The Key To Future-Proof Encryption

Uploaded on 2024-05-21 in TECHNOLOGY-Key Areas-Quantum Computing, FREE TO VIEW

It is widely accepted that quantum computing will present a significant threat to current public-key cryptography (PKC), which many modern systems rely on for information sharing and trust mechanisms. 'Store Now, Decrypt Later' (SNDL) attacks are on the rise, as hackers harvest data for future decryption with quantum technology. 

As NIST prepares to publish a final version of PKC standards, there remains concerns about the security behind the underlying hard problems of lattice cryptograph. This is leaving many network operators in search of an effective defence.

With practical guidance for enterprises and governments, Arqit CEO David Williams explores how to harden network communications against current and future vulnerabilities.

Q: How concerning is the threat of quantum computing to digital security, and why is it important for organisations to take proactive measures now? 

Unlike classical computers, quantum computers can solve complex mathematical problems at an exponential rate, and this threatens to break encryption methods that are widely used across the world. Unfortunately, this threat isn’t getting the attention it deserves – and some senior commentators are still suggesting that the cryptographic transition will take ten-fifteen-year period. 

Meanwhile, Microsoft is making serious progress on a Universal Quantum Computer. It’s becoming harder to ignore the idea that Quantum Computers could be everywhere in the next five years, with the potential to render our current encryption useless. The US is moving quick on this, and the UK should offer similar guidance to its industries. We really can't afford to drag our feet on this.

Q: What is the scale of the Store Now, Decrypt Later (SNDL) threat? 

SNDL attacks pose significant financial, compliance, and reputational risks. As highlighted by The GSM Association (GSMA), these attacks challenge the security of data with enduring confidentiality needs, such as state secrets, corporate intellectual property or individual bio-data.

Hostile states are already capturing large volumes of data, by tapping undersea cable, interception units, and even collaboration with telecom providers. This data is earmarked for decryption later when powerful quantum computers are available. These SNDL attacks exploit the assumption that encryption keys, found alongside the data payload in packets, will eventually succumb to decryption by quantum computers, rendering the data accessible and compromised.

The encryption keys used in today’s PKC are based on mathematical principles that would take current technology billions of years to reverse-engineer. Quantum computers can accomplish this in hours or minutes.

Government bodies, whether directly or through intermediaries such as proxies or affiliated hacker groups, have been harvesting digital data for years. It’s believed that China maintains an extensive programme for harvesting data from undersea cables. According to the FBI, the volume of data stolen by China surpasses that of all other nations combined.

Q: How can organisations ensure their security measures remain effective against current and future encryption threats, without the need for constant upgrades?

Crypto-agility is critical to modernising cryptography. In the latter stages of NIST’s post-quantum standardisation process, a number of algorithms have been discovered to be easily attacked. 

Symmetric encryption is the gold standard for post-quantum protection.  The security of symmetric encryption is based on the overall complexity of its encryption transformations, which for AES involve a series of substitutions, permutations, and linear transformations. Public key algorithms however rely on a single hard mathematical problem, such a factoring large number or finding the shortest vector in a lattice.

By incorporating dynamic rotating authentication to symmetric key agreement, on cannot only prevents today’s man-in-the-middle attacks but also future-proofs against quantum risks. Even if a key is carelessly exposed by the user, the window of vulnerability is minimised because the key can rotate every second. 

When implemented as part of a zero-trust framework, this is completely future proof, helping enterprises avoid the disruption of constant upgrades as quantum computing advances.  

Q: How does Arqit integrate symmetric keys into its offering and what does this mean for enterprises and governments? 

The difficulty with symmetric key encryption has always been how streamline key agreement between two parties. In response, we developed a Symmetric Key Agreement (SKA) platform that can be used for any encryption task, without needing disruptive ‘rip and replace’ upgrades. With the ability to digitally rotate symmetric keys in real time and dynamically manage security groups, we offer a simple, yet effective, way to protect VPN-enabled data connections and digital assets against current and future threats like spoofing, harvesting, and tampering. Today, our platform is the only RFC 8784-compliant method of delivering symmetric keys for those wanting to avoid inflexible, expensive hardware crypto devices.

Q: Finally, are there any examples of the use of Arqit’s symmetric keys? 

Recently, Arqit and technology giant Intel joined forces to test a post quantum cryptography solution to enhance the safety of IPsec tunnels in high-performance computing environments. 

Currently, high-performance networking applications often use a software solution called VPP-SSwan, which is a combination of two open-source projects: FD.io VPP, a networking stack that makes incredibly fast packet processing possible on Intel processors, and strongSwan, an interface for setting up secure communications channels.

The key exchange method used by this solution is at risk of being cracked in the near future by quantum computers. That is, unless Arqit’s SKA-platform is integrated to provide a quantum-safe solution with lightweight endpoints that don’t compromise performance. Intel is endorsing this solution for networking applications in the face of the very real quantum threat.

Image: Ideogram

You Might Also Read: 

CISA's Post-Quantum Cryptography Initiative:

DIRECTORY OF SUPPLIERS - Post-Quantum Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Chatham House Cyber Conference
2024 and beyond: Top six cloud security trends »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

Watch this webinar and get a comprehensive roadmap for securely adopting generative AI using Amazon Bedrock, a fully managed service that offers a choice of high-performing foundation models (FMs).

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Nordic IT Security

Nordic IT Security

Nordic IT Security is a cyber security business forum in Scandinavia bringing together the converging worlds of IT, Cyber and Information Security.

SQA Service

SQA Service

SQA Service provide independent software and process Quality Assurance services.

ControlCase

ControlCase

ControlCase provide solutions that address all aspects of IT-GRCM (Governance, Risk Management and Compliance Management).

Italian Association of Critical Infrastructure Experts (AIIC)

Italian Association of Critical Infrastructure Experts (AIIC)

AIIC acts as a focal point in Italy for expertise on the protection of Critical Infrastructure including ICT networks and cybersecurity.

Proact IT Group

Proact IT Group

Proact is Europe's leading independent data centre and Cloud services enabler. We deliver flexible, accessible and secure IT solutions and services.

Meiya Pico Information Co

Meiya Pico Information Co

Meiya Pico is the leading digital forensics and information security products and service provider in China.

Keynetic Technologies

Keynetic Technologies

Keynetic focuses on developing cybersecurity solutions for Industry 4.0.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Granted Consultancy

Granted Consultancy

Granted Consultancy is a business consultancy that specialises in securing funding to support companies with the development and commercialisation of new and innovative products and technologies.

Guardara

Guardara

Guardara's mission is to help our customers to continuously improve in every aspect of software development.

RevBits

RevBits

RevBits provides high-performance cybersecurity solutions including email security, endpoint security, deception technology and PAM solution to enterprise companies and public sector organizations.

Char49

Char49

Char49 specialize in Penetration Testing, Red Team Assessment, Social Engineering and Security Research.

Fusion Risk Management

Fusion Risk Management

Fusion Risk Management focuses on operational resilience encompassing business continuity, risk management, IT risk, and crisis and incident management.

Ermetic

Ermetic

Ermetic’s identity-first cloud infrastructure security platform provides holistic, multi-cloud protection in an easy-to-deploy SaaS solution.

Moonlock

Moonlock

Cybersecurity tech for humans. At Moonlock, we make software that seamlessly protects you and has your back as you live your life.

Digital.ai

Digital.ai

Digital.ai empowers organizations to scale software development teams, continuously deliver software with greater quality and security.