Post-quantum computing security
|Richard Harris in Security Wednesday, November 6, 2019|
Post-quantum computing security is speculative at best because there aren't that many quantum computers in place - yet. Tim Hollebeek with DigiCert talks with ADM about their new survey, and what security might look like after quantum computing hits the mainstream.
There is a brewing fear about Quantum computing because of the power behind moving quantum bits around in such blinding speeds that some say, will instantly break every encryption algorithm on the Internet today. DigiCert Inc. has released the results of a new survey titled, "Quantum's Peril & Promise" that highlights the quantum computing security concerns. NIST and many other leaders predict that future quantum computers will, likely within the next decade be able to break today's most sophisticated encryption algorithms, leading to profound security issues. We recently had a conversation with Tim Hollebeek, Industry and Standards Technical Strategist at DigiCert regarding their recently announced survey, and just how scary a post-quantum world might look.
ADM: An interesting survey from DigiCert regarding the post-quantum computing security implications. But first, we have to ask, isn't quantum computing years away?
Hollebeek: Although the mass adoption of quantum computing is still on the horizon, we have seen some big breakthroughs just this year. In January, IBM introduced the world's first circuit-based commercial quantum computer, the IBM Q System One. This past October, Google's quantum computer performed a task that isn't possible with traditional computers. Both are milestones in bringing quantum technology out of the lab and into production environments. Recent studies from the National Academy of Sciences report that although RSA and ECC algorithms are safe for now, a powerful quantum computer could break even a sophisticated 2048-bit RSA key in just a few months. It will take substantial time to develop, standardize, and deploy post-quantum cryptographic techniques, so the time to start transitioning to a quantum-safe future is now.
ADM: Is there any particular aspect of post-quantum computing that your survey examined?
Hollebeek: The survey focused very much on gauging awareness and strategies for the coming post-quantum environment. The industry studies are telling us that, to be fully protected, businesses must begin to address the quantum computing threat today. But how much do enterprises even know about Post Quantum Cryptography (PQC)? How should they prepare? And what steps should they take?
ADM: How does this impact DevOps?
Hollebeek: Like most organizations, DevOps will need to revisit security as it prepares to take advantage of all that quantum computing has to offer. These teams will need to adjust their cultural mindsets, implement best practices, and acquire technology that will enable them to support quantum cryptography.
DevOps teams will also need to plan to transition existing cryptography to post-quantum algorithms—without impacting development lifecycles and their ability to meet business objectives. One of the best strategies for protection is to build crypto-agility deep the infrastructure, using an automated public key infrastructure (PKI) platform. This approach ensures that software updates are automatically protected with secure communications and code signing throughout the enterprise. It lets organizations not only current crypto algorithms, but also future quantum crypto algorithms, and toolkits for encryption, such as OpenSSL.
ADM: Who did you survey?
Hollebeek: DigiCert commissioned ReRez Research, of Dallas, Texas, to survey IT professionals within 400 enterprises of one thousand or more employees in the US, Germany, and Japan. The respondents were split between IT directors, IT security managers, and IT generalists. The survey focused on four key industries, including financial, healthcare, transportation, and industrial organizations.
ADM: What was your most interesting finding from the survey as it applies to DevOps?
Hollebeek: The perceived urgency of the threat was among the most interesting findings as it relates to DevOps. The median prediction for when PQC would be required to combat the security threat posed by quantum computers was 2022. So nearly everyone feels they will still be working at their company when the threat becomes real. Just one in four (26 percent) say PQC will take until 2025 or beyond to arrive.
Since DevOps is already moving at high speed to keep pace with digital transformation, that means the pressure is on to respond proactively to the imminent threat, but do so without disrupting its regular cadence of deploying packages and software updates.
ADM: Did any finding surprise you?
Hollebeek: One unusual finding was that although general awareness of PQC is high, when we gave participants a multiple-choice question asking what, precisely, PQC referred to, less than two-thirds choose the correct response. Even more, telling was that more than half (59 percent) claim to be deploying hybrid (PQC plus RSA/ECC) certificates today. That's unlikely, as PQC certificate availability today is limited to early testing situations. However, these findings were understandable, because, as is usually true with complex new technologies, general awareness comes well before mastery of the nuanced details.
ADM: What should DevOps teams do to prepare their environments for post-quantum computing?
Hollebeek: Based on survey results, we have identified three key recommendations for companies ready to start planning their strategies for securing their organizations for the quantum future.
First, organizations should know their risk and establish a quantum crypto maturity model. They should also take steps to evaluate and understand the importance of crypto-agility in their organization and establish it as a core practice.
Finally, they should work with leading vendors to establish digital certificate best practices and ensure they are tracking PQC industry progress to help stay ahead of the curve, including their products and solutions. Change rarely happens quickly, so it's better not to wait, but to address crypto-agility now.
About Timothy Hollebeek
Timothy Hollebeek has more than 15 years of computer security experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He remains heavily involved as DigiCert’s primary representative in multiple industry standards bodies, including the CA/Browser Forum, striving for improved information security practices that work with real-world implementations. A mathematician by trade, Tim spends a lot of time considering security approaches to quantum computing.