The Key To Future-Proof Encryption

Uploaded on 2024-05-21 in TECHNOLOGY-Key Areas-Quantum Computing, FREE TO VIEW

It is widely accepted that quantum computing will present a significant threat to current public-key cryptography (PKC), which many modern systems rely on for information sharing and trust mechanisms. 'Store Now, Decrypt Later' (SNDL) attacks are on the rise, as hackers harvest data for future decryption with quantum technology. 

As NIST prepares to publish a final version of PKC standards, there remains concerns about the security behind the underlying hard problems of lattice cryptograph. This is leaving many network operators in search of an effective defence.

With practical guidance for enterprises and governments, Arqit CEO David Williams explores how to harden network communications against current and future vulnerabilities.

Q: How concerning is the threat of quantum computing to digital security, and why is it important for organisations to take proactive measures now? 

Unlike classical computers, quantum computers can solve complex mathematical problems at an exponential rate, and this threatens to break encryption methods that are widely used across the world. Unfortunately, this threat isn’t getting the attention it deserves – and some senior commentators are still suggesting that the cryptographic transition will take ten-fifteen-year period. 

Meanwhile, Microsoft is making serious progress on a Universal Quantum Computer. It’s becoming harder to ignore the idea that Quantum Computers could be everywhere in the next five years, with the potential to render our current encryption useless. The US is moving quick on this, and the UK should offer similar guidance to its industries. We really can't afford to drag our feet on this.

Q: What is the scale of the Store Now, Decrypt Later (SNDL) threat? 

SNDL attacks pose significant financial, compliance, and reputational risks. As highlighted by The GSM Association (GSMA), these attacks challenge the security of data with enduring confidentiality needs, such as state secrets, corporate intellectual property or individual bio-data.

Hostile states are already capturing large volumes of data, by tapping undersea cable, interception units, and even collaboration with telecom providers. This data is earmarked for decryption later when powerful quantum computers are available. These SNDL attacks exploit the assumption that encryption keys, found alongside the data payload in packets, will eventually succumb to decryption by quantum computers, rendering the data accessible and compromised.

The encryption keys used in today’s PKC are based on mathematical principles that would take current technology billions of years to reverse-engineer. Quantum computers can accomplish this in hours or minutes.

Government bodies, whether directly or through intermediaries such as proxies or affiliated hacker groups, have been harvesting digital data for years. It’s believed that China maintains an extensive programme for harvesting data from undersea cables. According to the FBI, the volume of data stolen by China surpasses that of all other nations combined.

Q: How can organisations ensure their security measures remain effective against current and future encryption threats, without the need for constant upgrades?

Crypto-agility is critical to modernising cryptography. In the latter stages of NIST’s post-quantum standardisation process, a number of algorithms have been discovered to be easily attacked. 

Symmetric encryption is the gold standard for post-quantum protection.  The security of symmetric encryption is based on the overall complexity of its encryption transformations, which for AES involve a series of substitutions, permutations, and linear transformations. Public key algorithms however rely on a single hard mathematical problem, such a factoring large number or finding the shortest vector in a lattice.

By incorporating dynamic rotating authentication to symmetric key agreement, on cannot only prevents today’s man-in-the-middle attacks but also future-proofs against quantum risks. Even if a key is carelessly exposed by the user, the window of vulnerability is minimised because the key can rotate every second. 

When implemented as part of a zero-trust framework, this is completely future proof, helping enterprises avoid the disruption of constant upgrades as quantum computing advances.  

Q: How does Arqit integrate symmetric keys into its offering and what does this mean for enterprises and governments? 

The difficulty with symmetric key encryption has always been how streamline key agreement between two parties. In response, we developed a Symmetric Key Agreement (SKA) platform that can be used for any encryption task, without needing disruptive ‘rip and replace’ upgrades. With the ability to digitally rotate symmetric keys in real time and dynamically manage security groups, we offer a simple, yet effective, way to protect VPN-enabled data connections and digital assets against current and future threats like spoofing, harvesting, and tampering. Today, our platform is the only RFC 8784-compliant method of delivering symmetric keys for those wanting to avoid inflexible, expensive hardware crypto devices.

Q: Finally, are there any examples of the use of Arqit’s symmetric keys? 

Recently, Arqit and technology giant Intel joined forces to test a post quantum cryptography solution to enhance the safety of IPsec tunnels in high-performance computing environments. 

Currently, high-performance networking applications often use a software solution called VPP-SSwan, which is a combination of two open-source projects: FD.io VPP, a networking stack that makes incredibly fast packet processing possible on Intel processors, and strongSwan, an interface for setting up secure communications channels.

The key exchange method used by this solution is at risk of being cracked in the near future by quantum computers. That is, unless Arqit’s SKA-platform is integrated to provide a quantum-safe solution with lightweight endpoints that don’t compromise performance. Intel is endorsing this solution for networking applications in the face of the very real quantum threat.

Image: Ideogram

You Might Also Read: 

CISA's Post-Quantum Cryptography Initiative:

DIRECTORY OF SUPPLIERS - Post-Quantum Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Chatham House Cyber Conference
2024 and beyond: Top six cloud security trends »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CloudInsure

CloudInsure

CloudInsure is a Cloud Insurance platform designed to specifically address emerging liabilities within the Cloud environment.

Alarum Technologies

Alarum Technologies

Alarum Technologies (formerly Safe-T) is a global provider of cyber security and privacy solutions to consumers and enterprises.

Praetorian

Praetorian

Praetorian is an offensive cybersecurity company whose mission is to prevent breaches before they occur.

Early Warning Services

Early Warning Services

Early Warning is committed to providing awareness, education, and enablement around fraud prevention.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Netacea

Netacea

Netacea provides a revolutionary bot management solution that protects websites, mobile apps and APIs from malicious attacks such as scraping, credential stuffing and account takeover.

AiCULUS

AiCULUS

AiCULUS is a global technology company that specializes in API security and Risk Management products.

Responsible Cyber

Responsible Cyber

Protect yourself with Responsible Cyber’s 360° platform, IMMUNE, arming you with comprehensive support for your business.

Airtel Secure

Airtel Secure

Airtel Secure’s multi-layered, full service cybersecurity offerings are designed to safeguard enterprises against threats of various kinds and origins.

QA Consultants

QA Consultants

QA Consultants is North America’s largest software quality engineering services firm, an award-winning onshore provider of software testing and quality assurance solutions.

Entro Security

Entro Security

Entro is the first holistic secrets security platform that detects, safeguards, and enriches with context your secrets across code, vaults, chats, and platforms.

Flawnter

Flawnter

Flawnter is a security testing software that finds hidden security and quality flaws in your applications.

Attestiv

Attestiv

Attestiv puts authenticity into photos, videos and documents by utilizing advanced technologies in AI and tamper-proofing.

Silobreaker

Silobreaker

Silobreaker is a SaaS platform that enables threat intelligence teams to produce high-quality and relevant intelligence at a faster pace.

RAH Infotech

RAH Infotech

RAH Infotech is India’s leading value added distributor and solutions provider in the Network and Security domain. We are specialists in Enterprise and App Security and Application Delivery.

GrayHats

GrayHats

GrayHats is a platform-based cybersecurity company devoted to delivering comprehensive, scalable, and proactive protection for businesses in an ever-evolving threat landscape.