Large-scale quantum computing is coming soon, and with that comes new cybersecurity threats. One of these threats is "steal now, decrypt later," where attackers harvest encrypted data and wait for quantum technology advancements to decrypt it. This article explores the threats quantum computing has on current encryption algorithms, and how crypto agility can help you safeguard your digital assets from steal now, decrypt later attacks.
Cryptographic algorithms can be categorized into two broad categories, symmetric and asymmetric algorithms.
Symmetric algorithms are also referred to as secret key algorithms because they use a single secret key for encryption and decryption processes.
Public key or asymmetric algorithms incorporate a keypair (public and private key) which is alternatively used for different cryptographic processes (such as key exchange, signing or authentication). Currently, popular public key or asymmetric algorithms, such as the Rivest-Shamir-Adleman (RSA) algorithm, the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA), have their security based on the following hard mathematical problems such as:
- Integer Factorization
- Discrete Log
- Elliptic Curve Discrete Log
Public key cryptography algorithms are dominantly used in various protocols such as TLS, IPSEC, SSH, Internet of Things (IoT), Document signing, and code signing.
How quantum computing impacts current cryptographic algorithms and cybersecurity
Quantum computing is the latest and fast-evolving field with a substantial effect on existing crypto solutions. Quantum computing will affect symmetric key algorithms in such a way that their key security will be reduced by about half, which means AES 256-bits will provide security approximately corresponding to AES 128-bits.
The situation is compounded in the case of asymmetric algorithms since quantum computing will solve the hard mathematical problems which are the backbone of the RSA algorithm, ECDSA, and DSA. In short, large-scale quantum computers will be able to break the majority, if not all, of the current asymmetric cryptographic standards that are used to protect online communications today.
As quantum computers continue to advance, they will eventually be able to break current public-key algorithms, thereby compromising the security of most current communication protocols and databases. This could result in sensitive information, such as financial or healthcare records, being accessible to malicious individuals with access to a powerful quantum computer.
What is post-quantum cryptography?
Post-quantum cryptography (PQC) is a form of cryptography that is designed to be resistant to quantum computing. It uses mathematical algorithms that are believed to be secure against attacks from quantum computers, even when they become powerful enough to break traditional encryption algorithms.
The timeline of post-quantum cryptography is a relatively short one, as the concept has only been around for a couple of decades. A major milestone in this research area was the publication of the NIST Post-Quantum Cryptography Standardization Process, which was started in 2016. The chosen winners of the NIST process are expected to become standardized within the next year or so.
Migration to post-quantum cryptography
Due to the risk posed by quantum computers, it is crucial for organizations to begin preparing for migration to post-quantum cryptographic algorithms now - before bad actors start harvesting sensitive data. To do this, organizations must upgrade their hardware, software, and services so that when it becomes necessary to switch over to post-quantum cryptography, there will not be any disruption of service. Doing this work now will provide organizations with much-needed peace of mind that their digital platforms are protected from future attack vectors.
"Steal now, decrypt later"
The concept of "steal/harvest now, decrypt later" occurs when attackers use existing technology to capture encrypted data while it is in transit, store it and then decrypt it at a later point in time when they can access a quantum computer powerful enough to break the encryption algorithm. In this way, attackers are able to access data with a long shelf life, which is currently protected by strong encryption.
The potential magnitude of information disclosure will be immense, posing a significant threat to everyone, especially defense and military communication systems. The technique to “steal now, decrypt later” may be heavily utilized by state-backed organizations to capture encrypted traffic of competitor countries to decrypt the traffic once a quantum computer is built.
How to protect against “steal now, decrypt later”
One way to protect against “steal now, decrypt later” attacks is to use post-quantum cryptography (PQC) in addition to existing encryption methods, which is referred to as hybrid encryption. PQC algorithms are designed to be resistant to quantum computer-based attacks, and therefore can provide a higher level of security if combined with traditional encryption algorithms. However, updating cryptographic algorithms is a very difficult and time-consuming task for most organizations that have numerous applications and instances of software that need to be migrated.
To ensure protection against “steal now, decrypt later”, modern enterprises and organizations must prioritize crypto agility and start incorporating PQC into their communication systems and technologies. It is a lengthy and time-consuming process, but shifting from current public-key/asymmetric algorithms to post-quantum cryptography will restrain later decryption of the organization’s encrypted traffic.
Post-quantum cryptography (PQC) and crypto agility
PQC deals with the study, design, development, and evolution of post-quantum asymmetric algorithms which will be safe from quantum computers. Organizations are actively involved in PQC research to design security solutions that should be secure against both classical and quantum computers and easily workable or integrated with existing network & communication protocols.
Practicing crypto agility is an important step for data protection in the face of quantum computing. Crypto agility means that organizations can quickly change their cryptography protocols when new attacks are identified, allowing them to stay ahead of any potential threats. This allows organizations to quickly adopt PQC standards when made available and remain secure and protect their data even as quantum computing advances.
Achieving crypto agility
Organizations need the capacity to quickly update cryptographic methods without significant change to information systems to retain regulatory compliance and mitigate security risks.
While adopting new methods of application development can facilitate crypto agility, the complete re-engineering of existing information systems is only possible in rare cases. Cryptomathic’s Crypto Service Gateway (CSG) can facilitate crypto agility in legacy and new IT systems by allowing organizations to immediately adopt new encryption methods without code updates in a comfortable and highly automated way. Cryptomathic's CSG delivers a policy engine that separates the process of developing, enforcing, and updating policies from the application side, and performs these tasks without service interruption - thereby providing true crypto agility to organizations that need to prepare for the threats of quantum computing.
For more information on Cryptomathic's encryption and crypto-agility solutions, please visit https://www.cryptomathic.com/products/key-management or get in touch with one of our experts.