THE QUANTUM THREAT
Cryptography is an essential part of enterprise security.
Want to protect the confidentiality of your data? Use symmetric or asymmetric cryptography.
Want to demonstrate that a file has not been maliciously altered in transit? Use cryptographic hashing.
Want undeniable proof of who sent a message? Use digital signatures . . . created using cryptography.
What then, would be the consequence of cybercriminals being able to crack the code? Suddenly online banking doesn’t sound so attractive.
How We Use Cryptography
Cryptography provides security to information and IT systems in three main ways - encryption, integrity and authentication.
Encryption can be thought of as scrambling data using a key and a complex algorithm. A key is usually a very big, very random number. An algorithm is just a step by step set of rules that determine how the data will be scrambled.
How Does Basic Encryption Work?
Step 1: Turn a message into a series of 1s and 0s (binary).
Step 2: Swap the bits around so you can’t remember what went where.
Step 3: Now turn some 0s into 1s and some 1s into 0s.
Step 4: Turn the key into binary, and throw that into the mix.
Step 5: Repeat steps 1-4 multiple times and turn the binary back into text.
Voilà – a message that looks like complete gobbledegook and which can only be turned back into plain text if you know what the key was and how it was used.
Today’s computers can’t calculate the original key in any meaningful time frame – it can be done, but you might have to wait a few billion years before you have your answer. Not true of quantum computing.
Why Is This A Problem
A malicious hacker could store an encrypted message to decrypt it sometime in the future – when a sufficiently powerful quantum computer exists.
Information with a medium or long lifespan (i.e. it will still require protection in 10 or more years) could therefore be at risk of decryption, as illustrated here.
Integrity is also important in business communications. It works like this:
Step 1: Take piece of text; an image, a sound file, a movie, or a piece of software and convert it into binary.
Step 2: Take a key - again this is a very big number - and turn that into binary too.
Step 3: Mash them together using a ‘hash’ algorithm.
Boom! You have a string of characters of a fixed length that looks like total gobbledegook (called the digest).
Now For The Important Bit:
If I change just one bit of the original message - just one tiny piece of it - then the output (or the digest) looks completely different. The gobbledegook looks nothing like it should.
The benefit of this, should be obvious, the recipient can run the message through the same hash algorithm to determine if someone has been changing the files whilst in transit – perhaps to plant malware, for example
So What’s The Problem?
Quantum computers should be able to crack these hashing algorithms quickly and easily. This means that a hacker could change the contents of a file or a message and you’d be none the wiser. The digest would look legit. If this sounds like pie in the sky, you should know that even without quantum computers we have already cracked MD5, SHA 1 and potentially SHA 2. These are, or have been, the most commonly used hashing algorithms to date. Indeed, they are also used to store usernames and passwords.
When businesses communicate they need some sort of assurance that they are not talking to an imposter.
Come to think of it, we all do. For example, when you visit the bank’s website, you need to know that you are actually talking to the bank. To confirm our identity, we therefore, use cryptography. It works like this:
Step 1: The website generates two keys that are inextricably linked together. One key they keep for themselves (called the private key), and the other is published for the world to see (called the public key).
Now for the weird bit: If you encrypt something with the private key, only the public key can decrypt it and vice versa. We can use this to our advantage:
Step 2: Take a message.
Step 3: Encrypt it with your private key (this is called a digital signature)
Step 4: If the recipient can decrypt the message with the public key, it means they must be talking to someone who has the linked private key. To add gravitas to this, we use a trusted 3rd party to confirm that the private key belongs to a particular person or organisation – like our bank
So What’s The Problem?
Using sufficiently powerful quantum computers, one could derive the private key from the public one – something that is not currently feasible. That means a hacker could easily impersonate a trusted organisation or vendor.
For example, what if a hacker impersonates Microsoft and pushes out updates with a malicious code embedded into it? Mmm – not good!
1. Evaluate the sensitivity of your organization’s information and determine its lifespan to identify information that may be at risk. Never keep information longer than it is required.
2. Review your IT lifecycle management and develop plans to transition to quantum-resistant cryptography when available. This is known as QKD.
3. Budget for potentially significant software and hardware updates, as the timeframe for necessary replacement approaches.
4. Educate yourself and your teams on the emerging quantum threat and future quantum technologies.
5. Ask your vendors about their plans to implement quantum safe cryptography (e.g. do vendors plan to include quantum-safe cryptography in future updates, or will you need to acquire new hardware or software?).
6. Ensure that your vendor is using standardized, validated cryptography. The most popular standard are shown in the Federal Information Processing Standards (FIPS).
7. Determine how and when you will be able to implement post-quantum algorithms in your life-cycle plan.
See something not quite right? Email: EMSOUCyberProtect@leicestershire.pnn.police.uk