Avesta Hojjati, Head of R&D at DigiCert.
After decades of research in the "quantum" field, this new era is characterized by the emergence of quantum technologies with applications in different industries and impact on everyday life.
How can quantum computing help? It will fundamentally increase processing power, which could mean interesting advances from particle physics to machine learning and medical science.
Why are quantum computers so important? Some strategic points to understand the quantum computing era are as follows:
- It represents the next evolutionary step in quantum mechanics.
- It combines information theory with quantum mechanics.
- It processes enormous amounts of data at once.
- It possesses capabilities to quickly reach nonlinear answers.
- It factors large numbers into primes much faster than existing computers, threatening public key encryption when in the wrong hands.
Unfortunately, this last point is a disadvantage for organizations trying to keep their data safe. In this post-quantum computing (PQC) reality, current encryption algorithms will be no match for the rapid code decryption possible with quantum computers. Cybercriminals will exploit this capability once quantum computers become more accessible.
According to the DigiCert Post Quantum Crypto Survey of 2019, 71% of IT professionals recognize the threat that quantum computing represents to existing cryptography; respondents are concerned because this threat could emerge by 2022. In general, companies have doubts about the best way to respond to these threats.
This threat is imminent. It is likely that cybercriminals will accumulate encrypted data in anticipation of the day when quantum computers are available to the general public and can be used to break modern cryptography. Given this scenario, companies should not wait. Therefore, it is essential to identify the company's knowledge of the quantum computing threat and its current level of preparedness for a PQC future.
Avesta Hojjati, Head of R&D at DigiCert, indicates: 'Determining the degree of knowledge and the level of company preparedness will determine the company's PQC maturity level. Once a company achieves mastery, it is in an excellent position to anticipate security needs and protect critical systems and applications. Each level carries its own risks, including mastery, as it could be tempting to become overconfident, relax security standards, and revert to a previous level'.
Tip No. 1: Increase crypto-agility: In crypto-agility, companies strive to obtain an efficient method to identify and effortlessly replace obsolete cryptographic algorithms when necessary. First, it is important to identify all servers (protocols, libraries, algorithms, and certificates) that use encryption within an organization. One way to do this is by adopting a certificate management platform that automates the certificate lifecycle management. Second, it is paramount to document what has been learned as part of a plan that includes how encryption issues will be identified and resolved. Third, it is key to ask external vendors how they plan to protect themselves against quantum threats and likewise verify that new vendors are well prepared.
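One way to start the inventory step in Tip No. 1, as an added example that is not DigiCert's code or part of the original article: it parses the text that `openssl x509 -noout -text` prints for each collected certificate and flags RSA, ECC and DSA keys, which are the public-key families a quantum computer threatens. The host names, the sample dumps and the function names `parse_cert_text` and `inventory` are constructed for illustration.

```python
import re

# OpenSSL "Public Key Algorithm" names whose security falls to Shor's algorithm.
SHOR_BROKEN = {"rsaEncryption", "id-ecPublicKey", "dsaEncryption"}

FIELDS = {
    "subject": r"^\s*Subject:\s*(.+)$",
    "sig_alg": r"^\s*Signature Algorithm:\s*(\S+)",
    "key_alg": r"^\s*Public Key Algorithm:\s*(\S+)",
    "key_bits": r"Public-Key:\s*\((\d+) bit\)",
    "not_after": r"^\s*Not After\s*:\s*(.+)$",
}

def parse_cert_text(text):
    """Extract inventory fields from `openssl x509 -noout -text` output."""
    rec = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.M)
        rec[name] = m.group(1).strip() if m else None
    return rec

def inventory(dumps):
    """endpoint -> dump; 'unparsed' = no certificate text, 'review' = unknown algorithm."""
    rows = []
    for endpoint, text in sorted(dumps.items()):
        rec = parse_cert_text(text)
        alg = rec["key_alg"]
        status = ("unparsed" if alg is None else
                  "quantum-vulnerable" if alg in SHOR_BROKEN else "review")
        rows.append({"endpoint": endpoint, "status": status, **rec})
    return rows

# Constructed sample dumps (hypothetical hosts), trimmed to the parsed lines.
RSA_DUMP = """        Signature Algorithm: sha256WithRSAEncryption
            Not After : Jan  1 00:00:00 2025 GMT
        Subject: CN = www.example.test
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
EC_DUMP = """        Signature Algorithm: ecdsa-with-SHA256
            Not After : Jun 30 12:00:00 2026 GMT
        Subject: CN = api.example.test
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
"""
SAMPLE = {"www.example.test:443": RSA_DUMP, "api.example.test:443": EC_DUMP,
          "legacy.example.test:8443": "unable to load certificate\n"}
if __name__ == "__main__":
    print(*(f"{r['endpoint']}: {r['status']}" for r in inventory(SAMPLE)), sep="\n")
```

Rows marked `unparsed` or `review` are the ones to chase by hand: the first means the endpoint returned no certificate text, the second an algorithm name the script does not recognise.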
Tip No. 2: Identify the correct HSM: Organizations rely on hardware security modules (HSM) to protect the custom keys used in their public key infrastructure (PKI). Companies should therefore research how their HSMs are being used, whether they can be updated to support quantum-safe encryption, and if so, how quickly those updates could occur. Digital signature firms Gemalto and Utimaco, among others, offer HSMs with quantum security.
Tip No. 3: Trust in SSL Certificates: Several companies, including Google and Microsoft, treat Always On SSL (AOSSL) as a best practice, according to the Internet Society blog publication "Best Practice: Always On SSL (AOSSL)". SSL/TLS certificates allow website visitors to know that the site is authentic and that the data they enter will be encrypted. With AOSSL, companies can apply encryption across all websites (internal and external), reducing the company's exposure to cyberattacks such as Man-In-The-Middle (MITM).
'An important approach to preparing for post-quantum cryptographic threats is to gain agility in encryption. A correctly implemented AOSSL makes it easy to update encryption algorithms in response to quantum computing threats that may arise in the future,' added Avesta Hojjati.
Tip No. 4: Check your PQC strategy: Companies that are better equipped for the PQC era regularly test their security to ensure it remains secure in case of a true threat. Usually, that means observing how their certificates work in a sandboxed environment so they can adjust their approach if something does not work effectively. Knowing your environment, having broad visibility of the organization, and taking the right steps at the time of a real incident are essential steps to protect yourself against the threat posed by quantum computers.
The threat that quantum computing poses to encryption has been looming for years. Therefore, if companies have not taken measures by now, it is very important that they determine their level of knowledge and preparedness and take steps to advance in both. The more you can improve in both areas, the better it will be when cybercriminals begin using quantum computers to break encryption that was previously difficult to decipher.
Translator's Note: According to studies by prestigious cryptographers, quantum computers will eventually be able to attack asymmetric methods but NOT symmetric ones.