Life After Quantum: Prepare Your IT Security Strategies Today
From IC Insider Thales Trusted Cyber Technologies
Bill Becker, CTO, Thales Trusted Cyber Technologies
Although quantum computing is still a long way from being a routine part of any federal agency’s IT network, data protection against quantum attacks should already be part of your cybersecurity planning.
Progress on quantum computing is moving rapidly. IBM is arguably the industry leader in superconducting qubits. In November 2022, the company debuted its 433-qubit Osprey processor, and it plans to release a 1,121-qubit processor called Condor this year.
In federal computing, the current administration is taking the cybersecurity threat posed by quantum computing very seriously. The National Cybersecurity Strategy, in “Objective 4.3: Prepare for our Post-Quantum Future,” emphasizes the need for data encryption advancements as a way to prevent bad actors from wreaking havoc with quantum computers.
“Strong encryption is key to cybersecurity and global commerce,” the objective states. “But quantum computing has the potential to break some of the most ubiquitous encryption standards deployed today.”
This position is substantively similar to the May 2022 White House National Security Memo on Quantum. According to the Memo, the United States “must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography.” Agencies are required to test commercial solutions “that have implemented pre-standardized quantum-resistant cryptographic algorithms.”
Within the notion of such solutions is an emphasis on cryptographic agility, “both to reduce the time required to transition and to allow for seamless updates for future cryptographic standards.”
In other words, if you haven’t already begun your post-quantum encryption planning, you may already be behind.
The need for crypto-agility
Long-term data is susceptible to harvesting and early attacks. Therefore, IT managers and other network professionals must understand the vulnerabilities of their current cryptography, the expiration date of their encrypted data, and the crypto-agility maturity of their IT infrastructure.
Crypto-agility is a cornerstone of post-quantum cybersecurity, although it’s not really about quantum per se. It requires flexible, upgradeable technology and a hybrid approach of classic and quantum-resistant crypto solutions.
All algorithms will fail eventually. Unfortunately, many current systems make it difficult to rotate keys, to choose different sizes/parameters, and to change mechanisms or key algorithms. These are all essential factors in crypto-agility. Consequently, it’s important to work with providers whose solutions offer that flexibility, so that protocols are less likely to fail in the face of as-yet-unknown threats.
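The three agility factors named above (key rotation, size/parameter choice, mechanism change), sketched as an added example that is not from the article or from any vendor product. The class name `AgileTagger`, the key IDs and the two HMAC mechanisms are assumptions chosen for illustration; HMAC stands in for whatever classic or quantum-resistant mechanism a real system would plug into the registry.

```python
import hashlib
import hmac
import json
import secrets

# Illustrative sketch: AgileTagger and the mechanism names are assumptions, not a vendor API.
# Mechanism registry: adding or retiring an algorithm is a table edit, not a code change.
MECHANISMS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}


class AgileTagger:
    """Tags messages with a header naming the key and mechanism that produced the tag."""

    def __init__(self):
        self.keys = {}        # key_id -> (mechanism name, key bytes)
        self.retired = set()  # mechanisms no longer accepted on verify
        self.active = None    # key_id used for new tags

    def rotate(self, key_id, mechanism, key_bytes=32):
        if mechanism not in MECHANISMS:
            raise ValueError("unknown mechanism: " + mechanism)
        self.keys[key_id] = (mechanism, secrets.token_bytes(key_bytes))
        self.active = key_id

    def retire(self, mechanism):
        self.retired.add(mechanism)

    def tag(self, message: bytes) -> str:
        mech, key = self.keys[self.active]
        mac = hmac.new(key, message, MECHANISMS[mech]).hexdigest()
        return json.dumps({"kid": self.active, "alg": mech, "mac": mac})

    def verify(self, message: bytes, envelope: str) -> bool:
        try:
            env = json.loads(envelope)
            mech, key = self.keys[env["kid"]]
            claimed, mac = env["alg"], str(env["mac"]).encode()
        except (ValueError, KeyError, TypeError):
            return False  # malformed envelope or unknown key id
        # Trust the mechanism bound to the key, not the sender-controlled header.
        if claimed != mech or mech in self.retired:
            return False
        expected = hmac.new(key, message, MECHANISMS[mech]).hexdigest()
        return hmac.compare_digest(expected.encode(), mac)
```

Because every tag names its key and mechanism, old and new tags verify side by side during a migration, and retiring a mechanism invalidates its tags without touching callers.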
To assist in planning for post-quantum cryptography, NIST offers a publication titled “Getting Ready for Post-Quantum Cryptography.” This document offers suggestions on monitoring standards development, assessing whether your network equipment is crypto agile, and performing risk assessments of where public-key crypto may be used in the infrastructure.
NIST’s National Cybersecurity Center of Excellence (NCCoE) has also embarked on an important project, entitled “Migration to Post Quantum Cryptography.” This project is developing a practical demonstration of technology to facilitate the creation of a migration roadmap. (Thales Trusted Cyber Technologies is among the technology collaborators participating in this project.)
The Office of Management and Budget has already released a memorandum, OMB M-23-02, with guidance for agencies to migrate to post-quantum cryptography. The goal of this document was to identify agency susceptibility to cryptographically relevant quantum computers (CRQC), which can break algorithms for public-key encryption. By May 4, 2023, agencies were to submit a “prioritized inventory of information systems and assets, excluding national security systems, that contain CRQC-vulnerable cryptographic systems.”
The NSA also offered guidance, in the form of the Commercial National Security Algorithm Suite (CNSA) 2.0 for national security systems. This document stressed private and public sector cooperation, encouraging agencies to “work with software vendors to identify candidate environments, hardware, and software for the testing of PQC (post quantum cryptography).”
CNSA 2.0 provides recommendations for which algorithms to use and when to deploy those algorithms to protect national security systems. Agencies are expected to transition to post-quantum cryptography (PQC) between 2025 and 2030.
Standardization and current recommendations
The NIST Post-Quantum Cryptography project selected four algorithms for standardization in July 2022. NIST estimates standards for these PQC algorithms will be issued in 2024.
Although these new PQC standards aren’t finalized yet, there are other quantum-resistant approaches emerging to protect federal computing from potential quantum security breaches. For example, NIST Special Publication 800-208 recommends “Stateful Hash-Based Signature Schemes” as a means of generating digital signatures to protect software and firmware upgrades. This technique is actually required per CNSA 2.0.
Similarly, the Commercial Solutions for Classified (CSfC) program has issued a Symmetric Key Management Requirements Annex that details how CSfC packages can provide a quantum resistant solution for protecting long life data. Rather than waiting for new PQC algorithm standardization, the CSfC approach to quantum resistance requires use of symmetric keys, with NSA-approved key generation solutions to generate and manage pre-shared keys for CSfC security devices. CSfC notes that “Symmetric Pre-Shared Keys (PSKs) should be used instead of or in addition to asymmetric public/private key pairs to provide quantum resistant cryptographic protection of classified information within CSfC solutions.” PSK generation and management for CSfC solutions requires “a NSA-approved Key Generation Solution (KGS), using a FIPS 140-2/3 validated or NSA-approved Random Number Generator (RNG).”
The vendor community is taking the CSfC guidance to heart. Existing tools are being updated to manage pre-shared keys for IPsec and MACsec devices. Key management servers and hardware security modules offer encryption connectors for file encryption, database protection and enterprise key management. These key management solutions can also be deployed in the cloud and virtual environments; vendors are now working through the requirements to ensure their key generation solutions can be validated and approved by the CSfC Program Management Office.
Conclusion
Encryption is the foundation of data security. Quantum threatens that foundation. Consequently, organizations must begin designing quantum-resistant architecture immediately.
Make sure that your currently deployed IT hardware was developed with crypto-agility principles in mind, and is capable of receiving software or firmware updates. This will be critical as post-quantum crypto algorithms and protocols are standardized.
Check with equipment providers to determine whether they have beta or technology preview firmware that implements pre-standardized quantum-resistant cryptographic algorithms. Testing such offerings can go a long way to spot performance or interoperability issues up front, leaving time to tackle potential problems and to mitigate risks.
By starting now with testing and strategic planning, agencies can be more confident in their IT networks’ cyber defenses once quantum becomes an everyday part of the job.
About Thales TCT
Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.
For more information, visit www.thalestct.com