Protecting Encrypted Data in a Quantum Computing World
Dave Krauthamer, Co-Founder and CEO of QuSecure | Federal News Network | 10 June 2022
In today’s globally connected world, encryption keeps you, your finances, your personal “secrets,” and your information safe.
Encryption is used everywhere today: social media, shopping, banking, email and more. Many other essential applications rely upon cryptography, or the practice of turning plaintext information into a scrambled ciphertext to keep private data secret and secure. When a bad actor successfully decrypts data, your information can be used to steal your identity, send emails pretending to be you, transfer your money, or worse. Here is the unwelcome news: Technology experts and security leaders believe this type of crime will be regularly committed by the end of the decade.
With today’s computers, sometimes called “classical computers,” it would take approximately 300 trillion years to break a 2048-bit RSA encryption key. A new type of computer called a “quantum computer” will perform the same calculation in 10 seconds. Because of the development of this new class of computers, the protection of our information, financial details and personal secrets is at risk today.
On the plus side, quantum computers also offer many new and exciting possibilities. They will be able to help identify new pharmaceuticals, enable banks to provide better financial returns, and reduce the time and energy needed to manufacture and ship goods.
So how did we end up in this precarious state? Today’s economy and habits have resulted in all of our sensitive personal data being transferred on the internet and stored in vast encrypted repositories. Social media, email, cloud storage and health records encourage us to trust businesses with the secure storage and transmission of our information.
Most businesses believe their approach to encryption keeps your information out of unauthorized hands. Overall, today this works well; encrypted webpages (shown with a padlock in the address bar) are secure and have become the default under a scheme known as “HTTPS Everywhere.” Encrypted web traffic now accounts for approximately 89% of all traffic traveling over the public internet. This includes banking and shopping, but also web pages where you are less likely to have sensitive information, such as sites for local restaurants.
To understand how encryption has come to be “everywhere” today, we must know why it is used and how it has been used historically to protect sensitive data.
As with many inventions, the first types of encryption were a product of war. The ancient Spartans wrote a message with a certain periodicity that, when wrapped around a rod of the correct dimensions, would correctly space out the intended message. Any rod of the wrong size would cause incorrect spacing and cause the message to become scrambled and illegible. Julius Caesar used the first ciphertext via the “Caesar Cipher” that simply shifted characters by three positions: A goes to D, B becomes E, etc. Naturally, this was not an exceedingly difficult code to crack, so increasingly sophisticated versions of ciphers have been developed to secure the sensitive contents of the underlying message.
IBM pioneered modern cryptography (digital encryption) in the early 1970s. Known as the Data Encryption Standard, or DES, it became the U.S. national standard for encryption. DES remained in use until it was cracked in the late 90s and was replaced by the Advanced Encryption Standard (AES), which is still in use today. Another equally significant event also took place in the 1970s, when Diffie and Hellman published their seminal work on key exchange. Soon, the RSA cryptosystem leveraged the Diffie-Hellman exchange to support secure exchange as an algorithm. Today, AES combined with RSA’s algorithm allows for the secure transfer of information on the public internet by using Public Key encryption to send the shared symmetric key privately between two parties.
Using both algorithms helps overcome the weaknesses of each: Public Key is slow whereas AES is quick; AES requires both parties to know the key to decrypt data, while adding Public Key lets the two parties share that secret symmetric key. This is overwhelmingly today’s most popular encryption approach, protecting the world’s vast amounts of private data.
Public Key Infrastructure (PKI) has stood the test of time, protecting data for many decades, and will continue to do so for many decades to come. It has not been static either, as the PKI algorithms have been adjusted to increase security as computers have become more powerful and are more likely to crack less sophisticated encryption.
There is a massive upgrade to PKI that will cause almost every internet-connected device to update and change its underlying algorithms to a more secure encryption scheme. The governing body for encryption, the National Institute of Standards and Technology, along with the National Security Agency, Congress and the White House, have all demanded action on accomplishing this upgrade as soon as possible.
Why now? The answer is quantum computing. Scientists anticipate that in a few years quantum computing will compromise the Public Key cryptosystem used by PKI for the initial key exchange. Even Sundar Pichai, CEO of Alphabet (Google’s parent company), has stated that “[I]n a five to ten-year time frame, quantum computing will break encryption as we know it.”
The fallout from PKI encryption being broken would be massive. A recent study by the Hudson Institute has estimated that a successful quantum attack could cause up to $2 trillion in damage to the U.S. economy alone. Collateral damage would certainly expand beyond these vast numbers. Government, financial institutions, healthcare and critical infrastructure represent only a tiny fraction of sectors at risk.
This upgrade is not a simple process. The need to protect against quantum computer risks was not anticipated, so there is not an easy way to upgrade a device that is using current PKI. Systems will have to be patched either by appropriately skilled internal corporate networking professionals for on-premises deployments or by the hosting company for those in the cloud.
As with many new technologies, there are multiple solution designs and no standard for how a given device talks to other devices on the network and the internet; a one-size-fits-all option will not work for devices. It may not be feasible to upgrade all devices on a network simultaneously; a one-size-fits-all option for networks also will not work.
Companies need to start planning for this near-horizon risk today. Fortunately, there is a burgeoning post-quantum encryption market where companies recognize these challenges and are rising to address them. Any solution in the post-quantum networking space must address both the short-sighted approach to current network security that caused this lurch in the upgrade and the highly variable device and network needs of each organization and business sector. Software-only update approaches allow for endlessly flexible and extensible management of this upgrade to meet the needs of today’s diverse organizations.