After a day jam-packed with insightful presentations and discussions, atsec’s FIPS ‘n’ Chips crypto module bootcamp came to a close, and we couldn’t be happier with how it went!
We started hosting these bootcamps because the ballooning cost to attend a professional conference puts them firmly out of reach for aspiring cryptographers, who benefit from them the most. With over 350 registered attendees, many of whom were students, we’re considering that mission accomplished this year.
A recording of the presentations is available on the FIPS ‘n’ Chips website along with the presentation materials, but we’d also like to take a moment to summarize the wealth of information presented over the course of the day.
Dr. Yi Mao, atsec US’ CEO, got the ball rolling for the day – almost literally, using a fun new video about atsec’s involvement in cryptography over the years. With thanks to our co-host UT Austin, the speakers, and the audience, she handed things over to the presenters to kick off a day of crypto conundrums, AI and PQC insights, and standardization primers.
Crypto Conundrums
Over the course of the bootcamp, we got a crash course on three cryptography concepts that can move forward the field in parallel with the later topics of AI and Post Quantum Cryptography (PQC).
First up, Professor Brent Waters asked the question “What if we could encode access control directly into our encryption algorithms?”, which would offer efficiency at scale, late-binding access control, and privacy for receivers. He detailed the structure – and math – for such cryptosystems in his talk, making for a presentation that had both accessible concepts and a dive into highly technical details.
Later in the day, NXP’s federal security certifications expert Marc Ireland joined atsec’s Renaudt Nunez to discuss the rocky road hybrid modules on a single-chip have experienced in certification. These modules are increasingly prominent, making recent hurdles frustrating, as it’s left vendors scrambling for alternative solutions. Their presentation ended on a happy note, though, as they announced the combined efforts of vendors, labs, and validation bodies will soon pay off, with draft implementation guidance being submitted to the CMVP for review at the end of the week!
To wrap up the conundrums, John Traver, a principal member of technical staff at AMD’s Product Security Office, went deep on the Caliptra Project, an integrated Root of Trust block. John covered the inner workings of that block, showing how it runs at boot, how it connects to other components, and what enhancements have been made for Caliptra 2.0.
Being integrated into the chip itself provides fewer attack surfaces, which was a resonant topic, as attack surfaces were one of the key points in an earlier talk about the risks AI faces, which brings us to one of the big themes that was at least mentioned in almost every presentation.
AI: An Omnipresent Topic
It’s hard to escape the topic of AI these days, and it was an energizing force at FIPS ‘n’ Chips because of how it promises to both be a significant threat to security but also a major component of security defenses.
Dr. Jeff Crume, an IBM Distinguished Engineer, took the stage to address the security concerns of AI, revealing the lurking specter of integrity attacks against AI systems, where AI is most vulnerable. To ward off this looming threat, he provided a framework for AI security that could help the industry secure AI models – if it is followed.
Whether or not the industry follows such a model is yet to be seen, but we got some insights into how academia, standardization bodies, and industry professionals think about the topic in a panel discussion about chips with built-in security and AI.
atsec’s Stephan Müller moderated the panel with three experts: UT Professor, Quantum Computing expert, and AI safety thought leader Scott Aaronson; Dr. Lily Chen, a NIST Fellow; and Jeff Andersen, a Senior Staff Software Engineer at Google. Questions from both Stephan and the audience bounced between the three in a stimulating discussion, with all three having meaningfully different views and approaches given their backgrounds.
How AI can be implemented both to efficiently attack and defend systems became a prominent point, with Professor Aaronson acknowledging it’s usually easier to attack – meaning security professionals must be even more creative with this new tool moving forward.
AI isn’t the only transformational technology on the block, though, and the topic of Post Quantum Cryptography also made the rounds during the panel – fitting, as it was a major focus of multiple other presentations!
PQC: The Cutting Edge
PQC has been on many cryptographers’ minds lately, with the impending capabilities of quantum computers threatening to make a lot of existing infrastructure obsolete.
Jon Rolf, the director of NIAP, joined virtually and presented alongside atsec’s Joachim Vandersmissen; they shared timelines and process updates for how Post Quantum Cryptography will be increasingly required in products NIAP evaluates, looking forward to things like the CNSA 2.0 update. Jon noted that it’s likely going to be a costly transition, but one that needs to happen over the next decade to keep sensitive data secure as quantum computers become more widely available.
And while quantum resistant algorithms may be limited to three options currently, George Mason University’s Professor Kris Gaj gave a glimpse into academia’s pursuit to satisfy the desire for additional variety. To spur innovation, competitions are held to ruthlessly test algorithms; each round, a batch of those algorithms is eliminated from the running. This passion for progress has yielded the three algorithms already standardized, meaning they withstood the pressure of both academics and validation bodies, and the competition for the next batch is already underway.
Getting an algorithm standardized is not simple, though, requiring rigorous testing and validation – even if academia is enamored with it, standardization bodies may have different requirements. Understanding those different requirements was another important topic of discussion among speakers, with labs, vendors, and government officials providing insights into standards and security.
Standardization and Security
The unfettered push toward the bleeding edge in academia and the drive for cost-effective and perfect solutions in industry are both tempered and married through standardization, which sets important requirements for stability, security, and safety.
Sal Francomacaro provided a look into the world of standardization at NIST, a key player in cybersecurity worldwide. As an IT specialist in the Secure Systems and Applications group, Sal was well positioned to take everyone through the ins and outs of how NIST approaches creating standards, what the goals of standard makers are, and how everyone benefits from the standards that get created.
To drill into the details, atsec’s CST lab manager Swapneela Unkule blitzed through a legion of updates to the ISO/IEC 19790, which forms the base for the FIPS 140-3 standard used to validate cryptographic modules. Swapneela covered everything from new definitions to specific updates to requirement language, providing a valuable summary of the biggest changes for vendors to reference.
And to speak to business considerations around security, Distinguished Architect at Rivian Automotive Ting Lu shared key insights from 25 years of professional experience designing security for integrated circuits. The core of his learnings was to make sure you have a deep understanding of what your assets are, how they can be attacked, and what the costs of both aspects are. If you’re spending more on security than your assets are worth, you may have a problem!
Winding Down and Wrapping Up
A networking session wrapped things up after a day full to bursting with information, offering an opportunity to meet, mingle, and make connections. Over some slices of pizza, students had opportunities to connect with potential employers, colleagues had time to catch up, and different sectors had a relaxed space to talk a bit of shop.
For attendees who were looking for either a quiet retreat or a visual treat, the Visual Lab accommodated both – it was just out of the way enough to dodge the din of the Connector Lounge, and inside was an array of all the informative posters made for the bootcamp. As a bonus, atsec had past videos relevant to FIPS and cryptographic modules playing for some light entertainment.
None of this would have been possible without the support of UT Austin, who provided an amazing space for this event, or the participation of our expert speakers, who took the time to prepare for and present at the bootcamp – to everyone involved in making our second crypto bootcamp such a success, thank you, from the bottom of our hearts!
And to everyone who attended, thank you, too, for joining us to explore the present and future of cryptography!
