TranscriptRene: Hi! Welcome to QuBites, your bite size pieces of quantum computing. My name is Rene from Valorem Reply and today we're going to talk about quantum computing and security considerations you should keep in mind. And I'm very honored to have a special guest here today, Lea Jäntgen.
Hi Lea! Welcome to the show, how are you today?
Lea: Hi! I'm good, I'm good. Thank you. I’m happy to be here.
Rene: Yeah, looking forward to chatting [with you] about quantum security. Can you tell us a little bit about yourself and your background as it relates to quantum computing and security?
Lea: Yeah, sure. So, I'm working for Spike Reply [on the team] responsible here in Germany for the security. IT security basically, all parts of it. And at the same time, I'm part of the Reply’s COP Quantum Computing. My background is in business informatics, but I really love all this quantum computing stuff. So I'm more self-taught there, but I'm really curious about the impact on security that quantum computing [will have].
Rene: Awesome, so that is a really nice expertise here. Combining the business side of things, security and quantum computing, so amazing triangle [of experience/insight]. So, let's dive right into the topics!
So, what are the potential threats [when it comes to] quantum computing for the IT environment we are facing? Because I know there are more qubits coming out in the next couple of years, and so what are some of the potential threats that we might be facing?
Lena: So, I think the [biggest] threat that we're facing is the uncertainty about how things will go and all the new algorithms that might occur. We already know that encryption is at risk. So, the main threat, at the moment, is to encryption because we know that there are already algorithms out there that can be a threat to encryption. But at the same time, we don't know which other algorithms might occur or might come up in the future when qubits become more and more advanced. So, these [unknown algorithms] are the main threats, but for encryption we already know [the risk].
For encryption, there are two algorithms in quantum computing that can actually be a threat and they are different for symmetric and asymmetric encryption. So if we talk about encryption, symmetric encryption basically shares a key. And if you want to crack this key, there is a robust algorithm that can actually reduce the time [it takes] to brute-force [attack] the key by the square root. So, we can much, much faster [learn] the key. However, we can solve this pretty quickly by just enlarging the key and taking a longer key. For asymmetric encryption it's more complicated. There is [another] algorithm called Shor’s algorithm which can do prime factorization in polynomial, what we call in IT, polynomial time. Which means I can basically crack RSA keys for example, in very, very fast time and there's no real solution for that yet.
Rene: So you can basically crack asymmetric keys like RSA really fast with quantum computing. And with the increased qubits, we're going to see in a few minutes or hours or days even, [attacks that] would currently on classical hardware, take hundreds, of thousands of years probably, right?
Rene: So yeah, I can totally see that this definitely is a big threat. Because RSA is one of the key pieces of the Internet infrastructure as well, right? So it's [a threat] all over the place, for all secure channels.
So, what are some of the alternatives that you could implement for current quantum computing weak cryptography algorithms?
Lea: Yep. So as I mentioned, we could move away from asymmetric key encryption to symmetric encryption. But symmetric encryption has some disadvantages. Like key distribution, it's a shared key I have to somehow transfer to you if I want to use it, for example, to encrypt our communication. So, there are disadvantages for symmetric encryption but NIST [National Institute of Standards and Technology] is working currently on a new standard to replace RSA with quantum secure asymmetric algorithms. The last update was on the 22nd of July, they announced that they are now in the final round and there are seven new [algorithm] finalists that they already developed for alternative algorithms to RSA for quantum security. But NIST is not there yet. Their standard is not there yet but, we are certain that in the next years it will come.
Rene: I think there's also a lot of research at all the large tech companies and universities around this. It is called, I think, post quantum cryptography [right]?
Lea: Yep, exactly. That's the name [also called] post quantum encryption. All these seven finalists that NIST is considering in their standards, they come basically from these big tech companies and universities. There are a lot of submissions to this new standard.
Rene: So, while we wait for these new cryptography algorithms that are quantum computing safe, what can we do now and how can [our] clients be prepared for the quantum computing supremacy - which we’re going to see in our lifetime; and how does crypto agility help here?
Lea: Yeah. So, as you already mentioned, we can become crypto agile. I think everybody knows what agility means in IT. So, it's the same for encryption. We want to make our organization and our development and our IT systems [in a] way that [will allow us to] change our encryption algorithms very fast.
So, one [real-world] example: I [did] an encryption migration for a company [that required us] to manually replace 300 web server certificates. And it took us months! So, if you have an agile way like with automation, with for example config files or something that, we call Crypto Service Gateways (CSG), where we have a single point where we can change our encryption algorithm. Then we could potentially do this in minutes, we just roll out a new encryption algorithm.
This is not only for the quantum age, but encryption algorithms also break all the time. There are [always] new methods [arising] to break them. So this can help us now to not only prepare for quantum computing but also for other threats. We have to make sure that we include this in our organizational processes. So if [an encryption algorithm] becomes broken, we have to [plan for]/include it in our incident response plan. We have to know which algorithm [is being used] at the moment. So we have to evaluate an standard state for our encryption. And last but not least, we have to use more like DevSecOps, include security more in the daily development and be [readily] aware of these things and not just say ‘there is this one security department over there that's taking care of all of this.’ That [is] crypto agility.
Rene: Awesome. That all makes a lot of sense. In general, you should be agile of course, especially with your infrastructure as it relates to security. Making sure that you can quickly change out these keys and certificates and so on, right? Because that should be done anyway, like you were saying.
Well, awesome. Thank you so much for joining us today and sharing your knowledge about quantum security and the current threats and how clients can be prepared. Very much appreciate that you joined us today Lea.
Lea: Cool. I’m happy to be here.
Rene: Thanks everyone for joining us for another episode of QuBites, your bite size pieces of quantum computing. Watch our blog, follow our social media channels to hear all about the next episodes and when they are coming out. Take care, stay safe and see you soon bye bye.