Paul Germain, CEO, Certification Networksexplains the risks associated with pooled cryptography strategies and the importance of cryptographic hashing in reducing criminal data exposure in a post-quantum world.
It is now inevitable that the encryption algorithms used to secure vital data around the world – from defense and banking to infrastructure and air travel – will be hacked. With the escalation of computing power enabled by quantum technology, the question is not if, but when the potentially devastating breaches will occur.
With “harvest now, decrypt later” hacking strategies currently underway, criminals are relying on the power of quantum computing to allow them to unlock massive data resources. The onus is on companies not only to consider the future quantum threat but to determine how best to protect current resources today.
Here, I explain the risks associated with bulk encryption strategies and the importance of cryptographic hashing in reducing criminal data exposure in a post-quantum world.
Quantum computing is getting closer than ever to reality, with venture capitalists Investing nearly $1.02 billion in quantum computing startups in 2021 alone. While there is great excitement about the incremental change in AI performance, there are issues such as the power of quantum computing that can be unleashed – and the security implications of which are potentially devastating.
Globally, security experts expect quantum computers to threaten to break the asymmetric encryption used to secure everything – from defense to infrastructure. While it would take billions of years for classical computing power to implement Shor’s algorithm, which has been shown to break current cryptographic strategies, the arrival of a quantum computer of sufficient size and complexity is a game-changer.
For companies that review security strategies, this quantitative post-security threat is not in the future; It’s not about thinking about how to respond when quantum computing becomes available. Criminal organizations globally embark on mass data collection and breach plans today on the grounds that although the information cannot be immediately decrypted, at some point in the future, access to the power of quantum computing will unlock these information resources. Systems are at risk – not in the future, but today.
time and data
While security bodies around the world, including Open SSL, They are working hard to develop new quantum-proof algorithms, and no organization can wait. Moreover, changes must be made that can be made today to protect existing data resources and reduce the decryption risks posed by quantum computing. What is required is a change in mentality and a change in technical approach to the solutions already available.
A key step is to reduce the value of “harvest now, decrypt later” strategies by reducing the amount of “usable” data collected during a hack. During several recent attacks, criminals have been able to spend months collecting data – and despite encrypting it, they have had time (often months) to access huge data sets. This enabled them to form enough knowledge about the encryption algorithm being used to know that once they had the opportunity to use quantum computing, they would be able to crack the key and gain full access to the entire data source.
Today’s priority is to put in place data security policies that radically reduce the time and data available to criminals.
Many organizations have begun to adopt micro-segmentation as part of their data security policies. While this is a step in the right direction, unless they are also implementing encryption, in the end, data collection is still a very real threat.
It is also necessary to recognize the inherent risks associated with the bulk encryption model: using the same encryption key, however strong, to protect all data resources is not a strong policy. Once in, the criminal has one set of data to work with, and one encryption key for identification.
However, the concept of cryptographic hashing is based on a more nuanced approach to data protection, defining different data classes for each data type and protecting each class using its own encryption strategies, algorithm and encryption key.
In addition to creating multiple data classes, regular rotation of the encryption keys used for each class will greatly limit a criminal’s time with any data set. If the keys are rotated every hour, for example, anyone capturing the data has minutes, not months, to work on a data set. This means minutes to understand the data; To determine which data packets belong to a data classification, group the data sets together to create a sample; Determine the encryption strategies used for each data class and then reverse engineer the keys. In addition, with very small sample sizes in each data class, it becomes very difficult to crack the used keys.
Incorporating new standards
The next generation of post-quantum cryptographic strategies is being developed. But this is a challenge that will never go away – especially for security agencies that have been required to keep data for decades. With the exponential growth in computer power, it will be easy to crack tomorrow’s leading algorithm in five, ten or twenty years – no matter how clever the algorithm is, no organization can risk relying on a single encryption key.
Mass encryption is inherently flawed, which means that organizations must maximize the value of a set of standard encryption algorithms. The use of cryptographic hashing and key rotation is an important step, which greatly increases protection against a quantum threat even with current cryptographic algorithms. When new post-quantum cryptographic standards are introduced, they can be incorporated into this model to maximize the protection of the organization.
Cryptographic strategies need to be updated now
This threat is not in the future. It happens today. “Harvest now, decode later” violations occur at the moment. Quantum computing services in the cloud give criminals the opportunity to purchase a slice of quantum energy. Algorithms will continue to evolve and improve; Criminals will continue to gain access to more powerful computers. By creating multiple data classes and using regular alternation of keys, it is not only difficult to decipher the limited data set, but it is also likely to provide a much lower value; The value is outweighed by the enormous cost of quantum computing power.