) by Anonymous Coward on Sunday December 25, @09:00PM
*truth anything is the new "moist"
(Score: 3, Interesting) by deimios on Monday December 26, @11:13AM
Brilliant. So in 10 years I will be banned from using all online services (which will be required to use this "digital identity") because of this post that is critical of the initiative.
Always wanted the government to track all my moves. Also I love how "equity" is the new "for the children", but with the added bonus of communism. Remember communism doesn't make everyone equally rich, it makes everyone equally poor. Except the party leaders. They are more equal than others.