Tips for security in post-quantum computing

Avesta Hojjati, Head of R&D at DigiCert.

After decades of research in the “quantum” field, this new era is characterized by the emergence of quantum technologies with applications in different industries and impact on everyday life.

What can quantum computing help for? It will fundamentally increase processing power, which could mean exciting advancements from particle physics to machine learning to medical science.

Why are quantum computers so important? Some strategic points to understand the era of quantum computing are the following:

• It represents the next evolutionary step in quantum mechanics.
• Combines information theory with quantum mechanics.
• Process huge amounts of data at once.
• It has the ability to quickly arrive at non-linear responses.
• Prime number factors much faster than existing computers, threatening public key encryption when it is in the wrong hands.

Unfortunately, this last point is a disadvantage for organizations trying to keep their data safe. In this post-quantum computing (PQC) reality, today’s encryption algorithms will be no match for the rapid code-breaking possible with quantum computers. Cybercriminals will take advantage of this ability once quantum computers become more accessible.

According to the 2019 DigiCert Post Quantum Crypto Survey, 71% of IT professionals recognize the threat quantum computing poses to existing cryptography, respondents are concerned about this threat as it may emerge by 2022. Overall companies have doubts about the best way to respond to these threats.

This threat is imminent. Cybercriminals are likely to accumulate encrypted data in anticipation of the day when quantum computers are available to the general public and can be used to break modern cryptography, in this scenario companies should not wait therefore it is essential to identify knowledge from the company on the threat of quantum computing and its current level of readiness for a future PQC.

Avesta Hojjati, Head of R&D at DigiCert indicates: ‘Determining the degree of knowledge and the level of preparation of the company will determine the level of PQC maturity of the company. Once a business achieves mastery, it is in an excellent place to anticipate security needs and protect critical systems and applications. Each level carries its own risks, including dominance, as it could be tempting to become overconfident, relax security standards, and revert to a previous level.”

Tip No.1: Increase Crypto-agility: In crypto-agility, companies strive for an efficient method to effortlessly identify and replace outdated crypto algorithms when needed. First, it is important to identify all the servers (protocols, libraries, algorithms, and certificates) that use encryption within an organization. One way to do this is by adopting a certificate management platform that automates the management of the certificate lifecycle. Second, it is essential to document what has been learned as part of a plan that includes how encryption problems will be identified and resolved. Third, it is key to ask third-party vendors how they plan to protect against quantum threats and also verify that new vendors are well prepared.

Tip # 2: Identify the Right HSM: Organizations rely on Hardware Security Modules (HSMs) to protect the custom keys used in their Public Key Infrastructure (PKI). For this it is important that companies investigate how they are being used, if they can be upgraded to support quantum security encryption, and if so, how quickly those upgrades could occur. Digital security firms Gemalto and Ultimaco, among others, offer HSM with quantum security.

Tip No.3: Trust SSL Certificates: Several companies, including Google and Microsoft, have best practice for Always On SSL (AOSSL), according to the Internet Society blog post “Best Practice: Always On SSL (AOSSL)” . SSL / TLS certificates let website visitors know that the site is authentic and that the data they enter will be encrypted. With AOSSL, companies can enforce encryption on all websites (internal and external), reducing the company’s exposure to cyberattacks such as Man-In-The-Middle (MITM).

‘An important approach to preparing for post-quantum cryptographic threats is to gain encryption agility. A properly implemented AOSSL makes it easy to update encryption algorithms in response to future quantum computing threats, ” Avesta Hojjati added.

Tip No.4: Check the PQC Strategy: Companies that are best equipped for the PQC era regularly test their security to make sure it holds up in the event of a real threat. Usually that means observing how your certificates perform in a sandbox environment so that you can adjust your approach if something is not working effectively. Knowing your environment, having broad visibility into the organization, and taking the right action at the time of an actual treatment are essential steps to guard against the threat caused by quantum computers.

The threat quantum computing poses to encryption has loomed for years. Therefore, if companies have not taken action so far, it is very important to determine their level of knowledge, preparation and take steps to advance in both cases. The more that can be improved in both areas, the better it will be when cybercriminals start using quantum computers to crack cryptography that was previously difficult to crack.

Translator’s note: According to studies by prestigious cryptographers, quantum computers may eventually attack asymmetric methods but NOT symmetric ones.