The Key To Future-Proof Encryption

It is widely accepted that quantum computing will present a significant threat to current public-key cryptography (PKC), which many modern systems rely on for information sharing and trust mechanisms. 'Store Now, Decrypt Later' (SNDL) attacks are on the rise, as hackers harvest data for future decryption with quantum technology. 

As NIST prepares to publish a final version of PKC standards, there remains concerns about the security behind the underlying hard problems of lattice cryptograph. This is leaving many network operators in search of an effective defence.

With practical guidance for enterprises and governments, Arqit CEO David Williams explores how to harden network communications against current and future vulnerabilities.

Q: How concerning is the threat of quantum computing to digital security, and why is it important for organisations to take proactive measures now? 

Unlike classical computers, quantum computers can solve complex mathematical problems at an exponential rate, and this threatens to break encryption methods that are widely used across the world. Unfortunately, this threat isn’t getting the attention it deserves – and some senior commentators are still suggesting that the cryptographic transition will take ten-fifteen-year period. 

Meanwhile, Microsoft is making serious progress on a Universal Quantum Computer. It’s becoming harder to ignore the idea that Quantum Computers could be everywhere in the next five years, with the potential to render our current encryption useless. The US is moving quick on this, and the UK should offer similar guidance to its industries. We really can't afford to drag our feet on this.

Q: What is the scale of the Store Now, Decrypt Later (SNDL) threat? 

SNDL attacks pose significant financial, compliance, and reputational risks. As highlighted by The GSM Association (GSMA), these attacks challenge the security of data with enduring confidentiality needs, such as state secrets, corporate intellectual property or individual bio-data.

Hostile states are already capturing large volumes of data, by tapping undersea cable, interception units, and even collaboration with telecom providers. This data is earmarked for decryption later when powerful quantum computers are available. These SNDL attacks exploit the assumption that encryption keys, found alongside the data payload in packets, will eventually succumb to decryption by quantum computers, rendering the data accessible and compromised.

The encryption keys used in today’s PKC are based on mathematical principles that would take current technology billions of years to reverse-engineer. Quantum computers can accomplish this in hours or minutes.

Government bodies, whether directly or through intermediaries such as proxies or affiliated hacker groups, have been harvesting digital data for years. It’s believed that China maintains an extensive programme for harvesting data from undersea cables. According to the FBI, the volume of data stolen by China surpasses that of all other nations combined.

Q: How can organisations ensure their security measures remain effective against current and future encryption threats, without the need for constant upgrades?

Crypto-agility is critical to modernising cryptography. In the latter stages of NIST’s post-quantum standardisation process, a number of algorithms have been discovered to be easily attacked. 

Symmetric encryption is the gold standard for post-quantum protection.  The security of symmetric encryption is based on the overall complexity of its encryption transformations, which for AES involve a series of substitutions, permutations, and linear transformations. Public key algorithms however rely on a single hard mathematical problem, such a factoring large number or finding the shortest vector in a lattice.

By incorporating dynamic rotating authentication to symmetric key agreement, on cannot only prevents today’s man-in-the-middle attacks but also future-proofs against quantum risks. Even if a key is carelessly exposed by the user, the window of vulnerability is minimised because the key can rotate every second. 

When implemented as part of a zero-trust framework, this is completely future proof, helping enterprises avoid the disruption of constant upgrades as quantum computing advances.  

Q: How does Arqit integrate symmetric keys into its offering and what does this mean for enterprises and governments? 

The difficulty with symmetric key encryption has always been how streamline key agreement between two parties. In response, we developed a Symmetric Key Agreement (SKA) platform that can be used for any encryption task, without needing disruptive ‘rip and replace’ upgrades. With the ability to digitally rotate symmetric keys in real time and dynamically manage security groups, we offer a simple, yet effective, way to protect VPN-enabled data connections and digital assets against current and future threats like spoofing, harvesting, and tampering. Today, our platform is the only RFC 8784-compliant method of delivering symmetric keys for those wanting to avoid inflexible, expensive hardware crypto devices.

Q: Finally, are there any examples of the use of Arqit’s symmetric keys? 

Recently, Arqit and technology giant Intel joined forces to test a post quantum cryptography solution to enhance the safety of IPsec tunnels in high-performance computing environments. 

Currently, high-performance networking applications often use a software solution called VPP-SSwan, which is a combination of two open-source projects: FD.io VPP, a networking stack that makes incredibly fast packet processing possible on Intel processors, and strongSwan, an interface for setting up secure communications channels.

The key exchange method used by this solution is at risk of being cracked in the near future by quantum computers. That is, unless Arqit’s SKA-platform is integrated to provide a quantum-safe solution with lightweight endpoints that don’t compromise performance. Intel is endorsing this solution for networking applications in the face of the very real quantum threat.

Image: Ideogram

You Might Also Read: 

CISA's Post-Quantum Cryptography Initiative:

DIRECTORY OF SUPPLIERS - Post-Quantum Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Chatham House Cyber Conference
2024 and beyond: Top six cloud security trends »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Firebrand

Firebrand

Firebrand is the leader in Accelerated Learning in the field of IT and project management.

ESNC

ESNC

ESNC’s vulnerability management and real-time SAP security monitoring solutions help largest corporations in the world to effectively prioritize SAP security tasks and secure their business.

Cyberlitica

Cyberlitica

Cyberlitica (formerly iPhish) provides a Workforce Threat Intelligence application that significantly augments companies’ cyber threat prevention efforts.

Rezilion

Rezilion

Rezilion is a stealth mode cyber-security start-up developing a cutting edge technology that makes cloud environments self-protecting and resilient to cyber-attacks.

Scout Ventures

Scout Ventures

Scout Ventures is an early stage venture capital firm that is making the world a better, safer place by cultivating standout frontier technologies.

Upper Peninsula Cybersecurity Institute - Northern Michigan University

Upper Peninsula Cybersecurity Institute - Northern Michigan University

Upper Peninsula Cybersecurity Institute at Northern Michigan University offers non-degree and industry credentials relevant to emerging careers in cybersecurity.

Sabat Group

Sabat Group

Sabat Group provide relationship-driven information security & cyber security recruiting services.

Forever Group

Forever Group

Forever Group is a Managed Services Provider specialising in Telecommunications, IT Support, and Cyber Security.

Nineteen Group

Nineteen Group

Nineteen Group delivers major-scale exhibitions within the security, fire, emergency services, health and safety, facilities management and maintenance engineering sectors.

SensCy

SensCy

SensCy is a Trusted Guide for Sensible Cybersecurity for small and medium-sized organizations.

ALSCO

ALSCO

ALSCO is dedicated to bringing first class IT services, technical support, and solutions to goverment, companies and organizations worldwide.

Three Wire Systems

Three Wire Systems

Three Wire is a leader in innovative and efficient technology solutions for government agencies and large enterprise corporations.

Troye Computer Systems

Troye Computer Systems

Troye provide a complete range of digital workspace solutions that empower people to do their very best work in a safe and secure manner anywhere, anytime, using any device.

Ironblocks

Ironblocks

Ironblocks is a pioneering cybersecurity firm that specializes in delivering comprehensive, end-to-end security solutions for the rapidly evolving Web3 ecosystem.

Redpoint Cybersecurity

Redpoint Cybersecurity

Redpoint Cybersecurity is a human-led, technology-enabled managed cybersecurity provider specializing in Digital Forensics, Incident Response and proactive cyberattack prevention.

Sandfly Security

Sandfly Security

Sandfly focuses on Linux security that is high performance, high stability, high compatibility, and low risk.