Breaking Cryptography: Securing Machine Identities in a Post-Quantum World

We’ve reached a watershed moment for quantum computing. Last October, Google announced it achieved quantum supremacy – meaning a quantum computer performed a task no traditional computer could do in a practical amount of time or with a practical amount of resources.

With quantum supremacy, quantum computing, which Gartner defines as “a type of non-classical computing based on the quantum state of subatomic particles” has now moved from the theoretical to reality. So, what does this mean for security?

Gearing up for quantum

The rise of quantum computing opens new opportunities for security; particularly for quantum cryptography, which experts say is impossible to hack. Quantum computing relies on quantum bits (qubits) which, unlike the binary bits in traditional computing, can represent a range of values simultaneously – an algorithm could never predict the true randomness of qubits. This means the next quantum generation of machine identities – the cryptographic system of keys and certificates that enable secure communication between machines – could be unhackable.

Added to this, in a post-quantum world, man-in-the-middle attacks could be completely eradicated using the most well-known method of quantum cryptography: quantum key distribution (QKD). This works by carrying qubits of information through light signals, for example, by using fiber optic cables. These signals are very sensitive to disturbances, so if a bad actor attempts to view the encrypted information, not only will it be unsuccessful, but the user can also be alerted. So there are certainly some great wins to come from the increasing popularization of quantum.  

Organizations also need to understand the risks quantum computing poses for security professionals. Firstly, quantum computing will undermine the security of current encryption methods used to validate the identities of machines communicating with each other on a network.

While our current computers can take tens or even thousands of years to find the prime number used to create a cryptographic key, quantum computing has the power to calculate this in minutes. This means that the public key infrastructure (PKI) and digital signatures that rely on cryptographic algorithms will cease being secure. This could happen sooner than you think; research estimates a functional quantum computer capable of breaking our current cryptographic standards will be available by 2028.

As a result, quantum computing puts every machine identity relying current cryptographic standards at risk. From making payments to a retailer, to accessing a bank account securely, or receiving a message on your smartphone, anything secured with encryption will be up for grabs to those with quantum computing power. Not only will current information be vulnerable, but any historic encrypted data is also at risk. Those – like nation states – who have accessed and stored encrypted data prior to quantum computing will have free reign to decrypt and use it as they wish.

Quantum-proof security

So, what can security teams do to prepare? A first and important step is to make sure you know what machine identities you hold, where and how secure they are and how they impact applications, products and systems. This way, if we do face a situation where an encryption algorithm is broken, you will be able to know how the business will be impacted and have a roadmap to remediating the threat to lessen your exposure.

Given the speed machines operate at, automation is the key to keeping machine identities secure, even as the threat of quantum computing looms. Automation will allow companies to discover where their machine identities are held and enable them to be secured in a quantum-resistant way in the event of a vulnerability or breach.

As the rate of technological advancement increases post-quantum, automation will be more vital than ever. The ability to update cryptography at pace will be the only way to remain secure, keeping up with the speed of adversaries and making organizations quantum-proof.

Then, when transitioning to security for a post-quantum world, you have the opportunity to begin using quantum-resistant cryptography. Existing methods of cryptography, such as lattice-based and hash-based have been deemed unbreakable, even by quantum computers. Using these forward-looking methods of cryptography can help organizations to future-proof.

Quantum is coming

Quantum computing still has some way to go in order to scale – currently, the most powerful quantum computers that exist can only handle 72 qubits, which is far shorter than most cryptographic keys in use today.

IBM’s Senior Vice President of Cloud and Cognitive Software has predicted quantum computers will become mainstream in the next five years. Even by Deloitte’s more conservative estimates, the first commercial, general-purpose quantum computers are expected to appear in the 2030’s. A post-quantum world is already within reach.

As we’ve seen with previous cryptographic standards, organizations can be slow to make updates. After initial warnings about SHA-1’s vulnerability in 2005, it was officially depreciated by NIST in 2011 and broken in 2017. Yet even after all this, over 33 million publicly visible websites were still relying on SHA-1.

Once again, organizations don’t have time be complacent – they need to address how to remain secure in a post-quantum world. It’s vital that businesses start to prepare now, as the future will arrive all too fast. Those that ignore the serious security implications of a quantum future are putting their entire organizations at risk. It’s only through preparation and automation that we can manage the shift to quantum resistant cryptography and secure whatever future quantum holds.

What’s Hot on Infosecurity Magazine?