Cybersecurity: Bullet-proof your applications from Quantum computers and Algorithmic failures
The scope and reach of cybersecurity are beginning to change. As quantum computing becomes more realistic, it will impact our applications in a very significant way.
We have lots of applications that depend at some layer on crypto. When our crypto is in a vulnerable state, because the algorithm has been broken or has become weak, we want to replace it cleanly in the application with a new algorithm that is stronger against the threat and works in a seamless way, with similar compute time and similar behaviour in terms of key generation. We want this process to be invisible to the end user, and we still want the application behaviour to be the same. This is crypto-agility: the ability to switch algorithms within our business and IT infrastructure without disrupting business. It is an important capability to develop in order to prepare for the cryptographic changes that are coming our way.
Impact of Quantum computing on security
One aspect of the impact is the type of keys. Symmetric keys are subject to Grover’s algorithm and can be attacked by quantum computers, but we can mitigate this by lengthening the key sizes. For example, AES-256 can be made quantum safe if we start to make key sizes larger. The same applies to hashing algorithms such as SHA-2 and SHA-3, which can also be made stronger by using longer hashes.
On the other hand, the RSA algorithms and the elliptic curve algorithms are subject to Shor’s algorithm, which allows them to be broken in real time with quantum computing. These keys cannot be made long enough to be safe.
However, the size of the quantum computer needed to break those algorithms is fairly large, and the amount of entanglement needed is also fairly large. This would happen when qubits become commercially available. The current state of engineering of quantum computers is still on a one-off basis, with no large-scale manufacturing. Quantum computing uses quantum mechanics (superposition and entanglement) to find solutions. With 300 qubits, it can do 2^300 things at once because of the information that those qubits can share.
Vulnerabilities across technologies
Public Key Infrastructure
Applications: Certificates and Key Management
Impact: PKI needs to be moved to quantum-safe cryptography. Existing PKIs will probably need to be deprecated, and projects that involve PKI will need to be deprecated as well. Credentials will need to be reissued.
Digital Signatures
Applications: Contracts (mortgages, agreements) that extend beyond 2022, Secure email, Timestamps, Hash-linked logs and records
Impact: Hash values will need to be lengthened. Assess the key sizes and certificates that we are going to use for signing, so that when quantum computing is cheaply and easily available, what we signed cannot be broken and rewritten.
Cryptographic Hash Functions
Applications: Integrity checks, Logs, Password security
Impact: Cryptographic hash functions will have to be lengthened.
Blockchain / Public Ledgers
Applications: Contracts, Cryptocurrency, Proof of work
Impact: Blockchains can be vulnerable to quantum computers if these arrive at a speed that doesn’t allow us to remediate them. A contract that will last for a few years in the public domain with no central control could be problematic in the quantum computing era. When the algorithm gets broken, the blockchain may need to be re-signed, credentials reissued and hashes lengthened.
Data Security
Applications: Stored/Encrypted Data, SSL/TLS
Impact: Key storage and exchange will need new protocols.
Possible steps to be Quantum Ready
1. Look at the applications that you are using and the impact on each of them. If you are in financial services, you will have a lot of cryptographic artifacts with expiry dates 5, 10, 20 or more years out. Those are the applications that need attention and must be tagged.
2. Have a modular crypto architecture so that we have an abstract way to update the cryptography without impact to the overall application.
3. Move to quantum safe algorithms as providers make them available.
4. Prepare for quantum computing and algorithmic compromise through crypto-agility.
5. Minimize risk by utilizing quantum-as-a-service techniques.
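To make steps 2 and 4 concrete, here is an added example (not code from any product or provider) of a modular integrity-tag layer for log records. It assumes HMAC tags, and the algorithm ids, function names and sample records are all made up for this illustration. The algorithm id is stored with every tag, so old records stay verifiable while new ones use the longer hash.

```python
import hashlib
import hmac

# Registry of supported algorithms. The ids are assumptions of this example.
ALGORITHMS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
    "hmac-sha3-512": hashlib.sha3_512,
}
DEPRECATED = {"hmac-sha256"}   # still verifiable, flagged for re-tagging
CURRENT = "hmac-sha3-512"      # the one place a migration changes


def _tag(key: bytes, message: bytes, alg: str) -> str:
    return hmac.new(key, message, ALGORITHMS[alg]).hexdigest()


def protect(key: bytes, message: bytes) -> str:
    """Return 'alg$hextag'. Callers never name an algorithm themselves."""
    return f"{CURRENT}${_tag(key, message, CURRENT)}"


def verify(key: bytes, message: bytes, token: str) -> tuple:
    """Return (valid, needs_upgrade). Unknown algorithm ids are rejected."""
    alg, sep, tag = token.partition("$")
    if not sep or alg not in ALGORITHMS:
        return (False, False)
    expected = _tag(key, message, alg)
    valid = hmac.compare_digest(expected.encode(), tag.encode())
    return (valid, valid and alg in DEPRECATED)


def migrate(key: bytes, records: list) -> list:
    """Re-tag valid deprecated records; leave invalid ones untouched for review."""
    out = []
    for message, token in records:
        valid, needs_upgrade = verify(key, message, token)
        out.append((message, protect(key, message) if needs_upgrade else token))
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-secret"   # constructed sample key
    old = "hmac-sha256$" + _tag(key, b"2021-03-01 login ok", "hmac-sha256")
    print(verify(key, b"2021-03-01 login ok", old))
    print(migrate(key, [(b"2021-03-01 login ok", old)])[0][1][:20])
```

Retiring an algorithm means moving its id into DEPRECATED and, once migrate has run over stored records, removing it from ALGORITHMS so that downgraded tokens are refused.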
We have to accept the fundamental reality that we can’t fix everything today. We can’t control and protect everything in the manner we would like. We can apply some level of protection and control to the things that matter and the things that are critical. We can’t make our assets fully secure, but we can prioritize and provide the best security for high-value assets.