The Key To Future-Proof Encryption

It is widely accepted that quantum computing will present a significant threat to current public-key cryptography (PKC), which many modern systems rely on for information sharing and trust mechanisms. 'Store Now, Decrypt Later' (SNDL) attacks are on the rise, as hackers harvest data for future decryption with quantum technology. 

As NIST prepares to publish a final version of PKC standards, there remains concerns about the security behind the underlying hard problems of lattice cryptograph. This is leaving many network operators in search of an effective defence.

With practical guidance for enterprises and governments, Arqit CEO David Williams explores how to harden network communications against current and future vulnerabilities.

Q: How concerning is the threat of quantum computing to digital security, and why is it important for organisations to take proactive measures now? 

Unlike classical computers, quantum computers can solve complex mathematical problems at an exponential rate, and this threatens to break encryption methods that are widely used across the world. Unfortunately, this threat isn’t getting the attention it deserves – and some senior commentators are still suggesting that the cryptographic transition will take ten-fifteen-year period. 

Meanwhile, Microsoft is making serious progress on a Universal Quantum Computer. It’s becoming harder to ignore the idea that Quantum Computers could be everywhere in the next five years, with the potential to render our current encryption useless. The US is moving quick on this, and the UK should offer similar guidance to its industries. We really can't afford to drag our feet on this.

Q: What is the scale of the Store Now, Decrypt Later (SNDL) threat? 

SNDL attacks pose significant financial, compliance, and reputational risks. As highlighted by The GSM Association (GSMA), these attacks challenge the security of data with enduring confidentiality needs, such as state secrets, corporate intellectual property or individual bio-data.

Hostile states are already capturing large volumes of data, by tapping undersea cable, interception units, and even collaboration with telecom providers. This data is earmarked for decryption later when powerful quantum computers are available. These SNDL attacks exploit the assumption that encryption keys, found alongside the data payload in packets, will eventually succumb to decryption by quantum computers, rendering the data accessible and compromised.

The encryption keys used in today’s PKC are based on mathematical principles that would take current technology billions of years to reverse-engineer. Quantum computers can accomplish this in hours or minutes.

Government bodies, whether directly or through intermediaries such as proxies or affiliated hacker groups, have been harvesting digital data for years. It’s believed that China maintains an extensive programme for harvesting data from undersea cables. According to the FBI, the volume of data stolen by China surpasses that of all other nations combined.

Q: How can organisations ensure their security measures remain effective against current and future encryption threats, without the need for constant upgrades?

Crypto-agility is critical to modernising cryptography. In the latter stages of NIST’s post-quantum standardisation process, a number of algorithms have been discovered to be easily attacked. 

Symmetric encryption is the gold standard for post-quantum protection.  The security of symmetric encryption is based on the overall complexity of its encryption transformations, which for AES involve a series of substitutions, permutations, and linear transformations. Public key algorithms however rely on a single hard mathematical problem, such a factoring large number or finding the shortest vector in a lattice.

By incorporating dynamic rotating authentication to symmetric key agreement, on cannot only prevents today’s man-in-the-middle attacks but also future-proofs against quantum risks. Even if a key is carelessly exposed by the user, the window of vulnerability is minimised because the key can rotate every second. 

When implemented as part of a zero-trust framework, this is completely future proof, helping enterprises avoid the disruption of constant upgrades as quantum computing advances.  

Q: How does Arqit integrate symmetric keys into its offering and what does this mean for enterprises and governments? 

The difficulty with symmetric key encryption has always been how streamline key agreement between two parties. In response, we developed a Symmetric Key Agreement (SKA) platform that can be used for any encryption task, without needing disruptive ‘rip and replace’ upgrades. With the ability to digitally rotate symmetric keys in real time and dynamically manage security groups, we offer a simple, yet effective, way to protect VPN-enabled data connections and digital assets against current and future threats like spoofing, harvesting, and tampering. Today, our platform is the only RFC 8784-compliant method of delivering symmetric keys for those wanting to avoid inflexible, expensive hardware crypto devices.

Q: Finally, are there any examples of the use of Arqit’s symmetric keys? 

Recently, Arqit and technology giant Intel joined forces to test a post quantum cryptography solution to enhance the safety of IPsec tunnels in high-performance computing environments. 

Currently, high-performance networking applications often use a software solution called VPP-SSwan, which is a combination of two open-source projects: FD.io VPP, a networking stack that makes incredibly fast packet processing possible on Intel processors, and strongSwan, an interface for setting up secure communications channels.

The key exchange method used by this solution is at risk of being cracked in the near future by quantum computers. That is, unless Arqit’s SKA-platform is integrated to provide a quantum-safe solution with lightweight endpoints that don’t compromise performance. Intel is endorsing this solution for networking applications in the face of the very real quantum threat.

Image: Ideogram

You Might Also Read: 

CISA's Post-Quantum Cryptography Initiative:

DIRECTORY OF SUPPLIERS - Post-Quantum Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Chatham House Cyber Conference
2024 and beyond: Top six cloud security trends »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

PSC

PSC

PSC is a leading PCI and PA DSS assessor and Approved Scanning Vendor.

BTWorks

BTWorks

BTWorks provides identity management and anti-phishing / smishing solutions for web and mobile apps.

Cyber8Lab

Cyber8Lab

Cyber8Lab provides cybersecurity training programmes simulating real world cybersecurity incidents such as web defacement, malware, phishing, digital forensics analysis and wireless intrusion.

Cyverse

Cyverse

Cyverse is a cyber-security firm which provides corporations with state-of-the-art cyber-security service-based and technological solutions made in Israel.

Platin Bilişim

Platin Bilişim

Platin Bilisim is an IT Security company providing consultancy, solutions and operational support services.

ST Engineering

ST Engineering

ST Engineering is a leading provider of trusted and innovative cybersecurity solutions.

SOOHO

SOOHO

SOOHO helps to detect security vulnerabilities earlier. Our blockchain security platform audits from smart contracts to on-chain transactions.

Stratum Security

Stratum Security

Stratum Security is an information security consulting company that focuses on providing clear and concise risk guidance to its clients through high quality assessment services.

Keysight Technologies

Keysight Technologies

Keysight is dedicated to providing tomorrow’s test technologies today, enabling our customers to connect and secure the world with their innovations.

Alibaba Cloud

Alibaba Cloud

Alibaba Cloud is committed to safeguarding the cloud security for every business by leveraging a comprehensive suite of enterprise security services and products on the platform.

Cyware

Cyware

Cyware is the only company building Virtual Cyber Fusion Centers enabling end-to-end threat intelligence automation, sharing, and unprecedented threat response for organizations globally.

Dropzone AI

Dropzone AI

Dropzone AI are creating a generational leap in SecOps by using AI to automate cyber expertise and tooling.

Astran

Astran

At Astran, we revolutionize data security by introducing a groundbreaking solution for data confidentiality headaches.

Staley Technologies

Staley Technologies

Staley Technologies is a US nationwide structured cabling, technology integrator, and Managed IT & Cyber Security provider.

CyberCure

CyberCure

CyberCure provide specialised roles and services to manage your organisations cybersecurity requirements and professional advisory services in governance, risk and compliance.

Syteca

Syteca

Syteca is specifically designed to secure organizations against threats caused by insiders. It provides full visibility and control over internal risks.