How to Fight the Coming Quantum Data Decryption Threat
Is quantum computing 15 years away? Twenty? Is a nation state or threat actor secretly already using it? Are threat actors already capturing and storing your data, hoping some of it will still be useful when quantum computers enable them to decrypt it?
We don’t fully know the answer to these questions, but we do know one thing – the time to start preparing for quantum computing threats is now.
The Threats that Lie Ahead
To understand what you can do about quantum threats, it’s important to understand the nature of the threat in the first place.
Today, most companies rely on either of two types of encryption: asymmetric or symmetric.
Asymmetric encryption relies on a public key and a private key, and can only be broken by factoring very large numbers into their prime factors – something today’s computers can’t do efficiently. Breaking these keys is so difficult that VPNs, Internet traffic (SSL/TLS), and Amazon and bank purchases all rely on this type of encryption. But quantum computers will not have the same limitations, and researchers have found at least one method for quantum computers to break asymmetric encryption in a reasonable time period.
Symmetric encryption uses the same key to both encrypt and decrypt the data. In this form of encryption, outside of implementation errors, the only known way to break it is through a brute force attack, which would currently take so long that it would be infeasible. But quantum computers will eventually be able to conduct brute force attacks on symmetric encryption more rapidly, putting this encryption choice at risk.
When to Prepare
NIST (National Institute of Standards & Technology) points out that we can make a strategic choice on when to worry about quantum computing by looking at three questions:
- How long does my encryption need to be secure (x years)? For example, credit card data may have a shelf life of several years while transactional data is not of value to thieves for more than a few minutes. Returning to the question of whether thieves are stealing this type of data for future use, the answer is likely yes. Sensitive data with a far-off expiration date is a future goldmine for criminals who crack the quantum computing code.
- How long will it take to re-tool my existing infrastructure with a quantum-safe solution (y years)? Every company’s “crypto-agility” is different – if you’re currently using encryption technologies that are rarely updated, it will take you much longer to re-tool into a quantum-safe solution when the time comes.
- How long will it be until a large-scale quantum computer is built (z years)? We don’t know the answer to this exactly, but let’s assume it’s in the next two decades.
NIST says if x + y > z for your company, then you should start taking steps to prepare now.
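The x + y > z test can be run across an encryption inventory together with the asymmetric and symmetric threat types described earlier. The following is an added example, not code from NIST or from the author; the asset names, the sample inventory, z = 15 years and the 128-bit policy floor are assumptions made for illustration.

```python
from dataclasses import dataclass

# Shor's algorithm breaks the factoring and discrete-log problems behind
# these families; Grover's search roughly halves a symmetric key's strength.
ASYMMETRIC = {"RSA", "DH", "ECDH", "ECDSA"}
PRIORITY = {"migrate now": 0, "plan migration": 1, "ok": 2}

@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    shelf_life_years: float   # x: how long the data must stay secret
    migration_years: float    # y: time needed to re-tool this system

def post_quantum_bits(asset):
    """Effective strength against a large-scale quantum computer."""
    if asset.algorithm.upper() in ASYMMETRIC:
        return 0
    return asset.key_bits // 2

def triage(assets, z_years, min_bits=128):
    """Apply x + y > z to each asset; min_bits is an assumed policy floor."""
    rows = []
    for a in assets:
        margin = z_years - (a.shelf_life_years + a.migration_years)
        weak = post_quantum_bits(a) < min_bits
        if weak and margin < 0:
            action = "migrate now"       # x + y > z and the algorithm falls
        elif weak:
            action = "plan migration"
        else:
            action = "ok"
        rows.append((a.name, action, margin))
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], r[2]))

# Constructed sample inventory (not real systems).
SAMPLE = [
    Asset("vpn-gateway", "RSA", 2048, 5, 3),
    Asset("card-vault", "AES", 128, 10, 6),
    Asset("health-records", "RSA", 3072, 25, 3),
    Asset("cold-archive", "AES", 256, 25, 2),
]

if __name__ == "__main__":
    for name, action, margin in triage(SAMPLE, z_years=15):
        print(f"{name:15} {action:15} margin={margin:+} years")
```

A negative margin means the data will still need protection after the assumed arrival of a large-scale quantum computer, which is why long-lived records sort ahead of short-lived traffic.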
How to Prepare
One obvious way to improve your security is to start using the largest key sizes available. There’s also a better encryption option for defeating quantum attacks – double encryption. Encrypting your data at the disk or block level and again at the file system level ensures it’s protected whether it’s at rest or in motion, even from quantum computers.
Why? A computer that’s performing an attack doesn’t succeed when it finds the right key – it succeeds when it recognizes it’s found the right key. Without that recognition, it will continue sifting through options, trying to separate the wheat from the chaff. With double encryption, if a computer breaks the first encryption level, the data still appears just as encrypted as before. It looks like chaff.
Double encryption is widely available today. The only reason more companies don’t use it is that they don’t have solutions that enable them to easily manage double encryption for the entire enterprise. It’s essential to have one dashboard that controls both encryption levels so you can have a coordinated recovery process – otherwise, it’s too easy to lock yourself out of your own data.
If you’re not yet familiar with the term “crypto-agility,” you soon will be. It refers to the ability to change what encryption is applied to which file or network session, to easily change the algorithm, and to manage, control and tune an enterprise’s encryption. Crypto-agility is not only going to be a plus in the coming quantum era – it’s going to be necessary for survival.
Ask yourself, if tomorrow a major company or nation state announced it had successfully created a quantum computer, how long would it take you to update your protection? Set up systems and approaches today that will make it easier to adjust and update tomorrow as new technology arrives.
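One way to build the crypto-agility described above is to have every encrypted record carry the identifier of the algorithm that produced it, so the write algorithm can be changed in one place and old records re-encrypted in bulk. This is an added example, not code from the article or from any product; ALGS, POLICY, seal, unseal and migrate are hypothetical names, and the cipher is a standard-library stand-in (SHAKE-256 keystream with an HMAC tag) used only so the example runs offline.

```python
import hashlib, hmac, os

# Hypothetical registry: algorithm id -> (name, key length in bytes).
# Production code would register vetted AEAD ciphers here, not the stand-in.
ALGS = {1: ("legacy-128", 16), 2: ("current-256", 32)}
POLICY = {"write_alg": 2}            # the single switch an operator changes

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key, nonce, data):
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, plaintext, alg_id=None):
    """Encrypt under the policy's algorithm; the header records which one."""
    alg_id = alg_id or POLICY["write_alg"]
    key = keys[alg_id]
    if len(key) != ALGS[alg_id][1]:
        raise ValueError("wrong key length for " + ALGS[alg_id][0])
    nonce = os.urandom(16)
    body = bytes([alg_id]) + nonce + _keystream_xor(key, nonce, plaintext)
    # The tag covers the algorithm id, so the header cannot be rewritten
    # to make the reader use a different algorithm or key.
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def unseal(keys, blob):
    """Decrypt by dispatching on the algorithm id stored in the header."""
    alg_id, nonce, ct, tag = blob[0], blob[1:17], blob[17:-32], blob[-32:]
    if alg_id not in ALGS or alg_id not in keys:
        raise ValueError("unknown or retired algorithm id")
    key = keys[alg_id]
    expect = hmac.new(_subkey(key, b"mac"), blob[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)

def migrate(keys, store):
    """Re-encrypt every record not already under the current write algorithm."""
    moved = 0
    for name, blob in store.items():
        if blob[0] != POLICY["write_alg"]:
            store[name] = seal(keys, unseal(keys, blob))
            moved += 1
    return moved
```

Once migrate reports zero remaining records, the old key can be dropped from the key set, after which any leftover blob under the retired algorithm is rejected instead of silently accepted.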
There’s still a great deal of mystery surrounding the future of quantum computing, but what you can be absolutely sure of is that the race is on. Get one step ahead by launching your quantum security strategy right now. There are too many threat actors counting on your procrastination.
Chris Burchett is vice president, client security software, at Dell.