As the scientific community continues to push towards achieving quantum computing on a mass scale, smart companies are busy making preparations for this inevitability. While scientists disagree on whether its 5 years away or 20 (or more), the reality is that the amount of time that organizations have to prepare is quickly slipping away. These preparations go far beyond just planning for new infrastructure investments. This is especially true when it comes to the use of cryptography and crypto keys. Whether you are just beginning to plan for the quantum future or are well down the path, here are three important steps that will help you achieve crypto-agility and prepare yourself for quantum computing.
Quantum and Cryptography
While quantum concepts will certainly have profound impacts on computing capabilities, there are also aspects of cryptography where quantum will have a great influence. Quantum key exchange AKA quantum key distribution (QKD) is one such area. By leveraging the properties of quantum physics, it becomes possible to effectively protect against the threat of man-in-the-middle attacks.
Another such aspect is that of quantum entropy which deals with the degrees of the chaos of a quantum system. It has direct impacts on generation of strong cryptographic keys. Finally, the security of asymmetric algorithms is at risk from quantum computing. It has been proven, at least theoretically, that a quantum computer is capable of breaking RSA-2048. This is considered impossible with classical computing due to the limitations of conventional transistors and the sheer amount of time required to process the calculation.
Given all this, it becomes clear that there is more at risk than the breaking of the cryptographic schemes using RSA and ECC algorithms. The impact spans the entire process of key management, exchange, encryption, decryption and storage.
Similarly, crypto-agility is a topic that needs to be understood if you're going to make a smooth transition into this new age of technology. It is the ability of your information security system to evolve to an alternative encryption method without requiring large-scale changes to the underlying infrastructure.
This becomes critical in the age of quantum computing because of the threat to the asymmetric algorithms.
While they are practically impossible for classic computing systems to solve, it has already been shown that the potential of quantum computers can exponentially increase the processing speed of factorizing primes. As a result, and according to NIST guidelines, becoming crypto-agile is no longer optional.
Crypto Control Center
As quantum concepts continue to infiltrate the cryptography space, organizations must be able to prepare for and be able to quickly respond to changes. The first step you can take towards crypto-agility is implementing a cryptographic control center that can function as both a cryptographic service and an interface to manage your crypto policies for all applications. By using centralized and agile crypto solutions, you should have the ability to control a wide range of crypto functions such as data encryption, key management, code signing and transaction authorization from a single system. Such a solution should also incorporate the use of a central policy file, allowing your security team to seamlessly maintain control of application privileges, security parameters and updates to crypto algorithms. This centralized approach keeps your teams agile as they can make rapid changes, such as migrating to quantum resistant algorithms, without the need to touch application code. This will be critical when quantum computing revolutionizes the approach to cryptography.
In addition to security concerns, most organizations must consider application programmers that work on their many software solutions. While these programmers may not be well versed in the details of cryptography, their transactional programs will make use of encryption to process securely. This means that you will need a method to allow these folks to continue development without being disrupted by changes to your encryption solutions.
This is where a crypto-abstraction layer can help you on your way to crypto-agility. An abstraction layer acts like an API (application programming interface) that holds and hides cryptographic information. Instead of your application developers needing to learn the complex details of cryptography, they can simply make use of the crypto-abstraction layer API calls when they need to encrypt transactional data. When your security team needs to update the encryption solution, they can then update the abstraction layer. The programmer will need little to no information on the security changes in order to continue using the API-like solution for their programs.
The final consideration for achieving crypto-agility is adapting your organizational processes and controls accordingly. While this includes the processes for implementing a centralized KMS and a crypto-abstraction layer, organizational evolution must go deeper than that. The process begins with a full assessment of the cryptography used by your various information systems. Your incident response, procurement and application development processes must also become crypto-agile. At the end of the day, your organizational evolution is all about gaining maturity and anticipating the impact of these impending changes. Taking this holistic approach will enable your organization to thrive in the age of quantum computing.
References and Further Reading
- Selected Articles on Quantum Cryptography (2017-today), by Dawn M. Turner, Rob Stubs, Terry Anton and more
- Selected Articles on Crypto-Agility (2017-today), by Dawn M. Turner, Jasmine Henry, Rob Stubs, Terry Anton and more
- Final Version of NIST Cloud Computing Definition Published by the National Institute of Standards and Technology, October 2011.
- Study on Cryptography as a Service (CaaS) by Yudi Prayudi and Tri Kunturo Priyambodo, November 2014.
- NISTIR: Report on Post-Quantum Cryptography by the National Institute of Standards and Technology, April 2016.
- Cryptomathic Answers Compliance-Driven Call for Crypto-Agility by Cryptomathic, May 2018.