The National Institute of Standards and Technology has announced a new cryptography standard that's available for immediate use. The standard is designed to assure the protection of authenticated encryption with associated data (AEAD), which enables health systems to check the integrity of both the encrypted and unencrypted information being sent from small medical devices, sensors and electronics that create and transmit data.
Components of the standard also include tools that adjust the length of a fixed-size string of characters, or hashes, to defend networked electronic devices from cyberattacks.
WHY IT MATTERS
Internet of Things and Internet of Medical Things devices by nature have limited resources and require high levels of security with compact implementation, necessitating national standards for quantum safety.
The new Ascon-Based Lightweight Cryptography Standards for Constrained Devices, released as NIST Special Publication 800-232, offer algorithms for symmetric crypto applications that require AEAD or shorter hashes.
The lightweight crypto standard includes four variations:
- ASCON-128 AEAD is an algorithm designed to simplify creation of secure implementations that provide authentication and encryption, and could be useful for devices like RFID tags, medical implants and car transponders that may be vulnerable to side-channel attacks.
- ASCON-Hash 256 is a lightweight alternative to SHA-3 hash algorithms that creates a short, fixed-length hash of data. This version of the standard is aimed at data verification needs, such as protecting passwords and digital signatures or when updating software.
- ASCON-XOF 128 and ASCON-CXOF 128 are two specialized functions that generate shorter hashes, which require less time and energy and conserve device resources. CXOF 128 gives security teams the ability to attach customized characters to the hash to further protect encryption, where there is a small chance that two of the same type of device could output the same hash.
The standard "will benefit industries that build devices ranging from smart home appliances to car-mounted toll registers to medical implants," as NIST computer scientist Kerry McKay, who co-led the project, explained in the announcement.
"One thing these electronics have in common is the need to fine-tune the amount of energy, time and space it takes to do cryptography," she added. "This standard fits their needs."
NIST's lightweight crypto standard may also evolve to include additional functions, such as the ability to build a dedicated message authentication code.
THE LARGER TREND
The lightweight cryptography standard was built around the Ascon family, a group of cryptographic algorithms developed in 2014 by a team from Graz University of Technology, Infineon Technologies and Radboud University.
After withstanding years of examination by cryptographers worldwide, NIST selected the Ascon algorithms in 2023 as the basis for a lightweight cryptography standard that would be developed under a six-year effort to create public-key cryptographic algorithms capable of securing sensitive and protected information and defending against attacks from quantum computers.
Last year, NIST released three post-quantum cryptography standards – called FIPS 203, 204 and 205 – to safeguard existing cybersecurity protocols from easy decryption. The agency under the Department of Commerce is still developing a post-quantum signature scheme, FALCON, and a second set of alternative defense algorithms in anticipation of future weakness.
Successful organizations anticipate their level of risk, Scott Crowder, vice president of IBM's quantum-safe adoption and business development team, told Healthcare IT News at the time.
"The major factors in being prepared for cybersecurity risks and being ready to move to post-quantum cryptography include being agile – being able to pivot to another encryption method without significant disruption; having the necessary skilled workforce to enable the new post-quantum cryptography standards, and ultimately having cryptographic resiliency," he said.
ON THE RECORD
"We encourage the use of this new lightweight cryptography standard wherever resource constraints have hindered the adoption of cryptography," said McKay in a statement.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
