Quantum technology that the world’s superpowers are developing, if successful, will render many current encryption algorithms obsolete overnight. Whoever has access to this technology will be able to read almost any encrypted data or message.
Organizations need to pay attention to this emerging technology and take stock of the encryption algorithms in use, while planning to eventually upgrade these. Quantum computers already exist as proof-of-concept systems. For the moment, none are powerful enough to crack current encryption, but the private and public sectors are investing billions of dollars to create powerful systems that will revolutionize computing.
Nobody knows when a powerful quantum computer will become available, but we can predict the effects on security and prepare defenses.
What is a quantum computer?
Classical computers operate using bits of information. These bits exist in one of two states, either “1” or “0.” Quantum computers operate in a different, but analogous way, operating with “qubits.” A qubit exists in a mixed state that is both partly “1” and partly “0” at the same time, only adopting a final state at the point when it is measured. This feature allows quantum computers to perform certain calculations much faster than current computers.
Applications to security
Quantum computers cannot solve problems for which current systems are unable to find solutions. However, some calculations take too long for practical application with current computers. With quantum computing’s speed, these calculations could become trivial to perform.
One example is finding the prime factors of large numbers. Any number can be expressed as multiples of prime numbers, but finding these prime numbers currently takes an incredibly long time. Public-key encryption algorithms rely on this fact to ensure the security of the data they encrypt.
It is the impractical amount of time involved, not the impossibility of the calculation, which secures public-key encryption. An approach named “Shor’s algorithm” can rapidly find such prime factors but can only be executed on a sizable quantum computer.
We know that we can break current public-key encryption by applying Shor’s algorithm, but we are waiting for a suitably powerful quantum computer to become available to implement this. Once someone develops a suitable quantum computer, the owner could break any system reliant on current public-key encryption.
SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)
Creating a working, sizable quantum computer is not a trivial matter. A handful of proof-of-concept quantum computing systems have been developed in the private sector. Although quantum research has been identified as a strategic priority for many countries, the path forward is less clear. Nevertheless, China has made quantum technology part of their current five-year plan and is known to have developed functional quantum systems to detect stealth aircraft and submarines, and have deployed quantum communication with satellites.
Are we already post-quantum?
We know the difficulties in creating a sizable quantum system. What we don’t know is if one of the global superpowers has overcome these and succeeded. We can expect that whoever is first to create such a system will be keen to keep it secret. Nevertheless, we can anticipate clues that will indicate a threat actor has developed a functional system.
Anyone possessing the world’s most powerful decryption computer will find it difficult to resist the temptation to put it to use. We would expect to see a threat actor seeking to collect large quantities of encrypted data in transit and data at rest, possibly by masquerading as criminal attacks.
Currently, experts do not observe the volume of network redirection attacks that would be expected for the large-scale collection of data, nor do we see the large-scale exfiltration of stored encrypted data. This is not to say that such attacks don’t happen, but they are less frequent or audacious than might be expected if a state-sponsored threat actor was collecting data at scale.
Preparing for the post-quantum world
Nobody knows when current encryption techniques will become obsolete. But we can prepare by upgrading encryption algorithms to those believed to be resistant to quantum attack. NIST is preparing standards for post-quantum encryption. In the meantime, the NSA has produced guidelines that offer guidance before relevant standards are published.
Encrypted, archived data is also at risk. Organizations may wish to consider if old data is still required. Wiping obsolete data may be the best defense against having the data stolen.
Until a sizable quantum computer is built and made available for research, we cannot be certain about the capabilities of such a system. It is possible that physical constraints will mean that such a system is not practical to build. Certainly, programming quantum computers will require new software engineering practices. It is also possible that programming shortcuts will be found that allow the practical breaking of encryption with a smaller quantum computer than currently expected.
Post-quantum standards and advice from governmental entities are welcome to guide organizations in transitioning to a quantum-secure environment. However, such advice may not reflect the state-of-the-art of malicious actors.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
At some point, many current encryption algorithms will become instantly vulnerable to attack. In anticipation of this moment, organizations should take stock of the encryption algorithms they use and the associated key lengths. Where possible, systems should migrate to use AES-256 encryption, use SHA-384 or SHA-512 for hashing, and extend key lengths beyond 3072 bits as an interim measure.
Anyone implementing encryption software should consider the algorithm life span and provide users with the ability to change encryption strength and algorithm as necessary.
Securing quantum computing for the future
Quantum computing is a major focus of research and investment. Physical constraints mean that current chip architectures are difficult to advance further. Practical quantum computer systems will bring large gains in computing power and allow new computational techniques to be applied to solve problems that are currently impractical to calculate.
One application of a new quantum computer will be breaking encryption. When such a system is developed, its existence is likely to be kept secret. However, there are likely to be indicators in the actions of sophisticated threat actors that will betray the system’s operation.
Reviewing and improving encryption implementations well in advance of the deployment of a functional quantum computer is vital to ensure the continued confidentiality of information. Take stock of encryption currently in use and plan how to upgrade this if necessary.
We might not be able to predict when such a system will be deployed against us, but we can prepare in advance our response.
For more information, visit the Cisco Newsroom’s Q&A with Martin.
Author Martin Lee is technical lead of security research within Talos, Cisco’s threat intelligence and research organization. As a researcher within Talos, he seeks to improve the resilience of the Internet and awareness of current threats through researching system vulnerabilities and changes in the threat landscape. With 19 years of experience within the security industry, he is CISSP certified, a Chartered Engineer, and holds degrees from the universities of Bristol, Cambridge, Paris and Oxford.