Crypto agility measures how well your company can adapt to new cryptographic primitives and algorithms without making disruptive changes. Every company will need to achieve this bragging right as soon as possible to avoid the coming quantum computing cryptographic apocalypse. This includes a combination of auditing where you are on the journey and then actually taking action. During this podcast we talk about products from QuSecure that can help you close discovered gaps.
Rebecca Krauthamer – Chief Product Officer
Greg Bullard – Chief Technology Officer
The Post-Quantum World on Apple Podcasts.
Quantum computing capabilities are exploding, causing disruption and opportunities, but many technology and business leaders don’t understand the impact quantum will have on their business. Protiviti is helping organizations get post-quantum ready. In our bi-weekly podcast series, The Post-Quantum World, Protiviti Associate Director and host Konstantinos Karagiannis is joined by quantum computing experts to discuss hot topics in quantum computing, including the business impact, benefits and threats of this exciting new capability.
Crypto-agility is a term we’re hearing more often. What does it really mean, and why is it critical for your organization to achieve it before the coming quantum cryptographic apocalypse? We delve into all this with QuSecure, a company delivering post-quantum cryptography, on this episode of The Post-Quantum World. I’m your host, Konstantinos Karagiannis. I lead Quantum Computing Services at Protiviti, where we’re helping companies prepare for the benefits and threats of this exploding field. I hope you’ll join each episode as we explore the technology and business impacts of this post-quantum era.
We’re lucky to have two people here today from QuSecure. We have the cofounder and chief product officer, Rebecca Krauthamer, and the CTO and VP of engineering, who is Greg Bullard. Thanks for joining.
Rebecca, start us off with a little bit about QuSecure in general.
We’re a tech group, and we started QuSecure several years ago, and it was through this quantum journey. My background is in AI, and so I came into quantum via that route, understanding that quantum is the next generation in technology and is going to push us forward to achieve some of these things that we could only dream of before. We started this venture studio called Quantum Thought, and the idea was to start the company like a venture and incubator firm. The idea was to start companies in quantum, and, long story short, it became really clear that the need for post-quantum cybersecurity — protecting against these advancing quantum risks — was the application. That became apparent through our growing expertise in quantum, and so we dove in, we took on this space, and QuSecure was born.
We develop software-specific, or software-only, solutions to protect all data, whether it be transit, at rest, etc., from these incoming quantum attacks, but as well as these existing hacks, so the things that you read about in the news, the things that are existential risks for data, protect against those as well as the incoming quantum threats.
What I do at Protiviti is, we help companies with use cases in quantum, and then, on the other side, we try to help them figure out what they need to do for this apocalypse that’s coming. We don’t cover that too often on the podcast, but I figured it was time for another postapocalyptic episode here, so here we go. Give us a little overview of post-quantum cryptography basics. People are usually confused by this. Obviously, it doesn’t mean cryptography being generated by a quantum computer, so for those who don’t know, maybe summarize that.
I’m sure a lot of your listeners are familiar, but we know that quantum computers are going to disrupt and advance a lot of technology. One of the things that we know for sure is that an algorithm exists, called Shor’s algorithm, and that is going to devastate public key cryptography as we know it. There’s a number of other things that are at play, Grover’s, etc., that quantum is also set to disrupt, but the key thing is that it’s a given now that thanks to Shor’s algorithm and the processing capabilities of quantum, it’s a ticking time bomb. The cryptography that we use today is based on prime factorization, and that will be broken. Post-quantum cryptography is a new class of cryptography that protects against, again, existing threats, existing computational threats, as well as what is coming down the pipe when it comes to quantum computing.
I have a feeling that when we talk about some of your products, we’ll be getting into which of the post-quantum safe ciphers are in use and all that good stuff. The reason people need to start worrying about this now is, obviously, information is being gathered and saved in hopes that one day it can be reversed. I know there was just a Booz Allen report published. I don’t know if you saw this — they were speculating on “China is gathering information” — I think everyone is. I think the U.S. is. I think every country is gathering information. That’s the whole point there, the whole thing.
The lifetime of healthcare data is a lifetime. It tends to linger. What do you talk to customers about when it comes to crypto-agility? That’s a big thing I like to push customers to understand. Greg, talk a little bit about crypto-agility and this idea of how important it is.
Let’s start with post-quantum crypto. There is a set of algorithms that are being computed and driven by NIST, the National Institute of Science and Technology, and there will be a down select of what is deemed the favorite algorithm and all that stuff — Saber, Kyber, a couple of others. We’re moving all of them right now.
The crypto-agility, though, let’s talk about what that’s really about. We’ve got a whole bunch of folks, they’re still running on Windows 95. They’re not ready to upgrade. They’re never going to upgrade. We need to be able to roll out the upgrade for quantum-proof around the planet. We need to be able to do it in any company, any market, and it’s got to be done in a way that you don’t force a big-bang upgrade like you did with Year 2K.
When Y2K came around, when that moment went by, it was, all of a sudden, the next century, and with crypto-agility, we want to be able to bring the most critical communications, the most critical assets, forward to post-quantum and then be able to go clean up the rest. That means that some of the machines with the Windows 95 are still going to be maybe running on TLS 1.3 for a few more years, and they can be managed and sequestered. I think the real key challenge in crypto-agility is managing and forcing the upgrade as the attacks are put into place. That’s the piece that I think often is missed. Otherwise, all it is is backward compatibility.
Another key point here is that — you made a reference to it a few minutes ago — you don’t need quantum hardware. You don’t need a quantum computer to protect against the quantum attack. The quantum attack is going to be hidden out of our view. It’s going to be using hardware that may exist today in some government space somewhere we don’t know, but it will get commoditized in maybe five to 10 years. The quantum attacks will be strong enough to break our current crypto in two to three, but they’ll probably be able to sell it to you in a small chip that’s cheap in commodity in a few years.
And so, of course, at that point, the bandits and the thieves and everybody else that wants to steal money are going to get ahold of that, and they’re going to come after all of our communications and our encrypted data. They’ll be decrypting everything they’ve been able to collect. I look at that agility as a way of getting that rollout done in a managed and safe way, a way that doesn’t break down the whole system. That’s really the key there.
Yes, because a lot of companies don’t write code, and crypto is really in there. It’s buried. It’s hard-coded. You can’t abstract it out. You can’t easily swap it, so we want to move them away from that kind of practice. Also, they’ll use some third party, not like you guys, but a third party who doesn’t care about agility, and then they’re locked into something they don’t understand, and then, when these machines appear, what are they going to do?
Those are good points. Sometimes you have to understand your data flows and which ones are really vulnerable and which ones maybe aren’t as critical. It’s scary what’s out there, especially with government machines. Who knows? Some of them could be ancient. There are satellites in space that are just going to be chunks of useless metal pretty soon.
Yes, and there’s the great unknown too with anything photonic. That seems to be the path towards an interconnected quantum computer system, so who knows. If we get interconnect right, you won’t need 4,000 quality qubits in a machine. You’ll need 1,000, and then you’ll just chain four of them together, and all of a sudden, overnight, you go from 1,000 to an RSA slicing-and-dicing machine. That’s why we can never give a clear timeline. If you do that whole Mosca’s theorem approach where, how long is the shelf life, what’s your time needed to swap out crypto, and then you figure out how long before a machine comes along, we don’t know. I suspect we’ve already blown it with Mosca’s theorem. I think most companies find that they’re behind.
To illustrate Mosca’s theorem, it’s the combination of what’s your shelf life and how long is it going to take for you to do this upgrade? You start thinking about it as a company or an organization that has the sensitive data and you start to really realize, “This is bad.” I just heard Mosca speak at a group that I was part of, and he said they’re releasing their study this year. They release their report annually, and this is the first year where the experts are really starting to put aggressive time frames on when they think these quantum computers will be ready. We’re at a bit of an inflection point where we don’t really have any more time.
I think we’ve already blown it, so it’s time for folks to just start doing damage control here to quickly identify the things that need to be protected. What’s your Coca-Cola secret recipe that you’re trying to protect? Try and figure that out, and start looking at other hybrid solutions, even in the short term, and of course, your team has solutions already now. You mentioned you have all the ciphers in there, so that way, you could whittle down, take that approach of chopping out the ones that don’t make the final cut for that reason.
Let’s dive into the two main ones. There’s a post-quantum network and a post-quantum data-at-rest approach, so if you wanted to maybe cover those?
There are a couple of key requirements that you need to meet: You need a post-quantum algorithm. That’s essential, and that’s where NIST is the place to go for that. You also need a post-quantum key. We use PN generators, pseudo-random number generators, and they are not random. They are pseudo-random, and this is the foundation of nearly all of our digital random number generators. Often, they’re based off a system clock.
There are all kinds of attacks that you can apply. The great thing about quantum computers is that they are extremely good at correlating. They can formulate pretty much any combination in an instant, and that’s what makes them so profoundly powerful. It’s why the time of decrypt of a current asymmetric session, which is thousands of years for our computing, will be a 10 seconds-ish thing in the quantum domain. You need a key that is really deeply random.
The third thing is, in order for the belt-and-suspenders approach of safety, you need to make sure you’re rotating that key. We don’t typically rotate keys in our sessions, in our file storage, anything like that. We used this in World War II. We would look at the messages that were coming from the Germans, and we would look for the tail on the message. The tail on the message was always the same — it was always “Heil Hitler” — and that gave us some known text, and since the same key was used, we would start decrypting there. It’s a wonderful study to look at that stuff, but you’d find out that they would use that relatively dumb thing that happened. Because the key was the same, they could actually end up being able to crack the whole message.
Yes. A onetime pad should really be used one time, because if it’s not, it’s —
What’s better than a onetime pad is a rotating onetime pad, and that’s exactly the kind of thing we need to do. Quantum-proof keys are basically onetime pad keys. We have a quantum source. There are a couple of them in the market we’re actually using — a couple of them for some supply redundancy. They are photonic devices that do some pretty fancy physics to come up with highly random numbers and numbers that are not in a pseudo mode at all. We then have a protocol which essentially looks a lot like TLS and drops it in place of OpenSSL or something — well, and some reference code. What that does is, it handles communicating to and from the server that’s providing the keys.
Everything we do is over the quantum channel, so we communicate with clients over the quantum channel. The clients set up sessions between themselves over a quantum channel, and then, when it comes time to file to encrypting data at rest, any entity can say, “I need to encrypt some data at rest,” and they’ve got a key and they start rotating through the keys as they encrypt depending on the file size.
We also randomly shift keys, because if you let the enemy know when you’re rotating keys, then they’ll use that information. So, you do it based off of a quantum random number, not off of a non-quantum random number. The old trick is to avoid the dilution of that randomness and get those keys deployed. That’s the initial product of the system — to deliver that capability. It should replace that padlock on your browser that’s up in the upper corner and will give you that post-quantum-proof.
Another key part of it is the ability to control the crypto-agility. You should have an administrator. You’re talking to your bank. Your bank should be able to say, “We’re watching all the quantum attacks, and you need to upgrade within three weeks and now within two weeks and now within one week,” and then once you don’t upgrade your stuff to the post-quantum capability, they say, “Sorry, you’re going to have to call on the phone if you want to move any money from now on, because we can’t count on your system to deliver the proper security.” They essentially can manage off the crypto-agility. That’s the main value of crypto-agility, in my opinion.
Yes, because you can’t count on every single packet having already been gathered. That is a little unreasonable to expect. When you reach the point where you know the threat is real at that point, we do have to be doing due diligence.
There’s a real important message about all the data that has already been gathered. Whatever you got out there, if it’s truly important for control — i.e., a password — you’d better change it, and you’d better get a good quantum-proof password. That’s also going to be an interesting space, but the other stuff, good luck. If you ever thought your Social Security number was safe, you should probably check again, and hopefully, then, knowing your financial balances from whatever year they collected your data isn’t that big a deal, but there’s going to be a lot of disclosure that’s going to go on without us knowing it.
Yes, because even data at rest is not safe if you’ve been transmitting it over these means in the past, so, good point. You should be changing those keys, especially if it’s for a data-at-rest solution.
Changing those keys is critical especially when you consider cloud and the cloudification of the world, where all that stuff is out there. It’s easier to gather than if it’s sitting on your phone and your phone never actually leaves your hands, but things like that, that’s important.
Yes, I know it’s a bit of doom-and-gloom, right? The outlook is bleak, and that’s why we came into this space, and what we design is very much designed with the real world in mind. It can be scary to think about these things. It can be hard to sometimes consider what it takes, and so everything that we built is really — it might sound complicated, but it’s designed to make this upgrade accessible and easy and to bring the enterprise or bring the government into full protection in a secure and safe way.
Make it straightforward, and we mitigate the risk and the anxiety for people — get them protected. It isn’t that hard. That’s why we keep talking about things like deployability and what crypto-agility is really for. It’s about getting folks converted in a way that they don’t have to sweat about it. The IT person who’s running the organization doesn’t have to sweat about it, and everybody can just say, “We got it covered, and that’s it.”
Yes. This isn’t like hybrid TLS then. It’s not like you’re doing ECDSA plus Kyber or something. This is just purely replacing all that and creating a new plug-in for PKI?
The thing that worries me the most — and this is where we’re going to be doing a lot of intelligence gathering, a lot of watching in the market, a lot of updating product in the future — is, what is the attack we don’t yet understand? We think that the Kyber-Saber suite is going to be fine, but every year, there is going to be a whole new set of quantum-enabled attacks that are going to come out. The question is, what are they going to be on that year? Are they going to be on looking at our records and being able to figure out our future passwords based off of our last ones, the ones they’ve already been able to collect and decrypt? Are they going to be in biometrics? There are so many opportunities. My belief is, the hybrid is — I want to be careful here. It’s a nice try, but I believe that it’ll probably be vulnerable about being kicked over within a short period of time.
It seems like a stopgap. It’s like a better-than-nothing approach.
Well, we’re working the deployment model. We’re certainly interested in organizations. We’ve had financial organizations, government, lots and lots of different parties come to us and say, “I need you to take care of my business operations,” whatever form that they take. Specifically, let’s pick out your bank or your broker. They want to make sure that it’s quantum-proof in the connection between your browser and their stuff. They’re going to put the servers where they’re accessible and probably managed in their network, and then the clients — they’re going to push out client updates. Now, you only need to get the client update once, so you’ll drop into your favorite browser, it will pick up the post-quantum client, and then that padlock in the browser corner is going to end up being a post-quantum thing, negotiating with the server or whatever website you’re going to. That’s the model.
We also are migrating towards the cloud. There are many opportunities for this to be deployed by cloud providers and maybe your local ISP, maybe some other entity, but you’re going to end up picking up different keys from different places for different purposes, and that should all be seamless in the system.
That makes sense, and that’s really what we want. We want something math-based, easy to plug right in. We don’t want people to have special browsers they have to download or anything like that, or else you won’t have mass adoption.
Adoption is the number one thing, because people are typically afraid of crypto. They’re afraid of security problems. They imagine the worst. They deal with all that anxiety. It tends to stall people because they’re not exactly sure what is really good, where the promises are made, and then you end up having these issues of the technical complexity. We are going to publish a lot of transparency about our vulnerabilities and make sure that we’re going to attack the heck out of it and then make sure that the deployment is truly easy, that you don’t need to have some one thing operating. We really want a mesh of everything running together so that no matter where you are, whatever is going on, you’re near a key server, and that key server can give you the keys you need and work through to get you to whatever site you need.
That could be between two devices on their own. That actually is how the file works in a lot of encryption, because when file encryption is going on, whether it’s a database or a file on your personal device or whatever else, it’s just going to go ahead and grab a key and go ahead and do the encryption. Then you’ll have an opportunity to go back and retrieve the key from the key management system that it’s integrated with, and that key will be your ticket. The nice thing is, you can manage those keys. You can shut down access to them. You can do all kinds of safety things if you’re afraid you’re under attack.
Or if you find out one of the ciphers needs to be replaced, you can just quickly stop the use of one and switch over.
And then come back and reencrypt. Periodic encryption is not a bad idea. It’s pretty cool.
Do you want to talk a little bit about the data-at-rest work that you’re doing?
Well, sure. The data-at-rest is taking the very same keying system and the very same algorithms and, instead of setting up a connection point-to-point, it is taking the file locally and encrypting it. In the case of servers and bank records and health records and all that kind of stuff, we’re definitely going to be working with those IT teams to get that capability tucked into their database structures.
It’s, once again, still pretty straightforward. There’s a pile of data — small, big, whatever, we can encrypt it, put a quantum key on it. And what’s really nice is, we start to see individual key management for a specific piece of information or a specific patient or a specific customer or something like that. It allows you to break up the honey pot. As it is today, a lot of things, when you break in, if you can get your way in, you get into the entire store, and between the rotation of keys within one encryption operation, it follows along. It may be multiple keys encrypting it to new keys for different operations and different pieces of data. It really annoys the heck out of the attackers.
Yes, and people don’t do due diligence currently, so I can imagine that as we move to post-quantum, people aren’t going to be rotating keys on their own and things like that. You’re automating it to make the policy go from paper to zeros and ones as it is, right?
Yes, because otherwise, we see it all fall apart because of a huge gap where no one actually pushes the buttons to do it.
I’ve read a few times that you talked about zero trust. Are you talking about implementing this with other zero-trust solutions that are already in place at a customer, or do you have some kind of extra AI that you’re providing for some kind of control of who accesses what? Is there anything like that going on?
Well, that’s a complicated question. It’s a fantastic concept, but the way we operate our digital systems, you still need a root of trust in all your endpoints, because if you can’t get a root of trust, then how do you possibly authenticate? Very few of the systems and pretty much zero of the commercial systems that we have today can permit you to run code securely on an untrusted platform, and that’s a foundational premise for zero trust.
Let me step away from that question. We’re definitely working with integration with identity and access management. How do I know that you are the one asking for your key for that file, something like that, so you can decrypt it? You want to make sure that that is very strong, and the fact there is that it’s a wide market — everybody loves their own choice. Nobody wants to be told, “You have to switch.” That’s going to be in integration, and that integration is right on the front of our priority list, getting it seamless and smooth.
That’s not exactly the answer to the zero trust. There’s also a whole bunch of stuff about trusting platforms, and there continue to be needs to make sure platforms are quantum-proof from attack. I don’t think the current HSM market is well-versed to protect against quantum attack. I’ve done a lot of attacks in my life, and the first thing I want to do is go after the platform or go after the credentials to get onto it. They’re super easy. That’s if I can’t skim the stuff off by passive measures like gathering a file or gathering communication. That’s the kind of stuff that needs to be addressed. We’re certainly looking around at that space, and we’re also seeing not much action in it. That’s the territory for us to be figuring out how to solve together.
Yes, and I want to bring this back to something Rebecca brought up earlier. You’re interested in AI and how quantum is going to influence that. Do you see any use of quantum machine learning at your company? Do you see any way to apply it to any of these problems? For example, with zero trust, some of the more interesting approaches use some kind of machine learning to understand how a network behaves, what’s an anomaly. You’re already using quantum for random number generation, so would there be some other quantum usage to defend?
Yes. It’s really interesting. We’re building the protective stuff, and we’re also doing live research and investigation into what we can do to understand what an accelerated hack would look like. We’ve done some research with Harrisburg University. We’re publishing findings sometime soon on that, so keep an eye out.
It’s really interesting. We’ve played around with GANs. When it comes to QML — and this is stuff that I’m super interested in — you can look at things like Grover’s, you can look at different stuff that’s down the pipe. There are some theoretical things that you can do. We’re still, frankly, just a little far away from that, but it’s a very active area of research from our side. The answer is yes, what is coming down the pipe is going to be brutal, and it’s going to be enhanced by quantum.
It’s about pattern matching. Quantum is too, and so when quantum and AI go together, we are in for a world of hurt. I’m sure that they’ll have psychiatric typers running in all of our traffic lights and phones and all that other stuff because it’s going to be that easy. You look at that and you say, “You had a little tone of voice different last Tuesday at 2:30 — something tells me you’re depressed,” or whatever it’s going to be. The power of data analytics is just overwhelming to humanity. We just a) don’t understand it, and b) because we don’t have a way to understand that immensity, we are very unprotected against it, and we’re going to kick that into hyper mode.
I’m part of a group that’s authoring some governance guidelines for quantum computing with the World Economic Forum, and I help author — specifically, the privacy section. Like Greg is saying, it’s all pattern recognition — behaviors, everything from looking at these pseudo-random numbers that are generally used and figuring out what patterns are used to generate them, because everything is deterministic when you’re using a computer generator, to behaviors on the network. You can even use it for, potentially, social engineering in a very sophisticated way. There’s a lot that we don’t know. There are some things that we can extrapolate out for, but yes, we’re very actively on the research side, poking at it as well.
QML is going to have a huge impact on security in general. I think it will. Anything you see being done now with smart networks and things like that, I have a feeling they’re going to be revolutionized one day — if you can have access to the machines, of course. Right now, there are three dozen quantum computers, and you can get them for a few minutes a week, so I don’t know if they’re really going to revolutionize the network just yet, but give it time.
It is exciting to see what you’re already working on, because these are the things we need implemented for reality right now, not just theoretically. We should definitely take a look at this, and in fact, I might do the same. I might take a deeper look at some of this stuff too.
It’s all about, like I said, helping customers get to this crypto-agile place sooner, so this is super-impressive stuff. Thank you both very much for joining me.
Now, it’s time for Coherence, the quantum executive summary, where I take a moment to highlight some of the business impacts we’ve discussed today in case things got too nerdy at times. Let’s recap.
Crypto-agility measures a company’s ability to enable rapid adaptations to cryptography. This includes using new cryptographic primitives and algorithms without making disruptive changes to a system’s infrastructure. Every company will need to achieve this bragging right as soon as possible. A quantum computer capable of cracking 2048-bit RSA and other implementations could be here in as soon as three to five years, depending on technologies such as interconnect, which could combine quantum computers to get us to 4,000 error-corrected qubits sooner rather than later.
Companies need to audit where they are in the path to crypto-agility and should start taking actions now to close any gaps. My team at Protiviti helps companies identify how crypto-agile they are. QuSecure is one of the companies providing products that can help you close discovered gaps. They use post-quantum secure ciphers that are NIST finalists and solutions that work today. QuSecure offers quantum key management, which uses quantum random number generation to create strong security keys. Classical computers have known weaknesses in creating random numbers, after all. Defender also offers post-quantum data-at-rest, which defines and enforces how your data are protected. Turning policies into actions has been an issue for many organizations in general. Now, it can solve this issue with an added healthy dose of post-quantum ciphers.
That does it for this episode. Thanks to Rebecca Krauthamer and Greg Bullard for joining to discuss crypto-agility and QuSecure’s offerings.
This is our last episode of 2021. We’ll be back on our regular schedule in January. I just want to take a moment to thank you all for making this a great first year. Happy holidays. If you enjoyed the show, please subscribe to Protiviti’s The Post-Quantum World, and leave a review to help others find us. Be sure to follow me on Twitter and Instagram @KonstantHacker. You’ll find links there to what we’re doing in Quantum Computing Services at Protiviti. You can also DM me questions or suggestions for what you’d like to hear on the show. For more information on our quantum services, check out Protiviti.com, or follow Protiviti Tech on Twitter and LinkedIn. Until next time, be kind, and stay quantum curious.