Crypto Agility: Solving for the inevitable
Security today relies on cryptography, an information-protection technology that uses algorithms to transform messages into a form that is difficult for a third party to decipher. For decades, computers and networks have relied on cryptography to provide confidentiality and integrity, and for common tasks like authentication. Arguably, it has become the backbone of modern cybersecurity as we put more of our lives online.
Cryptography depends on the fact that today’s computers don’t have the power to break encrypted data in a realistic time frame (such as within our lifetimes). That changes as we march closer to quantum computers, machines that exploit quantum physical phenomena to run certain algorithms far faster than today’s fastest computers. A mature quantum computer could recover a private cryptographic key from its public key counterpart in minutes (compared with thousands of years with a standard processor). It’s important to note that quantum-computer prototypes are still gradually increasing in size and capability and don’t yet pose a threat. Eventually, however, they will become powerful enough to attack widely used public key cryptography.
Cryptography and quantum computing are on a collision course that threatens this cornerstone technology underlying cybersecurity. The systems we’ve built to power our digital lives aren’t ready for our public key cryptography standards (RSA, EC, and DSA) to be undermined. We must prepare for a future in which many of our current cryptographic algorithms no longer work. The solution will mean deploying the necessary changes as an industry, which will take time and is considerably more complex than it may seem.
Cryptography: What’s at Stake
Stored data is typically encrypted with symmetric key algorithms (such as the Advanced Encryption Standard, or AES), which are less threatened by quantum computing. The exposure lies mainly in communication channels, and specifically in the “key establishment” portion of the Transport Layer Security (TLS) protocol. In TLS, two parties use public key cryptography to authenticate one another and then negotiate a shared symmetric key for the session. The result is a session key that enables secure communication between the two parties.
Why does this matter if quantum computing is not yet a thing and the threat is limited to certain situations?
The first reason is that an attacker can record encrypted data now in preparation for breaking the encryption later, once scalable quantum computing is available. This is known as a “harvest-now, decrypt-later” attack, and it is particularly threatening for long-lived information assets (bank account numbers, for example). As we get closer to the quantum-computing threat, vulnerable data with shorter lifespans also becomes a concern.
To read the complete article, visit Dark Reading.