Prepare for the ‘crypto break’ before it’s too late
Although the day is coming where quantum computers are likely to break most traditional public key asymmetric encryption and, along with that, every secret they protect, almost no one is doing anything to prepare.
So says Roger Grimes, Data-Driven Defence evangelist at KnowBe4, adding that there are several simple things organisations could be doing to prepare for this ‘crypto break’ that won’t cost a fortune either.
“If it hasn’t happened already, quantum computers are rapidly getting to the point where they will be able to quickly factor cryptography that relies on large prime numbers, such as RSA, Diffie-Hellman, Elliptic Curve Cryptography, TLS, HTTPS and more,” he says. “This will render these immediately worthless.”
He says most public cryptography depends upon the fact that even a practically infinite number of traditional computers cannot crack math problems involving large prime numbers. “There simply are not enough atoms in our universe to support the energy needed, or enough hard drives and memory spaces.”
On the other hand, quantum computers with double, plus a few more stable qubits (which are the basic units of quantum information, or the quantum version of the classical binary bit physically realised with a two-state device), will be able to solve the same equations, and do that extremely fast, he says.
In this way, as soon as quantum computers get 4099 stable qubits, they will have the ability to crack 2048-bit public encryption keys. “When they reach 8195 stable qubits, 4096-bit keys will fall, which means that the whole of the Internet as well as most organisations, will have a large problem on their hands.”
As to when this ‘crypto break’ will happen, the answer is simply: we don’t know. However, Grimes believes that there is a good chance it’s already happened and the governments or individuals who have done it aren’t owning up.
Another very real danger right now is that even if it hasn't happened yet, any bad actors who are sniffing (stealing or intercepting data by capturing the network traffic using a sniffer) an organisation’s IP or other data, could be saving that encrypted information for the day when the crypto break is a reality.
Any business that has secrets it would prefer the world not to know about should pay attention, he stresses.
It’s not all doom and gloom, though. Grimes says there are several quantum-resistant ciphers and digital signature schemes already in existence. In addition, there are several cryptographic algorithms that do not rely on large prime numbers in order to work, and many of these are being tested.
Within a couple of years, probably between 2022 and 2025, the majority of governments around the world will release new quantum-resistant cryptography standards that everyone can adopt.
Moreover, he says, there are several things businesses can start doing right now that don’t cost a fortune or involve ripping and replacing old ciphers with quantum-resistant ones. “The first step is to take a data-protection inventory to work out what is critical and what needs to be protected beyond the next few years. Look at the cryptography that is currently being used to protect it, the algorithms involved, and the key sizes. This means public key ciphers, symmetric ciphers, digital signatures, hashes, and key sizes.”
This is an onerous task, so get started and do it now, advises Grimes.
Next, he says, ensure that all symmetric keys and hashes are 256-bit or larger. “Increase the key sizes of anything smaller, and increase asymmetric key sizes to 4096-bit. When the crypto break happens, it will break all traditional public key crypto, but the smaller key crypto will be the first to fall and will fall fastest.”
Then Grimes says to take all the most critical data that is needed in the long term offline. Operate on the premise that attackers will try to sniff your network traffic and bypass your existing cryptography.
“Update any policies to reject data protection solutions that do not have quantum-resistant key sizes of at least 256-bit and 4096-bit, to control the problem going forward. There’s no point investing in any solution that will be obsolete in a few years, so from this point forward, you want to make sure that everything you buy is using a quantum-resistant cipher.”
Businesses should also start thinking about using quantum random number generators if they need random number generators. “You can get them all over the place, and they're actually fairly cheap. I think you can get one for under $100. They have been selling quantum random number generators for around two decades and you can buy them in very small form factors.”
Finally, he says, anyone who is interested in quantum computing should watch a couple of videos or visit his LinkedIn account where loads of free material is available. “Eventually those quantum computers are going to break traditional crypto and you're going to have to be prepared to avoid an unpleasant surprise.”