Preparing Your Enterprise For a Post-Quantum Future

Written by

Contrary to what you may have heard, the advent of quantum computing won’t spell the end to encryption as we know it. That is, if enterprises have taken the necessary steps to prepare for a post-quantum future.

Currently, the security of many cryptographic algorithms — which protect everything from online banking transactions to people’s online identities and private email messages — traditionally relies on RSA asymmetric keys. The RSA algorithm was created in 1976, and leverages the difficulty conventional computers have with factoring large prime numbers.

The current concern is that quantum computers should be able to solve these mathematical problems relatively quickly, which could break the most common public-key cryptography algorithms, including RSA and Diffie-Hellman. 

The big unknown is how long it will take until quantum computers are a reality. Google recently claimed it has achieved quantum supremacy, but the fact that others such as IBM researchers are disputing the claim indicates just how far quantum has left to go (or not). Although Google was able to demonstrate that its quantum computer could beat a conventional computer for a specialized physics problem, it has yet to show it can solve a useful task that cannot be done using current technology.

Without question, however, progress toward quantum computing is moving forward rapidly and there seems to be broad consensus that the problems currently facing quantum researchers will be overcome. Whether that day comes in 2020 or beyond, there’s too much at stake to merely sit on the sidelines. In fact, the majority of corporations around the world are seeing quantum computing as a major threat.

Post-quantum crypto is coming
To survive in a post-quantum world, algorithms must be based on different mathematical processes that can resist both quantum and conventional attacks. To that end, the National Institute of Standards and Technology (NIST) is currently evaluating 26 Post-Quantum Cryptography (PQC) algorithms to determine performance across everything from massive supercomputers to Internet of Things (IoT) devices.

Presuming that NIST’s and other researchers’ efforts are successful, quantum-safe cryptography should be available well before the arrival of large-scale quantum computers that can break RSA and other vulnerable algorithms.

Having new algorithms available is one thing. Implementing them is something else entirely. On that front, the industry’s track record for absorbing new algorithms is not great. For example, SHA1 depreciation was recommended five years before it went into effect and took 13 years from the recommendation stage until widespread change. However, SHA1 only dealt with signature integrity while post-quantum deals with the far greater exposure of sensitive data and signatures.
It also important to consider the life span of devices, systems and applications. Many infrastructure components – such as IoT sensors that depend on encryption to remain secure – are now being deployed and have a projected service life of 10 to 20 years. Without the use of PQC algorithms, every such device could potentially be an avenue for attack.

We’ve been here before
In many ways, the advent of quantum is similar to the Y2K problem, in that it represents an external event that impacts nearly every enterprise system. In the case of Y2K, enterprises heeded the warnings, implemented necessary changes, and were able to minimize disruption as a result.

The difference here is that with Y2K we knew the exact date and time of the impending problem and could work backwards from there. In this case, however, there is no easy way to know if you are behind the curve, on schedule, or moving too slowly. The safest approach is to prepare for the worst and hope for the best.
So, what does a worst-case scenario look like? Imagine a sudden report of “quantum supremacy” across the entire space of factoring of large prime numbers. You could wake up tomorrow and find out that all of the crypto-based identities securing your VPN access from anonymous adversaries around the world are now essentially a wide open door as cryptography now has little value against quantum computers.

This could especially impact organizations that must meet regulations for protecting personal identifiable information (PII), for example. Other worst-case scenarios could involve organizations using network encryption to send financial and other sensitive information across the internet that must now find new ways of conducting business.

Based on what we know currently, there’s likely no need to hit the panic button just yet. Yet sitting around worrying isn’t the answer either. Instead, here are six practical steps you can take now to prepare for the post quantum world of the future:

  1. Begin assessing what devices, system and applications in your environment are using crypto keys. Specially, focus on prime number based crypto – ECC and RSA.
  2. Once you’ve identified vulnerable applications and information, determine placement and exposure to risk. For instance, an external gateway or authentication device is a higher risk than an internal employee website used to sell concert tickets
  3. Determine what capabilities you have for improving “crypto-agility.” Look for the ability to implement new algorithms through optional purchases, features, or settings.
  4. For systems that lack the ability to handle PQC algorithms, begin collecting details and contacting manufacturers to discuss their timeline and plans.
  5. For manufacturers that are unable to provide timelines, guarantees, or expected deliverables, begin identifying potential alternate devices, software, and appliances that can provide crypto protection now and in the future.
  6. Rigorously define the timeline for implementing quantum-resistant algorithms across your entire organization. As noted above, focus on the most critical and vulnerable systems (external facing, authentication, critical systems and encrypted financials to name a few).

The good news here is that by following these steps, you most likely won’t need to change how you are managing and implementing keys and cryptography. Through careful planning – and the support of experienced PKI and cryptography experts – the move to a post-quantum world will be no more challenging than turning a page on the calendar was 20 years ago.

What’s hot on Infosecurity Magazine?