Quantum computing has been on the rise in recent years, going from a conceptual, futuristic technology to becoming a reality. While this new branch of computing could be a major milestone in the evolution of computers and allow for processing more information faster than before with many applications, it could also possibly endanger the security of our data and communications, as the current encryption algorithms used to secure our data could become unsecure.
What Is Quantum Computing?
Traditional computer architecture is built around a binary system, where a bit or binary digit is used as the smallest unit of data, with two possible values (1 or 0). With quantum computers, qubit is used instead as the basic unit of quantum information and can represent a value of either 0, 1, or range of values between 0 and 1 simultaneously. The use of quantum mechanical phenomena like superposition, interference, and entanglement allows computing power that can solve problems exponentially faster than classical computers.
Like any major technological advance in the history of mankind, quantum computing will bring a lot of positive things, but it also poses a serious risk to the security of our communications, making them potentially vulnerable to new quantum-powered attacks performed by state-sponsored cybercriminals.
What Possible Security Threats Does It Pose?
Although today quantum computers are still at an early development stage, the threat to the security of communications is real already, as while most technologies used to secure our data were believed to be secure and “unbreakable” some years ago, they will certainly not be in the years to come. Quantum computing is accelerating things exponentially by tremendously reducing the amount of time required by some attacks to break current encryptions, thus rendering these attacks possible and feasible in real life. As a practical example, using the Shor algorithm, quantum computers could theoretically reduce the calculation time from trillions of years down to only a few hours! This would de facto render it possible to crack current encryption used to protect information in transit (e.g., VPN for remote connections), but also at rest (ex: BitLocker on desktop computers) in a timely manner.
With that in mind, there have been efforts and investigations to find secure, resilient alternative methods to ensure these communications remain protected in the future when quantum computers are everywhere. And for these reasons, it is critical for organizations to start taking protection measures today, as even though their communications might still be pretty much secured right now, a malicious actor could still collect them today to later decrypt them “tomorrow”, when computing computers have matured enough to break the encryption algorithms used to protect them, a very realistic scenario known as “harvest now, decrypt later” attack and which is a real concern in the quantum cryptography community.
Cryptography 101
There are mainly two types of encryption methods used to protect data, either in transit or at rest.
The first method, called symmetric encryption, relies on a single key, often referred to as “shared secret key,” both to encrypt and decrypt the data, allows for fast encryption/decryption processing and multiple parties to communicate with each other using the same key. It is used by Advanced Encryption Standard (AES) encryption algorithm, to secure both data transmission (“data in transit”) with Transport Layer Security (TLS) security protocol or data stored on a disk (“data at rest”).
However, since a unique key is used, it must be kept safe and rotated/replaced often, otherwise it could become comprised and used by a malicious third-party to read all the communications.
The second method, called asymmetric encryption, relies on different keys to encrypt, and then decrypts the data exchanged between two parties; a public key, shared with anyone, and a private key, only known to its owner. Both keys, mathematically related, compose a key pair; any of them can be used to encrypt data, that only the other one in the pair will be able to decrypt.
Unlike symmetric encryption, a unique key pair must be generated for each party so they can communicate with others securely. Authentication and verification are required and usually achieved using digital certificates, provided by Certification Authority (CA), either public or private, that must be trusted by both parties. This type of encryption is used, for example, by Rivest–Shamir–Adleman (RSA) cryptosystem to secure data transmissions.
Combining Symmetric and Asymmetric Encryption
While both methods work very differently and are employed for different scenarios and use cases, they can also be used in combination. For example, Transport Layer Security (TLS) protocol, primarily used for securing communication over computer networks, particularly the Internet, leverages both asymmetric and symmetric encryption to establish secure communication channels.
During the initial handshake, asymmetric encryption facilitates key exchange and server authentication:
1. The server sends its public key within a digital certificate.
2. The client verifies it using trusted Certificate Authorities (CAs).
3. The client then generates a symmetric session key.
4. Encrypted with server's public key, this session key is then securely sent back to server.
5. Using its private key, the server will decrypt and retrieve the session key.
6. Now both parties have a shared secret key to encrypt their communications.
Then symmetric encryption takes over for the bulk of data transmission, ensuring efficiency and confidentiality as it encrypts and decrypts data using the shared session key. This dual approach combines the security of asymmetric encryption for key exchange with the efficiency of symmetric encryption for secure data transfer within the TLS protocol.
Challenges
However, there are several challenges with current cryptography that need to be addressed.
Key Exchange Vulnerabilities
The primary challenge pertains to the exchange of encryption keys between two parties. The most widely used public-key encryption protocols, such as Diffie-Hellman (DH) and Rivest-Shamir-Adleman (RSA), are utilized to securely exchange keys. However, in both scenarios, encryption keys are transmitted alongside data over the same insecure communication channel, such as the Internet, exposing the keys to potential interception and alteration by malicious actors, enabling Man-in-the-Middle (MITM) attacks. These attacks could lead to eavesdropping, also known as "sniffing," allowing the interception of communications between the parties. The compromised keys can then be used to decrypt the intercepted data, enabling the extraction of sensitive information such as user credentials and credit card details from unsecured transmissions.
Weak Entropy in Key Generation
The second challenge resides in the fact that encryption keys are generated directly at the endpoints, including mobile phones, desktop computers, hardware-based back-end servers, and virtual or cloud-based systems. However, these endpoints often provide weak entropy, meaning the random numbers generated locally for creating encryption keys are insufficiently random, making them predictable and particularly vulnerable to exploitation by quantum technologies, as well as inherent flaws within Random Number Generators (RNGs) themselves. Furthermore, the widespread adoption of cloud computing makes it even worse, as numerous virtual machines running on identical hardware may produce overly similar random numbers, increasing the risk of security breaches. While the probability of occurrence may be low, any nonzero percentage poses a tangible risk to data security.
Pre-Shared Keys (PSKs) Risks
The third challenge concerns Pre-Shared Keys (PSKs), which serve as shared secrets or passwords exchanged between two parties via a secure channel, functioning as authentication keys, as they typically lack key rotation, which poses a significant security threat if stolen or intercepted by a third party, who could then decrypt all communications. While one option is to replace PSKs more frequently, this presents its own challenges, as securely redistributing the new key to all endpoints involved is not a straightforward task.
Harvest Now, Decrypt Later.
Finally, while today only a tiny percentage of the current known cyberattacks are quantum attacks, malicious actors could still intercept and collect data from encrypted communications to decrypt them later, when quantum computers are generally available and mature enough to break the encryption algorithms that were used to protect said data. Such scenario is known as the “harvest now, decrypt later” attack and is a real concern in the quantum cryptography community; while some information might only have value for a limited amount of time, other information does not (e.g., classified information).
Now that you know all about quantum cryptography and its challenges, stay tuned for our next blog post which will cover post-quantum security, the different approaches to it, and laws and regulations around it. The rise of quantum computing is undeniable and sifting through the vast array of information on solutions, products, and best practices can be daunting. Please contact the team at ISEC7 Government Services; we can provide a security assessment to review your security posture and help you navigate the options available to protect your sensitive data and strengthen your infrastructure.