sakkmesterke - stock.adobe.com
Cryptographic agility is key to post-quantum security
Although post-quantum security is not an issue for all organisations today, an expert believes that those needing to ensure data is secure for decades to come should aim to achieve cryptographic agility above all else
The threat of quantum computing being able to crack encryption methods currently used to protect critical data is being exploited by unscrupulous security suppliers, a cryptographic expert has warned.
“There are companies out there selling proprietary post-quantum secure encryption schemes that are not sanctioned by academic institutions that understand these things and that precede the standardisation of post-encryption algorithms,” said Yehuda Lindell, director of the Bar-Ilan University Center for research in applied cryptography and cyber security.
“These [proprietary] systems are often created by people who understand less about it than those proposing post-quantum algorithms for consideration by the US National Institute of Standards and Technology [Nist],” he told Computer Weekly.
Nist is currently evaluating post-quantum encryption algorithms submitted by cryptography experts and plans to publish a selection of the best that will be used as industry standards for the post-quantum era.
Lindell, who is also co-founder and chief scientist at security and privacy firm Unbound Tech, believes many organisations are being scared into spending lots of money on systems that are not secure and do not address the problem, including quantum key distribution (QKD) systems.
“QKD is solving the wrong problem because even if you have perfectly secure key distribution, you still have to encrypt with those keys,” he said.
“And the only way you can do that in a way that is more secure than using AES [advanced encryption standard] is using a one-time pad, but the volume of key material you need is enormous. In addition, QKD does not solve the problem of authentication and does not work with asymmetric encryption, which most of commercial encryption is based on.”
In a whitepaper on QKD, the UK’s National Cyber Security Centre (NCSC) explores the limitations of QKD systems, including security concerns, and makes the case for research into developing post-quantum public key cryptography as a more practical and cost-effective step towards defending real-world communications systems from the threat of a future quantum computer.
The whitepaper notes that QKD is distinct from post-quantum public key cryptography, which is based on classical mathematical problems that are hard to solve even in the presence of quantum computers.
“Post-quantum public key cryptography appears to offer much more effective mitigations for real-world communications systems from the threat of future quantum computers,” the whitepaper concludes.
Read more about quantum computing
- Post-quantum security on Airbus’s radar.
- Enterprise data encryption: Preparing for a post-quantum future.
- The time to think about post-quantum cryptography is now.
- Why this quantum computing breakthrough is a security risk.
Most public key cryptography uses asymmetric encryption, which relies on the fact that it would take years to carry out the mathematical calculations required to reveal the encryption keys, but even basic quantum computers will be able to determine encryption keys fast enough for attackers to use.
For big business, banking and other financial institutions that rely on cryptography to secure highly sensitive data, heavy investments in developing a post-quantum computing capability by countries such as China and Russia cannot be ignored, even though quantum computing is not expected to be a reality within the next five to 10 years or more.
“Organisations that need to ensure that data is kept secure for the next 20 to 30 years should be working to ensure that their systems are cryptographically agile, so they are ready to make that switch as soon as it is necessary,” said Lindell. “But for almost all organisations, there is no need to rush to do anything right now.
“However, in virtually all cases today, systems are not cryptographically agile, which means they do not have the ability to switch out the [encryption] algorithms and algorithm types they are currently using if vulnerabilities were discovered.”
Typically, this involves ensuring that specific algorithm types and names are not hard-coded into encryption systems and that program calls are made instead to centralised algorithm libraries.
“This means that program calls should be very high-level to a single library that provides cryptographic services to all the code run by an organisation, enabling them to switch to new algorithms throughout by simply making a single change in the library, which is the ultimate in cryptographic agility,” said Lindell.
Central library
This approach, using Open Source libraries, also reduces the potential for software developers to make mistakes because they are simply making calls to the central library rather than having to implement the algorithms in code, he said.
Also, said Lindell, organisations should ensure that the key length and message length are also not specified in code, so that systems will continue to work if these need to be changed.
Finally, for cryptographic agility, organisations need to ensure they have a method for upgrading software securely when vulnerabilities are discovered, he said.
“This involves not only the way an update is deployed to ensure that it is valid, but also ensuring that attackers cannot carry out roll-back [downgrade] attacks,” said Lindell. “This means ensuring that a man-in-the-middle attacker can’t force software to revert to older, broken systems.”
Hybrid approach
While ensuring the cryptographic agility of their systems is all organisation should be doing today, Lindell said that if they really want to do more, they should consider a hybrid approach.
“This means encrypting data in such a way that attackers would have to break both the standard encryption key in use today as well as a new post-quantum scheme by encrypting one on top of the other, for example,” he said.
Lindell recommended this hybrid approach in light of the fact that although post-quantum schemes are well understood, there is no working experience of them to indicate exactly what the right parameters and key lengths should be.
“So if you are doing TLS [transport layer security], generate a regular TLS secure channel and use it to share an additional public key that is post-quantum secure in order to hedge your bets,” he said, reiterating that he believes ensuring cryptographic agility would be a far more effective course of action.
Lindell said organisations must be rational and calm when it comes to the issue of post-quantum security and should guard against taking premature or hasty action and investing vast sums of money in proprietary technologies that do not have the support of experts in the field.
“Being well prepared and ensuring cryptographic agility will do much more for security overall and in a post-quantum era than anything else organisations can do today,” he said.