How to Protect Sensitive Data in the Age of Quantum Computers
Most business entities store information about people and organizations they have relationships with. Some of this information may be of a sensitive nature, containing either private or confidential information not to be shared with third parties.
Intentional or unintentional exposure of this information can constitute a data breach. High-profile data breaches (Target, Equifax, the US Federal Government) have resulted in loss of public trust, decrease in share prices, and increased regulatory scrutiny.
Enterprises have realized that they cannot afford to have data breaches. CISOs (Chief Information Security Officers) have been charged to protect & secure all information of a sensitive nature. Typically, CISOs have set up their defenses by protecting the perimeter of their networks and by encrypting their sensitive data. It is highly likely that one or both of these defenses will fall in the near future. Next-generation Quantum Computers have the ability to break the cryptographic approaches that we have traditionally used to secure data within the enterprises. In this article, we will focus on protecting your data assets even when quantum computers are present.
The Current Approach to Protecting Sensitive Data
Depending on their security stance, organizations can be put into three categories.
1. Vulnerable Enterprises:
These are organizations that do not have a catalog of their data assets, do not know the location of their sensitive data assets, and have this information present as unencrypted plain text.
2. Semi-Secure Enterprises:
Organizations with a data catalog that have classified their data assets into sensitivity & confidentiality categories and have encrypted their data using traditional cryptography.
3. Presently Secure Enterprises:
Organizations that encrypt all their databases. These organizations may become insecure once quantum computing becomes the norm.
In terms of vulnerability, these organizations face different risks of data breaches.
Risk of Data Breach | High Risk | Medium Risk | Low Risk |
---|---|---|---|
Comprehensive Data Catalog Exists? | No | Yes | Yes |
Sensitive Data Classified? | No | Yes | Yes |
Sensitive Data Encrypted? | No | Yes | Yes |
Sensitive data encrypted with post-quantum computing algorithm? | No | No | Yes |
Potential Risks Posed by Quantum Computers.
The risks shown above are all based on the strength of the cryptographic algorithm that is used to encrypt the data. Traditional approaches to encryption (e.g., RSA) usually involve the use of public and private keys (prime factors of a large number). Computing the prime factors through brute force is considered a hard problem, requiring massive computational resources. A standard method of encryption, known as RSA encryption, relies on the difficulty of factoring large numbers into their prime factors. This approach involves generating a public-private key pair, where the public key is used to encode data, and the private key is used to decode it. The security of this technique relies on the fact that the public key is created by multiplying two very large prime numbers, making it very challenging for anyone to determine the original factors through brute force. In normal computing methods, it is considered virtually impossible to factor such large numbers. This makes the RSA encryption secure for normal computers. Now imagine a scenario where a new type of computer appears, where the computation of the keys is possible. Now, the entire security infrastructure is suddenly vulnerable. What was thought to be secure is no longer secure. This is exactly what quantum computers are capable of doing. So CISOs must immediately consider alternative approaches to securing their enterprise data environments.NIST Recommendations:
The United States National Institute of Standards and Technology has created the following table to show types of encryption techniques that have been rendered insecure by quantum computers.Cryptographic Algorithm | Type | Purpose | Impact from Large-Scale Quantum Computer | Bits of Security Pre-Quantum | Bits of Security Post-Quantum |
---|---|---|---|---|---|
AES | Symmetric Key | Encryption | Larger Key Sizes Needed | 256 (AES-256) | 128 (AES-256) |
SHA | Hash Values | Hash Functions | Larger Output Needed | 256 (SHA-256) | 128 (SHA-256) |
RSA | Public Key | Signatures, Key Establishment | No Longer Secure | 128 (RSA - 3072) | 0 (RSA-3072) |
ECDSA,ECDH (Elliptic Curve Cryptography) | Public Key | Signatures, Key Establishment | No Longer Secure | 128 F = 256- 383 | 0 F = 256-383 |
DSA (Finite Field Cryptography) | Public Key | Signatures, Key Establishment | No Longer Secure | 128 L = 3072 N = 256 | 0 L = 3072 N = 256 |
NIST has recommended that current cryptographic techniques be replaced by Post-Quantum Cryptography. They recommend using classical algorithms that are “Classical + Quantum Safe.” The NIST PQC Round 4 candidates are mentioned below.
Public-Key Encryption/KEMs | Digital Signatures |
---|---|
CRYSTALS-Kyber | CRYSTALS-Dilithium |
FALCON | |
SPHINCS* |
Given the potential threats posed by foreign actors that are advanced in quantum computing, there is a sense of urgency regarding the need to move to Post Quantum Cryptography. For immediate security against “harvest-and-decrypt” attacks, a systematic solution needs to be adopted.
Recommended Approach to Securing the Enterprise Using Quantum-Safe Encryption
Organizations can take the following step-by-step approach to securing their enterprise from vulnerabilities created by Quantum Computers.
- Use an automated scanning tool (like Global IDs) to scan the data ecosystem
- Use Data Profiling software to detect encrypted and hashed values in databases
- After modifying the business processes and software codes that use the encrypted fields, replace traditional encryption algorithms with a post-quantum encryption approach. Only then is the enterprise secure and resistant to attacks from quantum computers.