The post-quantum world is often described as a doomsday scenario. One of the biggest fears about quantum computing is its ability to break the traditional encryption algorithms that have protected our data for decades. In response to this pending crisis, President Joe Biden signed two quantum computing presidential directives in 2022, signaling the time is now to figure out how to handle the emerging technology. If you are thinking about how to incorporate post-quantum security readiness into your IT strategy, consider this expert advice.
In this interview, Greg Wetmore, VP Software Product Development and Entrust Cybersecurity Institute member, shares what IT security teams need to know as they prepare for the post-quantum threats on the horizon.
Can you briefly explain what post-quantum cryptography is and how organizations can prepare for it? What steps must organizations take to properly defend themselves in a post-quantum world?
Post-quantum cryptography is a set of cryptographic systems that can protect data from attacks launched from either quantum computers or today’s classical computers. After a mathematician named Peter Shor demonstrated that a quantum computer could easily break the algorithm used for public key encryption (PKE), cryptographers around the world began to explore what a post-quantum cryptography system would look like.
Modern public key cryptography uses two common algorithms (RSA and Elliptic Curve) that scramble data into codes only reversible by the holder of the private key; however, quantum computers can reverse engineer this scrambled data without needing the keys. Quantum computers are steadily approaching the computing power and stability they’ll need to break the public key encryption protocols widely used in digital systems today to protect sensitive data, applications, and transactions. As a result, organizations must begin moving to quantum-resistant cryptography to protect mission-critical data.
Here’s a roadmap for infosec teams looking to get a head start on post-quantum migration:
- Inventory data: Map out where your most sensitive and long-life data resides.
- Inventory cryptographic assets: Gain in-depth visibility into what cryptographic assets already exist in your environment.
- Build a cryptographic agility strategy: Cryptographic agility will be critical for the PQ transition. Crypto agility is the ability to easily move from one algorithm to another – even a quantum-resistant one.
- Test and plan the migration: The technology behind quantum-safe cryptography is rapidly advancing. The NIST PQ Competition recently announced the 4 algorithms that will be standardized over the next year. Some security vendors are beginning to offer early access to quantum-safe crypto in their products.
When should organizations begin preparing for a post-quantum future? And how can IT security teams determine whether it’s urgent to act or not?
Quantum computing is advancing, and while experts are not sure when there will be a quantum computer powerful enough to break the RSA and ECC cryptographic algorithms that are currently in use, many are operating under the assumption that this can happen within a 10- to 15-year timeframe.
Last month, the NSA released the Commercial National Security Algorithm Suite 2.0 to provide timing parameters for specific areas and industries to migrate to quantum-resistant cryptography. They identified the first area to be addressed is software and firmware signing, and that transition should begin immediately.
The migration to quantum-safe algorithms could take several years, and for some industries – like healthcare and financial services – the transition is already underway due to technology lifecycles and long-life data that has to remain secure. To put it into perspective, the migration from SHA-1 to SHA-2 raised numerous alarm bells for the security and cryptography community and it was generally seen as a straightforward migration. But when the time came, organizations struggled with it and some are still figuring it out today. The transition to post-quantum will be more complex than cryptographic transitions in the past. This should be a call to action for organizations to begin considering the impacts to their digital infrastructure.
What are some of the most common threats associated with post-quantum computing?
Quantum computing promises to solve difficult problems — and create entirely new ones.
Quantum computers use the laws of quantum mechanics to process information in quantum bits, or qubits. A system built on qubits can exist in multiple states at the same time (called quantum superposition). This amazing property allows quantum computers to process data and solve some kinds of problems at an exponentially faster rate than classical computers. It has been proven that a scaled quantum computer will render modern public-key encryption algorithms useless. With many enterprise technologies currently dependent on public-key encryption, they’re placed at an elevated risk of brute-force attacks by malicious actors.
Keeping in mind the vast speed by which quantum computers can operate, we humans must begin the long migration to post-quantum readiness. It’s likely that adversaries are already harvesting encrypted data and storing it until quantum computers have enough qubits to crack the encryption algorithms. Don’t underestimate the effort needed to migrate to post-quantum cryptography – the effort will take years.
What types of software updates or security upgrades will be required to defend against the quantum threat? And how long could these take?
Software updates will be significant, and doing so securely will become a problem in and of itself. Think about large organizations with data centers and edge devices scattered across the globe. These updates will take time and require a carefully planned strategy, inventorying and expertise to be developed well in advance. Migrating to a cloud infrastructure offers some advantage but those still with a lot of physical machines and hardware will need time for updates; some machines might even be incapable of receiving updates and would have to be replaced – a situation that can be costly and time-consuming.
Now that we’ve discussed the bad. Can you give us a cool takeaway on quantum computers? Anything to get excited about?
Despite their impact on cybersecurity, quantum computers can offer a lot of benefits and solve a wide range of problems facing humanity. One area, in particular, is medicine and biopharma. We expect quantum computers to enhance our ability of drug discovery and development, and allow scientists to conduct new research for the benefit of raising efficacy and access. Quantum simulations could also play a role in developing the vaccines of the future to protect against widespread viruses and disease.
These simulations could also be unleashed for the benefit of conservation and environmental initiatives. Scientists predict these simulations could lead the way to new scientific breakthroughs and drastically enhance our ability to recycle carbon dioxide and other fuels essential to keeping society moving.
Overall, the ability of quantum computers to more efficiently perform calculations that model real physical systems with huge data sets will make them invaluable to many industries like: materials science, weather forecasts, natural language processing, financial modeling and more. However, if security teams are unable to secure their environments, then much of our everyday web interactions will be at risk. Take the proper steps now to avoid panic later on.
Source: CPO Magazine
