Demystifying Cybersecurity: Post-Quantum Security, Part 2
In our last blog, we talked about the current challenges with cryptography that urgently need to be addressed, considering the exponential rise of quantum computing and the risk posed to the security of our communications. Today, we will review the existing technological approaches from the industry to solve these challenges and ensure our communications will remain secure for years to come from both traditional and quantum computer cyberattacks.
1) Quantum Random Number Generator (QRNG)
One approach is to address the weak entropy that endpoints currently use when generating encryption keys. These random numbers are not “random enough” and are too predictable, especially when legacy random number generators are used, not to mention the inherent flaws of existing Random Number Generators (RNGs). The current solutions for producing randomness, including the Pseudorandom Number Generator (PRNG) and the Cryptographic Pseudorandom Number Generator (CPRNG), all rely on algorithms, that is, on mathematics. The Quantum Random Number Generator (QRNG) is a hardware-based technology that instead relies on physics to generate truly random numbers, referred to as quantum entropy. QRNGs have already been in use for several years in businesses where a high level of randomness is required, for example online casinos for their gaming and gambling services (e.g., slot machines).
QRNGs are available as different hardware appliances, in some cases as small as a chipset on a mobile phone. They typically contain a light-emitting diode (LED) and an image sensor. The LED emits a random number of photons (particles of light), which are then captured by the sensor and counted, providing a series of random numbers that can be distributed to applications, for example to create strong, quantum-safe encryption keys.
2) Quantum Key Distribution (QKD)
One of the issues with current cryptography is that key delivery/exchange between two parties occurs over the same insecure communication channel as the data.
Fig.: Traditional key distribution
That is precisely one of the problems that Quantum Key Distribution (QKD) aims to solve. It uses photons, sent over a dedicated optical fiber connection, to generate identical encryption keys at both ends of the connection. Due to the properties of quantum physics, including superposition and entanglement, these photons cannot be observed or intercepted without changing their state, ensuring that the keys cannot be stolen or tampered with without the attempt being detected, thus preventing any possibility of a Man-In-The-Middle (MITM) attack.
Fig.: Quantum Key Distribution (QKD)
QKD is fully hardware-based: the technology requires specific hardware appliances called quantum repeaters, connected to each other over dedicated, point-to-point optical fiber links. One limitation is that the current maximum secure range for quantum key distribution is about 100 km; however, some vendors have already worked around it by using other solutions in combination. Also, some foreign governments are currently investigating the use of satellites as relays, sending photons using line-of-sight (LOS) transmissions that would exceed that limitation and deliver over long distances.
3) Post-Quantum Cryptography (PQC)
It is estimated that it would take about 300 trillion years of traditional computing to break RSA asymmetric encryption with a 2048-bit key, making it in theory almost “unbreakable”. However, some researchers have estimated that quantum computing could drastically reduce that time to just 8 hours!
This has led to ongoing efforts from the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) to find a quantum-safe replacement for today’s encryption methods. Post-Quantum Cryptography (PQC) refers to next-generation, cryptographic algorithms designed to be resistant to cyberattacks performed using traditional and quantum computers.
One implementation is to harden the widely used Transport Layer Security (TLS) protocol with a Key Encapsulation Mechanism (KEM), which secures symmetric key exchanges using asymmetric encryption: one party uses the public key to “encapsulate” the symmetric key, while the other party uses its private key to “decapsulate” and retrieve the symmetric key, which is later used to encrypt all the information they exchange with each other. KEMs work in a similar way to Public Key Encryption (PKE), as they also rely on a combination of public and private keys; the difference is that the asymmetric keys are not used here to protect an actual message, but an encryption key that will later be used to protect a message.
Fig.: Key Encapsulation Mechanism (KEM)
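The encapsulate/decapsulate flow described above, as an added example that is not part of the original article. It uses a classical Diffie-Hellman construction with toy parameters as a stand-in, so it is not quantum-resistant; the names keygen, encapsulate, decapsulate, P and G are assumptions chosen for illustration, and a PQC deployment would place a post-quantum KEM behind the same three calls.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption, illustration only): Diffie-Hellman modulo the
# Mersenne prime 2**521 - 1. Classical and NOT quantum-resistant.
P = 2**521 - 1
G = 3

def _kdf(shared: int, ct: int) -> bytes:
    # Bind the derived symmetric key to the ciphertext that produced it.
    return hashlib.sha256(shared.to_bytes(66, "big") + ct.to_bytes(66, "big")).digest()

def keygen():
    """Receiver: create a (public_key, private_key) pair."""
    sk = secrets.randbelow(P - 3) + 2
    return pow(G, sk, P), sk

def encapsulate(pk: int):
    """Sender: return (ciphertext, symmetric_key). No message is involved."""
    r = secrets.randbelow(P - 3) + 2
    ct = pow(G, r, P)
    return ct, _kdf(pow(pk, r, P), ct)

def decapsulate(sk: int, ct: int) -> bytes:
    """Receiver: recover the same symmetric key from the ciphertext."""
    if not 1 < ct < P - 1:
        raise ValueError("ciphertext out of range")
    return _kdf(pow(ct, sk, P), ct)

def demo():
    pk, sk = keygen()                    # receiver publishes pk
    ct, key_sender = encapsulate(pk)     # sender transmits only ct
    key_receiver = decapsulate(sk, ct)   # receiver derives the same key
    # The shared key then protects the actual traffic (here: an HMAC tag).
    msg = b"constructed sample message"
    tag = hmac.new(key_sender, msg, hashlib.sha256).digest()
    ok = hmac.compare_digest(tag, hmac.new(key_receiver, msg, hashlib.sha256).digest())
    # A ciphertext altered in transit yields a different key, so the tag fails.
    bad_key = decapsulate(sk, (ct * G) % P)
    tampered_ok = hmac.compare_digest(tag, hmac.new(bad_key, msg, hashlib.sha256).digest())
    return key_sender == key_receiver, ok, tampered_ok

if __name__ == "__main__":
    print(demo())
```

Only the public key and the ciphertext cross the wire; the symmetric key itself is never transmitted, which is the difference from PKE that the paragraph describes.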
PQC is software-based rather than hardware-based, so it does not require users to invest in new hardware equipment, and it integrates easily with existing communication mediums (e.g., optical fiber, satellite, 4G/5G, copper, etc.), network protocols (e.g., TCP/IP) and equipment (e.g., routers, switches). It can also be used on any type of endpoint, from mobile devices and desktop computers to back-end servers, located either locally or in the cloud.
Other Approaches
Quantum Secure Direct Communication (QSDC)
Unlike Quantum Key Distribution (QKD), which is used to securely exchange an encryption key, Quantum Secure Direct Communication (QSDC) aims to transmit the information itself securely over a quantum communication channel, such as an optical fiber link or free space, without the use of private encryption keys. There is no commercial implementation available yet, as the data rates currently achieved are still too low to make it practical for communicating entire messages, but it will definitely become an important alternative in the years to come.
Hardware Security Module (HSM)
Hardware Security Modules (HSMs) are tamper-resistant hardware appliances used to secure cryptographic processes, including generating, securely storing, and managing encryption keys, as well as creating digital signatures and certificates. They usually integrate with QKD and QRNG systems.
Which Technology to Choose?
So far, all these approaches are mutually exclusive, and not easy to integrate for any organization as they would require changing/adapting the current cryptography protocols used throughout the organization. Also, the endpoints (desktop or laptop computers, mobile devices, etc.) are directly involved, which translates into a huge effort as well as an impact/downtime for the employees. However, some vendors are already working on combining them into a single, easy-to-integrate solution; we will present one of these solutions in the coming weeks.
The rise of quantum computing and the risk it poses to organizations’ security is concerning, and sifting through the vast array of information on solutions, products, and best practices can be daunting. Please do not hesitate to reach out to the team at ISEC7. We can provide a security assessment to review your security posture and help you navigate the options available to protect your sensitive data and strengthen your infrastructure.