TalkingTrust with Thales and Isara – Quantum Safe Crypto
The quantum era is quickly approaching, threatening to impact security as we know it. But how will it really impact you and how can you prepare? In this TalkingTrust video you will learn about:
- The quantum landscape and where we’re at
- The quantum threat to use cases and industries and how it impacts internet security
- How crypto agility enables you to quickly react to cryptographic threats
- How to ensure your IoT devices can remain in use and secure from spoofed software updates
- Why it’s important to start preparing today with solutions that are readily available
- How Luna HSMs provide the foundation of trust for Isara's Quantum Safe Security solutions with its keys in hardware approach
Thales and Isara discuss the quantum landscape and where we’re at, the quantum threat impacting internet security, how crypto agility enables you to quickly react to cryptographic threats, securing your IoT devices from spoofed software updates, and preparing today with solutions that are readily available.
Speakers:
David Madden, Director of Business Development at Thales
Angelo Fasulo, VP Executive: Sales & Marketing, Channel, Technology Partnerships, Operations, B2B & B2C, Isara
Thales Technology Partner: cpl.thalesgroup.com/partners/isara-corporation
Partner website: www.isara.com
Resources:
Video Transcript
TalkingTrust Series – Thales and Isara – Quantum Safe Crypto
00:10 Hello everyone.
00:11 We're here today to talk about quantum
00:13 crypto,
00:14 what is available and where the market
00:17 is, and we're glad to have
00:18 here today my colleague Angelo Fasulo,
00:22 Director of
00:23 Strategic Partnerships with our
00:25 quantum partner Isara,
00:27 who's one of the leading experts in
00:29 the quantum crypto industry,
00:31 and he's here today to help us
00:33 understand this critical
00:35 and emerging market. So let's get started
00:37 with the short history
00:39 and background of quantum, including some
00:41 of the challenges of adjusting
00:42 organizations
00:44 who are dealing with innovation, cloud
00:46 IoT, and digital transformation,
00:48 and some of these impacts, so to start
00:49 with a little history.
00:51 Sure, that sounds good Dave. Thanks for
00:54 having us. Isara is
00:56 very happy to be a partner of Thales
00:59 and join you and the client base
01:02 on the journey
01:03 to quantum safe, and we thought
01:05 we'd start off with a few
01:07 slides to kick off the discussion, so
01:09 I'll
01:12 start here. So just generally
01:13 speaking, there is a ton
01:16 of good great content
01:19 available on quantum
01:22 computing,
01:24 how quantum computing is going to sort
01:27 of
01:27 revolutionize the compute industry, and
01:30 the different things that quantum
01:31 computing
01:33 is going to be able to do that a
01:35 traditional computer
01:37 can't do. I'm by no means an expert in
01:40 the field. I'm on the
01:41 business side, but at a high level
01:43 so everybody understands,
01:46 quantum computers will be able to
01:49 solve problems that traditional
01:50 computers
01:52 don't solve, and today there are a number
01:55 of
01:55 nations, virtually all of big tech,
01:59 that are investing very heavily in
02:03 making sure that this materializes and
02:05 that this happens. With
02:06 right now moving from theoretical
02:09 to practical, and then you know there's
02:12 the next challenge which is going to be
02:14 moving from
02:15 practical to actual commercial use cases.
02:18 But there will be a time it isn't a
02:19 matter of if it is, more of
02:21 a matter of when.
02:22 When companies will be
02:25 able to
02:25 get shared quantum computing
02:28 services
02:29 in the cloud, and use those services
02:32 to improve things like drug design,
02:33 machine learning,
02:36 big data optimization for financial
02:40 modeling, optimization for traffic
02:42 modeling, all sorts of really cool
02:45 and exciting stuff. Now one thing
02:48 as well, and it's kind of why we're here
02:50 today and why
02:51 Isara and Thales are partnering,
02:54 is one of the big problems that quantum
02:56 computers will be able to solve.
02:58 Factoring is complex math and
03:02 as all of you know complex math is
03:04 behind
03:05 the algorithms that are used to
03:08 protect
03:09 pretty much all layers of our
03:12 technology infrastructure. Crypto is
03:16 pretty much everywhere in the technology
03:18 stack
03:19 and that crypto, specifically
03:22 asymmetric crypto, is a
03:24 threat. Using something called Shor's
03:26 Algorithm,
03:27 with the right quantum computing
03:29 computer, in the wrong hands -
03:33 you know it's very important that
03:35 customers
03:36 start to, and when I say customers, I mean
03:39 customers of ours, customers of Thales,
03:41 we mean anyone from an
03:43 enterprise
03:45 to government should really start to
03:48 prepare
03:49 for migrating their cryptography so that
03:52 it's
03:52 quantum safe, and Angelo, to your
03:55 point, you know we're really looking at
03:56 digital transformation here. I mean
03:58 at the end of the day, everybody's moving
04:00 to a digitally transformed business.
04:02 So in effect when we talk about
04:04 customers, we're literally talking anyone
04:06 that's going to be here
04:07 10 years from now. They've got
04:09 to start worrying about this today,
04:11 and one thing,
04:14 one of the things,
04:14 I think we've all seen 20
04:16 years ago was
04:18 Y2K was a big issue. People
04:22 had to move from old systems to new ones
04:24 and it sounds like
04:25 with quantum we're seeing something
04:27 similar. Can you describe this in a little
04:28 more detail?
04:29 Yeah, and you know there's a common
04:31 term in the quantum industry Y2Q.
04:33 The difference between Y2K and Y2Q is
04:36 with Y2K we knew when it was going to happen
04:38 but we don't know when it’s going to
04:39 happen for Y2Q.
04:41 It's the opposite. We know what's
04:43 going to happen, we just don't know
04:45 when.
04:45 It is actually going to happen so what
04:48 we advise
04:49 most organizations now
04:52 is to focus on crypto agility, which
04:55 essentially means
04:57 getting themselves ready, and that's
05:00 different
05:00 depending upon the type of organization
05:02 that you're in.
05:03 For example, if you are an organization
05:06 that builds
05:06 long life devices, satellites,
05:09 infrastructure,
05:11 cars, anything that has to be in the
05:14 field for a long period of time,
05:16 those solutions that you are shipping
05:19 out now
05:20 need to be quantum safe essentially now
05:23 because you know they're going to be in
05:24 life
05:25 for the next 10 or 15 years, and that
05:27 they will be susceptible to a threat
05:30 during that time. So we're encouraging
05:33 you know a lot of the preparation to
05:35 begin through
05:36 POCs for those companies to understand
05:39 the algorithms, understand how they will
05:41 perform
05:42 in their chips, in their memory, in their
05:44 communication,
05:45 in their sensors, so that their next
05:48 product life cycle will have
05:50 quantum safe algorithms embedded. That's
05:52 one place, and the other
05:53 place is
05:54 for large enterprise, financial
05:56 institutions,
05:58 governments, anybody with a very complex
05:59 PKI. I think we all know that it's
06:02 extremely
06:02 difficult and complex to migrate and
06:06 to
06:06 upgrade cryptography across the board, so
06:09 starting now and putting together those
06:11 plans
06:12 is a really critical, important
06:14 element
06:15 to the whole piece of the puzzle.
06:17 Right, and I guess like Y2K, to your point
06:20 people didn't really think
06:22 about that when they started building
06:23 computer systems, but today
06:25 we can start planning as you say for
06:27 crypto agility and quantum
06:29 now. Get it right, and by the way, as you
06:31 say in this slide,
06:32 people have to start worrying about this
06:34 stuff today to get it right.
06:36 You know, 10, 20 years from now when we
06:38 know
06:39 that those Shor's Algorithms can be
06:41 broken, so how are we approaching this
06:43 from
06:44 a more specific view Angelo. Can we
06:46 describe in a little more detail
06:48 how we're approaching these customers?
06:51 One thing that we often get
06:54 asked about quite a lot is when
06:57 will,
06:59 how do you know what is going to be safe,
07:00 what are the right algorithms
07:02 to use, et cetera. Right now NIST is going
07:05 through a very detailed
07:06 process, a selection process. Isara
07:09 as an example that follows that process very
07:11 closely.
07:13 NIST will sort of lay the foundation
07:17 of what are the right algorithms
07:19 to be used and for the right, different use
07:21 cases,
07:23 so it's a matter for companies to do a
07:25 few different things.
07:26 Understand their infrastructure, follow
07:29 the process
07:30 that NIST has worked with vendors who are
07:33 also following
07:34 that same process so that when the time
07:36 is right,
07:37 they can move from early
07:40 evaluation,
07:41 to POC, to production. So
07:44 Isara at its core has a
07:47 quantum-safe toolkit. That quantum safe
07:50 toolkit basically allows developers to
07:53 take those algorithms and easily
07:55 implement those in their environment you
07:58 know. One of the partnerships that we
07:59 have, one of our
08:00 strongest partnerships, is with Thales,
08:02 and that's why we're here today
08:04 with Dave.
08:05 Thales has taken that tool kit and
08:08 embedded it
08:08 into its Luna HSM, and
08:11 a customer can then take that HSM
08:15 and start to use the algorithms in a
08:18 number of different
08:19 use cases. That's what we're
08:23 encouraging clients to do, look at things
08:25 like
08:26 code signing, document signing,
08:29 certificates,
08:30 smart cards, and look at ways to start to
08:34 prepare to make those
08:36 elements of their
08:38 infrastructure
08:39 quantum safe. That's what
08:41 Thales and Isara
08:43 work together on.
08:46 One of the things I think is
08:47 interesting as we talk about crypto
08:49 agility is
08:50 people are probably familiar with a
08:51 hardware security module being either a
08:52 physical device
08:54 that's stored on-premises safely or run
08:57 in the cloud,
08:58 and as you say, well if we've got crypto
09:00 agility what happens if
09:02 different crypto algorithms become
09:04 ratified by NIST. How do we evolve
09:06 those change over time?
09:08 One of the things that Isara and
09:09 Thales have done is have what's called a
09:11 functionality update to the HSM, to
09:13 support those different
09:15 algorithms for quantum safe
09:18 algorithms
09:18 over time as part of the Isara toolkit,
09:21 and then leverage those as we say into
09:23 these different
09:24 partners like DigiCert for code
09:26 signing, document signing,
09:28 public infrastructure, so you can issue
09:30 quantum safe keys
09:32 today and use them down the road as well.
09:35 So let me ask this though.
09:36 I'm sure what’s going through a lot of people's
09:37 minds is what about NIST
09:40 and this certification process? I'm
09:41 hearing there's a number of candidates.
09:44 Angelo, can you describe in a little more
09:45 detail how that's going. Who might win
09:48 and how do customers think about this.
09:50 That's a good question, and I think
09:53 we all have to keep in mind
09:54 that it is
09:56 going to be a continually evolving
09:59 process.
10:00 We're all going to learn what
10:03 algorithms are,
10:04 the best algorithms for the best use
10:06 cases, and then we'll all
10:08 efficiently use those algorithms in the
10:10 best way and process
10:11 possible, and NIST is the
10:13 leader to
10:16 put those standards together for
10:18 us so then we can follow suit. So what I
10:20 mean, what Isara
10:22 does, this is a good
10:24 slide that covers it.
10:26 We take the NIST candidates,
10:29 and NIST has gone through this selection
10:30 process.
10:31 The selection is getting
10:33 narrower and narrower
10:35 then even within the algorithms,
10:38 things will
10:39 change so we have extensive
10:42 researchers who
10:43 follow that process, look at the
10:47 algorithms, figure out the best way to
10:50 optimize it, and then basically
10:53 put it in a kit so that developers
10:56 don't have to do all of that work.
10:58 They can make it easy for
11:00 developers to then go and use those
11:01 algorithms for the products that they're
11:03 trying to
11:04 bring to market. So
11:07 with a Thales functionality module on an
11:10 HSM, and
11:10 the Isara toolkit, what you're
11:12 getting is ongoing
11:15 support and an ongoing
11:18 commitment to the evolution of our
11:20 products
11:21 as the NIST process gets finalized.
11:25 And even after finalization as it
11:27 changes,
11:28 we can ensure that our toolkit
11:30 will always have those latest and
11:32 greatest changes
11:33 and make it easy for customers to evolve
11:35 their products.
11:36 The best thing to do though
11:38 right now is to start,
11:40 is to take certain algorithms,
11:44 work with parties like us or open source
11:48 or a bit of both,
11:49 and to start to test, to start to
11:51 understand how they perform
11:53 within your environment, within your
11:55 product, so you
11:56 get the familiarization and you can more
11:58 easily and more confidently put a
12:00 plan in place to go to
12:03 market. A good
12:04 example of that is probably
12:07 right here with actually
12:08 code signing. We probably find
12:12 code signing to be the most
12:13 common use case today.
12:16 If you take anyone who has a
12:19 long life
12:20 device, if you are in the infrastructure
12:23 business
12:24 and you have things that are going to be
12:27 in the field for
12:28 10, 15 years, you know that they are going
12:31 to be susceptible
12:32 to a looming threat, and you would want
12:35 to take something like
12:37 our toolkit and start to
12:40 embed those algorithms into the
12:43 different elements of your
12:45 overall
12:45 code signing solution. Right, so we work
12:48 with
12:49 Thales so that your Luna HSM can be enabled
12:52 with
12:53 those algorithms. You might have a code
12:56 signing service,
12:57 internal or external, you would want to
13:00 make sure that that service
13:02 is enabled with the algorithms. If you're
13:06 at the point where that service
13:07 eventually will be
13:09 a certificate authority like a DigiCert
13:12 for example,
13:13 or your internal certificate
13:17 services, you want to make sure that they
13:19 understand
13:20 the algorithms and then finally you know
13:22 the verification of those algorithms on
13:24 the actual end
13:25 device itself. So we look at this
13:28 as
13:28 the four different components in
13:31 the total solution that you would want
13:33 to make quantum safe,
13:35 and what Dave and I have both found
13:38 because we've been now
13:39 talking to a lot of enterprises over
13:41 the last year or two,
13:42 typically where one would start
13:44 is with the HSM
13:47 and getting an HSM into some sort of
13:49 POC environment
13:51 to host the algorithms and to start
13:54 the process off.
13:56 That's a great example Angelo, and
13:58 as a lot of people are aware
14:00 code signing’s been around for a
14:01 couple of decades now.
14:03 Organizations are improving their
14:05 processes to make them more
14:06 robust if you will, and you know
14:08 there's been a number of
14:10 very high profile issues around the code
14:13 sign process of whether it's
14:14 authentication to that process,
14:16 securing the keys without process. But
14:19 as they say, there's been a lot of issues
14:21 and this is one of the use cases that's
14:23 you know as
14:24 companies become more digitally focused on
14:26 services software,
14:28 cloud native containers, they have to
14:31 worry about
14:32 protecting those digital assets in a
14:34 very secure way. And
14:35 you know, code signing has been around
14:37 for a long time, and with Isara what
14:39 we're trying to do is
14:40 ensure that not only with today's crypto
14:42 they can secure their
14:44 digital assets, they can also do this in
14:46 a secure way
14:47 in a crypto agile world with quantum, and
14:51 this is really part of our
14:52 whole Modern HSM and modern story at
14:55 Thales as
14:56 we help our critical customers on
14:58 their path to digital transformation.
15:00 So let's take a closer
15:03 look now at
15:05 one question that I think a lot of
15:06 people have. Angelo, I know
15:08 you don't control this process,
15:10 but as you say Isara and your team are
15:12 very
15:13 close to the team, but if you had to
15:14 guess, is there a high-level time frame
15:16 that you anticipate NIST finalizing
15:19 some of these details for us
15:21 around this. Is it a year out, is it two
15:23 years out?
15:24 Yes, NIST is already making tons
15:27 of
15:28 progress right now. They've issued a
15:30 stateful, or a special publication
15:32 on stateful hash-based algorithms.
15:35 Stateful hash-based algorithms are
15:37 really good for
15:39 code signing, so
15:42 the process evolves but
15:45 you'll see updates in between 2022 and
15:49 2024, and you can expect a lot of
15:52 finalization to occur within that period.
15:55 I think it could happen
15:58 in
15:58 pieces versus all at once, but the
16:01 good news is that progress
16:03 is there and what we're
16:06 kind of encouraging that
16:09 you look at that process between
16:11 now and 2026. You really should have
16:13 everything
16:14 ready and underway and being able to
16:17 execute,
16:18 because thereafter, five or ten
16:21 years after that,
16:22 the threats could really
16:25 be more than just
16:26 the conversation that we're having
16:27 right now and we can start to see some
16:30 real examples. So it's best to be
16:32 prepared.
16:33 Great and to your point, the first
16:35 link that we're going to share with you
16:36 is our
16:37 Crypto Agility Risk Assessment tool, and
16:39 this was designed for CISOs to
16:42 be able to run through an
16:44 assessment in 10 minutes online,
16:46 and calculate their organization's risk
16:48 profile. Someone
16:49 building cars or planes
16:52 or trains may have a longer
16:54 assessment than someone building
16:55 software services, but
16:57 in either case it's vital now to take an
17:00 assessment. And then of course the second
17:02 phase is
17:02 to try this out as a POC with
17:05 the Isara toolkit
17:06 that one can use with our Thales Luna
17:08 HSMs running the
17:10 quantum safe crypto. Plug that into
17:13 third-party applications like a
17:15 DigiCert PKI
17:16 to create applications like code signing and
17:18 have quantum crypto safe
17:21 code signing solutions. So thanks
17:23 again for joining us today on this talk
17:25 Angelo.
17:26 As I say, Isara is a critical partner of
17:28 Thales as we
17:29 move to this agile crypto world,
17:32 and we're going to be building solutions
17:34 now and for the next
17:36 decade to help secure companies as they
17:38 transform their businesses digitally.
17:40 This has been part of our Modern HSM
17:42 campaign and hope you've enjoyed this. As
17:44 I said, there's lots more information
17:46 we can share with you if you click on
17:47 those links, and please feel free to reach out if
17:49 you have questions or ideas.
17:51 I want to thank Angelo for joining
17:53 us today and hope
17:54 this webinar was useful. Thanks for
17:57 having us Dave.
17:57 Take care. Take care everybody.
Post-Quantum Crypto Agility Risk Assessment Tool
Are you post-quantum ready? In just 5 minutes you will gain a better understanding of your organization’s post-quantum breach risk.
Securing Emerging Technologies with Thales Luna HSMs - Solution Brief
In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...
Becoming Crypto Agile and Quantum-Safe with Thales Luna HSMs - White Paper
This white paper will focus on the use of Thales Luna Hardware Security Modules to enable the most seamless, trustworthy and cost-effective method of transitioning to quantum-safe security with a crypto agile solution. The challenges and solutions outlined within will show how...
Thales and ISARA Corporation - Solution Brief
The onset of large-scale quantum computing will break current public-key cryptography, resulting in widespread vulnerabilities within everything that connects and transacts. This results in a unique problem for long-lived connected devices deployed today which need to remain...
Luna Network HSM - Product Brief
Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...
ISARA Radiate Quantum-Safe Toolkit
The ISARA Radiate Quantum Safe Toolkit includes a high-performance, standards-based quantum-safe cryptographic library and integration tools built for developers.
Guide: Managing Crypto and Quantum Risk
A non-technical and hype-free explanation of what’s at risk, what you can do, and why you should act now.