Next-generation encryption: What it will look like, and why we'll need it
Threats to current encryption techniques are on the horizon. The National Institute of Standards and Technology (NIST) predicts that within the next few years the most credible of these threats, sufficiently capable quantum computers, will become viable. The concern is that such machines will be able to break essentially all asymmetric encryption schemes in use, effectively rendering public key infrastructure (PKI) encryption useless.
While fully functional quantum computers may still be several years away, recent technological strides may have accelerated the timeline. Advances include the claim that researchers have achieved quantum supremacy, the point at which a quantum computer performs a calculation beyond the reach of even today's most powerful classical supercomputers.
Quantum algorithms that threaten public key (asymmetric) encryption have already been developed. One bright spot is that symmetric encryption algorithms, such as the Advanced Encryption Standard (AES), are thought to be more resistant to quantum attack: no efficient quantum algorithm is yet known that breaks them.
This means that any protocol that relies on an asymmetric algorithm at any point, for example to negotiate the session key that the symmetric cipher then uses, is vulnerable. It is why a state actor could capture and store all Transport Layer Security (TLS) traffic today in the hope of decrypting it once a capable quantum computer exists. For cybercriminals this would currently be too expensive; the costs still outweigh the benefits.
If the scientific world is that much closer to building a fully functional quantum computer, cybersecurity specialists may need to start rethinking how encryption will work in a post-quantum computing world. This is the goal of the process NIST has initiated to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.
Post-quantum cryptography: The coming standards
Even though the worst-case scenario is unlikely to become an issue in the near term, NIST is preparing for it and recognizes the importance of post-quantum cryptography (PQC), stating, "Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing."
To that end, NIST has been requesting submissions for PQC standards and working with industry leaders to come up with a methodology to address the future threats posed by quantum computing-powered attacks. That process has recently entered round three, where proposed PQC algorithms will be further evaluated for their resiliency against quantum computers. The third-round finalists may very well set the stage for what will become a set of standards for PQC and redefine how PKI, digital signatures, and other encryption techniques are deployed.
Keep security current by looking ahead
Although the new NIST standards are still being worked out, businesses can ready themselves now for the day those standards are needed. The threat is potentially imminent: cybercriminals may already be hoarding encrypted data in the hope of using quantum computers to break into it later. Experts from numerous digital security firms, such as DigiCert, Gemalto, Utimaco, and several others, are offering intelligence and advice on how to prepare for a post-quantum world. While most point to their own services or products, all agree on several basic ideas in the quest to ready businesses for a post-quantum world:
- Improve crypto-agility: Crypto-agility, as the name implies, is the ability to identify and manage the cryptographic algorithms in use and to swap them out when needed. Virtually any connected organization uses cryptography somewhere; any secured environment depends on it. Organizations must identify every element—such as servers, protocols, libraries, algorithms, and certificates that utilize encryption—and then be able to manage those. The key here is to be able to manage the lifecycle of crypto technologies. Organizations can turn to a certificate management platform to achieve much of that. It is also critical to create a plan for how to identify and resolve encryption issues, such as expired certificates or weak algorithms. Once all crypto resources are identified, organizations will need to work with their third-party vendors to determine how those vendors plan to protect against quantum threats.
- Catalog all hardware security modules (HSMs): Many organizations use HSMs to safeguard and manage digital keys. HSMs also perform encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. Most importantly, HSMs are often found in card payment systems or smart card access systems and are becoming ubiquitous in many organizations. It is critical to identify all HSMs, understand how they are being used, and determine whether they can be upgraded to support the next set of threats to encryption. That will require contacting the HSM vendors and verifying whether there is an upgrade or replacement path.
- Maintain best practices for TLS deployments: TLS endpoints are the most exposed points of attack in a post-quantum world. Following best practices will keep you on the leading edge of security and encryption updates. When somebody builds a viable quantum computer, we'll all need to upgrade our TLS libraries.
- Have a plan and test it: Identifying the parts and pieces that are subject to a quantum threat is only the beginning of a plan. Organizations will also need to define what to do if a potential threat is encountered, which is already a best practice in the realm of cybersecurity. The key here is to identify critical elements and build a plan that addresses those elements. The plan should also be frequently tested. For example, if an organization is notified of a certificate compromise, it may want to be immediately ready to deploy a replacement certificate, and the only way to be fully ready is to have tested such a scenario in the first place. Many organizations create sandboxes or build non-production test systems for the purpose of validating changes before applying those changes to a production network.
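The inventory-and-triage step that the crypto-agility, HSM and TLS items above describe can be made concrete. The following is an added example, not tooling from the article or from any vendor it names: each record says where a primitive is used and with what parameters, and `classify()` returns the findings a migration plan needs, separating what a quantum adversary breaks outright (asymmetric algorithms, via Shor's algorithm) from what is merely weakened (symmetric keys and hashes, whose effective strength Grover's algorithm roughly halves), what is already weak today, and what expires soon. The asset records and vendor names are constructed sample data.

```python
"""Crypto-agility inventory triage (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Families whose security rests on factoring or discrete logarithms. A large
# enough quantum computer running Shor's algorithm breaks them at any key size.
ASYMMETRIC = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# Minimum sizes still considered adequate against classical attackers today.
CLASSICAL_MIN_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048,
                      "ECDH": 256, "ECDSA": 256, "EdDSA": 256}
# Symmetric ciphers and hashes: Grover's algorithm roughly halves the effective
# key/output length, so 256-bit parameters are the conservative choice for
# data that must stay confidential for years.
SYMMETRIC = {"AES", "ChaCha20"}
HASHES = {"SHA-1", "SHA-256", "SHA-384", "SHA-512"}
# Primitives that are broken or deprecated against classical attackers already.
WEAK_TODAY = {"SHA-1", "MD5", "RC4", "3DES"}


@dataclass
class Asset:
    name: str                       # host, service, or HSM slot
    usage: str                      # key-exchange, signature, bulk-cipher, hash, certificate
    algorithm: str
    bits: int = 0                   # key size, curve size, or hash output length
    expires: Optional[date] = None  # certificate notAfter, if applicable
    vendor: str = ""                # third party to ask about their PQC roadmap


def classify(asset: Asset, today: date, expiry_window_days: int = 90) -> List[str]:
    """Return findings for one asset; an empty list means no action is needed."""
    findings: List[str] = []
    alg = asset.algorithm
    if alg in WEAK_TODAY:
        findings.append(f"{alg} is already broken or deprecated; replace now")
    if alg in ASYMMETRIC:
        findings.append(f"{alg} is quantum-vulnerable (Shor); schedule PQC migration")
        if asset.bits and asset.bits < CLASSICAL_MIN_BITS[alg]:
            findings.append(f"{alg}-{asset.bits} is below today's minimum "
                            f"of {CLASSICAL_MIN_BITS[alg]} bits")
    elif alg in SYMMETRIC or alg in HASHES:
        effective = asset.bits // 2  # Grover's square-root speedup
        if effective < 128:
            findings.append(f"{alg}-{asset.bits}: ~{effective}-bit post-quantum "
                            f"strength; prefer 256-bit parameters for long-lived data")
    if asset.expires is not None:
        days_left = (asset.expires - today).days
        if days_left < 0:
            findings.append(f"expired {-days_left} days ago")
        elif days_left <= expiry_window_days:
            findings.append(f"expires in {days_left} days")
    if asset.vendor and findings:
        findings.append(f"ask {asset.vendor} for their quantum-readiness roadmap")
    return findings


def triage(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map 'name/usage' to its findings, keeping only assets that need action."""
    report = {f"{a.name}/{a.usage}": classify(a, today) for a in assets}
    return {key: found for key, found in report.items() if found}


# Constructed inventory; hostnames and vendor names are placeholders.
SAMPLE_INVENTORY = [
    Asset("www.example.com", "key-exchange", "ECDH", 256, vendor="cdn-vendor-placeholder"),
    Asset("www.example.com", "certificate", "RSA", 2048, expires=date(2024, 3, 1)),
    Asset("legacy-vpn", "key-exchange", "DH", 1024),
    Asset("payments-hsm", "signature", "RSA", 4096, vendor="hsm-vendor-placeholder"),
    Asset("backup-archive", "bulk-cipher", "AES", 128),
    Asset("backup-archive", "hash", "SHA-256", 256),
    Asset("ci-runner", "hash", "SHA-1", 160),
]

if __name__ == "__main__":
    for key, found in triage(SAMPLE_INVENTORY, date(2024, 2, 1)).items():
        print(key)
        for line in found:
            print("  -", line)
```

The split between "quantum-vulnerable" and "weak today" matters for planning: the former waits on the NIST standards and on vendor support, while the latter (an expired certificate, a 1024-bit DH group, a SHA-1 signature) should be fixed regardless of when a quantum computer arrives. Feeding the report to a ticketing system, one item per `name/usage` key, is the natural next step.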
Next-generation computing technologies and quantum computing present threats to the current encryption technologies in place. However, the most ominous threat may not materialize for some time, with some experts suggesting that a fully functioning quantum computer could still be decades away while others claim that quantum computing will become viable in just a few short years. Either way, there is no harm in preparing for the next generation of hardware threats now instead of later. After all, improving one's crypto-agility offers real-world benefits today and helps to mitigate current cybersecurity attack vectors while helping organizations to be more prepared for other threats as well.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.