Data Sensitivity

How to Protect Sensitive Data in the Age of Quantum Computers

Enterprises are going to face new security threats in 2023 with the advent of powerful new quantum computers. These computers have the power to break the cryptographic encryption techniques that have been traditionally used to protect sensitive and confidential information. We recommend that CISOs explore the use of post-quantum algorithms to encrypt their data immediately, according to the recommendations by the US National Institute of Standards and Technology (NIST).

Most business entities store information about people and organizations they have relationships with. Some of this information may be of a sensitive nature, containing either private or confidential information not to be shared with third parties.

Intentional or unintentional exposure of this information can constitute a data breach. High-profile data breaches (Target, Equifax, the US Federal Government) have resulted in loss of public trust, decrease in share prices, and increased regulatory scrutiny.

Enterprises have realized that they cannot afford to have data breaches. CISOs (Chief Information Security Officers) have been charged to protect & secure all information of a sensitive nature. Typically, CISOs have set up their defenses by protecting the perimeter of their networks and by encrypting their sensitive data. It is highly likely that one or both of these defenses will fall in the near future. Next-generation Quantum Computers have the ability to break the cryptographic approaches that we have traditionally used to secure data within the enterprises. In this article, we will focus on protecting your data assets even when quantum computers are present.

The Current Approach to Protecting Sensitive Data

Depending on their security stance, organizations can be put into three categories.

1.   Vulnerable Enterprises:

These are organizations that do not have a catalog of their data assets, do not know the location of their sensitive data assets, and have this information present as unencrypted plain text.

2.   Semi-Secure Enterprises:

Organizations with a data catalog that have classified their data assets into sensitivity & confidentiality categories and have encrypted their data using traditional cryptography.

3.   Presently Secure Enterprises:

Organizations that encrypt all their databases. These organizations may become insecure once quantum computing becomes the norm.

 In terms of vulnerability, these organizations face different risks of data breaches.

Risk of Data Breach High Risk Medium Risk Low Risk
Comprehensive Data Catalog Exists? No Yes Yes
Sensitive Data Classified? No Yes Yes
Sensitive Data Encrypted? No Yes Yes
Sensitive data encrypted with post-quantum computing algorithm? No No Yes

Potential Risks Posed by Quantum Computers.

The risks shown above are all based on the strength of the cryptographic algorithm that is used to encrypt the data. Traditional approaches to encryption (e.g., RSA) usually involve the use of public and private keys (prime factors of a large number). Computing the prime factors through brute force is considered a hard problem, requiring massive computational resources. A standard method of encryption, known as RSA encryption, relies on the difficulty of factoring large numbers into their prime factors. This approach involves generating a public-private key pair, where the public key is used to encode data, and the private key is used to decode it. The security of this technique relies on the fact that the public key is created by multiplying two very large prime numbers, making it very challenging for anyone to determine the original factors through brute force. In normal computing methods, it is considered virtually impossible to factor such large numbers. This makes the RSA encryption secure for normal computers. Now imagine a scenario where a new type of computer appears, where the computation of the keys is possible. Now, the entire security infrastructure is suddenly vulnerable. What was thought to be secure is no longer secure. This is exactly what quantum computers are capable of doing. So CISOs must immediately consider alternative approaches to securing their enterprise data environments.

NIST Recommendations:

The United States National Institute of Standards and Technology has created the following table to show types of encryption techniques that have been rendered insecure by quantum computers.
Cryptographic Algorithm Type Purpose Impact from Large-Scale Quantum Computer Bits of Security Pre-Quantum Bits of Security Post-Quantum
AES Symmetric Key Encryption Larger Key Sizes Needed 256 (AES-256) 128 (AES-256)
SHA Hash Values Hash Functions Larger Output Needed 256 (SHA-256) 128 (SHA-256)
RSA Public Key Signatures, Key Establishment No Longer Secure 128 (RSA - 3072) 0 (RSA-3072)
ECDSA,ECDH (Elliptic Curve Cryptography) Public Key Signatures, Key Establishment No Longer Secure 128 F = 256- 383 0 F = 256-383
DSA (Finite Field Cryptography) Public Key Signatures, Key Establishment No Longer Secure 128 L = 3072 N = 256 0 L = 3072 N = 256
*Note: Scroll right to view the complete table.

NIST has recommended that current cryptographic techniques be replaced by Post-Quantum Cryptography. They recommend using classical algorithms that are “Classical + Quantum Safe.” The NIST PQC Round 4 candidates are mentioned below.

Public-Key Encryption/KEMs Digital Signatures
CRYSTALS-Kyber CRYSTALS-Dilithium
FALCON
SPHINCS*
*Note: Crystal Kyber has already been broken. It’s potentially insecure.

Given the potential threats posed by foreign actors that are advanced in quantum computing, there is a sense of urgency regarding the need to move to Post Quantum Cryptography. For immediate security against “harvest-and-decrypt” attacks, a systematic solution needs to be adopted. 

Recommended Approach to Securing the Enterprise Using Quantum-Safe Encryption

Organizations can take the following step-by-step approach to securing their enterprise from vulnerabilities created by Quantum Computers.

  • Use an automated scanning tool (like Global IDs) to scan the data ecosystem
  • Use Data Profiling software to detect encrypted and hashed values in databases
  • After modifying the business processes and software codes that use the encrypted fields, replace traditional encryption algorithms with a post-quantum encryption approach. Only then is the enterprise secure and resistant to attacks from quantum computers.