This article discusses Accenture’s insights on crypto-agility that were derived from its recent research report on preparing for post-quantum decryption.
Security experts continue to issue warnings that quantum computing will soon be here. While it brings many advantages to business, there is great concern that this technology will have the capability of cracking encryption models that are in current use. At the highest risk for this are the banking sector, public infrastructure, and government agencies. But in actuality, any organization that uses cryptography to protect its data is at risk for post-quantum decryption.
IT security experts from Accenture Federal Service recently published their insights regarding the need for organizations, including government agencies to become crypto-agile as a way of future-proofing systems against the expected cyber-attacks that will surely come post-quantum. Here we will discuss Accenture’s insights on crypto-agility.
Quantum Computers Expected to Break Current Encryption Key Standards
For four decades, the RSA cryptographic algorithm was regarded as the gold standard because it was thought to be completely impenetrable. However, the discovery of Shor’s algorithm raised the possibility that quantum computers could crack RSA and other asymmetric public-key encryption systems. Because RSA uses asymmetric keys, it is vulnerable to brute force attacks.
Advanced Encryption Standard (AES), another encryption algorithm, relies on symmetric cryptography and is currently considered safe against a quantum computer. However, AES could also be vulnerable to a brute force attack if an accelerator like Grover’s algorithm were used. The good news is that an attacker would need a far more sophisticated quantum computer than the one needed to crack RSA. AES-256, the AES standard with the longest keys, is currently thought to be quantum-safe. AES-256 is used to protect top-secret government data. Unfortunately, it is not suitable as a replacement for all public key cryptography used by the government, because that would require large-scale key distribution.
The Threat Is Already Here with Harvest Now, Decrypt Later
Many projections place the arrival of quantum computing around 2030 or later. That does not mean encrypted data is safe from quantum computing until then. The immediate threat is that attackers are stealing (harvesting) protected data now, intending to decrypt it later, once quantum computing arrives (a “Hack Now, Crack Later” strategy).
Now is no time to let your guard down about protecting encrypted data from being stolen. While it might not be possible to decrypt it now, once cyber-criminals have access to quantum computers, it will be compromised. This is of particular concern for organizations that hold data with a long shelf-life.
Y2K Déjà vu with Y2Q Prep
It was not too long ago that the IT world was concerned about the Year 2000 (Y2K) bug. At least back then, there was a more definitive target date. With Y2Q, “years to quantum,” there is no specific date for when quantum computing will arrive. This has led some IT leaders to put off preparations because they do not see the urgency of preparing for something that might not happen for five, ten, or more years.
The problem with delaying the move to crypto-agility is that quantum computing could arrive before preparations are complete. For some sectors, especially large-scale ones like government agencies, it could take years to secure their information systems. Therefore, the time to move toward quantum-safe cryptography is now.
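The timing argument made above (Shor breaks public-key schemes, Grover weakens symmetric keys, and data with a long shelf-life is exposed to harvest-now-decrypt-later when migration takes years) can be turned into a simple planning tool. The following is an added example, not code from the article or from Accenture; the asset names, key sizes and year figures are constructed sample data, and the exposure test is Mosca's inequality (shelf life plus migration time greater than years until quantum).

```python
"""
Quantum-exposure assessment for a cryptographic inventory.

Added example, not from the article or from Accenture. Asset names, key
sizes and year figures are constructed sample data. Rules applied:
Shor's algorithm breaks RSA/ECC public-key schemes outright, Grover's
algorithm roughly halves the effective key length of a symmetric cipher,
and data is exposed to harvest-now-decrypt-later when
    shelf_life + migration_time > years_until_quantum   (Mosca's inequality)
"""
from dataclasses import dataclass

# Public-key families broken outright by Shor's algorithm.
SHOR_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}
# Symmetric ciphers: Grover's algorithm cuts a 2^n key search to about 2^(n/2).
GROVER_AFFECTED = {"AES", "ChaCha20"}


@dataclass
class CryptoAsset:
    name: str               # what this key protects (constructed)
    family: str             # algorithm family, e.g. "RSA" or "AES"
    key_bits: int
    shelf_life_years: int   # how long the protected data must stay secret
    migration_years: int    # time needed to move this use to a PQ scheme


def quantum_security_bits(family: str, key_bits: int) -> int:
    """Effective security level once a large quantum computer exists."""
    if family in SHOR_VULNERABLE:
        return 0                # polynomial-time break: no residual security
    if family in GROVER_AFFECTED:
        return key_bits // 2    # AES-128 -> 64 bits, AES-256 -> 128 bits
    return key_bits             # unknown family: assume no quantum speed-up


def assess(asset: CryptoAsset, years_until_quantum: int, min_bits: int = 128) -> dict:
    """Verdict for one asset: weak after quantum AND still needed when it arrives."""
    q_bits = quantum_security_bits(asset.family, asset.key_bits)
    weak_after_quantum = q_bits < min_bits
    # Mosca's inequality: data encrypted before migration finishes must stay
    # secret for shelf_life more years; if that outlasts the quantum horizon,
    # ciphertext harvested today becomes readable.
    still_needed = asset.shelf_life_years + asset.migration_years > years_until_quantum
    return {
        "name": asset.name,
        "quantum_security_bits": q_bits,
        "weak_after_quantum": weak_after_quantum,
        "outlasts_quantum_horizon": still_needed,
        "at_risk": weak_after_quantum and still_needed,
    }


def at_risk_assets(inventory, years_until_quantum: int) -> list:
    """Names of assets that need PQ migration first, most exposed first."""
    verdicts = [assess(a, years_until_quantum) for a in inventory]
    risky = [v for v in verdicts if v["at_risk"]]
    risky.sort(key=lambda v: v["quantum_security_bits"])  # Shor-broken (0 bits) first
    return [v["name"] for v in risky]


# Constructed sample inventory for a government-style estate.
SAMPLE_INVENTORY = [
    CryptoAsset("citizen portal TLS key exchange", "RSA", 2048, 10, 3),
    CryptoAsset("archive encryption at rest", "AES", 256, 25, 2),
    CryptoAsset("legacy site-to-site VPN", "AES", 128, 5, 4),
    CryptoAsset("firmware code signing", "ECDSA", 256, 1, 2),
]

if __name__ == "__main__":
    for name in at_risk_assets(SAMPLE_INVENTORY, years_until_quantum=8):
        print("migrate first:", name)
```

With an eight-year horizon the RSA key exchange and the AES-128 VPN are flagged, while the AES-256 archive is not (128 bits of post-Grover security remain) and the short-lived code-signing key is not, even though ECDSA itself is Shor-vulnerable; the ordering puts the public-key uses ahead of the symmetric ones, matching the article's point that asymmetric cryptography is the more urgent migration.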
Preparing for a Post-Quantum World
Quantum computers already exist today. However, they are multi-million-dollar installations that require precision technology and super-cooled environments to function. In the United States, the National Quantum Initiative Act was launched in 2018 to accelerate quantum research and development.
In preparing for a post-quantum world, the National Institute of Standards and Technology in 2016 began its search for quantum-proof public-key algorithms. NIST selected four algorithms during its third round of evaluations in July 2022:
- CRYSTALS-Kyber for encrypting publicly exchanged data
- CRYSTALS-Dilithium, FALCON and SPHINCS+ for verifying digital signatures
NIST is reviewing four additional algorithms that may be included with the 2024 release of the already approved algorithms.
Transitioning to a Crypto-Agile Platform Now is Wise
No one is sure exactly when commercially available quantum computing will arrive, but no one should be caught by surprise. And while the new algorithms chosen by NIST are not expected to be released for public use until sometime during 2024, it is wise to be prepared sooner rather than later. Becoming crypto-agile now allows organizations to switch between algorithms, cryptography, and encryption mechanisms. It also allows compromised keys and certificates to be replaced without compromising mission-critical infrastructure. Thus, a crypto-agile platform can be applied now against both current and future threats, such as quantum computing.
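The properties described above (switching between algorithms, and replacing compromised keys without disturbing the systems that depend on them) come down to a few design decisions that can be shown in code. What follows is an added example, not Cryptomathic's CSG or any code from the article: a self-describing protected object that carries an algorithm identifier and key identifier, a policy object that separates "algorithms accepted on read" from "algorithm used on write", and a rotation step that re-protects old objects under the new algorithm. HMAC with SHA-256 and SHA3-256 stand in for the two algorithms being switched (the registry pattern is the same for a post-quantum signature or KEM), and all keys are constructed values.

```python
"""
A minimal crypto-agile integrity envelope.

Added example, not Cryptomathic's CSG code. It shows three properties of a
crypto-agile platform: every protected object carries an algorithm
identifier, the set of acceptable algorithms is policy rather than
hard-coded, and objects protected under a deprecated algorithm or key can
be re-protected without changing the application that produced them.

Assumption: HMAC-SHA256 and HMAC-SHA3-256 stand in for the "algorithms"
being switched; keys are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Algorithm registry: identifier -> primitive. Adding an algorithm is one
# line here plus a policy change; callers never name a primitive directly.
ALGORITHMS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}


@dataclass
class Policy:
    preferred: str                 # algorithm used for newly protected objects
    verify_allowed: frozenset      # algorithms still accepted when reading
    keys: dict = field(default_factory=dict)   # key id -> secret bytes


def _tag(alg: str, key: bytes, header: dict, payload: bytes) -> str:
    # The header (alg, kid) is bound into the MAC so that editing the header
    # to point at a weaker algorithm or another key invalidates the tag.
    canonical = json.dumps(header, sort_keys=True).encode()
    return hmac.new(key, canonical + b"\x00" + payload, ALGORITHMS[alg]).hexdigest()


def protect(policy: Policy, kid: str, payload: bytes) -> dict:
    """Produce a self-describing envelope under the policy's preferred algorithm."""
    header = {"alg": policy.preferred, "kid": kid}
    return {
        **header,
        "payload": base64.b64encode(payload).decode(),
        "tag": _tag(policy.preferred, policy.keys[kid], header, payload),
    }


def verify(policy: Policy, env: dict) -> bytes:
    """Return the payload if the envelope's algorithm, key and tag are acceptable."""
    alg, kid = env["alg"], env["kid"]
    if alg not in ALGORITHMS or alg not in policy.verify_allowed:
        raise ValueError(f"algorithm {alg!r} is not accepted by current policy")
    if kid not in policy.keys:
        raise ValueError(f"key {kid!r} is unknown or has been revoked")
    payload = base64.b64decode(env["payload"])
    expected = _tag(alg, policy.keys[kid], {"alg": alg, "kid": kid}, payload)
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("integrity check failed")
    return payload


def accepts(policy: Policy, env: dict) -> bool:
    """Convenience predicate: does this envelope verify under the policy?"""
    try:
        verify(policy, env)
        return True
    except ValueError:
        return False


def rotate(old_policy: Policy, new_policy: Policy, new_kid: str, env: dict) -> dict:
    """Re-protect an envelope: the old policy may only verify, the new one protects."""
    return protect(new_policy, new_kid, verify(old_policy, env))


if __name__ == "__main__":
    # Constructed keys; a real deployment draws them from an HSM or key manager.
    old = Policy("hmac-sha256", frozenset({"hmac-sha256"}), {"k-2022": b"constructed-key-A"})
    # Migration policy: issue under the new algorithm and deprecate the old one.
    new = Policy("hmac-sha3-256", frozenset({"hmac-sha3-256"}), {"k-2024": b"constructed-key-B"})
    env = protect(old, "k-2022", b"top secret record")
    migrated = rotate(old, new, "k-2024", env)
    print(migrated["alg"], accepts(new, migrated), accepts(new, env))
```

The two policies are deliberately distinct: during a migration window the new policy's verify_allowed set can still contain the old algorithm so that un-rotated objects remain readable, and once rotation is complete the old identifier is dropped and every remaining object under it is rejected. Binding the header into the tag is what stops a downgrade: an attacker who rewrites "alg" on a stored object cannot produce a matching tag without the key.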
Moving to a crypto-agile platform now is a wise decision and easier than you think with Cryptomathic’s Crypto Service Gateway (CSG). It is a valuable tool for gaining the crypto agility that companies need now and in a post-quantum world. CSG will allow you to rapidly switch to the newest algorithms recommended by NIST to keep your data safe from post-quantum cyberattacks.
- Crypto-agility: Preparing for post-quantum decryption (September 2022) by Garland Garris