How To Be Crypto-agile: Building Cryptographic Resiliency In The Age Of Quantum Computers
Cryptography makes everything in our modern lives possible. Without it, the internet would be reduced to a giant wasteland of digital brochures and public bulletin boards. Everything that makes the internet useful – from commerce to private communications – is powered by cryptographic algorithms that scramble our data so that only intended parties can read it.
Since cryptography underpins so much, the prospect of it being broken is disquieting. Quantum computers have the potential to break much of today’s cryptography and upend our entire digital economy in the process. What isn’t discussed enough is how to be ready for cryptographic disaster scenarios, including, but not limited, to the creation of more powerful quantum computers. The answer is crypto-agility and it can handle the gradual evolutionary changes in cryptography as well as earth-shattering breakthroughs in the feasibility of attacks.
We’ve Been Here Before – Only Change Is Certain
In all of history, no cipher withstands the test of time. The Caesar cipher was once state-of-the-art in keeping messages secret by substituting one letter for another. It is now reduced to a cryptogram game that my 96-year-old grandmother tackles daily.
We’ve come a long way since Caesar ciphers were state-of-the-art, but we’re far from perfection. Most attacks on cryptography bypass the ciphers themselves and instead focus on how they’re implemented. Information is gleaned through side channels, by attacking the endpoints, by exploiting poor random number generation, or by compromising users or systems with legitimate access to keys, and so forth. But we’ve had to evolve the ciphers and their parameters, too.
Hard Problem Assumptions
A sufficiently powerful computer could break all of our current cryptography. In fact, if you shrink the key sizes, we can break current cryptography with ordinary laptops. Our theoretical security depends on assumptions about how hard an attack is and how long it would take to be successful.
For example, public-key cryptography relies on “trapdoor functions,” which are math problems that can be efficiently calculated in one direction but are extremely difficult to calculate in reverse. Imagine having a set of numbers and operators for plus, minus, and multiplication, but no division. You could very efficiently multiply two numbers, but if you wanted to divide, you’d have to repeatedly subtract over and over again. So reversing the multiplication if you don’t know the inputs takes much longer than what you have to do to effectively divide. With sufficiently large numbers, the difference in calculation time can be drastic.
Because computers can be programmed to try lots and lots of different combinations – and because mathematicians are incredibly clever at finding shortcuts that reduce the difficulty of an attack, we end up working with numbers that are ridiculously big – so big that it would take effectively forever to break them. For example, it would take all the world’s computers something like 77 billion years altogether to crack a single key with 128 bits of security.
Seems like we’re safe.
But then again, we discover new techniques all the time and computers keep getting faster. In 1977, 1991, and 2001, the RSA Corporation put out a challenge for people to break RSA encryption. The challenge from 1977 was solved in 1994. All of the challenges from 1991 were solved by 2009. Some, but not all, of the challenges from 2001 have been cracked. RSA halted the challenge in 2007. One might surmise they were feeling less than confident.
But RSA encryption isn’t inherently insecure. Far from it. The trouble is the size of numbers that were presumed to be secure at these different points in time. As of today, the longest key cracked out of the challenges is around 250 decimal digits long. And that’s short by today’s standards.
One takeaway here is that what appear to be insurmountably hard problems at one point in time look very different fifteen or twenty years later. In twenty years, will we be saying the same thing about the algorithms and key sizes that we use today?
Yes. Unequivocally, absolutely, yes. And it could happen sooner.
Quantum Computing Is a Pipe Dream…Until It Isn’t
All of the standard public key cryptography of today can be broken by quantum computers of sufficient power. Quantum computers exist today, but they remain far from being able to crack modern cryptography. These are “computers” that are sensitive to the slightest vibrations and temperature changes. They typically run in rooms that are deep underground and they are supercooled down near absolute zero. As a result, they aren’t stable enough, programmable enough, or powerful enough for the task.
At least, as far as we know.
I’ve been reading predictions about quantum computers being imminent for as long as I’ve been hearing the same thing about virtual reality becoming our primary interface with computers. It’s always been ten years away. It’s the bogeyman that’s just out of sight. But then again, it could be the bogeyman that’s already in the basement.
Follow The Money – Quantum Computing Research
Although there are companies like IBM and Google and some well-funded startups trying to build these computers, governments have deeper pockets and more at stake. We know the U.S. and China both have top-secret programs to develop quantum computers. We just don’t know how far along they are. Or if they’ve already succeeded.
Meanwhile, research funds in the U.S. have been flowing into “post-quantum cryptography” or PQC. They are even sponsoring a contest to identify new cryptographic standards to secure data in a world with quantum computers. The contest started in 2016 and has two separate races: one for public-key encryption and key-establishment algorithms, and the other for digital signature algorithms. As of press time, they’ve narrowed it down to four candidates in the first race and three in the second with “alternates” in case new research blows up any of the current top picks.
The attention and funding of PQC makes me think that the government believes the threat of an adversary having quantum computers is very near.
But here’s the thing about these new algorithms: they aren’t as well studied as our current ones, which means that the winner of the competition could easily turn out to have weaknesses that allow it to be broken by classical computers.
To sum up where we are with quantum computing:
- The tools we have for keeping our data safe today are excellent.
- Over time, what we think is most appropriate for protecting our data – both algorithms and key sizes – evolves and changes.
- Quantum computers are here, but we have no idea when they’ll be powerful enough to threaten current cryptography or even if that’s already happened somewhere in secret.
- Soon we’ll have a new standard for public-key cryptography that is theoretically quantum computer safe, but which may or may not prove to be generally safe.
If you’re writing software and incorporating cryptography today, what should you do?
Set Yourself Up For Success With Crypto-agility
Imagine that tomorrow a university puts out a press release announcing that they’ve built a quantum computer that cracks modern cryptography and they prove it by calculating the private keys of the web servers of the most visited websites.
If this happens and it’s credible, then we’ll have a Y2K-style moment where the entire software industry throws its collective roadmap out the window and everyone scrambles to identify every bit of cryptography in their systems and make plans to upgrade it. It would span engineering, IT, Ops, open-source projects, vendors, and more. In the very worst-case scenario, we don’t yet have a winner selected from the PQC competition and everyone jumps in different directions.
The good news in this scenario is that random hackers around the world won’t have access to the new computer so it’s unlikely we’ll see massive data leaks. The scarier scenario involves some new cryptanalytic research that finds ways to significantly speed up attacks on current algorithms such that hackers could band together and break cryptographic keys that could lead to devastating attacks on financial institutions, critical infrastructure, and more.
For some companies, however, events like this will be a minor blip. These are the companies that have built their systems in a way that lets them quickly change what algorithms or cryptographic primitives they’re using.
Crypto-agility is a process where you separate the concerns of algorithms and parameters like key sizes from your code and your systems. You accomplish this by creating a layer of abstraction that insulates developers and infrastructure from low-level cryptographic decisions.
TLS 1.3 actually works this way to some extent as it allows for a number of different algorithms, primitives, and parameters to be negotiated when a browser talks to a server. Newer servers and browsers can negotiate newer algorithms, but can also fall back to older ones that are still allowed when necessary.
For the rest of your systems, you need to think much more carefully about how you’ll future-proof your company. Here are some points to keep in mind:
- Your Development Stack - It’s pretty common for developers to reach for standard open-source libraries like Sodium, Bouncy Castle, and OpenSSL when they need encryption, but these libraries leave a lot up to the developer. They don’t handle file formats, where to store keys, crypto-agility concerns, or other critical pieces. They are foot cannons that are far from developer-proof. Instead, choose a tool that already handles all of these concerns and has crypto-agility at the core so your developers can focus on higher-level problems.
- Blockchain Is Vulnerable - Every transaction on the major blockchains is signed using pre-quantum public key cryptography. In most software settings, data can be taken offline and re-signed or re-encrypted. But it’s incredibly difficult to change anything on the blockchain – by design – and for people who are putting encrypted data on there, it’s even worse. That data is public and copies of it exist around the world. There’s no way to protect that data if an algorithm is broken or weakened, and that data will still be there twenty years from now. The future of blockchain in a post-quantum world is concerning.
- Your Vendors Need Encouragement - Leaning on vendors to let them know that you expect them not just to encrypt your data (preferably with application-layer encryption), but to be crypto-agile, is something you need to start doing now. Or use it as part of the criteria when evaluating security and vendor suitability.
- You Can Be Standards-Compliant and Post-Quantum Today - For many use cases, companies can have all of their data protected with quantum computer-resistant algorithms today – without even straying from standards. The widely used AES-256 algorithm is believed to be resistant to attacks by quantum computers, so if you’re doing server-side encryption with root keys stored in a KMS, you should be able to use AES-256 from top to bottom. As an added benefit, this choice is more performant than the public key alternatives.
How IronCore Labs Helps
If you’re using IronCore Labs’ SaaS Shield product family, then you already have the benefits of crypto-agility including:
- Key rotation
- Algorithm and key size rotation
- AES-256 bit encryption at all layers below the KMS, and optional AES-256 at the KMS layer.
- Ability to rotate KMSes
- Ability to apply different keys and security criteria to different segments (per customer or any other data segment strategy) in case we get to a future where there are competing PQC standards in different parts of the world.
- Developers only need to call encrypt/decrypt: all the details of how the encryption is done and how the keys are managed are abstracted away and independently configurable.
- We provide mechanisms to efficiently re-key already encrypted data in case of a key compromise or an algorithm compromise.
Whether you use IronCore Labs or not, future you will thank you for taking the time to design your systems in a way that keeps them resilient to the inevitable changes to best practices in cryptography. Soon we should have new standards for post-quantum cryptography and ideally you can just flip a switch to start using them (or use them doubled up with classic cryptography to cover all your bases).
In the end, crypto-agility means preparing your processes and tools to absorb change without having to change code or spin up big projects. Getting things ready now can go a long way to set you up for success in the future.