Quantum physics meets IT security

It's hard enough for IT security managers to keep with the latest in conventional computing. Cloud Security Alliance and the US government are trying to make sure you don't need a physics degree, too.

Image: iStock/agsandrew

Quantum physics is coming to an IT security product near you.

That's the message published recently by the Cloud Security Alliance in its new white paper, Quantum Random Number Generators (PDF), by the CSA's Quantum-safe Security Working Group.

The research is about standalone hardware devices that provide random number generation to data encryption applications—such devices use quantum mechanics and laser beams to accomplish their task. It's not quantum computing per se, but it's still far-out for ordinary businesses vs. the first wave of defense customers.

SEE: Quantum computing: The smart person's guide

There are three major benefits to quantum number generators, explained Jane Melia, co-chair of the CSA's working group and a vice-president at quantum security company QuintessenceLabs, of Canberra, Australia. There's no known brute-force method of cracking them with conventional computers—even supercomputers; the output is truly random; and they work exceedingly fast.

"Until recently, simple and low-cost quantum random number generators did not exist, preventing quantum physics from becoming the dominant source of randomness," the white paper states. "However, a number of manufacturers have now been able to address this challenge, leveraging quantum effects in a variety of ways to deliver the highest quality randomness, at high rates and at competitive costs."

The working group members are planning to work with the US government's National Institute of Standards and Technology (NIST) quantum security group to continue educating their members, Melia added.

NIST in April 2016 released its own Report on Post-Quantum Cryptography (PDF), concluding:

"NIST is taking the following steps to initiate a standardization effort in post-quantum cryptography. NIST plans to specify preliminary evaluation criteria for quantum-resistant public key cryptography standards. The criteria will include security and performance requirements. The draft criteria will be released for public comments in 2016 and hopefully finalized by the end of the year. At that time NIST will begin accepting proposals for quantum-resistant public key encryption, digital signature, and key exchange algorithms. NIST intends to select at least one algorithm providing each of these functionalities for standardization. NIST will establish a submission deadline late in 2017 for algorithms to be considered, allowing the proposals to be subject to 3 to 5 years of public scrutiny before they are standardized."

NetDocuments, a cloud-based document management company targeting law firms, purchased the QuintessenceLabs product last winter. "Because of the changing environment and increasing requirements for security by our customers... we undertook an effort to move to a new level of security encryption," explained David Hansen, director of compliance, in the Salt Lake City suburb of Lehi, Utah.

Some of NetDocuments' customers are major law firms whose client data would be compelling to hackers sponsored by nation-states, Hansen said. "They see their law firms being hacked every day. Major law firms are hacked every week," he said. It's good that Quintessence does not have access to the security keys, although it would be better if clients could access the system directly so that NetDocuments itself also wouldn't need the keys, he added.

Also see

About Evan Koblentz

Evan Koblentz began covering enterprise IT news during the dot-com boom times of the late 1990s. He recently published a book, "Abacus to smartphone: The evolution of mobile and portable computers". He is director of Vintage Computer Federation, a 50...

Editor's Picks

Free Newsletters, In your Inbox