Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

02:00 PM
Scott Totzke
Scott Totzke
Connect Directly
E-Mail vvv

Quantum-Safe Cryptography: The Time to Prepare Is Now

Quantum computing is real and it's evolving fast. Is the security industry up to the challenge?

Media reports that Google may have used a quantum computer to crack a problem even the fastest supercomputers could not solve is a significant milestone on the journey to large-scale quantum computing. For cybersecurity professionals who have been waiting for this milestone, this should be the proverbial starting pistol to begin ensuring their infrastructure is agile and resilient.

Quantum supremacy — the point at which a quantum computer can solve a problem that classical computers cannot — is the long-chased milestone that proves that quantum computing can be more than just a science project. In a paper briefly posted on the NASA website — and then taken down — Google engineers reportedly described using a quantum processor to solve a specific calculation in three minutes and 20 seconds that would have taken the most advanced classical supercomputer 10,000 years. Quantum computers process information with qubits, which behave according to quantum mechanics and offer a new bag of tools — such as superposition and interference of states, quantum entanglement, and the uncertainty principle. This makes them fundamentally different, and more powerful than classical computers.

While scientifically and technologically significant, the real-world relevance of Google's potential achievement is extremely limited. We're still far from the large-scale, noiseless quantum computer that will break current encryption standards. And that's good, because it provides organizations around the world — from enterprises and governments to security solution providers and original equipment manufacturers — the time necessary to begin protecting their networks, connected devices, and confidential data. But it is a wake-up call — and the time to prepare may be shorter than some think.

Because quantum computers can solve problems that confound classical computers, they will also be capable of cutting through some of the most common public key cryptographic algorithms used globally. This means all the data — from financial records and medical charts to military orders and diplomatic communiques — that moves safely around the world today, as well as connected devices that rely on embedded security to remain trusted and protected, will be vulnerable to exposure with a large-scale quantum computer.

Such data is already vulnerable to a "harvest and decrypt" attack, in which a hacker steals encrypted data with long-term value — Social Security numbers, military information — and sits on it until a quantum computer can crack the encryption and unlock the secrets. Likewise, it's quite possible that many connected devices with long useful lives — including cars and smart sensors being designed today — will still be in use when quantum computers are widespread. For these reasons, the need to think about quantum-safe computing is now — and not something to put off for a few more years. Think about how rapidly the digital age advanced and overtook industries that did not adapt.

The good news: There are robust cryptographic approaches that are resistant to the capabilities of a quantum computer. (Disclosure: ISARA is among of handful of teams working to make these mathematical approaches practical in commercial applications.) Implementing them, though, is likely to take several years. The time to prepare is now, even though we do not know for certain when a quantum computer will be powerful enough to break current encryption.

What every good IT manager does know is that there rarely is a system upgrade that goes exactly as planned. And for many organizations, changing cryptography is logistically challenging, costly, and time consuming. Encryption is embedded so deeply into most systems that upgrading it will require a full risk assessment to identify all of the parts of a company's infrastructure that use cryptography and where the most vulnerable components of a network are so that a proper migration plan can be established.

Cryptographic agility — commonly defined as the ability to respond and adapt to the ever-changing cybersecurity environment, needs, and threats — allows organizations and OEMs to easily change cryptographic algorithms without major changes to the surrounding infrastructure. Although not a field that has been at the forefront of the technology industry, it will be vital in the coming years. The National Institute of Standards and Technology advocates this type of agility.

The computer industry has been able to depend on current standards for decades; however, we now know that, as in so many areas of technology, flexibility is the key to long-term success when it comes to maintaining the effectiveness of our underlying security. Being nimble in the quantum age will be essential as powerful quantum computers undoubtedly unlock entirely new fields of research and potentially drive the need for even more rapid responses in the future.

Google has shown us that another major milestone on the road to large-scale commercial quantum computing may have been achieved. The message here is that quantum computing development is real and it's evolving fast. We should react by developing our crypto-agility strategies so that we're ready to implement quantum-safe security when the time is right.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Inestimable Values of an Attacker's Mindset & Alex Trebek."

Scott Totzke is chief executive officer and cofounder of ISARA Corporation, a Waterloo, Ontario-based security solutions company that offers production-ready quantum-safe tools and agile technologies needed to enable simplified and seamless cryptographic migrations. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.