Post-Quantum Computing Is Coming – Is Your Security System Up to it?

Nils Gerhardt, CTO at Utimaco, explains that while we cannot predict exactly when digital crime will become a threat, we can take steps to ensure protection.

Sooner or later, companies will all have to adapt to security in an age of quantum computing.

IBM recently launched ‘Eagle’, a working quantum computer with 127 quantum bits, while China produced two quantum computers. Even the slowest of these new machines can out-perform conventional supercomputers, putting at risk the encryption techniques on which current digital security is built.

Quantum computers are tricky to manufacture, so we cannot predict exactly when digital crime will become a threat, but we can realistically expect that most companies will have at least five years to prepare. Bear in mind that once quantum computers are powerful enough to break the encryption used today, it is not only future data that can be revealed. The same applies to any past data that was intercepted and stored by attackers, and digitally signed contracts could be re-written. It may also be possible to steal data today and decrypt it later when the technology is available.

While you likely have several years to prepare, it could equally take time to prepare your security so that it is up to scratch for a new generation of cyber-threats. So, what needs to be done in order to prepare effectively?

How Quantum Computing Will Impact Businesses

The technology behind quantum computers is only available in prototypes at present, but we have a good idea which algorithms are less secure and which will not be secure at all. The US’s National Institute of Standards and Technology (NIST) is currently conducting rounds of tests to create an official list of quantum-safe algorithms, and there are companies that already offer hardware security modules (HSMs) with firmware that supports algorithms that are compatible with the ongoing NIST standardisation process.

Businesses will need to understand which of their data needs protecting and what will be worthless to cybercriminals, which will determine where post-quantum cryptography (PQC) and conventional cryptography can be used. Once this has been done, a proof-of-concept that uses PQC or hybrid methods to protect data can be created before a plan is put in place to roll it out across a company’s digital assets.

For some systems it will be a case of simply switching from using one method to another – Transport Layer Security, for instance, can be made quantum-resistant, and post-quantum cipher suites are already available in Amazon Web Services. This will mean that information in transit, for example credit card details being sent from a customer to an e-commerce retailer, should be securable in any future transactions. Legacy systems, however, might need to be significantly upgraded or replaced, and fully rolling out quantum security over an organisation could take years to complete in some cases.

Without adequate preparation for post-quantum security, attackers could access credit card information, steal encrypted patient data or compromise the security of blockchain-based technologies like cryptocurrency. Digitally signed documents created before a switch to quantum-resistant algorithms would also be vulnerable, potentially invalidating millions of legal agreements unless they could be re-signed by both parties in a format that has better security. Even blockchains, which power the $2 trillion (£1.5 trillion) cryptocurrency market and an increasingly large number of other applications, could be vulnerable to quantum computers.

Preparing to Transition

Some sectors like the automotive industry have already started to use post-quantum security, while others like defence and energy are likely to have already made the change towards becoming ‘crypto agile’ – able to change the cryptographical systems they use when required.

If your company hasn’t implemented quantum-resistant security yet, how can you go about it? Because the threat is at an indeterminate point in the future, and we still don’t know exactly what quantum computers will be capable of, it can be daunting to transition an organisation to quantum-resistance.

The starting point will be to conduct an audit of every instance of cryptography that a company uses and a classification of data that considers what protection is needed and for how long. Businesses will need an overview of how each item is secured and which cryptographic methods are used for ‘moving’ information being transmitted to and from the organisation.
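The audit and classification described above can be sketched as a small triage script. This is an added example, not code from the author or from Utimaco: the field names, the five-year horizon (taken from the article's estimate) and the 128-bit strength target are assumptions, and the inventory is constructed sample data.

```python
from dataclasses import dataclass

# Public-key schemes broken outright by Shor's algorithm on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# Symmetric ciphers: Grover's search roughly halves the effective key strength.
GROVER_HALVED = {"AES", "CHACHA20"}
MIN_EFFECTIVE_BITS = 128   # assumption: target post-quantum strength
HORIZON_YEARS = 5          # assumption: planning horizon taken from the article

@dataclass
class CryptoUse:
    system: str         # where the cryptography is used
    algorithm: str
    key_bits: int
    protect_years: int  # how long the data or signature must stay trustworthy

def classify(use):
    alg = use.algorithm.upper()
    if alg in SHOR_BROKEN:
        return "broken"
    if alg in GROVER_HALVED:
        return "ok" if use.key_bits // 2 >= MIN_EFFECTIVE_BITS else "weakened"
    return "unknown"

def action(use, horizon=HORIZON_YEARS):
    status = classify(use)
    if status == "broken":
        # Data that must outlive the horizon can be captured now and read later.
        return "migrate now" if use.protect_years > horizon else "plan migration"
    return {"weakened": "raise key size", "ok": "keep", "unknown": "review"}[status]

def triage(inventory):
    order = ["migrate now", "plan migration", "raise key size", "review", "keep"]
    rows = [(action(u), u.system) for u in inventory]
    return sorted(rows, key=lambda r: order.index(r[0]))

# Constructed sample inventory, not taken from any real organisation.
INVENTORY = [
    CryptoUse("web checkout TLS key exchange", "ECDH", 256, 1),
    CryptoUse("patient records archive", "RSA", 2048, 25),
    CryptoUse("signed contracts", "ECDSA", 256, 10),
    CryptoUse("backup volumes", "AES", 128, 7),
    CryptoUse("database at rest", "AES", 256, 7),
    CryptoUse("legacy VPN appliance", "vendor-proprietary", 0, 3),
]

if __name__ == "__main__":
    for act, system in triage(INVENTORY):
        print(f"{act:15} {system}")
```

Entries with an unrecognised algorithm are flagged for review rather than assumed safe, which is the behaviour an audit needs for legacy or proprietary systems.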

Crypto-Agility Is Key

Although we don’t fully know when security threats from quantum computing will appear, its capabilities are well understood. This means that we can prepare for post-quantum security now and introduce crypto-agility that allows for the switching of encryption technology to whatever is most appropriate in a given scenario. HSMs are one example of how quantum-resistance is available today. When combined with a thorough understanding of what is and isn’t quantum-resistant in a company’s infrastructure, it will be possible for any company to secure itself, and the data that must stay secure decades into the future, long before quantum computing enters the mainstream.

By Nils Gerhardt, Chief Technology Officer at Utimaco.

Utimaco is a platform provider of cybersecurity and compliance solutions and services.

Guest Contributor