Transitioning to Quantum-Safe Encryption
Encryption is the foundation of the internet
Encryption plays a critical foundational role in nearly everything we do today with computers on the internet. Ever since the creation of the SSL Internet Protocol by Taher Elgamal while he was working as Chief Scientist at Netscape Communications, we have been able to use the internet securely to connect with websites, companies, and people. Over the years, SSL has been upgraded to Transport Layer Security (TLS), which uses asymmetric encryption algorithms such as RSA, Diffie-Hellman, and Elliptic Curve to increase security further.
We use these algorithms to protect all communications and take great care in issuing credentials and managing them between the parties that need to exchange data, such as user access to the Delinea Platform and Delinea Secret Server, and for Distributed Engine communications to the Delinea Platform.
Additionally, we use symmetric key encryption, such as the Advanced Encryption Standard (AES), to securely store information at rest so the symmetric key holder can encrypt and decrypt data. Delinea Secret Server uses AES-256 encryption to ensure that data stored within its vault is protected and that only users with sufficient privileges can access an individual Secret.
Thus, the encryption process, keys, and algorithms are critical elements of our security and trust fabric. We must continually strive to mitigate the risk of compromise to ensure that Delinea's products can protect sensitive customer systems and data against any cyber threat.
Quantum computers—innovation enabler or cybersecurity threat?
The advent of quantum computers represents a monumental leap in computational capability beyond classical super-computing, which promises to help solve some of the most complex problems for scientists and businesses. Quantum computers are available for use today from several sources, including IBM, Microsoft Azure, AWS, and GCP, to name a few. While quantum computers provide a new way to solve complex problems, threat actors can also use them to break our current cryptography due to their speed and unique capabilities.
The question on everyone's lips is whether a sufficiently large-scale quantum computer can break these traditional encryption algorithms, and when.
As early as 1994, Peter Shor discovered that quantum computers could break our current public key encryption algorithms because they could rapidly find the prime factors that make up the private key, and then break the encryption. While threat actors can theoretically use Shor's algorithm to achieve this, doing so requires massive-scale quantum computers that are unavailable today.
When might such compute power be available?
Neven's Law says that quantum computing power is experiencing doubly exponential growth (i.e., growth by powers of powers of two) relative to conventional computing (i.e., doubling processing power every two years per Moore's Law). Thus, it's only a matter of time until we see quantum computers with sufficient power to break public key encryption.
On a promising note, quantum computing is not ideal for solving every problem. It's harder to crack symmetric encryption than asymmetric encryption, which is counter-intuitive given the challenge of factoring large numbers into primes with the latter method. Symmetric encryption, like AES, is very strong. Very long keys make symmetric encryption impervious to cracking. Gaining unauthorized access requires stealing or guessing the symmetric encryption key. Guessing is impractical due to the size of the key space.
Grover's algorithm is a quantum algorithm for unstructured search that provides a quadratic speedup over classical computing. This can make AES-128 feasible to crack, but AES-256 is still considered quantum resistant, at least until 2050 (as referenced throughout ETSI GR QSC 006 V1.1.1).
Delinea's recommendation is to migrate any use of symmetric encryption using AES-128 to AES-256.
Cryptography in a post-quantum world
Quantum computer manufacturers are working hard to increase the performance and scale of their systems to help solve even more complex problems and advance innovation. Given the inevitable scaling of quantum computers and advances in mathematical algorithms, we will eventually see quantum computers break our current encryption. So, we need to plan for ongoing crypto algorithm changes within our systems since the quantum-safe algorithms continue to be developed, improved, and tested.
NIST has been working on Post-Quantum Cryptographic Algorithms since 2016 and has four candidates for standardization as published in NIST IR 8413.
Additionally, there is a push throughout the US Federal government to migrate to Post-Quantum Cryptography, which started with the White House issuing Executive Order 14028 on "Improving the Nation's Cybersecurity" in May of 2021. In May 2022, National Security Memorandum 10 (NSM-10), "On Promoting United States Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems," was published. The Office of Management and Budget (OMB) then issued Memorandum M-23-02, "Migrating to Post-Quantum Cryptography."
Delinea recommends that you inventory your use of cryptographic algorithms and prioritize the transition to Quantum-Safe Cryptography for the highest-value assets in your environment.
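A sketch of that inventory step, added here as an example and not taken from Delinea's products: it splits IANA-style TLS cipher suite names into their algorithms, flags them using the classification given in this article (RSA, Diffie-Hellman and Elliptic Curve fall to Shor's algorithm, AES-128 is weakened by Grover's algorithm), and orders the affected assets by value. The asset names, the 1-5 value scale and the inventory rows are constructed for illustration.

```python
import re

# Public-key families the article names as breakable with Shor's algorithm.
SHOR_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA"}

def classify_suite(suite):
    """Return the quantum-related findings for one IANA TLS cipher suite name."""
    findings = []
    m = re.fullmatch(r"TLS_(\w+?)_WITH_(\w+)", suite)
    if m:
        # TLS 1.2 style: TLS_<key exchange>_<authentication>_WITH_<cipher>_<hash>
        for alg in m.group(1).split("_"):
            if alg in SHOR_BROKEN:
                findings.append(f"{alg}: public-key, breakable by Shor")
    else:
        # TLS 1.3 names (TLS_AES_256_GCM_SHA384) omit the key exchange, so it
        # has to be inventoried from the negotiated group and certificate.
        findings.append("key exchange not in suite name: inventory separately")
    key = re.search(r"AES_(\d+)", suite)
    if key and int(key.group(1)) < 256:
        findings.append(f"AES-{key.group(1)}: weakened by Grover, move to AES-256")
    return findings

def prioritise(inventory):
    """Rank (asset, value, suite) rows: highest value first, then most findings."""
    rows = [(asset, value, classify_suite(suite)) for asset, value, suite in inventory]
    rows = [row for row in rows if row[2]]          # drop entries with no finding
    return sorted(rows, key=lambda row: (-row[1], -len(row[2])))

# Constructed sample inventory: (hypothetical asset, business value 1-5, suite).
INVENTORY = [
    ("intranet-wiki", 1, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("status-page",   2, "TLS_AES_256_GCM_SHA384"),
    ("vault-api",     5, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("engine-link",   4, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("lab-psk",       5, "TLS_PSK_WITH_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    for asset, value, findings in prioritise(INVENTORY):
        print(f"{asset} (value {value})")
        for finding in findings:
            print(f"  - {finding}")
```

In a real inventory the suite names would come from scanner or configuration exports, and certificates, at-rest encryption and code-signing keys need the same treatment.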
Delinea is embracing Quantum-Safe Cryptography
Over the last year, Delinea has been working with the NIST-approved CRYSTALS-Kyber algorithm to better understand how it works. We aim to determine places in our solutions where we can migrate seamlessly and gradually from traditional to quantum-safe algorithms without adversely impacting the user experience or our products.
We generally found that we can use Kyber-1024 instead of AES-256 for data encryption with negligible impact on response time and Secret data storage. We are considering the use of Quantum-Safe Encryption as an extension of Secret Server's existing capabilities.
Delinea Secret Server adds an additional layer of security for more sensitive secrets. Only users with this enabled and the corresponding password can access the associated secrets. With this mechanism, users can protect their secrets from vault administrators. We're exploring enhancing this model, protecting secrets from quantum computer-based "store now, decrypt later" (SNDL) attacks. Vault users could then select which algorithm to use to protect their Secrets, either AES-256 or Kyber-1024.
Delinea recommends educating users on this protection feature and its contribution to protecting their more sensitive secrets and mitigating the risk of quantum computer-based SNDL attacks.
The risk quantum computing poses to existing encryption techniques is undeniable but not yet immediate. The practical use of quantum computing is still in its infancy, and it doesn't currently pose a significant threat to most existing encryption technologies.
However, to counter potential risks associated with quantum computing, solution providers should begin assessing options for algorithm migration. Similarly, consumers should incorporate requirements for such capabilities into their risk assessment process and evaluate their vendors' roadmaps to confirm they address such requirements in an acceptable timeframe.