Ollie Omotosho - Director, Strategic Partnerships, Thales
Antti Ropponen, Head of Data & Application Security Services, IBM Consulting
In the world of business, data security is paramount. Cryptography is the cornerstone of protecting data, ensuring confidentiality and integrity and preventing exposure of sensitive information. Threats to cryptography are generally prevented by using common cybersecurity hygiene practices defined in clear and achievable governance. Exploiting a weakness in cryptography often requires multiple failures in the implementation of those hygiene practices to be successful.
However, in a future with cryptographically relevant quantum computers, the dependency on multiple failure points to successfully attack a cryptographic solution will not be as relevant. Any weakness in the cryptography ecosystem could result in a catastrophic failure in protecting business critical assets.
As quantum computing technology progresses, the need to address the technology’s related risks also grows in urgency. Organizations need to ensure they can safely, and with agility, understand and introduce changes to their cryptography ecosystem at a rate that allows them to add quantum-safe cryptography to their critical systems and data, ahead of emerging threats. Businesses must, now more than ever, take proactive measures to protect their digital information.
Thales and IBM Consulting are working together to lead and guide the industry in how to successfully address these threats and challenges. With the pending announcement by NIST of the standardized post-quantum cryptography (PQC) algorithms expected in 2024, the next piece of the puzzle will be ready to help bring protection to your organization in a Post-Quantum world. That protection is desperately needed right now, even if quantum computers aren’t fully capable of breaking today’s security.
To be considered truly secure, information that matters today needs to be protected by quantum-safe solutions that account for the threat of a future cryptographically relevant quantum computer.
The Rise of Harvest Now, Decrypt Later Attacks
A large, emerging concern is "Harvest Now, Decrypt Later" (HNDL) attacks, where hackers intercept and store encrypted long-life data with the intention of decrypting it once quantum computers become capable of breaking current encryption standards. As quantum computing continues to advance, the threat it poses to traditional encryption methods is clear. Current encryption algorithms, such as RSA, rely on the difficulty of factoring the product of two large prime numbers to ensure the security of data.
However, quantum computers promise to solve these mathematical problems exponentially faster, rendering current encryption methods vulnerable to attack.
“The experts’ likelihood estimates for when a cryptographically relevant quantum computer will appear suggest that some companies might already be facing an intolerable risk requiring urgent action.” - 2023 Quantum Threat Timeline Report from the Global Risk Institute
HNDL attacks take immediate advantage of this future vulnerability. With the arrival of 2024, we are ever closer to the point at which current cryptography may be broken. This poses a significant risk to all sensitive information within an enterprise, as data that is currently considered secure may become compromised in the future. Organizations with data that must remain protected for more than 5-10 years are even more vulnerable.
At Thales, we’ve been hearing many customers express their concern about such risks and look for help in mitigating them and navigating their Quantum Readiness strategy. Read the customer case study from a large leading financial institution.
Is the threat from Quantum Computing only Harvest Now, Decrypt Later?
No, there are more threats that need to be addressed. The attacks that are of higher concern today are offline attacks where an adversary can collect public or harvested information and attempt to reconstruct private keys from this information.
Depending on what a private key was used to protect at some point in the past, several threats are possible alongside HNDL.
These types of attacks are relevant to ‘long-term identities’, where a private key (recovered from a public key) can be used to authenticate to a system for a variety of purposes that include:
- to create credentials that allow authentication into systems with the aim of causing damage or extracting information.
- to initiate malicious transactions on long-term blockchains or distributed ledgers.
- to sign malicious code or system updates that will be trusted due to long-term digital certificates in trust repositories.
This type of threat poses interesting questions on the design of systems that have long life cycles – for example cars, transport infrastructure, core banking applications, and blockchain applications.
Fraudulent Manipulation of legal history and digital evidence
These types of attacks relate to the use of a recovered private key to create or manipulate digitally signed data such as transactions or documents that have some legal value. This type of threat poses questions on the future trustworthiness of digital transactions that are executed today. A future quantum adversary could create a signed document proving ownership with a back-dated transaction date.
At some point in the future, it will be necessary to distinguish between real and fraudulent documents that both have valid signatures.
Furthermore, a recovered private key could be used to create or manipulate digital evidence. Such evidence might include audit records, past email exchanges, and other communication exchanges.
The Need for Post-Quantum Cryptography (PQC)
To mitigate the risks posed by quantum computers and HNDL attacks, businesses must prepare for Post-Quantum Cryptography (PQC) now. PQC refers to newer encryption methods that are resistant to attacks from both classical and quantum computers. The transformation from classical cryptography to PQC is incredibly complex, and it is made even more challenging by the ongoing move of data to the cloud, where it is consumed in a variety of ways and by a variety of entities.
For those in industries who will be heavily impacted by PQC, such as anyone leveraging PKI, TLS, Code Signing, IoT, or Secure Manufacturing, the next few years will be revolutionary from an IT perspective. This changeover requires proactive planning and a well-timed strategy for it to be implemented smoothly, all while keeping expenditures under control.
Organizations should begin now to find answers to some critical questions:
1. How does the progress of quantum-safe cryptography development and its standardization impact my organization?
2. How can my organization assess and modify its current cryptography to become quantum-safe?
3. How do we quickly identify cryptographic assets, assess crypto implementations at risk, and examine systems for managing all crypto keys?
The questions may seem simple enough, but the answers are not. That’s why Thales and IBM Consulting have partnered to help their customers navigate this demanding process.
How can Thales and IBM Consulting help you?
We have a proven methodology, validated through dozens of successful Quantum Safe programs for clients across industries, from banking, telecoms, and insurance to governments.
The Quantum Safe Program is comprehensive in its objectives. It helps clients understand and identify the real threats and challenges that quantum computing poses to their organization, delivers Quantum Safe strategies through cryptography governance and posture analysis, discovers the critical hotspots within the organization that are most at risk of quantum attacks in the near future, and extends through to client education and culture enablement for the quantum age.
We deliver end-to-end programs for client transformations. These include the target roadmap for Quantum Readiness; an over-arching Quantum Migration framework delivered through risk and vulnerability identification; a robust Quantum Safe strategy and architecture; technical Proofs of Concept and MVPs for high-value and strategic elements; and, finally, application and infrastructure transformation for Quantum Safe.
The Quantum Safe remediation journey is unlike anything the cryptography world has seen to date, and it can be very complex and challenging, especially without the right partners!
How are Thales and IBM Consulting achieving success against the Quantum Threat?
Recently, Thales launched the first of our PQC Starter Kits, in partnership with Quantinuum. The Luna HSM PQC Starter Kit combines our Luna HSMs, PQC Functionality Modules (FMs), and a source of quantum entropy with several of our technology partner integrations. It gives customers a PQC Root of Trust with which they can quickly and cost-effectively begin testing the effects of Post-Quantum Cryptography on the data, devices, and applications within their organization. A primary goal of this process is for an organization to achieve crypto-agility: the ability to adapt to new compliance requirements and protect against emerging quantum threats while minimizing disruption to operations.
To ensure a truly smooth transition to PQC, the Luna HSM PQC Starter Kit will also be available through the IBM Consulting Cryptography and Quantum Safe program.
The IBM Consulting Cryptography and Quantum Safe program provides industry frameworks, assets, and accelerators that complement the PQC Starter Kit while providing the technical foundation to deliver the Quantum Safe Program as described earlier.
The Quantum Safe Program provides technical capabilities to support an organization's Quantum Safe strategy. These range from bottom-up technical discovery of cryptography artefacts within code, applications, systems, and networks, to automated enterprise cryptography inventory management and compliance, to Quantum Safe solution testing and education, and finally to Quantum Safe remediation technical solutions that help organizations remediate and mitigate the quantum threat.
Going beyond the technology itself, IBM Consulting Cryptography and Quantum Safe services offer unique frameworks, capabilities, methods, and approaches for end-to-end quantum resilience. With them, you can replace at-risk cryptography and maintain ongoing visibility and control over your entire cybersecurity posture as cryptography evolves into a PQC world.
No single company or vendor can solve this complex transformation alone, which is why we have proudly worked to build out the Thales PQC Partnership ecosystem, consisting of both service and technology partners.
With an extensive ecosystem of partners such as IBM Consulting across a range of existing and emerging use cases, including Quantum Safe, Thales and its trusted technology partners provide a vetted and comprehensive suite for data protection to our joint customers. This will allow us to move the Quantum Safe conversations beyond the theoretical and into the practical, which is exactly what organizations need in order to understand the challenges, the architecture, and how to implement it, and to prepare to bring PQC to scale.
Join us for a webinar on February 29th where Thales, IBM Consulting, and our mutual partner Quantinuum will discuss how organizations can better manage HNDL risks and navigate the complex transformation to PQC.