Getting ready for a post-quantum world


Quantum computers are changing the cryptography rules

Under Data Encryption, the CISA Zero Trust Maturity Model v2.0 cites the criticality of “cryptographic agility” on the third (out of four) level of maturity. Cryptographic agility is the ability to change the underlying cryptographic algorithms in applications and communications channels. I believe this highlights the importance for organizations to be able to pivot their encryption algorithms to a post-quantum cryptographic world. As quantum computing becomes more widely available, strong encryption becomes easier to crack.

In August 2016, NIST published a request for comment on requirements and criteria for submission for nominations for Public-key Post-quantum Cryptographic (PQC) Algorithms. That means that 7 years ago, the hunt for a PQC started. In 2024, this is expected to be finalized. However, there are steps that organizations should be taking now to prepare for this. To understand why PQC is so important, it is important to follow the evolution of public-key cryptography.

Public-key cryptography

Public-key cryptography is what allows secure connections such as over the Internet. Without these secure connections, there would be no online banking, shopping, or private messaging. Public-key cryptography relies on algorithms that are essentially unbreakable with today’s technology.

This wasn’t always the case. As computers became more powerful, older algorithms became more susceptible to brute-force attacks. For instance, RC5-64 was cracked in just under 5 years using 2002 technology (essentially an Intel Pentium II running Windows NT) with groups of people donating personal computer cycles. Comparing current technology with 2002, we can now throw so much more processing power at the problem, including power rented from a cloud provider, that the auto-generated summary from that comparison link is astonishing:

“In single core, the difference is 8100%. In multi-core, the difference in terms of gap is 42425%.”

This is one of the reasons we moved from SSL to TLS1.0 and have continued to advance to TLS1.3. Older legacy algorithms become deprecated and are no longer in use.

Public-key cryptography isn’t just used by web servers for SSL/TLS. It is used to secure email, SSH/SFTP connections, digital signatures, cryptocurrencies, and anywhere PKI (Public Key Infrastructure) is used, including Microsoft Active Directory. If the current set of algorithms can be breached via brute-force attack, the Internet could collapse, and this would have a devastating effect on the global economy and even reduce the effectiveness of military communications.

Fortunately, with many current “classical” technologies, we have been able to add more bits to algorithms, making brute-force attacks harder over time. For instance, SHA-2 went from 224 to 256 to 384 all the way to 512 before being largely replaced by SHA-3, which is more secure with the same number of bits. At least, this was the path forward before quantum computing became a new viable way to crack these legacy algorithms.

What is a quantum computer?

You may be familiar with Diffie-Hellman key exchange, the RSA (Rivest-Shamir-Adleman) cryptosystem, and elliptic curve cryptosystems currently in use today. The security of these depends on the difficulty of certain number theoretic problems such as Integer Factorization or the Discrete Log Problem over various groups.

In 1994, Shor’s algorithm was developed, which could efficiently solve each of these problems. However, this algorithm relied on a completely different architecture: quantum computers. In the last 29 years, work has progressed not only on new quantum algorithms but also on the actual hardware to run them (initial quantum computers were emulated on classical computers and were very slow). Recently, Google has developed a 70-qubit quantum computer. A qubit is the quantum computer equivalent of a classical computer’s 1s and 0s, and more qubits mean a more powerful system. This Google system, called the Sycamore Quantum Computer, can solve a complex benchmark in a few seconds. The world’s current fastest classical supercomputer, called Frontier from Hewlett Packard, would take 47 years on that same benchmark.

While this is a highly specific test, it did demonstrate “quantum supremacy”: that quantum computers can outpace classical computing systems. If you are not concerned because these computers are expensive, know that cloud providers already have offerings you can use today: Azure Quantum, IBM and AWS Braket let you rent time at under $100 an hour. Google Quantum Computing Service appears to only allow access from an approved list, not (yet) giving access to the public. Recently, the Gemini Mini, which is a 2-qubit quantum computer, became available to buy directly for about $5,000. This is not a powerful machine but could be used to invisibly develop and test malicious quantum software.

However, the future is clear: Quantum computing breaks the current cryptographic algorithms.

What is a PQC and why do I need to use it?

Post-quantum Cryptography (PQC) is based on algorithms that will resist both classical and quantum computers. Since the current algorithms are not PQC, they are going to be targeted by bad actors and anything using them will no longer be effectively encrypted.

While quantum computers are still in their infancy, you might think that you can sit back and simply move to a PQC algorithm once they go mainstream and the risk becomes high enough. However, there is a need to move to a PQC as soon as possible: any encrypted data, such as internet transmissions, can be stored now and decrypted later. Organizations must treat anything protected by current encryption algorithms as cleartext.

Using PQC will then establish a line in the sand: even if transmissions are recorded or encrypted drives are stolen, they will not be able to be decrypted by quantum computers or classical supercomputers. Backups using old algorithms? Assume they are cleartext and erase them. Any secrets that were sent over the internet? Assume they are now in the public domain.

While governments have long isolated communications channels so even encrypted communications are hard to sniff, most private organizations do not – and should strive to move to PQC as soon as possible.

Table 1 from NIST IR 8105 shows the most popular cryptographic algorithms and the impact quantum computers will have on them.

NOTE: This was published in April 2016.

How should my organization prepare?

Although a PQC algorithm isn’t expected until 2024, organizations should prepare and take steps to make the migration a quick process:

Inventory all cryptographic algorithms currently in use.

What systems are used?
Is this data at rest or in transmission?

Prioritize this inventory so that when your organization needs to implement it, the high-risk resources are addressed first – such as Internet-facing systems or systems that house your most sensitive data.
Document for each system type the process required to modify the in-use algorithm.

Do we need to increase the key length (AES and SHA-2 or SHA-3) or replace the algorithm entirely (RSA, ECDSA, ECDH, DSA)?
System updates or PQC algorithm installation
Configuration file modification
Restarting essential services
Testing process to ensure PQC algorithms are preferred/prioritized between systems when they are negotiating which algorithm to use.

Review your supply chain and understand where you need third parties to deliver PQC.

For instance, if you are running accounting software SaaS, you want to be able to connect to it from your workstation securely. You are reliant on that SaaS to support PQC and should be asking for that as soon as possible. Depending on the risk profile, you may want to address that in any contractual negotiations to help ensure it happens.
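The inventory, prioritization and lengthen-or-replace steps above can be sketched as a small triage script. This is an added example, not code from the original article; the CSV column names, the sample systems and the scoring weights are assumptions made for illustration.

```python
import csv
import re

# Article's split: longer keys/outputs for these, full replacement for those.
LENGTHEN = {"AES", "SHA2", "SHA3"}
REPLACE = {"RSA", "ECDSA", "ECDH", "DSA"}

# Constructed sample inventory (hypothetical systems and column names).
SAMPLE_INVENTORY = """system,algorithm,data_state,internet_facing,sensitive
public-web,ECDH,transmission,yes,yes
public-web,RSA-2048,transmission,yes,yes
backup-vault,AES-128,rest,no,yes
intranet-wiki,SHA-256,transmission,no,no
build-signing,ECDSA,rest,no,yes
legacy-ftp,3DES,transmission,yes,no
"""

def family(algorithm):
    """Normalise names such as 'RSA-2048' or 'SHA-256' to a family label."""
    name = algorithm.strip().upper().replace("_", "-")
    if re.fullmatch(r"SHA-?3(-\d+)?", name):
        return "SHA3"
    if re.fullmatch(r"SHA-?(2|224|256|384|512)", name):
        return "SHA2"
    return name.split("-")[0]

def action(algorithm):
    fam = family(algorithm)
    if fam in REPLACE:
        return "replace"
    if fam in LENGTHEN:
        return "increase-length"
    return "review"  # outside the article's two categories: check by hand

def triage(inventory_csv):
    """Return inventory rows with an action and score, highest risk first."""
    rows = []
    for row in csv.DictReader(inventory_csv.splitlines()):
        row["action"] = action(row["algorithm"])
        # Weights are an assumption: exposure > sensitivity > recordable traffic.
        row["score"] = (8 * (row["internet_facing"] == "yes")
                        + 4 * (row["sensitive"] == "yes")
                        + 2 * (row["data_state"] == "transmission")
                        + 1 * (row["action"] == "replace"))
        rows.append(row)
    return sorted(rows, key=lambda r: -r["score"])

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(r["score"], r["system"], r["algorithm"], r["action"], sep="\t")
```

Algorithms that fall outside the article's two categories, such as the 3DES entry in the sample, come back as "review" so they are not silently dropped from the migration plan.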

These preparation steps should either be added to your normal governance processes or made into a project. Decide if you can use internal resources or if you should bring in a third party like AT&T Cybersecurity to help. In any case, make sure this is on your radar like it now is on mine. Once post-quantum cryptographic algorithms become available, all organizations should be looking to implement them.

Resources to learn more:

DHS: Preparing for Post-Quantum Cryptography Infographic (dhs.gov)

NIST: Report on Post-Quantum Cryptography (nist.gov)

CISA: Quantum-Readiness: Migration to Post-Quantum Cryptography (cisa.gov)

NSA: The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ (defense.gov)


RUOK Day – How to Get Help Online When You’re Not Feeling OK


I’m such a fan of RUOK? Day. Started in 2009, it’s an Australian non-profit suicide prevention organisation that is all about having conversations with others to address social isolation and promote a sense of community. What I love the most is that RUOK? Day has become quite an event on the Australian calendar. You’d be hard-pressed to find a workplace that doesn’t host a morning tea or a retailer that’s not selling a ribbon or badge in support of the day. In my opinion, it has given many of us the confidence to talk about mental health and that, my friends, is a very good thing!

When You’re Not Feeling OK

You wouldn’t be human if you hadn’t ever felt a little down or anxious. It’s the natural ebb and flow of daily life. However, if these symptoms are hanging around and are affecting your ability to ‘do’ life then, it’s time to take some action.

Remember, it is incredibly common for someone to experience a dip in their mental health. Recent research shows that over 2 in 5 Aussies aged 16 to 85 will experience a mental disorder at some time in their life, with 1 in 5 experiencing a mental disorder in the previous 12 months.

If you’re not feeling OK, the most important thing to remember is that you do not need to deal with this all by yourself. Sometimes when you’re feeling really low, the thought of leaving the house and facing the world can feel too much. I totally get it! And that’s where the online world can play a huge role. There is an abundance of resources available online for anyone who needs mental health support, which makes it so much easier to get the help you need when facing the world just feels a bit much.

Where To Go Online When You’re Not Feeling OK

Here is a list of organisations that offer online mental health services here in Australia. This list is not exhaustive however these are the most commonly used, and hence best funded, support services. If you are based in the US, please find details at the end of the post for organisations that can provide mental health support.

When Things Are Pretty Dire

The Suicide Call-Back Service offers free professional 24/7 counselling support to Aussies at risk of suicide, concerned about someone at risk, or affected by suicide, as well as people experiencing emotional or mental health issues. There is an option for telephone support as well as online chat and video counselling.
If you need to speak to someone ASAP then contact Lifeline. They offer a free 24/7 confidential one-to-one counselling service that can help you in a crisis. You can, of course, choose to speak to someone on the telephone (13 11 14) but you also have the option of either messaging or texting (0477 13 11 14) with a counsellor.
Beyond Blue is another great Aussie mental health and wellbeing support service that can help in an emergency. Again, it offers 24/7 confidential counselling services for anyone who is struggling. Telephone counselling is an option here (1300 22 4636) but if you’d prefer, you can use their web chat option here.

Online Help Specifically For Young People

Kids Helpline is a dedicated 24/7 support service for young people aged 5 to 25 who want to chat for any reason. It’s free (even from a mobile phone) and there is a choice of telephone counselling or support via web chat or email. You can also access support if you are an adult supporting a young person. Since it was established in 1991, the service has supported over 8.5 million people. The service offers everything from life-saving crisis intervention through to emotional support when young people just need someone to listen.
Headspace is Australia’s Mental Health Young Foundation. It also provides free online and telephone support from 9am to 1am AEST, 7 days a week for young people (12-25) and their families. In addition to its crisis support services, it also offers regular counselling options through its network of 150 centres around Australia.

Other Services

The Butterfly Foundation’s National Helpline is a free confidential service that provides information, counselling, and treatment referral for people (and their families) with eating disorders and body image issues. It operates between 8am and midnight, 7 days a week and offers support via telephone (1800 33 4673), email and web chat. This is not a crisis service.
Friendline is a telephone and chat support service for anyone who’s feeling lonely, needs to reconnect or just wants a chat. You can call them 7 days a week on 1800 424 287, or chat online with one of their trained volunteers. All conversations with FriendLine are anonymous. This is not a crisis service.
MensLine Australia is a professional telephone and online counselling service offering support to Australian men 24 hours/7days a week. Whether it’s addiction issues, domestic violence, anxiety or depression, the service is able to offer support on 1300 78 99 or via online or video chat.
Open Arms – Veterans and Families Counselling provides 24/7 free and confidential telephone and webchat counselling to anyone who has served at least one day in the Australian Defence Force, their partner, and their families. It isn’t a crisis service, but it can offer ongoing mental health treatment and services.

So, if you are not just yourself at the moment and are feeling really low – or you know someone that is – please know that there is help available online 24/7. So, make yourself a cuppa and get started because you are not alone.

Alex xx

P.S. For my US friends:

The 988 Suicide & Crisis Helpline provides 24/7 free and confidential support and crisis resources for people in distress, and their families. Simply text or call 988 to access help.

The Crisis Text Line is a free and confidential 24/7 support service for anyone who resides in the US. Support can be accessed by text message (text HOME to 741-741) and online chat.

The post RUOK Day – How to Get Help Online When You’re Not Feeling OK appeared first on McAfee Blog.
