
31 May
Encryption in a Quantum Computing World




By Anthony Monas, CTO
With current investments and advancements in quantum computing, industry experts are sounding the alarm and estimating that, within roughly 10 years, a cryptographically relevant quantum computer could break the public-key algorithms (RSA, Diffie-Hellman, elliptic-curve) that protect most of today's traffic and that are currently considered unbreakable. (Symmetric ciphers and hash functions are weakened less: Grover's algorithm only halves their effective key or digest length, so AES-256 and SHA-256 remain sound at larger parameters.) In November 2022, the White House Office of Management and Budget released memorandum M-23-02, Migrating to Post-Quantum Cryptography, directing the heads of executive departments and agencies to prepare now for a post-quantum cryptography (PQC) world and to incorporate crypto-agility* into their Zero Trust Architecture planning.
While 10 years might seem like quite a bit of time from now, it will be here before you know it.
Major cloud providers such as AWS, Azure, and Google Cloud all have quantum computing options and companies are already taking advantage of them. In 2020, Volkswagen invested in solving the automotive binary paint shop problem (BPSP) using AWS Braket, and BMW hosted a Quantum Computing Automotive Challenge in 2022. Academia is also showing momentum surrounding the applied use of quantum computing, with Qiskit being downloaded over 100,000 times in April 2023. With interested parties across industry and academia investing time and money into the success of quantum computing, it is a technology movement that is simply waiting on a few key breakthroughs to start the quantum computing revolution.
System Encryption Implications
From browsing the web over HTTPS to encryption-at-rest disk storage and everything in between, encryption today is ubiquitous. While crypto-agility is gaining traction as PQC implications continue in the spotlight, it is not a new concept and should be intentionally designed into your overarching technology security posture. This sound cybersecurity practice will help to both protect you against today’s cybersecurity threats as well as those in a PQC world.
Given how many areas of a system use some form of cryptography, mitigating the risk across a vast catalog of primitives and algorithms can be daunting. For example, working through the layers of a simple web application yields numerous areas where crypto-agility is paramount to a robust cybersecurity posture. Let's assume this simple web application is hosted in AWS, runs Django as its application server, and uses Amazon RDS for PostgreSQL as its data source. All resources are deployed in a single AWS region within a single AWS availability zone (remember we said "simple" and not necessarily the right way!).
- At the lowest level, within the bounds of AWS, there is network encryption in play for VPC network communications. As a customer, this is out of your control, and you are reliant on AWS' internal crypto-agility. (This is also why a layered, multi-strategy approach to encryption is necessary: you cannot swap out what you do not own.)
- Then, when we look at the EC2 instance running Django and the RDS instance running PostgreSQL, there are customer-controlled encryption-at-rest decisions to be made: AWS Elastic Block Store (EBS) encryption for the instance volumes and RDS storage encryption, both backed by keys in AWS Key Management Service (KMS). Which key, who can use it, and how it rotates are your configuration choices.
- We then must consider the communications between Django and RDS and ensure the connection is actually encrypted and authenticated, not merely available over TLS: on the RDS side, require TLS with the rds.force_ssl parameter; on the Django side, connect with sslmode=verify-full and the RDS CA bundle so the client also verifies the server certificate. Within PostgreSQL, this example also holds two kinds of password material, and neither is "encrypted" in the reversible sense: the Django database role's password, which PostgreSQL stores as a SCRAM-SHA-256 (or legacy MD5) hash in its catalog, and the application end-users' passwords, which Django stores as salted, iterated password hashes (PBKDF2-SHA256 by default) in a database table.
Even in this simple example, where we have not yet begun talking about client connections to our application (web HTTPS traffic, administrator SSH traffic, authentication and authorization for Terraform/Jenkins automated deployments, etc.), we've already cataloged multiple symmetric, asymmetric, and hash primitives, along with a wide variety of algorithms in use.
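The password-hash layer above is the place where crypto-agility is easiest to see end to end, so here is an added, runnable illustration of it (constructed for this page; it is not Criterion's code and not Django's, though it copies the shape Django uses for stored passwords). Each stored value carries its own algorithm name and parameters, so the verifier dispatches on the prefix, a new default can be switched on with a configuration change, and rows are upgraded one by one as users log in, with no password reset and no outage. The iteration and scrypt parameters are illustrative assumptions, not recommendations, and `UserStore` is an in-memory stand-in for the users table in RDS.

```python
import base64
import hashlib
import hmac
import os

# Constructed, stand-alone illustration (not Criterion's or Django's code). It copies
# the shape Django uses for stored passwords: "<algorithm>$<params>$<salt>$<hash>".
# Because the algorithm name travels with the hash, the verifier can dispatch on it,
# and a new default can be rolled out while old rows keep working until rehashed.

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.b64decode(text)

class PBKDF2SHA256Hasher:
    """The 'legacy' algorithm in this example; the iteration count is an assumption."""
    algorithm = "pbkdf2_sha256"
    iterations = 600_000

    def encode(self, password: str, salt: bytes) -> str:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)
        return f"{self.algorithm}${self.iterations}${_b64(salt)}${_b64(digest)}"

    def verify(self, password: str, encoded: str) -> bool:
        _, iterations, salt, digest = encoded.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _unb64(salt), int(iterations))
        return hmac.compare_digest(candidate, _unb64(digest))

    def must_update(self, encoded: str) -> bool:
        return int(encoded.split("$")[1]) < self.iterations

class ScryptHasher:
    """The 'new' algorithm; parameters are illustrative assumptions, not a recommendation."""
    algorithm = "scrypt"
    n, r, p = 2 ** 14, 8, 1

    def encode(self, password: str, salt: bytes) -> str:
        digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=self.n, r=self.r, p=self.p, dklen=64)
        return f"{self.algorithm}${self.n}${self.r}${self.p}${_b64(salt)}${_b64(digest)}"

    def verify(self, password: str, encoded: str) -> bool:
        _, n, r, p, salt, digest = encoded.split("$")
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=_unb64(salt), n=int(n), r=int(r), p=int(p), dklen=64)
        return hmac.compare_digest(candidate, _unb64(digest))

    def must_update(self, encoded: str) -> bool:
        return int(encoded.split("$")[1]) < self.n

# Registry of algorithms the application still accepts. Removing an entry retires the
# algorithm: rows that still use it fail verification instead of being guessed at.
HASHERS = {h.algorithm: h for h in (ScryptHasher(), PBKDF2SHA256Hasher())}

class UserStore:
    """In-memory stand-in for the users table in RDS; `preferred` is the rollout switch."""

    def __init__(self, preferred: str = "scrypt"):
        self.preferred = preferred
        self.rows: dict[str, str] = {}

    def create_user(self, username: str, password: str) -> None:
        self.rows[username] = HASHERS[self.preferred].encode(password, os.urandom(16))

    def algorithm_of(self, username: str) -> str:
        return self.rows[username].split("$", 1)[0]

    def check_password(self, username: str, password: str) -> bool:
        encoded = self.rows.get(username)
        if encoded is None:
            return False
        hasher = HASHERS.get(encoded.split("$", 1)[0])
        if hasher is None or not hasher.verify(password, encoded):
            return False
        # The user just proved the password, so this is the one moment the plaintext is
        # available to re-hash with the preferred algorithm (Django upgrades on login too).
        if hasher.algorithm != self.preferred or hasher.must_update(encoded):
            self.rows[username] = HASHERS[self.preferred].encode(password, os.urandom(16))
        return True

def inventory(store: UserStore) -> dict[str, int]:
    """Count rows per algorithm: the catalogue a migration is tracked against."""
    counts: dict[str, int] = {}
    for encoded in store.rows.values():
        algorithm = encoded.split("$", 1)[0]
        counts[algorithm] = counts.get(algorithm, 0) + 1
    return counts

if __name__ == "__main__":
    store = UserStore(preferred="pbkdf2_sha256")   # the state before the migration
    store.create_user("alice", "correct horse battery staple")
    store.preferred = "scrypt"                     # flip the default: no downtime, no reset
    print(inventory(store))                        # {'pbkdf2_sha256': 1}
    store.check_password("alice", "correct horse battery staple")
    print(inventory(store))                        # {'scrypt': 1}
```

Three things in this pattern carry over to every other layer in the catalogue above: the algorithm identifier is stored next to the protected data rather than assumed; a failed verification never triggers a rehash, so an attacker cannot use the login path to downgrade a row; and the `inventory()` pass is what tells you when the migration is actually finished and the old entry can be removed from `HASHERS`. The same dispatch-on-identifier idea is how TLS cipher suites and KMS key identifiers let you rotate algorithms at the other layers.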
Key Questions to Ask
Take a hard look at your IT portfolio and you will most likely find numerous systems, some critical, that have been around for 5-10 years or more. This is particularly true for the Federal Government. Will these systems be ready for a PQC world? What about the systems you are deploying this year?
Consider our simple encryption example above: Have you catalogued each of these layers for your systems? Can you swap out the algorithm at each one without impacting the business functions of your systems?
While crypto-agility will help to address and mitigate immediate cybersecurity threats in a non-quantum computing world, what about bad actors storing encrypted data now with the intention of decrypting it in a PQC world (the "harvest now, decrypt later" threat)? This thought could be coined as the Schrödinger's Data paradox: the data an attacker steals today, encrypted with industry-standard algorithms, cannot be decrypted now, but we do not know whether it will become decryptable in the future or remain protected forever. The practical caveat is that the exposure is concentrated in data whose protection rests on public-key cryptography, above all recorded TLS sessions whose session keys were negotiated with RSA or elliptic-curve key exchange; data encrypted at rest under a 256-bit symmetric key is not at practical risk from Grover's algorithm. That is why key exchange and signatures, not symmetric ciphers, are the first things to migrate.
Questions such as these, in a PQC world, have very real policy implications today. For example, do we need to notify customers that their encrypted PII was stolen and that at some point within 10 years it may be decrypted and exposed through quantum computing?
Criterion’s Expertise Provides Answers
Intentional cybersecurity control design and implementation is a fundamental capability here at Criterion and foundational to all our service capabilities. We support a wide spectrum of systems implementations and use security-by-design in all aspects of our engagements, including crypto-agility. Our Solutions Engineering Framework, Cloud Management Framework, and Cybersecurity Framework (including Zero Trust Architecture considerations) provide a multi-discipline approach to mitigating risk across the cybersecurity spectrum. Together, they help to ensure your systems remain secure and ready for the traditional cybersecurity threats of today and tomorrow, along with those that will arise in a PQC world.
*Crypto-agility is a term that is gaining increasing awareness across the technology world. Short for cryptographic agility, it is a term that represents a system's ability to change quickly between cryptographic primitives (think symmetric ciphers, asymmetric/public-key schemes, and hash functions) and the concrete algorithms that implement them (think replacing MD5 with SHA-256, or RSA key exchange with a PQC scheme) to address cybersecurity threats in a manner that does not disrupt the system's business functions. In practice that means algorithm identifiers, key sizes, and parameters are configuration rather than hard-coded assumptions, and the system can run old and new algorithms side by side during a migration.