The Key To Future-Proof Encryption

It is widely accepted that quantum computing will present a significant threat to current public-key cryptography (PKC), which many modern systems rely on for information sharing and trust mechanisms. 'Store Now, Decrypt Later' (SNDL) attacks are on the rise, as hackers harvest data for future decryption with quantum technology. 

As NIST prepares to publish a final version of PKC standards, there remain concerns about the security of the hard problems underlying lattice cryptography. This is leaving many network operators in search of an effective defence.

With practical guidance for enterprises and governments, Arqit CEO David Williams explores how to harden network communications against current and future vulnerabilities.

Q: How concerning is the threat of quantum computing to digital security, and why is it important for organisations to take proactive measures now? 

Unlike classical computers, quantum computers can solve complex mathematical problems at an exponential rate, and this threatens to break encryption methods that are widely used across the world. Unfortunately, this threat isn’t getting the attention it deserves – and some senior commentators are still suggesting that the cryptographic transition will take a ten-to-fifteen-year period.

Meanwhile, Microsoft is making serious progress on a Universal Quantum Computer. It’s becoming harder to ignore the idea that Quantum Computers could be everywhere in the next five years, with the potential to render our current encryption useless. The US is moving quickly on this, and the UK should offer similar guidance to its industries. We really can't afford to drag our feet on this.

Q: What is the scale of the Store Now, Decrypt Later (SNDL) threat? 

SNDL attacks pose significant financial, compliance, and reputational risks. As highlighted by The GSM Association (GSMA), these attacks challenge the security of data with enduring confidentiality needs, such as state secrets, corporate intellectual property or individual bio-data.

Hostile states are already capturing large volumes of data by tapping undersea cables, interception units, and even collaboration with telecom providers. This data is earmarked for decryption later when powerful quantum computers are available. These SNDL attacks exploit the assumption that encryption keys, found alongside the data payload in packets, will eventually succumb to decryption by quantum computers, rendering the data accessible and compromised.

The encryption keys used in today’s PKC are based on mathematical principles that would take current technology billions of years to reverse-engineer. Quantum computers can accomplish this in hours or minutes.

Government bodies, whether directly or through intermediaries such as proxies or affiliated hacker groups, have been harvesting digital data for years. It’s believed that China maintains an extensive programme for harvesting data from undersea cables. According to the FBI, the volume of data stolen by China surpasses that of all other nations combined.

Q: How can organisations ensure their security measures remain effective against current and future encryption threats, without the need for constant upgrades?

Crypto-agility is critical to modernising cryptography. In the latter stages of NIST’s post-quantum standardisation process, a number of algorithms have been discovered to be easily attacked. 

Symmetric encryption is the gold standard for post-quantum protection. The security of symmetric encryption is based on the overall complexity of its encryption transformations, which for AES involve a series of substitutions, permutations, and linear transformations. Public key algorithms, however, rely on a single hard mathematical problem, such as factoring large numbers or finding the shortest vector in a lattice.

By incorporating dynamic rotating authentication into symmetric key agreement, one can not only prevent today’s man-in-the-middle attacks but also future-proof against quantum risks. Even if a key is carelessly exposed by the user, the window of vulnerability is minimised because the key can rotate every second.

When implemented as part of a zero-trust framework, this is completely future proof, helping enterprises avoid the disruption of constant upgrades as quantum computing advances.  

Q: How does Arqit integrate symmetric keys into its offering and what does this mean for enterprises and governments? 

The difficulty with symmetric key encryption has always been how to streamline key agreement between two parties. In response, we developed a Symmetric Key Agreement (SKA) platform that can be used for any encryption task, without needing disruptive ‘rip and replace’ upgrades. With the ability to digitally rotate symmetric keys in real time and dynamically manage security groups, we offer a simple, yet effective, way to protect VPN-enabled data connections and digital assets against current and future threats like spoofing, harvesting, and tampering. Today, our platform is the only RFC 8784-compliant method of delivering symmetric keys for those wanting to avoid inflexible, expensive hardware crypto devices.

Q: Finally, are there any examples of the use of Arqit’s symmetric keys? 

Recently, Arqit and technology giant Intel joined forces to test a post-quantum cryptography solution to enhance the safety of IPsec tunnels in high-performance computing environments.

Currently, high-performance networking applications often use a software solution called VPP-SSwan, which is a combination of two open-source projects: FD.io VPP, a networking stack that makes incredibly fast packet processing possible on Intel processors, and strongSwan, an interface for setting up secure communications channels.

The key exchange method used by this solution is at risk of being cracked in the near future by quantum computers. That is, unless Arqit’s SKA-platform is integrated to provide a quantum-safe solution with lightweight endpoints that don’t compromise performance. Intel is endorsing this solution for networking applications in the face of the very real quantum threat.

Image: Ideogram
