There are a number of “post” worlds that people have to deal with during their life. Post college, post children or, for those with dim expectations, post apocalypse. While few may worry about the latter, everyone from chief information officers to consumers should start preparing on some level for the post-quantum computing world and the impact it could have on encryption.
That is according to security industry professionals who believe that even though quantum-level computers capable of slicing their way through complex encryption algorithms are at least 10 to 20 years away, the time to prepare is now. This is not because implementing the technology will be time consuming, but to ensure that the data currently being compiled by organizations – and even individuals – now will require protection against new threats down the road.
“The level of preparation for what some are calling the ‘cryptoapocalypse’ varies from hysteria to head in the sand,” says Jonathan Sander, vice president of product strategy for Lieberman Software. “Many are simply hoping the vendors will sort it all out and build in what’s needed.”
There are some steps that need to be taken now to prepare for the eventuality of quantum computing and the impact it will have on encryption. Steve Grobman, CTO of the Intel Security Group at Intel, points out that there are data sets being created in 2015 that will need to be able to withstand the quantum-level decryption that will be available in a few decades.
“Do you care if your credit card number is secure in 20 years from now?,” Grobman says. “Probably not. Compare that to your medical history. Then, having your records breached could affect you.”
Even when quantum computing becomes available the impact it will have on encryption will not be immediate as there are a few mitigating circumstances that will hold it back – and so limit its impact.
“The industry is constantly on the lookout for new technologies, and quantum computing is no exception,” says Igor Baikalov, chief scientist at Securonix. “I don’t expect it to be a major game changer though; more of a gradual improvement. Although quantum technology is drastically different, the cost of it will guarantee gradual progression. There will be no overnight adoption.”
OUR EXPERTS: Encryption
Igor Baikalov, chief scientist, Securonix
Craig Gentry, research scientist at the IBM T.J. Watson Research Center
Steve Grobman, CTO, Intel Security Group at Intel
Luther Martin, chief security architect, HP Security Voltage
Dwayne Melançon, CTO and VP, research and development, Tripwire
Jonathan Sander, VP of product strategy, Lieberman Software
Rod Schultz, VP of product, Rubicon Labs
Rod Schultz, vice president of product at Rubicon Labs, adds that the financial aspect should not be understated. “This change to quantum computer resistant algorithms will require incredible synchronization between industry and government and will make the money spent on Y2K look like a drop in the bucket. There is already movement by NIST to force this transition, but unlike Y2K, there is no finish line.”
Other industry insiders are even less worried that quantum computing will play much of a role when it comes to security, indicating that the technological hurdles that need to be overcome will take much longer to leap. “The engineering problems that need to be overcome are extremely daunting and may take several decades or more to solve,” says Luther Martin, chief security architect at HP Security Voltage. “But industry is already thinking about how to handle this extremely unlikely eventuality.”
Regardless of the impact quantum computing has, or does not have, going forward the need for encryption is not going to disappear no matter what new technologies come down the pike.
“Encryption isn’t everything in data security, but it’s about as important as plumbing is to a high rise building,” says Sander. “Would you want to live on the 23rd floor of a 50-story building with no indoor plumbing? That’s simply to say that without encryption to rely on data security will be a mess with data spilling out onto the floor all over the place.”
Securonix’s Baikalov points out that even though encryption may be one of the pillars on which good security is built, it is still only one element of the overall equation. “Current cryptosystems, if properly implemented and used, are practically unbreakable, yet data security is still a huge issue,” he says. “Key management and access control are the most common technological culprits in data breaches. It doesn’t matter how sophisticated and burglar-proof your lock is if you leave the key under the mat.”
The good news is there are encryption types now available that should safeguard data against any upcoming technological threat. Grobman (left) notes that public keys using asymmetric and hash function algorithms would likely be unsecure, but symmetrical, such as AES 256, as well as hashing functions such as SHA2, will remain safe.
“A subset of the cryptographic algorithms we depend on, such as RSA, could be cracked on a quantum computer once a scalable practical implementation is built,” he says. “Other algorithms, such as AES, do not depend on this class of world-load and are generally as difficult to crack on a quantum or standard compute platform.”
Craig Gentry, a research scientist at the IBM T.J. Watson Research Center, agrees that some algorithms will remain unbreakable despite the amount of raw processing power quantum computing will bring to the table. However, there are a couple of caveats that have to be discussed. The first being that encryption has to be instituted properly and, secondly, the human element will always be the weak link when using encryption.
“If encryption is correctly done it is pretty foolproof,” Gentry says, noting that security breaks down when humans become involved. So he believes in using cryptography whenever possible to help eliminate the human element.
What is quantum computing?
Quantum computing uses the laws of quantum physics to perform certain types of calculations much faster than a conventional computer. The quantum principles used are ‘entanglement’ and ‘superposition’ to achieve much greater levels of parallelism for certain classes of computation. It should be noted that many workloads are not accelerated by quantum computing and are more effectively executed on a classic computing platform.
– Steve Grobman, CTO, Intel Security Group at Intel
Lieberman’s Sander adds that even those who should know better still make very basic errors that totally subvert the excellent encryption that is protecting their data. “Some sophisticated folks know enough to look for ‘https’ in the URL before putting in their credit card, but many do not,” he says. “Major organizations still regularly forget to renew things like their root certificates to ensure their websites remain secure. This is all actually a credit to how well encryption tends to work. It just chugs along when we’re not paying attention.”
In order to boost employee and consumer abilities when it comes to security there will be no replacement for training. There’s also consensus around the need to create systems that eliminate as much of the human element as possible.
“The answer is in the design of the system, and the solution is to minimize any interaction the human has with data that is unsecured, and to prevent the human from actually knowing what keys were used to encrypt the data,” says Rubicon’s Schultz. His company is building zero-knowledge key systems for this very reason, and designing them so that only authenticated entities (humans included) can have access to the unencrypted data.
Martin at HPE Security has a more optimistic outlook believing that eventually people will become more savvy when it comes to security threats. “After a while, this particular issue should get a bit better. We’ll still be the weak link in the chain, but we won’t be as weak as we are today.”
As an example, he explains that back in the dot-com era, most PC users could not find the USB port on their computer, even with instructions. Today, that’s a very routine task that almost all PC users can easily accomplish.
A study conducted by the security firm Alertsec found small business owners appreciate the protection encryption delivers. “When asked what benefits of encryption as a service make it indispensable to SMBs and small business owners, 75 percent of respondents say that encryption gives them a peace of mind,” the study found, and half also stated that having everything on their hard drive encrypted, including the operating system, is important to them.
While there is no doubt encryption is needed to protect Big Data, there is also going to be a growing need for it as more and more, currently dumb devices become smart. The expected massive adoption the Internet of Things will scatter important consumer and corporate across a bevy of devices, each of which will need some level of encryption.
There is a practical limitation on how much encryption can be included on devices ranging from smartphones to smart thermostats to connected dishwashers. That is the device’s native processing power, Gentry says.
The other issue is a general lack of industry and governmental protocols for such products. “Encryption is so essential to the ability to communicate securely over the internet that it is a fundamental requirement in a wide range of government regulations designed to protect sensitive data from hackers, nation-state attackers and others with malicious intentions,” says Dwayne Melançon, CTO of Tripwire.
A brief history of encryption
According to the SANS Institute, the earliest example of encryption took place around 1900 BC in Egypt when an Egyptian scribe used non-standard hieroglyphs in an inscription. In 487 BC, the Greeks used what could be considered one of the first encoding devices. The gadget, called a Skytale, featured a wooden staff around which would be wrapped a strip of leather on which the message would be written. The leather was then worn as a belt and to properly decode the note one would have to have a staff of the same height. This period also saw the first use of simple substitution codes and, starting in the 1300s, ciphers and passphrases came into use.
The introduction of long-distance telegraphic and radio communications created a need for even more complicated coding and encryption as the end-result of having a nation’s communications intercepted and decoded could lead to battles won or wars lost. Two of the best known examples are the Allies capture of a German Enigma coding machine which enabled them to read German military radio traffic leading to the destruction of the U-Boat blockade of Great Britain, and the United States’ cracking of the Japanese military code leading to a stunning victory at The Battle of Midway in June 1942.