Quantum Computing and an Emerging Security Threat

The level of encryption used by most businesses today can keep an organization's data completely secure. But as quantum computing capabilities advance, today's level of encryption will not be strong enough to protect data against hostile actors.
Lonnie Garris
Contributing CIO

Primary encryption algorithms in use today are so effective at protecting sensitive data that many, even security practitioners, may take them for granted.

Take, for instance, the symmetric and asymmetric encryption standards, which would require today’s supercomputers billions of years to eventually compromise. These algorithms are important in that they assist diplomatic facilities in secure communication with their capitals, help provide operational security for military units, and ensure corporations can protect their most valuable intellectual property (IP) assets.

The threats to these encryption standards from quantum computing are on the rise.

Hostile nation-state intelligence services and cybercriminals could use a quantum computer’s ability to decipher cryptographic keys to read or falsify data. In fact, a Department of Homeland Security press release states, “as this technology advances over the next decade, it is expected to break some encryption methods that are widely used to protect customer data, complete business transactions, and secure communications.”

In response, the US government is devising a roadmap to:

  • Devise post-quantum encryption standards
  • Develop transition plans to prepare for this eventuality

The National Institute of Standards and Technology (NIST), through its Computer Security Resource Center, oversees a public competition to determine new encryption algorithms that are quantum secure. This initiative is aligned to bring much-needed benefits to the private sector as well.

The Importance of Encryption

With advances in quantum computing, it is imperative for IT and security leaders to have more than a working knowledge of encryption, as encryption tools have expanded from software to hardware and cloud-based capabilities. According to Gerald Emamali of ENS Solutions, an expert in public/private key infrastructure, “IT leaders need to understand the encryption software tools market and the encryption regulatory landscape, especially as remote work has now become ingrained in the workforce. Achieving higher levels of data security, integrity and assurance is a top priority.”

Many of these solutions have unique features that can help mitigate organizational risk today.

  • Encryption-at-rest
  • File Shredding (so that deleted files cannot be recovered)
  • Stealth Mode (so that encrypted data is hidden)
  • Self-decrypting Modes (allows decryption without running software)
  • Protection of Private Keys (with a Hardware Security Module (HSM))

These features can help organizations adhere to required regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).

As mentioned earlier, the two types of encryption commonly used today, symmetric and asymmetric, have different uses. The Advanced Encryption Standard (AES) is a fast and highly secure form of symmetric encryption that uses a single key for both encryption and decryption. It is used for file-level encryption and wireless communications, and it plays a part in protecting e-commerce activities.

Asymmetric encryption standards use a public/private key infrastructure based on factoring the product of large prime numbers. Because of their large bit size, their uses are limited to encrypting email messages, HTTPS browser connections, and digital signatures. The large bit size makes these standards formidable against modern supercomputers attempting that factoring.

However, quantum computing is a growing risk primarily to asymmetric encryption standards. 

According to the Department of Homeland Security (DHS), the cryptographic systems Rivest, Shamir, Adleman, commonly known as RSA, as well as Elliptic Curve Cryptography (ECC) and the Diffie-Hellman key exchange, will eventually have their public keys compromised by a quantum computer capable of factoring the product of large prime numbers with Shor’s algorithm.

Increasing the key size from 128-bit to 256-bit can mitigate the AES symmetric algorithm’s vulnerability. AES encryption is not based on factoring the product of large prime numbers; computing power and time are the only known ways to compromise this standard. Scientists believe a 256-bit AES key size is sufficient to resist quantum attacks.

What is the Government Doing?

The US government is taking the threat of quantum computing seriously and is acting to prepare for a post-quantum cryptographic world. In conjunction with NIST, the Department of Homeland Security has developed a transition roadmap to research a new post-quantum encryption standard.

The DHS transition plan requires its components to:

  • Inventory critical data
  • Inventory cryptographic technologies
  • Identify public key cryptography (and prioritize systems for replacement)

Corporations can mirror these actions, particularly by identifying public key cryptography systems and labeling them as quantum vulnerable.
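One way to carry out the "identify and label" step, shown as an added example that is not part of the original article or of DHS guidance: it parses IANA-style TLS cipher-suite names from a constructed inventory and labels each system using the article's criteria (RSA, ECC, and Diffie-Hellman are quantum vulnerable; AES-128 should move to AES-256). The system names and the inventory format are assumptions.

```python
# Added example: classify a constructed TLS cipher-suite inventory using the
# article's criteria (RSA, ECC, Diffie-Hellman vulnerable; AES-128 -> AES-256).
import re

# Public-key components the article lists as breakable with Shor's algorithm.
PUBLIC_KEY_FAMILY = {
    "RSA": "RSA", "DHE": "Diffie-Hellman", "DH": "Diffie-Hellman",
    "ECDHE": "ECC", "ECDH": "ECC", "ECDSA": "ECC",
}

# Constructed sample inventory (hypothetical system names, IANA suite names).
INVENTORY = {
    "vpn-gateway": ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"],
    "web-frontend": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "backup-link": ["TLS_AES_256_GCM_SHA384"],  # TLS 1.3: key exchange not in name
}

def classify_suite(name):
    """Split an IANA suite name; return (public-key families, AES key bits)."""
    kx_part, sep, cipher_part = name.partition("_WITH_")
    if not sep:  # TLS 1.3 style: only the cipher and hash are named
        kx_part, cipher_part = "", name
    families = sorted({PUBLIC_KEY_FAMILY[t] for t in kx_part.split("_")
                       if t in PUBLIC_KEY_FAMILY})
    m = re.search(r"AES_(\d+)", cipher_part)
    return families, int(m.group(1)) if m else None

def assess(inventory):
    """Return {system: sorted list of findings} for transition planning."""
    report = {}
    for system, suites in inventory.items():
        findings = set()
        for suite in suites:
            families, aes_bits = classify_suite(suite)
            findings.update(f"quantum-vulnerable public key: {f}" for f in families)
            if aes_bits is not None and aes_bits < 256:
                findings.add(f"raise AES-{aes_bits} to AES-256")
            if "_WITH_" not in suite:
                findings.add("key exchange not in suite name: inventory separately")
        report[system] = sorted(findings)
    return report

if __name__ == "__main__":
    for system, findings in assess(INVENTORY).items():
        print(system, "->", findings or ["no findings"])
```

TLS 1.3 suite names carry no key-exchange component, so the script flags them for a separate check rather than treating them as clean.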

Furthermore, DHS is stressing that organizations start the transition planning now as past experience has shown that large transitions of cryptographic technologies take time and are inherently complex.

The single greatest action corporations can take is to ensure they know which systems and software are quantum vulnerable.

DHS also advises organizations to follow NIST guidance and timelines as a post-quantum cryptographic standard is created. There will likely be a time of dual-use operation while OEMs and software firms develop products to meet the new post-quantum cryptographic standard.

What May Happen on Q-Day?

When a reliable, stable quantum computing machine is developed, and no post-quantum encryption standard is in use, encrypted data and networks can be compromised. Not only will today’s data be in jeopardy, but data created in the past will be in jeopardy as well.

Encrypted data exfiltrated from previously compromised networks or encrypted data transmitted over the public internet may be at risk. Hostile nation-state intelligence services likely have collected and stored encrypted data siphoned from exploited networks, routers, and servers worldwide. There may be petabytes of encrypted data sitting in data lakes waiting to be decrypted.

Because of this possibility, it is vital for organizations to seriously think about intellectual property, critical data, and how it is protected, accessed, and transmitted today.

Important questions to ask: 

  • Have we identified all critical data, and is it quantum-vulnerable?
  • Which quantum-vulnerable data (at rest) should strong symmetric encryption protect?
  • Is there a need for IP and critical data to transit over a public internet?
  • How can the organization safely share symmetric encryption keys?

These are important questions to answer because, when Q-day does arrive, it may arrive like a zero-day in the wild. Hostile nation-states that have this new decryption capability will likely go to great lengths to hide the capability and will ensure public sources of attribution are available to maintain their capability. As a result, corporations that mitigate their risk by strengthening symmetric cryptography in their environment will be in a better position to withstand a Q-day scenario.

Overall, quantum computing will undoubtedly bring about advances in science, but the underbelly is the risk posed by hostile nation-states and cybercriminals. The competitive advantage of targeted corporations may diminish as hostile companies reap advancements without incurring R&D costs. However, the good news is that there is a plan in place by government agencies to address this growing threat.

As technology leaders we must remain vigilant and transparent to ensure our organizations are prepared for the post-quantum world.
