Protection against quantum computers starts with insights
Although it is not yet known exactly when, we know for a fact that the quantum computer is coming. Quantum computers pose a threat to a significant part of the current cryptographic algorithms. This means that many of our hardware and software systems are no longer safe. Organisations should make an inventory of the cryptographic methods they are using, which turns out to be complicated. TNO is willing to help.
October is Cybersecurity Month
Therefore, TNO shares an article on cybersecurity every week. In these articles, we share the importance of addressing vulnerabilities in the design phase of software and hardware.
Everything is protected by cryptography: websites you log in to, messages you send, and every laptop and phone. Without it, data could easily fall into the wrong hands. Cryptography keeps our data safe… unless someone can crack it. And when the quantum computer arrives, that fear could become a reality.
How does cryptography work?
Cryptography is made up of several building blocks that use algorithms. As soon as one of those algorithms can be cracked, that algorithm needs to be replaced. The problem now is that quantum computers can crack a significant proportion of algorithms. Fortunately, algorithms have been developed that are resistant to quantum computing. This is called ‘post-quantum cryptography’.
Competing for the best algorithm
Coming up with better algorithms is nothing new – there are even international competitions for it. The winning algorithm ends up being used in most hardware and software. Until now, new algorithms usually performed as well as or better than existing ones. However, this is not the case for post-quantum algorithms: these are much more complex, meaning websites that use them take longer to load.
Secure algorithms with PQC migration
In order to switch to post-quantum cryptography, companies need to convert much of the cryptography in their systems. This is called post-quantum cryptography migration, or PQC migration for short. As it is impossible to replace all the algorithms at once, you have to start with vulnerable algorithms that protect vital assets. The problem with this is that most companies simply do not have a good overview of what cryptography is used where. Therefore, the first thing to do is to make an inventory of all the cryptography in your company.
Can tools help, or will the process remain entirely manual?
A cryptographic inventory is a list of which algorithms you have in your systems, as well as how sensitive the data protected by those algorithms are. There is a diverse range of tools that can help you make a cryptographic inventory.
'We’re investigating what the different inventory tools can do and whether they offer a complete solution,' says Thom Sijpesteijn of TNO.
Manon de Vries, also of TNO: 'I expect the tools to be especially good at identifying cryptography, but not so good at determining how sensitive the data in a system are, because that depends heavily on the context. For example, information in a medical portal is much more sensitive than information on a Wikipedia page, but a tool probably won’t be able to detect the difference. Producing the inventory will therefore still require some manual work.'
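The inventory described above, as an added Python example (not part of the original article, and not TNO's risk methodology or tooling): it combines algorithms as a discovery tool might report them with manually assigned sensitivity, then orders the quantum-vulnerable entries for migration. The system names, the 1 to 5 sensitivity scale and the tie-break rule (confidentiality before signatures, because recorded ciphertext can be decrypted later) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "ED25519"}
# NIST-standardised post-quantum schemes (FIPS 203, 204 and 205).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Entry:
    system: str       # where the cryptography was found
    algorithm: str    # as a discovery tool might report it, e.g. "RSA-2048"
    purpose: str      # "key-exchange", "encryption" or "signature"
    sensitivity: int  # 1 (public) to 5 (vital); assigned by hand, per context

def family(algorithm):
    """Reduce 'rsa-2048' or 'ML-KEM-768' to its algorithm family."""
    name = algorithm.upper()
    for fam in QUANTUM_VULNERABLE | POST_QUANTUM:
        if name.startswith(fam):
            return fam
    return name  # not in either table: left for manual review

def migration_order(inventory):
    """Quantum-vulnerable entries, most urgent first."""
    todo = [e for e in inventory if family(e.algorithm) in QUANTUM_VULNERABLE]
    # Highest sensitivity first; on a tie, confidentiality uses precede
    # signatures (assumed rule: ciphertext saved today can be decrypted later).
    return sorted(todo, key=lambda e: (-e.sensitivity, e.purpose == "signature"))

def needs_review(inventory):
    """Entries the tables above cannot classify, e.g. symmetric ciphers."""
    known = QUANTUM_VULNERABLE | POST_QUANTUM
    return [e for e in inventory if family(e.algorithm) not in known]

# Constructed sample inventory; every system name here is hypothetical.
SAMPLE = [
    Entry("public-wiki TLS", "RSA-2048", "key-exchange", 1),
    Entry("medical-portal login tokens", "ECDSA-P256", "signature", 5),
    Entry("medical-portal TLS", "ECDH-P256", "key-exchange", 5),
    Entry("backup archive", "AES-256", "encryption", 5),
    Entry("VPN pilot", "ML-KEM-768", "key-exchange", 4),
]

if __name__ == "__main__":
    for rank, e in enumerate(migration_order(SAMPLE), start=1):
        print(rank, e.system, e.algorithm, f"sensitivity={e.sensitivity}")
```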
PQC migration: worth the time and money
For companies, PQC migration is not an easy process. It takes considerable time and money, and they have to decide which systems to convert first. In the meantime, newer, more efficient algorithms may come along, and they would then have to convert again. Because of this uncertainty, many companies prefer to wait before migrating. But the threat is already out there.
'An attacker can already save data now for decryption with a quantum computer later. That’s why post-quantum cryptography is important now, not only when the quantum computer arrives,' says De Vries. 'In the US, there is already a law mandating the use of post-quantum cryptography in government systems. Although there is no such legislation in the Netherlands yet, we expect to see it soon.'
Struggling with the migration? Here are some methods that can help
To help companies with PQC migration, TNO has produced the PQC Handbook. In addition, TNO has developed a risk methodology, outlining how to produce an inventory and assess which algorithms are vulnerable. TNO has also developed a tool to help you choose the right algorithm: the PQChoiceAssistant.
Work with us!
De Vries: 'We’d like to test this risk methodology in practice and are looking for partners to try out our methodology, so we can then improve it. In return, we’ll help those partners with their migration. Seems like a win-win!' If you would like to work with us, get in touch.