Friday, 7th August 2020

Fighting cryptosloth and getting to quantum safety

Quantum is coming as a powerful challenge to cryptography and all of the information modern encryption keeps safe. Many understand that but view it as a distant threat. What they don’t realise is how far they’ll have to go to prepare for it. By Tim Hollebeek, Industry and Standards Technical Strategist, DigiCert.

Post quantum cryptography (PQC) is rightly being heralded as our main defence. PQC algorithms that can effectively protect against Quantum attack and plug into existing Public Key Infrastructures (PKI) are being eagerly awaited by governments and enterprises alike.

According to DigiCert’s 2019 survey, 35 percent of enterprises don’t yet have a PQC budget. Two out of five respondents claimed that it would be extremely difficult to upgrade their encryption from current standards and many worried about the high cost of doing so.

These are just some of the reasons that quantum threats will likely prosper. The slow pace of PQC adoption will be the downfall of many.

Quantum computing will likely defeat much - if not most - of the modern encryption on which network computing relies in this decade. We speak, of course, of the 2048 bit RSA keys and the Elliptic Curve Cryptography that keep everything protected from the range of threats that data experiences on a day-to-day basis. That’s the opinion of the US National Institute of Science and Technology (NIST) - one of the world’s foremost authorities on the subject.

Quantum’s edge is its ability to solve multiple problems at once. Classical computers speak in bits - a series of 1s and 0s which act as its language. Quantum’s version of bits - Qubits - can be 1s and 0s too, but they can also be a third state of indeterminate value. It’s with that edge that quantum computers can solve multiple problems at once and put themselves light years ahead of classical computers, no matter how powerful.

For encryption, that means every conversation, transaction, dataset, identity, device and endpoint protected by those keys will be easy prey for a quantum ready-adversary.

Were you to throw a classical computer at a 2048 bit RSA key, for example, it would take several quadrillion years for the computer to guess every part of that key. With a scalable quantum computer, that would take a mere matter of months.

Quantum computing has hit an acceleration point in the last year. In 2019, both IBM and Google claimed that it had reached quantum supremacy with their respective quantum projects, definitively proving their superiority over classical computing. In March 2020, Honeywell announced it would be bringing “the world’s most powerful quantum computer” to market in the near future. In the meantime, funding has poured into the quantum field and public interest has spiked. Quantum has just come over the horizon.

The availability of commercial quantum computing is, by many estimates, a ways off. In 2015, the European Telecommunications Standards Institute predicted commercial quantum computing would arrive within 10 years.Five years later, widespread quantum computing still seems five to ten years off according to DigiCert and ISARA’s research. That might allay some people’s fears about their ability to prepare for quantum - after all, a decade is a long time and more than enough to prepare for just about anything. Right?

A few human years is more like a few days in cryptography. Even if it does take a decade for quantum to pose a widespread threat to data protection, that will still be far too short for many. Think of the IoT devices manufactured today and expected to still be in use five, ten or many more years from now. These could include automobiles, transportation systems, medical devices, industrial systems, 5G deployments, smart grids and so on.

The difference between the moment that new cryptography is needed and the moment enterprises adopt it on a large scale stretches far wider than anyone should be proud of. We call that Cryptosloth. The time between those two points is boom years for cybercriminals.

The history of cybersecurity is littered with just such examples. The Diffie Hellman key exchange was invented in the mid-1970s. While it is now a central part of modern cryptography, computational power could not accommodate it for decades after its inception. Even after it was possible, Elliptic Curve cryptography took years to be widely adopted.

EternalBlue - A Windows vulnerability - is a further example of that sloth. When WannaCry hit in May 2017, it used EternalBlue to launch a global cyberattack - one of the largest ever recorded. In June, NotPetya spread around the world, causing similar havoc. The tragedy was that Microsoft had released a widely available patch to EternalBlue earlier in the year. It could only do as much damage as it did because many had ignored patching advice. EternalBlue continues to threaten Windows machines today for the same reason.

If organisations have had such a problem simply patching - then implementing PQC will be considerably harder. That instinct to ignore the problems or delay the solutions, or relax because the threat seems years away, will only exacerbate that sloth and the inevitable threat.

When it comes to quantum, fighting crypto sloth is about more than just quickly adapting the PQC algorithms needed to head off quantum threats. It’s about preparing your environment to be crypto agile. Quantum threats will likely need a variety of cryptosystems and keys in order to resist the threats. Enterprise PKIs and those designed to secure IoT devices will need to be able to quickly switch between different algorithms on the fly.

Companies need to deploy crypto agility to ensure they can replace mass quantities of cryptography and digital certificates should the need arise. The organisations that are preparing now are getting to know their own environments, gathering intelligence and understanding how they already use encryption. They can then move to automate much of their cryptographic activity by creating systems to manage keys as well as discover, remediate, revoke, renew and reissue certificates.

One thing is for sure, the quantum race has already begun. Microsoft, Google and IBM, as well as the governments of the world, have already started accelerating down the admittedly long road to quantum supremacy. Venture Capital funding is pouring into quantum projects and Gartner says that 20 percent of all companies will be investing in quantum in the next five years. Cybercriminals are likely just as excited and Quantum threats will be with us sooner than many may expect. If organisations want to stay ahead of threats they need to take their first steps towards crypto-agility.

By Azeem Aleem, Vice President Cyber Security Consulting NTT Ltd.
Most mid-sized to large enterprises have already moved some of their infrastructure, data, and workl...
Digital transformation needs security at heart, says Jonathan Whiteside, Principal Technical Consult...
Cybersecurity is a worry for cloud users. Market research company Vanson Bourne, in conjunction with...
Dania Ben Peretz, Product Manager at AlgoSec, discusses the steps needed for organizations to achiev...
By Tim Bandos, VP Cybersecurity, Digital Guardian.