In this Help Net Security podcast, Avesta Hojjati, Head of R&D at DigiCert, talks about the security implications of post quantum computing.
Here’s a transcript of the podcast for your convenience.
Good morning. Good afternoon everyone. My name is Avesta Hojjati, I’m the Head of R&D at DigiCert. Today we would like to talk about post quantum crypto.
Recently we have done a survey, done by ReRez Research. The survey took place within 400 enterprises of 1000 or more employees in the United States, Germany and Japan, and a number of questions where specifically asked in regard to the threat that quantum computers are going to cause or are currently causing.
But in order to be able to answer that question, first we need to understand how quantum computers are functioning and why they are going to be a threat, specifically when it comes to encryption and a derivative of those, such as authentication.
When you’re talking about quantum computers, they are functioning quite differently than a regular or classical computer that we have. Quantum computers are able to utilize the properties of quantum physics and quantum mechanics. This by itself allows them to be good at doing certain things, and obviously not great at other things.
Unfortunately, breaking encryption algorithms such as RSA and ECC is one of those categories that quantum computers are quite good at. This is specifically due to the fact that quantum computers are able and very powerful at factorizing. For classical computers multiplication is quite simple, but when it comes to factoring certain numbers, the task becomes quite complex and obviously time-consuming and computationally quite hard. And contradictory, on the other side, for quantum computers this is different because they’re very good at doing that.
When we ran the survey, a number of questions were asked, and it was quite interesting to see the results from the survey. For example, there was a broad awareness of post quantum crypto. 71% of organizations who were part of the survey were actually responding back that they are aware of the threats that quantum computers are causing.
But that by itself doesn’t really mean that these organizations are going to be prepared for the era that a quantum computer, or shall I say a stable quantum computer, is available, and that is going to cause immediate threat to encryption algorithms that you’re having today.
I often use this analogy which is, when you’re purchasing a car, are you purchasing a car with an airbag or you’re just going to say that “I’m a good driver and the chances that I might get into an accident are probably closer to 0%, therefore there’s no need for an airbag”.
This is a game of probability and it directly applies to cybersecurity as well. The probability of an adversary being able to compromise your infrastructure, your communication lines or the user data is certainly more than 0%. As security professionals, what you’re able to do is we are able to take the proper measurements to decrease this probability and make it obviously closer to zero, which is quite impossible because 100% security is impossible.
From the survey, 60% of the organizations chose the correct description of what PQC actually was. This is more than 50%, so it’s quite intriguing to see that they actually had some type of understanding of what post quantum crypto is and how it could apply to their environment.
On the other hand, there is a very broad knowledge gap because 59% say that they currently deploying PQC certificates in a hybrid model. That means post quantum crypto in conjunction with RSA or ECC. This is quite an interesting approach because, as many security professionals know, and obviously Internet users might know, security and Internet aren’t like a switch. You are not able to turn the switch on and off, and now you have a completely new technology.
For this platform, and by platform I mean the Internet that has been around for many years, is very hard to actually turn things around. An approach such as a hybrid certificate or hybrid solution in this case, will allow you to utilize the classical algorithms, such as RSA and ECC, in conjunction with post quantum crypto, which will guarantee that your systems will be still active and are able to create the handshakes, utilizing the current algorithms. And in the case that there was a post quantum era happening, you’re able to switch to post quantum crypto.
This is the approach that has been taken and this by itself is mentioning that based on the survey, eight out of 10 IT professionals were mentioning that it is very important for their IT team to learn about quantum security practices. Our enterprise is beginning to prepare for post quantum crypto.
The result of the surveys was mentioning that yes, there are actually allocation of teams. For example, 56% of organizations are discussing budget at this time for post quantum crypto solutions, 35% are actually having a budget for this specific approach, and 59% either have or are expecting to have some type of budget to be able to protect their infrastructure and environment against this dominant threat.
One question might be asked is, what is it that I’m able to do right now? We talked about a hybrid solution that is available. We talked about different types of algorithms that NIST or National Institute of Standard and Technology is going through the review process. Matter of fact, as of January of this year, the Second National Institute of Standard and Technology Conference on Post Quantum Crypto took place, which reduced the number of submitted algorithms from the previous round.
This by itself shows that academia, industry and the standard teams are actively working on number of solutions. But what does that really mean right now for IT specialists and security specialists? Their top five findings from the survey, number one says monitoring. Knowing your environment is definitely one of the most important approaches that you’re able to take as of right now.
If you know your environment, if you know where all of your certificates are, what type of cryptographic algorithms you are utilizing from your servers to your clients, what type of algorithm and certificates you’re using to cryptographically sign your applications, and basically creating this inventory that is always accessible to you, it’s quite important.
Secondly, understanding that level of crypto agility will provide the flexibility in the case that the problem will happen with previous algorithm and allows you to be agile in a sense that you’re able to switch to a different algorithm with no hassle. Again, this knowledge and this visibility into the environment provides the complete package for your environment and for yourself to be secure in the case that a problem happens.
One question and the final question of this survey was, what should you do if you’re worried about your crypto infrastructure? That’s public infrastructure, or web servers that you have, and we have sets of recommendations for that from DigiCert.
Number one is risk. Know your risk and establish a quantum crypto maturity model. If you are able to monitor and assess and understand what type of risk your organization is going through, this will obviously allow you to have a better visibility and be prepared in the case that something improper will happen in infrastructure.
Second is agility. Understand the importance of crypto agility in your organization and establish it as a core practice. You need to talk to your developers, different teams, different departments and make sure that they always have that crypto agility in mind when it comes to designing, maintaining and monitoring the infrastructure.
And finally, is the best practice. You should work with leading vendors to establish your certificates best practice and ensure that you are tracking the progress of the post quantum crypto industry and staying ahead of the curve. This by itself provides connection to the industry, enterprises and researchers, and it will guarantee that the security that you’re designing today is going to last for the next 20, 30, 40 and 50 years instead of just for a year from now.
Security is something that is quite important. Security by design is something that every organization needs to have in mind, and that by itself will ensure the security of your users and your organization, in case that a catastrophic attack might take place.