Crypto Agility – Protect Yourself Against “Steal Now, Decrypt Later”
James Thorpe
Share this content
Large-scale quantum computing is coming soon – and with that comes important cybersecurity threats.
One of these threats is “steal now, decrypt later,” where attackers harvest encrypted data and wait for quantum technology advancements to decrypt it.
This article explores the threats quantum computing has on current encryption algorithms and how crypto agility can help you safeguard your digital assets from steal now, decrypt later attacks.
Cryptographic Algorithms
Cryptographic algorithms can be categorised into two broad categories, symmetric and asymmetric algorithms.
Symmetric algorithms
Symmetric algorithms are also referred to as secret key algorithms because they use a single secret key for encryption and decryption processes.
Asymmetric Algorithms
Public key or asymmetric algorithms incorporate a keypair (public and private key) which is alternatively used for different cryptographic processes (such as key exchange, signing or authentication).
Currently, popular public key or asymmetric algorithms, such as the Rivest-Shamir-Adleman (RSA) algorithm, the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA), have their security based on the following hard mathematical problems such as:
- Integer Factorisation
- Discrete Log
- Elliptic Curve Discrete Log.
Public key cryptography algorithms are predominantly used in various protocols such as TLS, IPSEC, SSH, Internet of Things (IoT), document signing and code signing.
How Quantum Computing Impacts Cryptographic Algorithms & Cybersecurity
Quantum computing is a fast-evolving field with a substantial effect on existing crypto solutions.
Quantum computing will affect symmetric key algorithms in such a way that their key security will be reduced by about half, which means AES 256-bits will provide security approximately corresponding to AES 128-bits.
The situation is compounded in the case of asymmetric algorithms since quantum computing will solve the hard mathematical problems which are the backbone of the RSA algorithm, ECDSA and DSA.
In short, large-scale quantum computers will be able to break the majority, if not all, of the current asymmetric cryptographic standards that are used to protect online communications today.
As quantum computers continue to advance, they will eventually be able to break current public-key algorithms, thereby compromising the security of most current communication protocols and databases.
This could result in sensitive information, such as financial or healthcare records, being accessible to malicious individuals with access to a powerful quantum computer.
Steal Now, Decrypt Later
The concept of “steal/harvest now, decrypt later” occurs when attackers use existing technology to capture encrypted data while it is in transit.
They then store it and then decrypt it at a later point in time when they can access a quantum computer powerful enough to break the encryption algorithm.
In this way, attackers are able to access data with a long shelf life, which is currently protected by strong encryption.
The potential magnitude of information disclosure will be immense, posing a significant threat to everyone, especially defense and military communication systems.
The technique to “steal now, decrypt later” may be heavily utilised by state-backed organisations to capture encrypted traffic of competitor countries to decrypt the traffic once a quantum computer is built.
How to Protect Against “Steal Now, Decrypt Later”
One way to protect against “steal now, decrypt later” attacks is to apply crypto agility via post-quantum cryptography (PQC) in addition to existing encryption methods, which is referred to as hybrid encryption.
PQC algorithms are designed to be resistant to quantum computer-based attacks and therefore can provide a higher level of security if combined with traditional encryption algorithms.
However, updating cryptographic algorithms is a very difficult and time consuming task for most organisations that have numerous applications and instances of software that need to be migrated.
To ensure protection against “steal now, decrypt later”, modern enterprises and organisations must prioritise crypto agility and start incorporating PQC into their communication systems and technologies.
It is a lengthy and time consuming process, but shifting from current public-key/asymmetric algorithms to post-quantum cryptography will restrain later decryption of the organisation’s encrypted traffic.
What is Post Quantum Cryptography?
Post-quantum cryptography (PQC) is a form of cryptography that’s designed to be resistant to quantum computing.
It uses mathematical algorithms that are believed to be secure against attacks from quantum computers, even when they become powerful enough to break traditional encryption algorithms.
The timeline of post-quantum cryptography is a relatively short one, as the concept has only been around for a couple of decades.
A major milestone in this research area was the publication of the NIST Post-Quantum Cryptography Standardization Process, which was started in 2016.
The chosen winners of the NIST process are expected to become standardized within the next year or so.
Migration to Post Quantum Cryptography
Due to the risk posed by quantum computers, it’s crucial for organisations to begin preparing for migration to post-quantum cryptographic algorithms now – before bad actors start harvesting sensitive data.
To do this, organisations must upgrade their hardware, software and services so that when it becomes necessary to switch over to post-quantum cryptography, there will not be any disruption of service.
Doing this work now will provide organisations with much-needed peace of mind that their digital platforms are protected from future attack vectors.
Post Quantum Cryptography (PQC) & Crypto Agility
PQC deals with the study, design, development and evolution of post-quantum asymmetric algorithms, which will be safe from quantum computers.
Organisations are actively involved in PQC research to design security solutions that should be secure against both classical and quantum computers and easily workable or integrated with existing network and communication protocols.
Practicing crypto agility is an important step for data protection in the face of quantum computing.
Crypto agility means that organisations can quickly change their cryptography protocols when new attacks are identified, allowing them to stay ahead of any potential threats.
This allows organisations to quickly adopt PQC standards when made available and remain secure and protect their data even as quantum computing advances.
Achieving Crypto Agility
Organisations need the capacity to quickly update cryptographic methods without significant change to information systems to retain regulatory compliance and mitigate security risks.
While adopting new methods of application development can facilitate crypto agility, the complete re-engineering of existing information systems is only possible in rare cases.
Cryptographic gateway services can facilitate crypto agility in legacy and new IT systems by allowing organisations to immediately adopt new encryption methods without code updates in a comfortable and highly automated way.
A crypto-agile service provides a policy engine that separates the process of developing, enforcing and updating policies from the application side.
These services also enable these tasks to be conducted without service interruption – thereby providing true crypto agility to organisations that need to prepare for the threats of quantum computing.
To find out more information, visit: www.cryptomathic.com
