Teri Radichel

Summary

The website content provides guidance on selecting appropriate ECC curves for GPG encryption keys based on NIST standards, emphasizing the importance of following expert recommendations for secure cryptographic configurations.

Abstract

The article discusses the importance of configuring encryption algorithms correctly, with a focus on using Elliptic Curve Cryptography (ECC) for GPG encryption keys instead of RSA due to vulnerabilities associated with the latter. It references a recent SSH vulnerability that underscores the need for secure encryption algorithms. The author, Teri Radichel, points to NIST's updated guidance from February 2023 for ECC, which includes specific recommendations on which curves to use and which to avoid. The article also provides a link to a document that details these recommendations and instructs readers on how to configure GPG to use ECC with acceptable curve choices. Additionally, Radichel's expertise in cybersecurity is highlighted, along with her company's services and her presence on various platforms for further engagement.

Opinions

  • The author acknowledges their reliance on expert guidance, particularly from NIST, for cryptography implementation due to not being a cryptography expert themselves.
  • There is an emphasis on the importance of following NIST's standards for cryptographic security, especially for those in the US.
  • The author suggests that some individuals may overestimate their expertise in cryptography, implying that one should be cautious in self-assessing their knowledge in this complex field.
  • The article implies that staying updated with the latest NIST guidance is crucial for maintaining strong encryption practices, as standards and recommendations can change over time.
  • By providing specific instructions and resources, the author conveys a proactive approach to cybersecurity, encouraging readers to take actionable steps to enhance their encryption configurations.

Reviewing NIST Guidance for ECC Curves for GPG Encryption Keys

Ensuring you are configuring encryption algorithms correctly using security standards


I had to revisit my GPG key today and wanted to make sure I’m using the appropriate configuration. I wrote in a prior post how to configure a key for GPG to encrypt documents in email, showing use of an RSA key, but mentioned that some had stated that RSA was not the best choice. An ECC (Elliptic Curve Cryptography) key would be better.

After that post, some researchers announced a new vulnerability involving SSH and RSA encryption.

I explained how to use an ECC key on AWS instead of RSA. AWS only gives you one choice when you are setting up your ECC key for encryption, so you use it. I also wrote about some ways to govern the SSH algorithm selection.

However, when you use ECC there are different curves to choose from and different ways to configure it. Because I am not a cryptography expert, meaning I don’t study the underlying math all day long (some people think they are experts who are not), I generally rely on the guidance of others when selecting and implementing cryptography. But which expert guidance should you use?

NIST (National Institute of Standards and Technology) sets standards for the US government. Many security people (at least in the US) follow its guidance.

Different types of encryption algorithms serve different purposes. NIST provides guidance for all algorithms here:

You can find ECC under “Additional Security Research”

NIST updated its guidance for ECC in February 2023 with SP 800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters.

Here’s the executive summary for the document at the time of this writing. Check for updated documents if you are reading this at a later date. These guidelines call out curves you should specifically not be using.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf

The document is a bit wordy, but you can find the recommendations in Section 3.

Here’s the table of the curves and their security strength, which unfortunately falls on a page break.

This table shows curves that have been deprecated.

If you’re reading this post long after I wrote it, check NIST for the most up-to-date guidance.

Now that you know how to find the latest NIST guidance for encryption algorithms, here’s how to configure GPG to use ECC with one of the acceptable curve choices.
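The script below is an added example; it is not code from the original post or from the GnuPG project. It assumes GnuPG 2.1 or later is installed (2.3 or later if you want the 448 curves), a POSIX shell with awk, and uses made-up key IDs in its constructed sample listing. It does two things that follow from the NIST review above: it audits a `gpg --list-keys --with-colons` listing and flags every key that is not on a curve SP 800-186 recommends (RSA keys are flagged too, since that is the migration the post is about), and it generates a fresh P-384 key pair (ECDSA primary plus ECDH encryption subkey) in a throwaway GNUPGHOME so you can see what an acceptable configuration looks like without touching your real keyring. Of the curves SP 800-186 recommends, GnuPG exposes P-256, P-384, P-521 and the 25519/448 curves under the names listed in the script; brainpool and secp256k1 are offered by GnuPG but are not on NIST’s recommended list.

```shell
#!/bin/sh
# Added example, not code from the original post or from GnuPG. Audits a GnuPG
# keyring listing for keys that are not on an SP 800-186 recommended curve and
# generates a fresh P-384 key pair in a throwaway GNUPGHOME.
# Assumes GnuPG 2.1 or later (2.3 or later for ed448/cv448).

# GnuPG's names for the SP 800-186 recommended curves it supports:
#   P-256 / P-384 / P-521        -> nistp256 nistp384 nistp521
#   Curve25519 / Curve448 (ECDH) -> cv25519 cv448
#   Edwards25519 / Edwards448    -> ed25519 ed448
RECOMMENDED_CURVES="nistp256 nistp384 nistp521 ed25519 cv25519 ed448 cv448"

# curve_ok CURVE: returns 0 if CURVE is on the recommended list, 1 otherwise.
curve_ok() {
    for c in $RECOMMENDED_CURVES; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# audit_colons: reads `gpg --list-keys --with-colons` output on stdin and
# prints "TYPE KEYID CURVE VERDICT" for every pub/sub record. In the colon
# format, field 4 is the algorithm number (1 = RSA, 18 = ECDH, 19 = ECDSA,
# 22 = EdDSA) and field 17 is the curve name, which is empty for RSA/DSA keys.
audit_colons() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $1, $4, $5, $17 }' |
    while read -r rec algo keyid curve; do
        if [ -z "$curve" ]; then
            echo "$rec $keyid none NOT-ECC(algo=$algo)"
        elif curve_ok "$curve"; then
            echo "$rec $keyid $curve OK"
        else
            echo "$rec $keyid $curve NOT-RECOMMENDED"
        fi
    done
}

# Constructed sample listing (made-up key IDs and fingerprint): an
# ed25519/cv25519 key, a 3072-bit RSA key, and a secp256k1 signing subkey.
SAMPLE_LISTING='pub:u:255:22:1111111111111111:1700000000:::u:::scESC:::::ed25519:::0:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice <alice@example.com>::::::::::0:
sub:u:255:18:2222222222222222:1700000000::::::e:::::cv25519::
pub:u:3072:1:3333333333333333:1700000000:::u:::scESC::::::::0:
sub:u:256:19:4444444444444444:1700000000::::::s:::::secp256k1::'

# audit_sample: runs the audit over the constructed listing above.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_colons
}

# audit_keyring: runs the audit over the keyring in the current GNUPGHOME.
audit_keyring() {
    gpg --list-keys --with-colons | audit_colons
}

# generate_p384_key: creates an ECDSA/P-384 primary key plus an ECDH/P-384
# encryption subkey in a temporary GNUPGHOME so your real keyring is untouched,
# then audits the result. The empty passphrase is for demonstration only.
generate_p384_key() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "ECC Test <ecc-test@example.com>" nistp384 sign 1y \
        >/dev/null 2>&1 || return 1
    # The fpr record carries the primary key fingerprint in field 10.
    fpr=$(gpg --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" nistp384 encr 1y >/dev/null 2>&1 || return 1
    audit_keyring
}

# Usage: ./ecc-audit.sh            -> audit the constructed sample listing
#        ./ecc-audit.sh keyring    -> audit your real keyring
#        ./ecc-audit.sh generate   -> create and audit a throwaway P-384 key
case "${1:-}" in
    generate) generate_p384_key ;;
    keyring)  audit_keyring ;;
    *)        audit_sample ;;
esac
```

Running it with no arguments prints two `OK` lines for the 25519 key and subkey, `NOT-ECC(algo=1)` for the RSA key and `NOT-RECOMMENDED` for the secp256k1 subkey. The `generate` mode shows the shape of an acceptable configuration: `nistp384` on both the primary and the encryption subkey, which the audit reports as `OK`. If you add a curve to `RECOMMENDED_CURVES`, check it against the current SP 800-186 first, since the recommended and deprecated lists change between revisions.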


Teri Radichel | © 2nd Sight Lab 2023
