If the science of quantum computing feels a lot like black magic to you, you are not alone. The technology—which seems to almost mystically just “know” the answer—allows us to solve problems previously thought impossible, like quickly factoring the products of large primes. And it is capabilities like this that have IT security people very worried, since a large portion of modern cryptography is based on exactly the principle of leveraging hard-to-compute math problems.
So, here’s the nightmare scenario: we have built our security infrastructure on the use of hard math problems used to encrypt our private and sensitive data; someone builds a quantum computer that can quickly decrypt that data and can learn all our secrets. Panic in the streets! Will all secure websites have to stop operating? Will we have to start actually walking into physical banks again?
Well, no. Quantum computing isn’t exactly news, and there are already several efforts underway to create cryptographic algorithms that are “quantum safe”—meaning they can’t be cracked by quantum computing. In fact, we are pretty close to having some of them approved by the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA), and efforts have already started to code them into the common cryptographic libraries. But this process will take some time, and of course even once that is done it can take a very long time for all the real-world implementations to actually start using (much less requiring) these updated libraries. Heck, even a full year after the critical Log4j vulnerability was disclosed, many major packages still haven’t updated the version they use.
Hence, a lot of the risk comes down to how long it will take for quantum technology to advance to the point where it can actually solve these hard math problems, a capability that will require lots of logical qubits (it often takes hundreds or thousands of physical qubits to produce a single reliable logical qubit). So far quantum computers are only up to double digits. And although some people think that a secret government lab somewhere might have something better hidden away, and there have been some claims of large numbers being factored (usually depending on a lot of tricks), most people think we are at least a couple years away from general-purpose cracking of our current crypto algorithms.
So, are we totally safe then? Well… not quite. Although it is very likely that common systems like web servers and browsers will roll out quantum safe crypto in time, there will be a lot of systems that drag their feet. Transport Layer Security (TLS) 1.3 was published in 2018, and it took three full years for it to get rolled out to more than 50% of websites. On top of that, even if we can secure new connections, our old encrypted data might be lying around waiting for someone to decrypt it (like, say, in that enormous US government facility in Salt Lake City).
So, what can you do to mitigate the potential threats posed by quantum computing, and its anticipated ability to break current crypto? Here are some thoughts:
● Make sure you update to the latest versions of the software you run in your organisation, particularly anything that can accept a network connection or stores anything encrypted. This is good security practice anyway, but it is particularly important for anything that uses encryption.
● If your software vendors seem to be lagging in adding support for quantum safe crypto, ask them to get cracking.
● Just having up-to-date software isn’t enough. Make sure you review the configuration of that software and disable the use of older or less secure protocols. This may require some testing of the clients that use your services, and may require updating those client systems as well, to support modern encryption. Continue this process as quantum safe crypto is rolled out.
● Where possible, increase the length of any keys used for encryption. A 2048-bit key will be a lot stronger than a 1024-bit key, and quantum computers will have to develop even further to factor those longer keys.
● If you don’t need to store private or sensitive data, don’t store it. If you do need to store it and it has already been stored with an older protocol or a shorter key, consider exporting, re-encrypting, and re-storing that data, then deleting the old data that has weaker encryption.
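The checklist above applied to an asset inventory, as an added example that is not part of the original article. The TLS 1.2 and 2048-bit floors, the `Asset` record layout and the asset names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Policy floors are assumptions for this example; the article names no exact thresholds.
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_TLS = "TLSv1.2"
MIN_RSA_BITS = 2048

@dataclass
class Asset:
    name: str
    kind: str                # "endpoint" accepts connections, "datastore" holds encrypted data
    rsa_bits: int            # size of the RSA key protecting the asset
    protocols: tuple = ()    # TLS versions enabled (endpoints only)
    needed: bool = True      # False when stored data has no remaining business need

def review(asset):
    """Return the checklist actions that apply to one asset (empty list = compliant)."""
    if asset.kind == "datastore" and not asset.needed:
        return ["delete: data is no longer needed"]
    actions = []
    floor = TLS_ORDER.index(MIN_TLS)
    old = [p for p in asset.protocols if TLS_ORDER.index(p) < floor]
    if old:
        actions.append("disable " + ", ".join(old))
    if asset.rsa_bits < MIN_RSA_BITS:
        if asset.kind == "datastore":
            actions.append(f"export, re-encrypt under a {MIN_RSA_BITS}-bit or longer key, delete old copy")
        else:
            actions.append(f"reissue key at {MIN_RSA_BITS} bits or longer")
    return actions

def worklist(assets):
    """Map asset name -> actions, leaving out assets that already meet the policy."""
    return {a.name: acts for a in assets if (acts := review(a))}

# Constructed sample inventory (hypothetical hosts and data sets).
INVENTORY = [
    Asset("web-frontend", "endpoint", 2048, ("TLSv1.2", "TLSv1.3")),
    Asset("legacy-api", "endpoint", 1024, ("TLSv1.0", "TLSv1.1", "TLSv1.2")),
    Asset("hr-archive-2012", "datastore", 1024),
    Asset("old-marketing-leads", "datastore", 1024, needed=False),
]

if __name__ == "__main__":
    for name, actions in worklist(INVENTORY).items():
        print(name, "->", "; ".join(actions))
```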
Naturally, everything listed above is already industry standard practice, but these items have particular significance in the face of quantum computing and will become much more relevant as we approach the decryption event horizon. How aggressively you pursue these will depend on your risk profile, but every organisation should at least be keeping their software up to date. There’s no need for panic, but some due diligence would be a good idea.
About the author
David Corlette is the Vice President of Product Management for VIPRE Security Group. For the past two decades, David has worked with customers and partners to design and build best-of-breed IT security using innovative threat detection and response solutions. He has broad experience in advanced threat, SIEM, networking, cloud services, security standardisation, open source, agile development and technology policy.