Canadian organizations with sensitive encrypted data must start working now to protect their data for the day when quantum computing is capable of breaking their protection, a conference has been told.
“If you are encrypting something with a shelf life greater than a decade you need to be really scared of this technology,” Atefeh Mashatan, director of cyber security research lab in Ryerson University’s school of management said Wednesday at the conference in Toronto.
Organizations in the crosshairs include governments, medical institutions and financial institutions, she said.
The encryption at risk can be found in credit cards, cellphones, the HTTPS code in browses, IoT devices — anything that uses a digital certificate for public key infrastructure (PKI).
So organizations affected need to do is start planning now for the inclusion in their systems of quantum-resistant solutions, she said.
First, inventory systems to see how much crypto your organization uses and the type. Solutions that use asymmetrical encryption like RSA are more vulnerable than those that use symmetrical encryption like Triple DES or AES. Then do a quantum attack risk assessment.
Depending on the sensitivity of the organization’s data, it may be able to wait a few years until a standard for quantum-resistant encryption is released (see below). Those with sensitive data may have to invest in hybrid crypto solutions that allow the combining of current technology and quantum-resistant solutions.
Check with your vendors: Do they have a roadmap for quantum-resistant computing?
”The last thing you want is to get into vendor lock-in,” Mashatan said.
In an interview she said organizations that could be affected need invest in “crypto-agility .. which is the ease at which they can transform their existing, vulnerable encryption schemes to quantum-resistant schemes.
“If they have agility, then as soon as [new] quantum-resistant standards are announced they can plug them in.”
(For more detail on how to prepare, see Quantum-safe.ca)
The federal government is well aware of the threat to its systems, Mashatan said in the interview. “It’s getting better” for large Canadian enterprises, she said. The problem is most are waiting for new quantum-resistant standards to be approved, which won’t come until 2024. “They don’t need to wait,” she said, “because that ship has already sailed. It might already be too late for those who are transmitting sensitive data over the Internet in encrypted form with a long shelf life.”
For those organizations needing to adopt quantum-resistant computing, the move may not be easy, Mashatan warned. It could be as hard as the switch from SHA1 to SHA2 solutions, when organizations discovered devices like routers that couldn’t be upgraded.
Governments are pouring huge amounts of money into research on the feasibility of creating scalable — and, hopefully affordable — quantum computers, the invitation-only conference for researchers and companies was told. The U.S. and the European Union have each committed over $1 billion; China has committed $10 billion.
Quantum computers open the possibility of processing data and algorithms at a hugely faster rate than current supercomputers, with opportunities for applications from artificial intelligence to finding fast routes to deliver packages.
However, quantum computers will also be able to break asymmetrical public key encryption schemes like RSA used by many organizations to secure messages and transactions.
The question is, how soon? While a number of companies like IBM, Google and Intel have small quantum computers, it isn’t clear how soon a machine able to crack RSA 2048 encryption will be working.
Mashatan noted one Canadian expert, Michele Mosca of Waterloo University, thinks there’s is a one in seven chance a quantum computer will break RSA 2048 encryption by 2026, and there’s a 50-50 chance it will be done by 2032.
Others experts say it could be more like decades before that can be done — unless there is a break-through.
Still, already researchers suspect some countries are collecting and storing encrypted data for the time in the not too distant future when it can be cracked. That in part is why experts say organizations need to start preparing now.
Which is also why the U.S. National Institute for Standards and Technology (NIST) has embarked on a competition to approve standards for quantum-resistant encryption. It is scheduled to release a standard or standards in 2024.
New solution
The conference was sponsored by NXM Labs, headquartered in San Francisco but with research facilities in Toronto, which makes solutions allowing connected devices to automatically manage their own security.
NXM also announced its quantum-resistant Quake framework (short for quantum augmented key encapsulation) for computers and IoT devices. Quake is a software/firmware solution designed to be easily installed by system administrators and integrators and doesn’t require changes to existing security protocols or enterprise processes, the company said.
In an interview company CEO Scott Rankine said the first commercial implementation will be in connected vehicles later this year in partnership with telecom carrier Sprint. Later it may be seen in connected home devices. Pricing is still being finalized.
“It’s a framework that not only makes communications quantum safe, but it can also scale across millions of devices,” he said. “It’s a way to add quantum safe technology to our already secure platform.”
Quake can be integrated with any existing security framework of a processor chip, he said. In essence, it would be a firmware or software update to a network extending security to the perimeter. Even if one device with Quake is hacked, he said, the attacker can’t access others.
Among those at the conference was Terry John Myers, manager of quantum computing at Deloitte Digital Canada. His team works with clients to understand quantum computing and how it might apply to their organizations, as well as and how to build roadmaps to meet the security challenge.
“Globally organizations aren’t taking the threat seriously enough,” he said. Admittedly, there’s more awareness in Canada than in some parts of the world in part because it’s a leader in artificial intelligence, and AI is a good use case for quantum computing.
But, he added, as with any new technology the private sector here will wait “until they see it knocking at the door, or in this case breaking the door down, lighting the house on fire and walking away.” In the meantime they’re thinking ,’This is an interesting thing’.”
However, he warned Canadian organizations to move faster. “You’re going to a gun fight with a knife. When this stuff happens there’s going to be an arms race.”
