SIKE, DuckDuckGo's Blocklist and F5's QSN - F5 SIRT This Week in Security - July 31st-Aug 6th 2022

Post-Quantum Encryption Candidate Algorithm Cracked, DuckDuckGo added Microsoft to Blocklist and the F5 August Quarterly Security Notification

F5 SIRT This Week in Security

July 31st - Aug 6th

Editor's introduction 

Hello Everyone, This week, your editor is Dharminder.

One of the important tasks in our day to day work in F5 SIRT is to keep ourself updated with important security news. As they say "sharing is caring" so this time I would like to share three important and interesting security news articles which are about Post-Quantum Encryption Candidate Algorithm, DuckDuckGo added Microsoft to Blocklist and F5's Aug quarterly security notification.

Another important task of F5 SIRT is to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.

 

Single-Core CPU Cracked Post-Quantum Encryption Candidate Algorithm in Just an Hour

US Department of Commerce's National Institute of Standards and Technology (NIST) is running a campaign to replace algorithms like RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, which are unable to withstand attacks from a quantum computer. Last month, four potential candidate algorithms were moved to fourth round. 

SIKE (Supersingular Isogeny Key Encapsulation), one of the algorithm entered fourth round of campaign, is made to withstand decryption by powerful quantum computers has recently been cracked in just an hour’s time by using a computer running on intel Xeon CPU.

To give you some background on SIKE, SIKE (Supersingular Isogeny Key Encapsulation) is a post-quantum cryptography collaboration between researchers and engineers at Amazon, Florida Atlantic University, Infosec Global, Microsoft Research, Radboud University, Texas Instruments, Université de Versailles, and the University of Waterloo. SIKE is a family of post-quantum key encapsulation mechanisms based on the Supersingular Isogeny Diffie-Hellman (SIDH) key exchange protocol.

The algorithms use arithmetic operations on elliptic curves defined over finite fields and compute maps, so-called isogenies, between such curves. The security of SIDH and SIKE relies on the hardness of finding a specific isogeny between two such elliptic curves, or equivalently, of finding a path between them in the isogeny graph. The SIDH protocol was first introduced by Jao and De Feo in 2011. 

The research paper shows how SIDH (Supersingular Isogeny Diffie-Hellman) is vulnerable to “glue-and-split” theorem developed by mathematician Ernst Kani in 1997 and some other tools devised by mathematicians Everett W. Howe, Franck Leprévost, and Bjorn Poonen in 2000. 

As per, Jao It is possible that SIDH can be patched or fixed up to avoid the new attack, but more analysis of the new attack is required before he can confidently make a statement about any possible fixes. Since SIKE is out from NIST’s PQC replacement campaign, I am hoping that remaining candidate in NIST campaign will pass all remaining rounds, and we will have the most secure algorithms.

• Single-Core CPU Cracked Post-Quantum Encryption Candidate Algorithm in Just an Hour (The Hacker News)
• Supposedly Quantum-Proof Encryption Cracked by Basic-Ass PC (Gizmodo)

 

Microsoft Trackers Run Afoul of DuckDuckGo, Get Added To Blocklist

DuckDuckGo was founded by Gabriel Weinberg in the year 2008. Because of its privacy protection it became favourite search engine for many internet users. The DuckDuckGo website even says, 

"We don’t store your personal information. Ever.

Our privacy policy is simple: we don’t collect or share any of your personal information."

In May this year users of DuckDuckGo were upset, when security researcher Zach Edwards published a report finding that the DuckDuckGo browser blocks Google and Facebook trackers but it allows Microsoft trackers. Research also showed that DuckDuckGo also allowed trackers related to Bing and LinkedIn. 

DuckDuckGo’s CEO and founder Gabriel Weinberg responded to the researcher saying that their browser intentionally allows Microsoft trackers third-party sites due to a search syndication agreement with Microsoft but the restriction is only in their browser and does not affect the DuckDuckGo search engine. 

Weinberg also mentioned that “We are working with Microsoft to remove this limited restriction the article refers to. We're also working on updates to our app store descriptions to have more information. Hope this is helpful context”

I am not sure how many were expecting a fast solution for the reported issue but seems DuckDuckGo team took it very seriously. I am hoping that with this announcement users trust which broke before will be gained back by DuckDuckGo again.

• Microsoft trackers run afoul of DuckDuckGo, get added to blocklist (ArsTechnica)
• More Privacy and Transparency for DuckDuckGo Web Tracking Protections (DuckDuckGo)

 

F5 Quarterly Security Notification (August 2022)

Since November 2021, F5 has been publishing information on vulnerabilities on quarterly basis using Quarterly Security Notification (QSN) which includes the date of next vulnerability release. A more predictable vulnerability release cycle has given enough time to customers for upgrade/update planning.

F5's most recent security announcement was on August 3, 2022 and total 22 security issues were announced. Out of 22 security issues, 21 are vulnerabilities and 1 is security exposure. Here's a break down of the vulnerabilities based on severity: 0 critical, 12 High, 8 medium and 1 low severity vulnerabilities.

Details of the security issues can be found here: K14649763: Overview of F5 vulnerabilities (August 2022). It provides brief information about the published CVEs and security exposure, with a quick look at the overview advisory, users are able to see information, such as CVE title, CVSS score, affected products, affected version and fixed versions. Hyperlink to individual CVE is also available on the advisory. which a user can use to find out detailed information such as vulnerability description, impact, vulnerable component, recommended action, acknowledgment etc. of each CVE. 

In case you would like to find out the next schedule of quarterly security notification you may check K12201527: Overview of Quarterly Security Notifications which shows next quarterly security notification is scheduled on Oct 19, 2022.