IEEE Cipher --- Items from security-related news (E128.Sep-2015)
Summary:
As reported in previous Cipher issues, the US government believes that
China is behind several serious disclosures of personal data kept by
US companies and government agencies. A US response may be
forthcoming, including some or all of "diplomatic engagement, trade
policy tools, law enforcement mechanisms, and imposing sanctions on
individuals or entities".
It has not been a great year for student innovation. A Harvard
undergrad developed "a browser app called Marauder's Map that exposed,
on a map, the geo-location data" being collected by the Facebook
Messenger app. Facebook took offense at the scrutiny and canceled a
summer internship for the student. This was followed this month by the
"cool clock" caper, in which a Texas high school student was arrested
after bringing a homemade clock to school. Is there a mixed message
being sent to America's youth about curiosity and innovation?
Biometrics seem like a security panacea: nothing to remember, no involved
set of interactions, just a quick scan of your fingertip by
an impersonal and secure computer. Bingo, you're in. Simple as it sounds,
keeping the stored fingerprint data secure is as difficult as any other data
protection problem, with the added twist that a leaked fingerprint, unlike a
password, cannot be changed. FireEye researcher Yulong Zhang revealed that some
mobile devices do an especially bad job of protecting it. Authenticator beware!
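The weakest way to mishandle a stored template is to leave the file readable by every process on the device. The following audit is an added example written for this item, not code from the article or from FireEye's research; the directory layout, file names and permission bits are constructed for the demonstration. It reports files under a sensitive directory that an unprivileged process could actually read, which means the file mode grants read access to "other" and every directory on the path is traversable by "other".

```python
import os
import stat
import tempfile

# Added example, not from the article: an on-device audit that reports files
# under a sensitive directory which any unprivileged process could read.
# The directory layout below is constructed for the demonstration.

def find_world_readable(root):
    """Walk `root` and return the root-relative paths of regular files that
    'other' can read: the file has o+r and every directory between `root`
    and the file has o+x. `root` itself is treated as reachable."""
    exposed = []
    for dirpath, dirs, files in os.walk(root):
        if dirpath != root and not (os.lstat(dirpath).st_mode & stat.S_IXOTH):
            # Without o+x on this directory nothing below it is reachable,
            # however permissive the file modes are: prune the subtree.
            dirs[:] = []
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)

def build_demo_tree():
    """Create a throwaway tree imitating a device data partition. Names and
    modes are invented: one template is world-readable, one is owner-only,
    and one has a loose file mode but sits inside a closed directory."""
    root = tempfile.mkdtemp(prefix="biometric-audit-")
    dir_modes = {"data": 0o755, "data/fp": 0o755, "data/tz": 0o700}
    file_modes = {
        "data/fp/raw_template.bmp": 0o644,  # o+r in a traversable dir: exposed
        "data/fp/enrolled.tpl": 0o600,      # owner only: the expected posture
        "data/tz/sealed.bin": 0o644,        # o+r, but data/tz is 0700: unreachable
    }
    for rel in dir_modes:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in file_modes.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(b"\x00" * 64)           # placeholder contents
        os.chmod(path, mode)
    for rel, mode in dir_modes.items():     # set directory bits explicitly, ignoring umask
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    for rel in find_world_readable(build_demo_tree()):
        print("world-readable:", rel)
```

On a real device the same walk would be pointed at the partition where the sensor's driver or the trusted-execution-environment proxy writes its data; the point of checking directory traversal bits as well as file bits is to avoid both false alarms and, more importantly, a false sense of safety from a file mode alone.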
According to ESET, a Slovak online security company, online poker players
need to keep their computers clean if they want to keep their cards
hidden from opponents. Some players have had their machines
infected with malware built for just one purpose: revealing the victim's
hand to another player at the table. Online gambling cheaters? Is nothing sacred?
The US National Security Agency has revised its Suite B
recommendations for protecting classified and unclassified National
Security Systems (NSS). The original recommendations were issued in
2009; the revision prepares for a transition to "quantum
resistant algorithms". In the interim, what this means in practice is
larger keys: the minimum public-key sizes are raised (at least 3072-bit
RSA and Diffie-Hellman, and the P-384 curve for ECDH and ECDSA), with
AES-256 and SHA-384 on the symmetric and hash side. For public-key
algorithms the larger parameters translate into substantially more running
time, since the cost of a private-key operation grows roughly with the cube
of the key size. Observers are interested to see that the NSA is taking
quantum computation seriously. To date, no quantum computer large enough
to threaten these algorithms exists.
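To put a number on the running-time cost of the larger interim key sizes, here is an added measurement, not part of the NSA guidance or this newsletter: it times a modular exponentiation with a full-length exponent, which is the shape of an RSA signing or decryption operation, at 2048 and 3072 bits. The moduli are random odd integers rather than real RSA keys (an assumption that is harmless here, because the arithmetic cost depends only on operand size), and the trial counts are arbitrary.

```python
import secrets
import time

# Added example, not from the NSA guidance: measure how the cost of an RSA-style
# private-key operation (modular exponentiation with a full-length exponent)
# grows when the modulus moves from 2048 to 3072 bits. The moduli are random
# odd numbers rather than real RSA keys; the arithmetic cost depends only on
# operand size, which is all this comparison needs.

def random_odd_integer(bits):
    """Random odd integer with exactly `bits` bits (top and bottom bits set)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def private_op_seconds(bits, trials=5):
    """Best-of-`trials` wall time for pow(m, d, n) with `bits`-bit n and d,
    the shape of RSA signing or decryption without CRT speedups."""
    n = random_odd_integer(bits)
    d = random_odd_integer(bits)          # full-length private exponent
    m = secrets.randbelow(n)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        pow(m, d, n)
        best = min(best, time.perf_counter() - start)
    return best

def slowdown(old_bits=2048, new_bits=3072):
    """Ratio new/old of per-operation cost. Schoolbook arithmetic predicts
    about (new_bits/old_bits)**3, i.e. roughly 3.4x for 2048 -> 3072;
    sub-quadratic multiplication in the interpreter brings it down a little."""
    return private_op_seconds(new_bits) / private_op_seconds(old_bits)

if __name__ == "__main__":
    for bits in (2048, 3072, 4096):
        print(f"{bits}-bit private op: {private_op_seconds(bits) * 1000:.1f} ms")
    print(f"2048 -> 3072 slowdown: {slowdown():.1f}x")
```

The same growth applies to the elliptic-curve side of the move from P-256 to P-384, since field operations get more expensive and the scalar gets longer at once; the symmetric changes (AES-256, SHA-384) cost comparatively little.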
NIST requests comments on a revision of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management, Part 1: General (Rev. 4). This Recommendation provides general guidance and best practices for the management of cryptographic keying material. A list of changes is provided in Appendix D of the document.
Please send comments to keymanagement@nist.gov by October 31, 2015.
Apple and Other Tech Companies Tangle With U.S. Over Access to Data
The New York Times
By Matt Apuzzo, David E. Sanger and Michael S. Schmidt
Sept. 7, 2015
There are great risks involved in keeping your personal data online,
so it seemed to be a win-win situation when several tech companies
announced that their users could keep their data encrypted with a
key that only they (the individual users) knew. Because the companies'
servers then hold only ciphertext, this relieved the companies of the
worst consequences of malware and cyberespionage against their own
systems, and it gave the users peace of mind about their
privacy. But law enforcement in the US has become accustomed to
unlocking the data on seized cell phones as part of normal
investigations, and a key the company never holds is a key it cannot
be compelled to produce. The authorities are not happy about the situation.
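The design at issue is simple to state and worth seeing end to end: the client stretches a passphrase it never transmits into keys, encrypts locally, and uploads a record that the provider stores but cannot open. The script below is an added illustration of that arrangement, not code from the article or from any of the companies it names. Its encryption primitive, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, is a standard-library construction chosen so the script runs offline; a real product would use AES-GCM or ChaCha20-Poly1305, and the PBKDF2 iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
import struct

# Added demonstration of the design described above: the client derives keys
# from a passphrase it never sends, so the record the provider stores
# (salt, nonce, ciphertext, tag) is useless to the provider or to anyone who
# seizes its servers. The cipher is an HMAC-SHA256 counter-mode keystream plus
# an encrypt-then-MAC tag, built from the standard library only so this runs
# offline; use AES-GCM or ChaCha20-Poly1305 in real software.

PBKDF2_ITERATIONS = 200_000   # assumed work factor for the demo

def derive_keys(passphrase, salt):
    """Stretch the passphrase into separate 32-byte encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]

def keystream_xor(key, nonce, data):
    """XOR `data` with successive HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)

def client_encrypt(passphrase, plaintext):
    """Runs on the user's device. Only the returned record is uploaded;
    neither the passphrase nor the derived keys ever leave the device."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def client_decrypt(passphrase, record):
    """Verify the tag in constant time before touching the ciphertext; a wrong
    passphrase or a modified record fails here rather than producing garbage."""
    enc_key, mac_key = derive_keys(passphrase, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed: wrong passphrase or tampered record")
    return keystream_xor(enc_key, record["nonce"], record["ciphertext"])

def decrypts_with(passphrase, record):
    """True if `passphrase` opens `record`."""
    try:
        client_decrypt(passphrase, record)
        return True
    except ValueError:
        return False

def provider_can_read(record):
    """What the provider, or a court order served on it, gets from a stored
    record: it holds no key, so the best it can do is guess. Trying the empty
    passphrase stands in for 'no passphrase available'."""
    return decrypts_with("", record)

if __name__ == "__main__":
    record = client_encrypt("correct horse battery staple", b"contacts, photos, messages")
    print("stored fields:", sorted(record))
    print("provider can read:", provider_can_read(record))
    print("owner can read:", decrypts_with("correct horse battery staple", record))
```

The trade-off the article describes falls out of the code: `provider_can_read` is False by construction, which is what frustrates a warrant served on the company, and the only attack left against the stored record is guessing the passphrase, which is why the key-stretching step and a strong passphrase matter more than anything on the server side.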
U.S. developing sanctions against China over cyberthefts
The Washington Post
By Ellen Nakashima
August 30, 2015
Harvard Student Finds Flaw, Loses Facebook Internship
Fox News
Brownie Marie
Aug 13, 2015
Are fingerprints the new passwords? Security experts sure hope not.
The Washington Post
Andrea Peterson
Aug 11, 2015
Online poker virus lets cybercriminals peek at victims' cards
Fox News
Sep 17, 2015
NSA Cryptography: Suite B Revisions
August 19, 2015
NIST requests comments on a revision of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management, Part 1 (Rev. 4)