Is everything you thought you'd done right for security about to be at risk?

It may still be early days for quantum computing, but there has been significant progress recently. What does that mean for today's 'unbreakable' encrypted data?


Nearly every digital system in use today is protected by standardized cryptographic algorithms (e.g., RSA, ECC, AES) that "scramble" data so that it cannot be read without the decryption keys. This is true of encrypted data at rest in a database, as well as encrypted data in transit across a network. Cryptography is also used extensively in user and device authentication. Nearly every network, wired or wireless, has some form of it at its core (e.g., IPsec, TLS/SSL, WPA). Further, cryptography is at the heart of financial systems such as electronic payments and credit card authorizations, is critical to digital signatures and cryptocurrency systems, secures health records and government and military systems, and is built into email and social media applications. Nearly every app or electronic product in use has crypto in some form as a key component.

Over the years, cryptography has become more secure as faster processors have let us use longer keys without a noticeable performance cost. The theory is that with enough bits (say 128 or 256 for a symmetric cipher, 2048 or more for RSA) a conventional computer cannot brute-force the key in any practical amount of time. But that assumes the digital computer of today. Quantum computers work very differently: they operate on qubits that hold superpositions of states rather than definite ones and zeros, and for certain specific problems they can run algorithms with no efficient classical counterpart. It is those specific problems that matter here. Shor's algorithm finds the prime factors and discrete logarithms on which RSA, Diffie-Hellman and elliptic-curve cryptography rest, so a large enough quantum computer breaks those public-key schemes outright, regardless of key length. Grover's algorithm gives only a square-root speedup against symmetric ciphers and hashes, roughly halving their effective key length, so AES-256 remains safe while AES-128 drops to about 64 bits of effective strength. As a result, much of what we currently rely on for secured communications and encrypted data, and nearly all of today's key exchange and digital signatures, is at risk.

Quantum computing is still in its infancy, but it has been making significant strides of late. Companies like IBM, Intel, Google, Microsoft, Honeywell and others have major initiatives underway to produce a viable production quantum computer. Quantum computers are hard to build, but that doesn't mean they aren't being built successfully. All of the above companies now have operating small-scale quantum machines, and developers have access to them as a service. It's also probable that "state actors" are working on such systems in secret.

The power of a quantum computer is commonly rated by the number of qubits it has. Current-generation machines are generally in the 50-100 qubit class. But truly useful devices for things like weather simulation, simulation of organic systems, and breaking encryption will require thousands of error-corrected (logical) qubits, and today's noisy hardware needs many physical qubits to realize each logical one, so the raw qubit count a vendor quotes overstates what the machine can do. It's likely to be at least 5-10 years before we reach that level of scale, although some startups argue we may be there much faster. But that does not mean there is no risk for companies now from this technology.

Post Quantum Cryptography

Realizing this is an issue, several companies (e.g., Utimaco, Isara) are working on quantum-safe solutions, and government agencies are working on approving a new set of quantum-safe cryptographic algorithms to replace the public-key algorithms in use today. NIST is running an open competition with industry and academia to define standards for quantum-resistant algorithms, and the first draft standards for post-quantum cryptography should be available in the next 12-18 months. But there is a significant time lag between setting a standard and getting products into the marketplace. We expect it to be at least 2-3 years after standards are defined before commercial products become fully available.

Time is not our friend

The biggest problem is that it takes a very long time for new technology to be integrated into existing infrastructure. It could take decades before all of the current crypto algorithms are updated, particularly in the diverse world of the internet. As an example, virtually every network today uses IP addressing to determine where to send data and to identify nodes. IPv6, which dramatically increased the number of available addresses and made room for all the connected devices of the modern era, was standardized in 1998. Yet only in the past few years has IPv6 adoption become widespread, and a large share of networks and traffic still rely on the older IPv4 addressing scheme more than two decades later. Updating a huge installed base is difficult, and cryptography is far more deeply embedded than addressing.

There is an even bigger challenge for many companies, and that is their data. Many forms of data stay sensitive for many years, and most of it is currently protected by existing encryption algorithms. What if an adversary records today's encrypted traffic, which is considered unbreakable, and 10 or 15 years from now decrypts it with a quantum system? This "harvest now, decrypt later" attack means secret financial files, medical records, company secrets and many other types of data captured today will eventually be readable. Note that the exposure is asymmetric: encrypted data and key exchanges captured today can be opened retroactively, whereas broken digital signatures only allow forgery once the attacker has the machine; even so, many digitally signed documents have a 25-50 year life and will outlive today's signature algorithms. Storage is very inexpensive, so large volumes of data can be captured and retained for a long time at an economical price. Think of a nation-state actor capturing secret government documents or corporate proprietary information now and decoding them at a future date. This is a huge potential liability.

What we need to do

There is some time before the quantum threat becomes fully viable, and therefore there is no need to panic. But there is no reason not to start looking at your requirements now. Build an inventory of what crypto is in use. This includes devices, networks, data encryption protocols, certificates, VPNs, code-signing and key management systems. Assess which algorithms are in use and whether or not they are quantum safe, and if not, whether they need to be updated. Be precise about what "quantum safe" means for each algorithm: for symmetric ciphers and hashes it is a matter of key and output length, and 256 bits (e.g., AES-256, SHA-256 or SHA-384) is the conservative target, because Grover's algorithm halves the effective strength. For public-key algorithms such as RSA, Diffie-Hellman and ECC, no key length helps; they must be replaced with post-quantum algorithms rather than enlarged.

This is a long-term project for the next 3-5 years, and it is a major amount of effort. For those systems that are not quantum safe, you need to assess how to migrate them to a new algorithm. It's unlikely there will be a single optimum algorithm; rather, vendors are likely to support multiple algorithms based on the use case, and early deployments typically run a classical and a post-quantum algorithm together in a "hybrid" mode so that security does not regress if the new algorithm turns out to have a weakness. Discuss with your app and equipment vendors what their plans are to shift to a modern quantum-safe crypto environment and whether they can help retrofit existing data and systems to limit exposure. Finally, assess which data and documents need to be re-encrypted or re-signed with an updated algorithm to prevent them from being decrypted or forged in the future, prioritizing data that must stay confidential for longer than the migration will take. With the huge number of documents most companies have in place, this could be the most daunting task of all.
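The inventory and assessment steps above are where the Shor-versus-Grover distinction actually has to be applied, record by record. The script below is an added example written for this article, not code from any vendor or standard named here. It takes a list of TLS cipher-suite observations in IANA naming (the format printed by `openssl ciphers -stdname` and by most TLS scanners), splits each suite into key exchange, authentication, bulk cipher and hash, and classifies each component: public-key schemes fall to Shor's algorithm regardless of size, symmetric keys lose half their bits to Grover, and only a broken key exchange or a weak cipher creates the retroactive "harvest now, decrypt later" exposure, while a broken signature matters only once an attacker has the machine. For TLS 1.3 suites the key exchange and signature scheme are not part of the suite name, so the record must carry them; the hybrid group name `X25519MLKEM768` and the other post-quantum markers are assumed spellings of scanner output, and the hostnames and inventory are constructed sample data.

```python
"""Quantum-exposure triage for a TLS cipher inventory (added example, not from the article).
Records use IANA cipher-suite names; for TLS 1.3 suites the key exchange and signature
scheme are negotiated outside the suite name and must be supplied in the record.
The SAMPLE_INVENTORY below is constructed sample data with hypothetical hosts."""
import re
from dataclasses import dataclass, field

# Public-key schemes Shor's algorithm breaks regardless of key size: replace, don't enlarge.
# Matched by prefix on the normalised (upper-case, hyphen-free) name.
SHOR_BROKEN_PREFIXES = ("RSA", "DH", "ECDH", "ECDSA", "DSA", "DSS",
                        "X25519", "X448", "ED25519", "ED448", "SECP", "FFDHE")
# Substrings marking post-quantum or hybrid schemes in scanner output (assumed spellings).
PQ_MARKERS = ("MLKEM", "KYBER", "MLDSA", "DILITHIUM", "SLHDSA", "SPHINCS", "FALCON")
# Grover halves effective symmetric strength; demand 128 bits after halving, i.e. 256-bit keys.
MIN_GROVER_BITS = 128


@dataclass
class Finding:
    host: str
    suite: str
    key_exchange: str
    authentication: str
    cipher: str
    cipher_bits: int
    grover_bits: int
    reasons: list = field(default_factory=list)
    harvest_now_decrypt_later: bool = False

    @property
    def quantum_safe(self) -> bool:
        return not self.reasons


def is_shor_broken(alg: str) -> bool:
    """True for classical public-key schemes; PQ or hybrid names are treated as safe."""
    u = alg.upper().replace("-", "")
    if any(marker in u for marker in PQ_MARKERS):
        return False
    return u.startswith(SHOR_BROKEN_PREFIXES)


def cipher_strength(cipher: str) -> int:
    """Nominal classical key strength (bits) of a bulk-cipher token such as AES_128_GCM."""
    m = re.match(r"(AES|ARIA|CAMELLIA|RC4)_(\d+)", cipher)
    if m:
        return int(m.group(2))
    if cipher.startswith("CHACHA20"):
        return 256
    if cipher.startswith("3DES"):
        return 112
    if cipher.startswith("NULL"):
        return 0
    raise ValueError(f"unknown cipher token: {cipher}")


def parse_suite(suite: str, key_exchange=None, authentication=None):
    """Split a suite name into (key_exchange, authentication, cipher, hash)."""
    name = suite[4:] if suite.startswith("TLS_") else suite
    if "_WITH_" in name:                      # TLS 1.2 style: kx and auth are in the name
        kx_auth, rest = name.split("_WITH_", 1)
        tokens = kx_auth.split("_")
        kx, auth = (tokens[0], tokens[-1]) if len(tokens) > 1 else (tokens[0], tokens[0])
    else:                                     # TLS 1.3 style: kx and auth come from the handshake
        if key_exchange is None or authentication is None:
            raise ValueError(f"{suite}: TLS 1.3 suite needs key_exchange and authentication")
        kx, auth, rest = key_exchange, authentication, name
    tokens = rest.split("_")
    hash_name = tokens[-1] if tokens[-1].startswith(("SHA", "MD5")) else ""
    cipher = "_".join(tokens[:-1]) if hash_name else rest
    return kx.upper(), auth.upper(), cipher, hash_name


def assess(record: dict) -> Finding:
    """Classify one inventory record and record what breaks and whether it is retroactive."""
    kx, auth, cipher, _hash = parse_suite(record["suite"], record.get("key_exchange"),
                                          record.get("authentication"))
    bits = cipher_strength(cipher)
    f = Finding(record["host"], record["suite"], kx, auth, cipher, bits, bits // 2)
    if is_shor_broken(kx):   # broken key exchange: captured sessions open later
        f.reasons.append(f"key exchange {kx} falls to Shor: recorded sessions decryptable later")
        f.harvest_now_decrypt_later = True
    if is_shor_broken(auth):  # broken signature: forgery only once the attacker has the machine
        f.reasons.append(f"authentication {auth} falls to Shor: future forgery/impersonation")
    if f.grover_bits < MIN_GROVER_BITS:
        f.reasons.append(f"{cipher}: {bits}-bit key is ~{f.grover_bits} bits vs Grover; use 256-bit")
        f.harvest_now_decrypt_later = True
    return f


# Constructed sample inventory (hypothetical hosts), shaped like TLS scanner output.
SAMPLE_INVENTORY = [
    {"host": "vpn.example.internal", "suite": "TLS_RSA_WITH_AES_128_CBC_SHA"},
    {"host": "api.example.internal", "suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
    {"host": "web.example.internal", "suite": "TLS_AES_256_GCM_SHA384",
     "key_exchange": "X25519", "authentication": "rsa_pss_rsae_sha256"},
    {"host": "edge.example.internal", "suite": "TLS_AES_256_GCM_SHA384",
     "key_exchange": "X25519MLKEM768", "authentication": "ecdsa_secp256r1_sha256"},
]


def triage(inventory=SAMPLE_INVENTORY) -> list:
    """Assess every record; hosts with the retroactive (harvest-now) exposure sort first."""
    return sorted((assess(r) for r in inventory),
                  key=lambda f: (not f.harvest_now_decrypt_later, f.host))


if __name__ == "__main__":
    for f in triage():
        flag = "HNDL" if f.harvest_now_decrypt_later else ("ok" if f.quantum_safe else "later")
        print(f"{flag:5} {f.host:24} {f.suite}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run stand-alone, the script lists the three hosts whose recorded traffic could be decrypted later (RSA, ECDHE and plain X25519 key exchange, plus the 128-bit cipher on the VPN) ahead of the edge host, whose hybrid key exchange protects confidentiality and whose only remaining issue is an ECDSA certificate that can be rotated on the normal migration schedule. The 256-bit symmetric threshold is the conservative choice the article argues for; NIST's own guidance still treats AES-128 as acceptable in practice, so adjust `MIN_GROVER_BITS` to match your policy.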

Bottom line: While not an immediate threat, quantum computing will dramatically reduce the effective security most enterprises have in place in the not too distant future, and data captured today is already exposed to it. Companies must start to assess what the new world of security-breaking quantum computing may do to their environment, and develop a strategy to upgrade over the next several years, or risk having all their data and systems vulnerable to penetration.