Newsletter 6/22/2022
Quantum Computing and the End of Computer Security As We Know It.
I know that I don't have much to give
On May 4, 2022, the Biden Administration released "NATIONAL SECURITY MEMORANDUM/NSM-10." NSM-10 addressed both the coming promise and the very real threat that quantum computing represents. The document "identifies key steps needed to maintain the Nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security." While quantum computing represents an enormous forward leap in the amount of data that can be processed at one time and the calculations derived from that data, such capacity and alacrity of processing will render today's password security model moot.

Quantum computing focuses on developing computer technology based on principles that describe how particles and energy react at the atomic and subatomic levels. Today’s computers encode information in 1’s and 0’s. Quantum computing says that information can be encoded simultaneously in more than one place. While the science is a bit muddy for those who are not quantum theory experts, we can all agree that quantum computing is faster than any other computing technology. In fact, the quantum computer that is in development at Google is 158 million times faster than the world’s fastest computer today.

Digital transformation has already spurred an increase in demand for web designers and developers, and web development is one of the fastest-growing career fields in the United States right now. In the future, quantum computing has the potential to contribute to finance, military intelligence, pharmaceutical development, aerospace engineering, nuclear power, 3D printing, and so much more.

Along with the technological advances promised by quantum computing come real challenges to our current computer security model of encrypted passphrases to verify the identity of a user requesting network access.

Although quantum computers promise revolutionary benefits for many industries, they also pose an existential threat to all sensitive digital information, past and present.
Due to their incredible computing power, these machines will be able to break through the public key encryption standards (RSA and Elliptic Curve cryptography) relied on today by virtually every organization, device and end-to-end encryption service. That’s a big problem for businesses and governments alike.

One reason quantum computers can break a password exponentially faster has to do with the nature of quantum mathematics. Breaking a symmetric code like AES is a matter of searching all possible key combinations for the one that works. With a 128-bit key, there are 2^128 possible combinations. But thanks to a quantum computer's ability to probe large numbers, only the square root of the number of combinations needs to be examined -- in this case, 2^64. This is still a huge number, and AES should remain secure with increased key sizes.
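The square-root speedup described above can be watched on a toy key space. This is an added example, not part of the original post: it simulates Grover's search classically in Python, and the function names, the 8- to 12-bit key sizes and the key values are constructed for illustration.

```python
import math

def grover_search(n_bits, secret_key):
    """Classically simulate Grover's search over a 2**n_bits key space.

    Returns (oracle_calls, probability_of_measuring_secret_key, likeliest_key).
    """
    size = 2 ** n_bits
    amp = [1 / math.sqrt(size)] * size            # equal superposition of all keys
    oracle_calls = math.floor(math.pi / 4 * math.sqrt(size))
    for _ in range(oracle_calls):
        amp[secret_key] = -amp[secret_key]        # oracle marks the key that works
        mean = sum(amp) / size
        amp = [2 * mean - a for a in amp]         # diffusion: reflect about the mean
    probs = [a * a for a in amp]
    likeliest = max(range(size), key=probs.__getitem__)
    return oracle_calls, probs[secret_key], likeliest

def classical_expected_trials(n_bits):
    """Average number of guesses for exhaustive search of 2**n_bits keys."""
    return (2 ** n_bits + 1) / 2

def quantum_security_bits(key_bits):
    """Bits of work left against Grover: sqrt(2**k) == 2**(k/2)."""
    return key_bits // 2

if __name__ == "__main__":
    # Constructed toy keys; real AES key spaces are far too large to simulate.
    for n_bits, key in [(8, 0xA7), (10, 0x2C3), (12, 0xBEE)]:
        calls, p, found = grover_search(n_bits, key)
        print(f"{n_bits}-bit key: classical ~{classical_expected_trials(n_bits):.0f} "
              f"guesses, Grover {calls} oracle calls, P(success)={p:.4f}, "
              f"found={found == key}")
    for k in (128, 256):
        print(f"AES-{k}: about 2^{quantum_security_bits(k)} Grover iterations")
```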
Nevertheless, organizations should begin to transform their security protocols to adjust to what will soon be an even more challenging security environment. Although it is estimated that quantum crooks will be able to easily overcome today's password protocols in maybe 20 years, changes in computing power tend to accelerate with each new advancement.

One method organizations could implement now is to employ an access key regime where the key is replaced more frequently. "Every key, of course, requires a fresh cracking effort, as any success with one key isn't applicable to the next."
Compounding this risk is what researchers call the “catch now, exploit later” threat. Nefarious hackers might intercept secure messages today and then hold onto them until tomorrow, whenever quantum computers are advanced enough to decrypt them.

Although there exist many position papers by various expert individuals and organizations, there is no common agreement on what post-quantum cryptography would look like. Microsoft is working on four different tracks to find the best path to PQC.

Yet, there are some significant roadblocks to development and implementation of PQC. Currently, it is estimated that only 2% of organizations that could develop and implement PQC protocols today are doing so. PQC solutions are more costly to implement, and until sufficient economies of scale are reached, the cost of implementing PQC will be prohibitive. Second, since PQC is technology meant to mitigate future threats, testing PQC protocols cannot be done in a real world environment.

Another barrier to greater adoption of PQC security techniques is the tremendous amount of computing power required by PQC. This is both an issue of costs and practicality. It is costly both in terms of money and time to implement. It is not practical for many entities to retool their networks to accommodate the required investment in hardware, nor do organizations lacking depth of pockets and people have the time or the means to implement new security protocols to counter an unknown future threat. As McKinsey Digital consulting concluded:

Given the risks and costs outlined here, most organizations should take a wait-and-see approach to PQC solutions. The exceptions are organizations and uses for which the stakes for security are particularly high, such as in the defense industry, where even provisional PQC protection for some high-value systems or for data with long lifetimes outweighs trade-offs in cost or performance. Another exceptional circumstance is when it would be more costly or impractical—or impossible—to access and retrofit high-value systems in the future compared with installing some protection today.
Certainly, adoption of PQC is nothing for computer users at the consumer level to be too worried about, at least at the time of this writing. Nonetheless, each advancement in computer technology tends to impact consumers more and more quickly. An organization has been formed that is attempting to address the challenges of identity verification for average consumers. Formed by Google, Apple, and Microsoft, Fast Id Online (FIDO) seeks to find alternatives to the traditional passwords that could be implemented today. The organization is called the FIDO Alliance.
✓ SECURITY KEY, like a USB device that contains the key.
Wait a minute something's wrong baby, — Jimi Hendrix, Red House
Gerald Reiff