Companies are already preparing to deal with quantum threats. Tim Hollebeek, Industry and Standards Technical Strategist, DigiCert, explains how Quantum Key Distribution (QKD) has been hailed as a potentially effective solution to quantum threats.
Quantum computing is on its way, as are quantum threats. Such technology in the wrong hands promises to break most of modern encryption. But just as attackers are looking ahead with excitement, defenders are preparing in earnest.
DigiCert released a report in 2019 which shed some light on enterprise’s road to quantum safety. We surveyed 400 IT decision makers (ITDMs) across North America, Germany and Japan. Respondents came from a range of positions – from directors to security staff – and a range of industries including financial, healthcare and transportation sectors among others.
The survey produced a number of intriguing results – respondents registered several worries and challenges around quantum – not just of quantum threats but of some of the more challenging issues around quantum protection. Among them was a lack of staff knowledge and fears that encryption on devices and applications within their products would be susceptible. Others worried that existing encryption will break and expose currently confidential data in the future. But as ITDMs start to take their first steps to quantum security, they seem to be apprehensive about one particular thing: money.
Respondents to our survey worried most about the mounting costs of quantum defence. Two out of five respondents worried about the difficulty and cost of overhauling encryption systems and replacing them with new ones. Many also worried about the cost of addressing attacks. It’s true – responding after an attack can be expensive but saving post-quantum protection until after an attack is not recommended.
Quantum Key Distribution (QKD) has been hailed as a potentially effective solution to quantum threats. It is apparently unbreakable, even by a quantum computer.
In QKD, millions of photons – each with a random quantum state – are shot through a fibre optic cable from sender to receiver. The receiver then allocates those photons to a beam splitter, guessing what the correct allocation may be. The receiver relays that information back to the sender and the initial sender responds, telling them what the actual allocation should look like. The photons that were incorrectly placed are thrown away and the ones that were correct form a new key. The unpredictability of that resulting key ensures its secrecy.
Furthermore, because of the unique sensitivity of photons – any party that attempts to steal the data being exchanged will change the data itself. The ensuing change will alert the sender and receiver and the key that was in the process of being made will be thrown out.
QKD systems have found homes at well-funded laboratories, the faculties of elite universities and government departments. DARPA, Los Alamos National Laboratory and the University of Bristol all have one. But the time and expense involved in constructing and maintaining them has proved prohibitive to pretty much anyone else and they’ve yet to be rolled out on a wide commercial basis.
The UK’s National Cybersecurity Centre (NCSC) declared that Public Key Cryptography may well offer a more cost-effective solution to this mounting threat. As the NCSC’s whitepaper on the subject says – “software or firmware implementations of post-quantum cryptography should be easier to develop, deploy and maintain, have lower lifecycle support costs and have better understood security threats than QKD-based solutions.”
Public Key Infrastructures (PKIs) seem like a comparatively easy way to adapt to the quantum landscape. PKIs have already been in wide use in webPKI for decades and are increasingly being deployed to help protect problem-ridden IoT networks and provide strong enterprise authentication level. When it comes to quantum, the cryptographic protocols that PKI protects connections with can be complemented with post-quantum cryptographic (PQC) algorithms.
But PKIs on their own won’t be enough, they’ll need to be crypto-agile enough to swap out cryptosystems quickly and easily. As it stands, many enterprises don’t know how many certificates they hold, how they use their keys, or where they reside. Those questions and more will have to be answered if enterprises want to progress on to the next step. Once they have a handle on their PKIs, enterprises can then move to automate systems to effectively discover, remediate, revoke, renew and reissue certificates as well as manage keys. This will all go towards letting your PKIs swap between PQC algorithms on the fly – otherwise known as – crypto-agility.
This initial investment can have long-term benefits in protecting against the losses a quantum vulnerable organisation is sure to face. The cost of becoming crypto-agile, overhauling current encryption systems and preparing for quantum threats is a factor. However, the cost of waiting until quantum attacks surface will be much higher.
Cyber-crime damages are expected to top US$6 trillion in 2021, twice what they cost the world in 2015. When quantum arrives, who knows where that number will top out.
If enterprises are worried about the cost of quantum defence now, just wait until they get the receipt for a quantum breach.