December 6, 2023 at 11:41AM
At Black Hat Europe 2023, a team from Microsoft, GitHub, and Banco Santander unveiled open source tools to detect weak cryptography, urging updates for quantum computing security. Their study found widespread use of outdated algorithms like RSA and SHA-1 in open source projects. The tools enable developers to assess and upgrade cryptographic components to robust standards.
Meeting Takeaways:
1. **Event:** Black Hat Europe 2023 held in London.
2. **Participants:** Daniel Cuthbert from Banco Santander, Mark Carney from Quantum Village, Niroshan Rajadurai from GitHub, and Benjamin Rodes from Microsoft.
3. **Purpose:** Release of open source tools designed to identify weak cryptography in software, preparing for post-quantum computing threats.
4. **Findings:**
– Scanned 4,500 open-source repositories on GitHub.
– Approximately 50% use the outdated RSA algorithm.
– Around 25% use SHA-1, also outdated.
5. **Implications:** With the arrival of quantum computing, predicted as early as 2030, current encryption methods like RSA and SHA-1 are vulnerable to being broken. The US has already started addressing this with the Quantum Computing Cybersecurity Preparedness Act and NIST’s post-quantum encryption standards.
6. **Tools and Methods:**
– A Cryptographic Bill of Materials (CBOM) was created for software projects, documenting cryptographic algorithms and security status.
– Tools are based on GitHub’s CodeQL static code analysis for scanning codebases and generating CBOMs.
– The CBOM helps identify the cryptography used and prompt necessary updates to secure algorithms.
7. **Application and Impact:**
– These tools guide developers and security teams in identifying and upgrading insecure encryption.
– The CBOM informs developers if an application uses unsafe cryptography, enabling them to correct it.
– Over 90% of code in enterprise applications comes from open source, making it crucial to understand the cryptographic security of these components.
8. **Current Status and Future Work:**
– The project aims to scan all GitHub repositories.
– Future work includes studying post-quantum impacts on encryption for embedded hardware and low-power devices, an area not yet explored.
9. **Support for Open Source:**
– The initiative also supports open source developers by providing tools and insights to help improve encryption in code.
10. **Accessibility:**
– Tools and findings are open source and available for community use to identify and rectify weak cryptography.