DigiCert’s Post

Transcript

Quantum computing promises huge benefits, but it also threatens to undermine the foundational security of the Internet. We are increasingly reliant on encryption algorithms, but soon quantum computers will have enough power to break asymmetric cryptography. So how do you prepare for this moment? And when do you need to upgrade your systems to be quantum safe? We're going to find out, because today in the register hot seat, we will be asking Avesta Hajati of Digicert. About how to prepare for post quantum cryptography. So this all revolves around a date known as Q day. What happens on queue day? Yeah. The first thing I want to mention is that we all have heard about why 2K. We knew when Y2K was happening exact day and time. When it comes to Q day, we really don't have a date. We know it potentially could happen. And the implication of this day is basically when we know a powerful and stable enough quantum computer will be indeed able to break a couple of different type of symmetric encryption algorithms such as. ECC as well as RSA Q day, in my opinion as a security expert is the day that we all consider security is broken if we don't have the proper plan in place. When do organizations have to start thinking about preparing for this day? There is 2/3 and of thoughts here. Three. Number one is that we don't have a large enough quantum computer today that is capable of breaking or weakening our encryption algorithms for that type of an organization. They basically just keep kicking the ball down the road until the queue date arrives. There's other organizations on the other hand, where they know that the data that has been encrypted today, it could be collected and once we have a stable enough quantum computer, they can decrypt that data. This is often known as harvest now, decrypt later. That type of organization have began transitioning to what we call quantum safe or post quantum crypto algorithms, not yesterday, but a few months ago, and that's way ahead of this. The standards that NEST will will finalize in the next few weeks or so. So what's the first step in the preparation? First step is visibility. So if you really don't know what you have in your environment, you will have a very hard time replacing that specific asset. So consider that you have RSA algorithm widely distributed in your organization and the following question will be that you have to go ahead and migrate your critical systems or transition your critical systems to PQC if you truly can't answer. The visibility question, meaning you have a proper inventory in place, you have a plan of knowing where these specific assets are, then you're missing the first step. First step is visibility, observability or discovery, however you would like to define that. But it's important to understand where those assets are to prepare for this transition period. What sort of surprises might organizations find in this discovery? Yeah, many, many surprises. I often ask this question when I deal with Csos and they have their security team in the room. I asked them if they really. Do know that they're utilizing SHA 1 which is another type of hashing algorithm in a sense in their organization and they often smiled because Shaw 1 was deprecated back in 2017, but seven years later they are still asking this question if they have share one. Now to a question, many surprises quite arrive when you're going very deep and wide into that observability and visibility. You may find broken algorithm, you may find outdated algorithms and you may find. Many surprises that he never thought about encryption could put on your table. So I wouldn't want the individuals to be shocked that many of these outdated algorithms were found out. But if you are doing it through discovery and visibility operations, you'll be shocked with most of the results. What are the algorithms that are likely to replace RSA and ECC? So for the past 7 to 8 years, almost Nest National Institute of Standard of Technology has gone through a process. Identify set of algorithms that we refer to as post quantum crypto or quantum safe algorithms. These algorithms are generally based on what we usually call newer type of mathematics. These are the families of mathematics such as hash based, lattice based, supersingular, isogeny based algorithms where a quantum computer doesn't have the ability to basically break them nor a classical computer has. So in the past seven years number of these algorithms have gone through the process to. Either get merged together or get dropped from this list either due to vulnerabilities or weaknesses or bad performances. And when we are standing today is that NEST has the real specific algorithms. These are signatures and one key encapsulation mechanism that are going to get a standardized in the next few weeks. These algorithms again are based on a completely different mathematical families that makes them to be more protected and in a sense not breakable. But quantum computer did you Sir recommends. Something that you call crypto agility. Now, what's that? Yeah, very good question. So for almost 40 to 50 years, we had a very big promise. And the promise was that it will take thousands or millions of years for the RSA algorithm to be broken based on the classical computers. And that's because classical computers aren't good at solving the factorization problem and it will take a while. Now, 50 years later, we recognize that with quantum computers might take much smaller. End of time instead of thousands could take maybe seconds, hours or weeks to break the RSA algorithm now with post quantum crypto algorithms. We can't really promise that these algorithms aren't going to be broken either due to bad implementation to the new environment that they're going in, or so many different factors. Given both of those factors together, what we recommend and what industry recommend is to be crypto agile instead of choosing one specific algorithm because at any point any organization may have to swipe 1 algorithm out and replace it with a safer or a new one. In this specific framework, what is being recommended is to be crypto agile where you do have visibility, you do have an inventory of all of your cryptographic assets, 2 you do have the replacement of these automated and #3 you have. Set of policies and management layers that are automatically getting triggered based on a security level and based on your existing algorithms in your environment. This sounds like a lot of work. So how much of this process can be automated? It is a lot of work. It really depends how you're deploying crypto Agility. If you're Greenfield scenario meaning you have not deployed anything, then Cryptozoic could be very simple. You included as part of your build process you create the inventory of all the cryptographic assets before you lose. The product and then you keep automation. On top of that, now if you have brownfield, meaning you already have your organization, it's pretty large, you have a number of different virus, this becomes very complex. But at the end of the day, solving this complex puzzle is all about a strategy. You can just go ahead and throw a solution at this problem. You have to identify the proper problem and then fix that with the proper solution in place in order to be able to make this a viable strategy to move forward with in future our regulators going to demand. Mandate quantum safe algorithms. That's most likely the case. A matter of fact, in the US we have seen executive orders that have began recommending to take the first step towards moving to quantum safe algorithms. This is specific for the federal government where they're asking to have a level of visibility for their organizations to know where all of the cryptographic assets are. And once the final specifications for these post quantum crypto algorithms coming out, they will have to move forward with implementing those. Now besides the federal government, we also are seeing in other sectors such as finance that the auditors are are asking about the ability of deploying quantum safe algorithms in in financial institutions and their environments. Healthcare is another one. So most likely we will begin to see some regulations coming down before end of this year and then in the next two or three years we are seeing an enforcement of those policies, not every organization. Is going to prepare for Q&A. What might happen? After that day, for those organizations that haven't taken the steps to prepare, cryptography is so widely and deeply implemented in everything that we do today that once Q day arrived, the backbone of everything will be broken. And that's not fiction, that's given, That's fact, because we are all utilizing either RSA or ECC algorithms in every activity that we do without recognizing that. Now consider that overnight. All of these will be built on financial institutes will begin losing their secrets, patient data will be lost, satellite communications potentially could be compromised. So the impact is extremely wide and deep. And to those who may consider this to be a science fiction is not a science fiction, It's proven that this will happen and this is just a ticking bomb. And unfortunately we really don't have a way to stop the ticking bomb, but we do have a specific approaches that could prevent us from the blast radius and that blast radius is having the proper. Strategy in place, having crypto agility implemented and having that overall posture that doesn't keep us 100% dependent on cryptography where it's broken, but keep us dependent on a flexible and dynamic approach to cryptography. If you're not worried, you're not paying attention. Avesta Hajati, thank you very much. Thanks for having me.