
Threat actors steal data to decipher when quantum computing appears

Although the commercial availability of quantum computing is still a few years away, business leaders, CIOs and CISOs must act now to prepare for the technology's inevitable ability to break RSA-encrypted data. Failure to start adopting a post-quantum cryptography (PQC) strategy will jeopardize all existing encrypted data assets, according to a sharp warning from key technical cryptography experts released on Wednesday.

The peer-reviewed paper, which describes the threat and lays out a technical roadmap for moving to PQC, appeared on Wednesday in Nature, a leading journal for the scientific and technological communities.

The cybersecurity experts who wrote the article, entitled "The transition of organizations to post-quantum cryptography," emphasize that when large and fault-tolerant (LFT) quantum computers appear, attackers will be able to use them to break most existing public-key cryptosystems, including RSA and elliptic curve cryptography (ECC).

SNDL threat

The document points to three major issues that the authors believe organizations should address. The first is the existence of an active and critical threat called store now, decrypt later (SNDL), a practice in which attackers steal sensitive data and store it with the intention of decrypting it as soon as quantum computing becomes available.

Second, the authors warn that quantum computers will be able to break the most commonly used RSA and ECC schemes to forge signatures. According to the authors, this would jeopardize all SSL-based websites, zero-trust architectures and cryptocurrencies.

And third, they emphasize that the National Institute of Standards and Technology (NIST) is ready to select a set of PQC candidates that it will recommend as standards. Although the paper was written a few months before its publication on Wednesday, NIST is ready to disclose the candidates in a few weeks and possibly sooner.

Dustin Moody, a NIST mathematician, has confirmed the imminent announcement of candidates for the PQC algorithm. Among cybersecurity standards, this is one of the largest NIST standards undertakings since the development of the Advanced Encryption Standard (AES) and Secure Hash Algorithm-3 (SHA-3). The new PQC standard is likely to include more than one algorithm, Moody told Dark Reading.

“From a safety standpoint, we want to make sure we don’t put all our eggs in one basket,” Moody says. NIST is considering public-key digital signature schemes, as well as encryption or equivalent key authentication, Moody adds: “There will be at least one for each.”

An unexpected NIST announcement was foretold by two directives last week from the Biden administration aimed at recognizing and resolving PQC issues.

Impact on existing data assets

Although the paper provides a detailed technical breakdown of PQC issues, it also aims to build an understanding of the implications of quantum computing for existing information assets and to emphasize the need to develop a plan.

“For those organizations that have not started integrating PQC into their systems and have not even planned it, we strongly encourage them to start their efforts now,” the document warns. “Organizations and businesses with sensitive data with a time value of more than five years should immediately consider a PQC.”

One of the co-authors of the article is Jack Hidary, founder and CEO of Sandbox AQ, a provider of software as a service (SaaS) focused on combining quantum computing and artificial intelligence technology to solve complex processing problems. The main issue it focuses on is helping organizations understand the risk of quantum computing by identifying critical data assets that are encrypted and developing strategies to protect them using future PQC algorithms.

The first thing companies need to do is go through a discovery process to determine the value of all their data, especially information that is encrypted. For example, a large pharmaceutical company could own billions of dollars a year in patented drugs, profits and royalties. If this data ends up in someone else’s hands, it could render that IP worthless, Hidary warns.

“We realized that a white paper was needed to give context to CISOs, engineering teams and other leaders in the C-Suite as to how this migration will take place,” Hidary told Dark Reading. “And that’s the motivation for this work.”

Hidary emphasizes that, using the SNDL approach, state-sponsored and independent attackers have already started stealing RSA-encrypted data. “It’s happening right now – they’re storing that information, and then they’re going to decrypt it in a few years, when they have extra computing power,” he said. “That’s a concern.”

PQC attracts powerful friends

Sandbox AQ may not be widely known today, as the company has only just come out of stealth mode. But it is a well-capitalized startup incubated by Google’s parent, Alphabet, which spun out Sandbox AQ in March as a separate company.

The company has a well-known advisory board consisting of former Google Chairman and CEO Eric Schmidt, former U.S. Secretary of Defense Ashton Carter, former Deputy Chief of National Intelligence Susan Gordon and retired Admiral Mike Rogers, former U.S. Cyber Command commander and former National Security director.

Before meeting with Hidary in January, Ernst & Young Americas cybersecurity chief David Burg said he knew PQC was a problem his company would eventually have to address with its customers. But Burg admits he was taken aback by the need to start working on it with companies immediately.

“We left this meeting realizing that this is actually a set of issues that our clients in the United States and around the world will need to deal with sooner than we thought,” Burg says. The two companies have formed a partnership to work together to address this issue.

Protecting health information at Mount Sinai

One of the clients EY works with is Mount Sinai Health System, which has 43,000 employees on eight hospital campuses in New York City. Christine Myers, director of information and technology at Mount Sinai and dean of the medical school, says cybersecurity is her number one priority.

“As for quantum computing, the reality is that this innovation will make it possible to decrypt data that is currently encrypted,” Myers said. “And as you can imagine for healthcare, unauthorized disclosure of confidential PHI [personal health information] would really affect patients, whether it happened now, five years later or later.”

Myers says she has signed Mount Sinai up with Sandbox AQ and will begin reviewing and inventorying all the encryption methods currently in use. Sandbox AQ will then advise on how to move forward.

“We will make a feasibility study for some of the products we will need to implement with them,” she said. “It’s going to be a long journey with them, but it’s important for us to just get started.”
