Entrust on the future of a post-quantum security landscape
Quantum computing is expected to disrupt encryption based cryptographic defense by 2030, according to IT security specialists Entrust.
Entrust formed in 1969, with the founding of Datacard Corporation and the advent of secure, high-speed payment and identity card printers. Since then, they have acquired other powerful brands, developed new technologies, and extended their global footprint. Their vision is built around 'Securing a world in motion'.
In a recent industry roundtable, Anudeep Parhar, Chief Information Officer & General Manager PKI and IoT Solutions BU at Entrust, and Greg Wetmore, Vice President Product Development at Entrust, explained how quantum computing will augment classic computing, as opposed to replacing it.
This post-quantum world will be hybrid, spanning decades and industries with high privacy and compliance obligations will lead with most vulnerable use cases.
According to Entrust Director of Product Security, Dr. Pali Surdhar, "The National Institute of Standards and Technology (NIST) is working to identify the best quantum-safe algorithms that are less likely to be broken by quantum techniques. That includes the creation of algorithms that are based on symmetric and hash-based schemes or using other approaches, such as code-based, lattice-based and multivariate cryptography."
What is Quantum Computing?
According to Anudeep Parhar, quantum computing is "an area of computing focused on developing computer technology based on the principles of quantum theory, which explains the behaviour of energy and material on the atomic and subatomic levels."
As classic computers can only encode information in bits that take the value of 1 or 0, this restricts their ability, whereas quantum computing uses quantum bits or qubits, therefore harnessing the unique ability of subatomic participles that allows them to exist in more than one state i.e., a 1 and a 0 at the same time.
Superposition and Entanglement are two quantum physics concepts leveraged by these supercomputers, according to Parhar.
"This empowers quantum computers to handle operations at speeds exponentially higher than conventional computers and at much lesser energy consumption. Post-quantum cryptography is the development of new kinds of cryptographic approaches that can be implemented using today’s classical computers but will be impervious to attacks from tomorrow’s quantum ones," said Parhar.
Post quantum cryptography and its impact on business
Parhar adds that the movement of data across the internet today is secured by public key encryption algorithms
"Quantum computers can break current public key encryption. Mitigation strategies are required now to address this business risk. Information that needs to be secure in 5 years or more needs to be protected now," he said.
Greg Wetmore is Vice President Product Development at Entrust. Talking of a fragmented quantum community, Wetmore said that "when it comes to PQ standards, NIST is at the centre. At this stage of maturity, NIST has acknowledged the need for hybrid and dual signatures to transition to new PQ algorithms. Their aim is to help improve standards and guide the market towards an easier transition," said Wetmore.
However, Wetmore adds that "everyone is waiting on NISTs recommendations, but that is not expected until 2022-2023. Depending on the approach that’s selected, all the governing bodies will need to adopt the changes and upgrade their own standards to reflect the approach."
NIST call for "hybrid" or "dual" modes
Wetmore comments that "it has been clear to the experts for some time, that there is a need to address transitions in the trusted crypto infrastructure by providing Hybrid approaches.
"Hybrid approaches are roughly described as methods which incorporate a classic crypto and a PQ crypto component into a solution. There are many challenges to implementation and trust infrastructure when attempting to hybridize.
"Hybrid modes provide protection against further cryptanalytic breakthroughs until we have confidence in PQC," said Wetmore.
Cryptographic Center of Excellence
Entrust's solution to this post-quantum security threat is the Cryptographic Center of Excellence, a group responsible for establishing an enterprise-wide strategy for crypto and PKI.
Wetmore adds: "They are the central point of contact within the organisation responsible for crypto and PKI issues - going beyond technology to provide guidance to projects and teams and help with compliancy. They take ownership for the convergence, management, and roadmap of crypto, keys, secrets and certificates."
Entrust are at the forefront of post-quantum cryptography as participating members of the IETF, and participants in the NIST PQ Competition. They have only draft for dual mode that’s being looked at.
According to Gartner, organizations with crypto-agility plans in place will suffer 60% fewer cryptographically related security breaches and application failures than organisations without a plan.
"There are different approaches on how to prepare for secure cryptographical communications in a post quantum age. Using a hybrid approach is one of the more popular methods being proposed as a way of transitioning to the as yet undefined PQ algorithms. The hybrid approach suggests that rather than trust one algorithm, it places traditional algorithms like RSA and ECC alongside new PQ algorithms. This is helpful for current use cases while pre-quantum is an acceptable method for authentication and to test IT ecosystems against PQ algorithms. What we’re talking about here is backward compatibility. Trying to solve the problem of starting to roll out PQ crypto before all applications are upgraded to support the new algorithms," says Wetmore.
Wetmore asserts that the Post-Quantum community (for example, surrounding the NIST PQC competition), is pushing for "hybridized" crypto that combines RSA/ECC with new primitives in order to hedge our bets against both quantum adversaries, and also algorithmic/mathematical breaks of the new primitives.
"Everybody knows RSA and ECC – they have known issues but they provide trust. By merging them, you get that classic trust but with quantum resistance of PQ algorithms. Solutions are FIPS-compliant as long as one component is FIPS-compliant; Ex {RSA + Dilithium}."
