Key Points:
- Quantum computers capable of breaking modern cryptography are close enough to begin planning for it
- Cloud Security Alliance has built a countdown timer to “post-quantum”
- Planning now involves implementing better-than-best practices for algorithms and certificates
Still a Future Problem?
It’s easy to push this problem to the back burner, because quantum computing has continued to be a technology that’s perpetually on the horizon; always talked about but never realized in contemporary tech. But the idea seems harder to ignore now that a specific date has been predicted for the event.
Where did this come from? A bold prediction from Cloud Security Alliance, an “organization that defines standards, certifications and best practices for cloud computing security, says its website will feature a Year to Quantum (Y2Q) countdown clock to serve as a reminder of the need to find and implement new security solutions.” [1]
This might bear some resemblance to the Y2K situation that steadily ramped up to a fever pitch in 1999. Thousands of organizations scrambled to patch systems ahead of January 1, 2000 when the famed date-time datatype bug was predicted to wreak havoc on the world by breaking systems that weren’t designed to handle the distinction between 2 and 4-digit year values. We expected that ancient mainframes would begin dividing by zero and take the power grid down.
But this problem of quantum computers breaking crypto is undeniably worse. Unlike Y2K where the unrealized risk involved systems halting or malfunctioning, the loss of privacy from broken crypto would not be a sudden occurrence. It would be surreptitiously effected by unobtainable weapons of brute force, reserved for nation-states with the resources to develop them. It would happen quietly but the consequences would be severe: espionage, cyber warfare, and chaos inflicted on infrastructure by an enemy who can do the unthinkable: break keys and certificates in a short time.
What’s Behind the Prediction?
Cloud Security Alliance (CSA) self-describes as “the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.”[2] They offer courses and certificates in various cloud security topics and host a deep well of research on security topics contributed by authors from across the industry.
It’s unclear the research or the science incorporated by CSA into the estimated post-quantum date of April 14, 2030 from their countdown timer—it’s not attributed. But digging through their Research section turned up some great reads from the Quantum Security category like “Practical Preparations for the Post-Quantum World” from October 2021 and “Preparing Enterprises for the Quantum Computing Cybersecurity Threats” from May 2019.
The consensus is that the current cryptographic algorithms of RSA, Diffie-Hellman (DH), and Elliptic Curve ubiquitously used to secure network connections (TLS/HTTPS) for email, web browsers, or access keys will be susceptible to being broken by quantum brute force within 10 years. It’s only a prediction, but by the time it’s proven it will be too late to prepare.
Planning for Post-Quantum Security
Earlier this year, we ran a piece titled “What You Need to Know About Shrinking Certificate Lifespans” which makes essentially the same point: we’re getting closer to a time when certificate renewal intervals will continually shorten to stay ahead of the threat of quantum attack, perhaps to as short as 1 day.
The two main strategies for preparation, using technology that we have now, are:
- Adopt stronger algorithms.
Quantum computers utilizing an algorithm called Shor’s Algorithm can quickly factor math equations that involve large prime numbers, which are what make traditional public key cryptography an effective tool. The only method to counter this increase in brute force power is to increase bit length of the hash or utilize a more quantum-resistant algorithm that’s tougher to factor. Read the linked white papers from CSA above on preparing for a post-quantum world, they’re a much deeper dive packed with useful details. - Shorten key/certificate intervals
Since the target of brute force methods for breaking cryptography are keys and certificates, an effective strategy is to just rotate them more often. We anticipate that this interval, which previously had a reasonable lifespan of up to a year, will be shortened to days and eventually hours. Since it’s not feasible for human administrators to manually perform rotations, it must be automated. Luckily, the tools we have these days for scriptable infrastructure make it an exercise in configuration to cycle out old certificates on a set interval. - Build a strategy
Anyone who’s been in IT and infosec for any period of time knows that institutional changes happen slowly. It’s taken 20 years for the world to achieve the level of encrypted communications we have today. To retrofit that with new tools will easily take another 10, which puts us right at the prediction date for post-quantum. Start planning for more stringent crypto standards now.
Sources
- Cloud Security Alliance | About Us
https://cloudsecurityalliance.org/about/ - Post-Quantum Countown Timer: CSA
https://cloudsecurityalliance.org/research/working-groups/quantum-safe-security/ - Research Publications: CSA
https://cloudsecurityalliance.org/research/artifacts/?term=quantum-safe-security