Identifying and preparing for future risks is core to enterprise cyber-resilience. But it’s not something that CIOs need to manage alone. Technology vendors can provide insights and intelligence to help organisations identify emerging threats.
HP is a case in point. With cyber security products and services, and the research of the HP Security Lab at HP Labs, it provides IT decision makers with leading-edge technology and services to help keep ahead of threats.
Just one of the many threats currently on its radar is the potential risk that quantum computing presents to cryptography. In particular, the threat is to a type of cryptography called asymmetric cryptography which today’s IT systems rely on massively for the security of data encryption solutions as well as digital signature applications. Many security technologies are at risk including TLS, IPsec, X.509, SSH, and most authentication protocols.
Any potential weakness in cryptography is a global threat. Tommy Charles, chief cryptographer at the HP Security Lab, says: “Losing asymmetric cryptography is analogous to a zero-day attack with the power to break almost every element of the enterprise tech stack, from user authentication and code signing, to encrypted storage and secure network communications. The potential scale of the impact is unlike anything we have seen to date.”
Today’s asymmetric cryptography uses one-way functions to secure data via a public key. The mathematical problems underpinning one-way functions make it practically impossible to reverse the process without access to the private key.
Quantum computing threatens to fundamentally undermine this approach by taking advantage of how subatomic particles behave. What’s more, algorithms designed to run on quantum computers ensure probabilities accumulate while they run, making it possible to crack even the most challenging of mathematical puzzles. And while today’s quantum computers are only making a start, it is expected that the technology will mature and give them the speed and power of calculation to threaten cryptography.
“As quantum computing progresses, cryptographic inversion becomes easier. Threat actors will be able to crunch numbers in huge volumes while also enabling the probabilities for solving the underlying mathematical problem to stack up,” says Thalia Laing, cryptographer and security researcher at the HP Security Lab.
How likely is it that this threat will materialise? According to a survey of quantum experts by the Global Risk Institute, 50% of respondents believe there’s more than a 30% chance of a cryptographically relevant quantum computer being invented by 2032. For Charles, this is a risk no business should take: “no matter how you look at it, there’s a significant chance that the cryptography your business relies on most is going to be broken. Businesses have an imperative to act,” he says.
Fortunately, progress is already being made in the area of new, quantum-safe encryption standards. The US’ National Institute of Standards and Technology (NIST)has led an international collaboration which recently selected four quantum-resistant algorithms that are able to run on standard, binary computers.
Three of these solve the quantum dilemma through “structured lattices”, which use many more mathematical equations than in legacy asymmetric cryptography which relied on the hard “factorisation” problem. The new approach adds “noise” to encryptions through deliberate errors. With structured lattices, recovering values from encrypted text is a near-impossible challenge, even using quantum computing.
However, the move to quantum-safe cryptography will take time and involve considerable effort. Laing says: “It’s likely that cryptographic algorithms in use today will be replaced by a broader suite of quantum-safe alternatives. This will help businesses provide protection for their various use cases with best-fit solutions, while also building resilience by having some fallback options. And with the use of new algorithms, a vulnerability may yet be discovered in how they are used. As such, it is likely that legacy and new algorithms will coexist for a while in a hybrid approach until quantum-safe technology matures.”
HP can already advise businesses on how to plan for a quantum-safe future. For IT leaders who want to understand the risk and be able to act, Charles outlines a number of practical steps:
- Engage your suppliers. Asking vendors and other partners to report on their quantum preparedness provides you with valuable insights and highlights to your partner the importance of this issue, helping to spur future action.
- Audit your data. Some of the data you encrypt today could be recoverable in the future. Audit what data is at risk of so-called store-and-decrypt attacks and ensure this data cannot be accessed in the first place. Alternatively, start deploying quantum-safe encryption alongside legacy algorithms.
- Review your digital signatures. Do you rely on long-term public keys that cannot be upgraded? If so, your business will be at risk of signature forgery on the arrival of quantum computers. Now is the time to ensure all your keys can be upgraded in the future if required, or to put in place additional controls on digital signature usage.
Given the magnitude of this potential threat, HP advises IT leaders to demonstrate an abundance of caution. Charles concludes: “With regard to the quantum challenge, IT leaders should move forward cautiously and in a controlled manner from what we trust now to what we will trust in the future. Implement practical solutions while being aware of the usual vulnerabilities that can come with new systems.”
Protect your business from the threats facing your industry with our in-depth security guide. You can learn more about the HP Security Lab here.
HP has several exciting events coming up this year – click on each to learn more.
- The Official CIO Summit UK presents the best opportunity to hear how your peers are tackling the biggest challenges in the UK IT industry. (This event takes place in September).
- The CSO Security Summit, scheduled for November, is the best place to hear what novel approaches and innovative technologies your security peers are taking to enhance and futureproof their security strategies.
