Cloud Hosting

By 2029, Google plans to create a million-qubit quantum computer that is far more powerful than the system shown in 2019.

Stephen Shankland / CNET

When quantum computers are mature enough, many of todays cryptography can be cracked. This reveals private communications, corporate data, and military secrets.

Quantum computers today are too primitive to do that. However, the data currently secretly collected can still be sensitive when more powerful quantum computers come online a few years later.

The computing industry is well aware of this potential vulnerability. Some companies are embarking on creating, testing, and adopting new cryptographic algorithms that are not affected by quantum computers. Some of these companies, including IBM and Thales, have already begun offering products protected by so-called post-quantum cryptography.

Quantum Safe Encryption penetrates your life through upgraded laptops, phones, web browsers and other products. However, most of the burden of quantum-secure encryption rests on the shoulders of enterprises, governments, and cloud computing services that need to design and install technology. This is a very complicated change Y2K bug fix Or upgrade Internet communication from IPv4 to IPv6..

Stay up to date with the latest information. Get the latest technical articles from CNET News on weekdays.

Its a tremendous effort, but it has to be done. Not only are todays communications vulnerable, but quantum computers can later crack digital signatures, guaranteeing the integrity of updates to apps, browsers, operating systems, and other software, paving the way for malware. There is.

Quantum computing is a dardardar kid in the industry, raising millions of dollars in investment.This month Google I / O Developer Conference, Search giant announced plans for a new quantum computing center that employs hundreds of people. Build a practical quantum computer by 2029Other major tech companies such as Honeywell, IBM, Intel and Microsoft are competing to build the first powerful quantum computer.So is Ion Q, PsiQuantum, Xanadu, Silicon quantum computing And other startups.

The National Institute of Standards and Technology is at the forefront of global efforts. Find Post-Quantum Cryptography Algorithms It will be fast and reliable.that is win 82 initial contributions Group of 7 finalists Two encryption tasks: digital key exchange and digital signature addition.

We plan to select a small number and start standardization in early 2022, said Dustin Moody. NIST A mathematician working on this effort spoke at the IBM Cryptography Conference in March. We want to fully prepare the final version and release it around 2024.

NIST oversees the work, but business, academia, and government researchers participate through NIST. Post-quantum cryptography mailing list And published PQC conferenceAn open approach is important because trusting cryptographic algorithms to protect passwords, credit card numbers, financial records, and other sensitive information requires a thorough scrutiny of the cryptographic algorithms.

When these machines can break traditional encryption is an open question. But safe money suggests that it wont take long.

John Graham Cumming, Chief Technology Officer of Internet Infrastructure Company Cloudflare, Said there is a lot of uncertainty: It can take five or twenty years for a quantum computer to be able to break the encryption. But Cloudflare is already Tested post-quantum protection And this year, we plan to adopt them for internal operations.

With researchers from Intel and NTT Research 451 Research Analyst James Sanders Think of it as taking about 10 years.

How urgent is the problem to be resolved?

Im not crazy at all, said Brian Lamacchia, who heads the encryption process at. Microsoft researchBut Im a little impatient.

The urgency is increasing because todays encrypted data can be collected quickly and decrypted later. Hackers and nations can record network data. For example: Internet routing issues send traffic across borders To China and other countries.

If long-term security is needed, it can even be too late, said Thomas Peperman, a crypto engineer at German semiconductor maker Infineon and one of the co-creators of the PQC algorithm candidate. T.

NIST evaluates the problem openlyOnce cyberattackers have access to the power of quantum computing, modern public-key-based cryptosystems cannot withstand testing. There is nothing an attacker can do to protect the confidentiality of previously stored encrypted material, the agency said.

Public key cryptography is the foundation of many of todays cryptography. Two digital keys, one secret and the other public, can be paired and used together to protect communications. For example, it is used to establish the security of connections between a web browser and a bank, or between a company server and a remote backup system.

In 1994, MIT professor Peter Shor discovered that quantum computers could find prime factors for numbers using a technique named after him. Shors algorithm Is a spark that has sparked interest in quantum computing for businesses, scholars and intelligence agencies, said Seth Lloyd, another professor at MIT and a pioneer in the field.

The resulting survey shows large companies and well-funded startups. Accelerating the pace of progress in quantum computingQuantum computer manufacturers are building machines with more qubits (basic data processing elements) while developing error correction technology to maintain stability over long calculations. I am. Algorithms speed up the decoding of quantum computersAlso.

Advances in Quantum Computing Drive Cyber Security Companies Deep watch To speed up the cryptanalysis timetable. He said it could happen in 10 to 15 years instead of 20 years Marissa Reese Wood, Vice President of Products and Strategy.

With todays ubiquitous RSA encryption algorithms, traditional computers require about 300 trillion years to decrypt communications protected by a 2,048-bit digital key. However, a quantum computer with 4,099 qubits requires only 10 seconds, Wood said.

For comparison, Google Quantum computer in 2029 with 1,000 logical qubits Stable enough to perform long calculations.

Quantum migration is, in many ways, more difficult than past cryptographic upgrades. One problem is that digital keys are likely to be large in size and require more memory to process them. Algorithm changes are not a simple replacement, especially for smart home devices and other products with limited computing power.

Even before NIST chooses a winner, enterprises can adopt cryptographic agility in todays computing infrastructure to ensure that their systems are independent of any particular cryptographic technology. This is the advice of several experts, including CEO Andersen Cheng. Post quantumIs a London-based company that helps customers deal with quantum cracking.

People thought I was crazy, Cheng said when he co-founded Post-Quantum in 2009. I dont think they are laughing anymore.

Experts also recommend a hybrid approach that double-protects data with both traditional and post-quantum cryptography encryption. This allows system administrators to accept PQC faster without worrying about potential weaknesses in relatively immature algorithms. Hybrid encryption is currently possible, but most people expect full-scale adoption of PQC after NIST standardization work is complete.

IBM already offers quantum-secure cryptography in some of todays cloud computing products. If you have a secret that needs to be kept secret in 10 to 30 years, you should start this transition sooner or later, said Vadim Lyubashevsky, a cryptographer at IBM Research.

France-based Thales, like IBM, adopted the PQC algorithm in the final round of NIST and began allowing clients to test the technology. This is important given the impact of financial and government agencies on customers.

Switching to quantum-secure encryption is difficult on slow-moving computing infrastructures.

Estonian voting cards have a signature algorithm that is physically printed on the chip, said Joel Arwen, chief crypto engineer at the secure communications company. WickerIt takes a lot of effort to change that.

Another difficult fix is the computer system that controls the power grid and military operations. They usually run for decades. But wherever sensitive data exists, post-quantum cryptography upgrades will take place, said Gartner analyst Martin Reynolds.

Twenty years later, Reynolds said. Everyone will be pleased that we have achieved it.

Quantum computers have the potential to crack todays encrypted messages.Its a problem

Source link Quantum computers have the potential to crack todays encrypted messages.Its a problem

Continued here:
Quantum computers have the potential to crack todays encrypted messages.Its a problem - Illinoisnewstoday.com

In the aftermath of the cyberattack on Colonial Pipeline that crippled the nations supply of oil and gas for almost a week, U.S. President Joe Biden, on May 11, 2021, signed an Executive Order. The order issued a slew of cybersecurity directives to companies on contract with the Federal Government.

Two terms that feature prominently in the order are data encryption and Zero Trust. Data encryption is a fundamental cybersecurity requirement, so its quite shocking that the latest order born out of a cyberattack had to call it out explicitly. However, this only goes on to show how lightly companies have taken data security in the past and continue to do so.

Almost every data security standard, law, or regulation was enacted to prevent cyberattacks. The PCI DSS standard for the credit card industry, HIPAA for the healthcare industry, the ISO standards for manufacturing, or the NERC Critical Infrastructure Protection (CIP) to protect North Americas electrical power grids all exist to thwart or recover relatively unscathed from cyberattacks and data breaches. And all of these laws have data encryption as their core tenet.

Save Your Business from Certificate Expiry-Related Outages Now!

But how effective are these laws? The PCI DSS standard came to being in 2004, but since then, countless credit card companies have been hacked (Equifax and Capital One being the notable ones). The HIPAA was first signed into law way back in 1996; however, just since 2020, healthcare and health insurance data breaches have gone up by 50%. True, some of the companies affected werent compliant with the laws, but many of them were and still got attacked. Also true is the fact that after every attack, the law concerned undergoes a revision, only to have its shortcomings exposed in the next attack.

Lets extend the above argument to Bidens Executive Order on National Cybersecurity. Say every private company that the Federal Government deals with follows the order and encrypts all of its data both at rest and in transit. Would that make the companies invincible to future cyberattacks?

The simple answer is NO.

In January 2021, the National Security Agency (NSA) released a cybersecurity product that recommended all private and government institutions to eliminate obsolete TLS protocol configurations (TLS 1.0, and TLS 1.1) by upgrading them to the latest version (TLS 1.2 or TLS 1.3). One statement in the product goes as follows:

Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not.

Therein lies the catch. Organizations could be encrypting their data, but using weak or obsolete encryption defeats the purpose. While some IT systems still run on outdated data encryption, most OT (Operational Technology systems such as IoT, SCADA systems, sensors, actuators, and their controllers) use highly outdated encryption technology, making it an easy target for hackers. Hackers can use the vulnerable OT devices as a gateway to the core IT systems, and from there, steal sensitive customer data (though the opposite happened in Colonial attackers got to the IT first).

The only way to make sure data remains truly encrypted is by using the latest encryption protocols. For data in transit, TLS 1.2 or 1.3 is the latest protocol. Upgrading to the latest encryption protocol involves reconfiguring clients and servers to negotiate only that protocol.

A crucial part of the protocol upgrade is TLS certificate upgrade. A sizable enterprise, especially Federal Government service providers, can have over a million TLS certificates, both server and client. And in most enterprises, the management of these certificates is still manual. Manually upgrading a million TLS 1.0/1.1 certificates to TLS 1.2/1.3 is a herculean task and could take an enterprise up to two years with a dedicated team. This is why most enterprises put off upgrading encryption protocols indefinitely and face the obvious repercussions.

Automating the upgrade process. The process has the following steps:

There are some certificate lifecycle management tools that automate the above process end-to-end. With these tools, enterprises can accomplish the upgrade in less than a week. AppViewX CERT+ is one such certificate lifecycle automation tool thats worth looking into.

The Colonial Pipeline breach has brought to the fore the necessity of Zero Trust architecture. Zero Trust works on the premise that threat insides both inside and outside the organizations network perimeter (its also called Perimeter-Less Security).

In the present scenario, inside threat is not only limited to a careless or disgruntled employee but also nodes, devices, and services (collectively called machines). The attack on Colonial Pipeline and many attacks preceding it happened because an outsider exploited a vulnerability existing in a machine inside the network perimeter. In such cases, the actual threat is not the hacker but the vulnerable device.

One of the best ways to prevent internal machine vulnerabilities is by safeguarding their identities, i.e., certificates and keys. With the rise in new-age, ephemeral machines such as IoT devices and chatbots, there is an explosion of machine identities that increase the surface area for attacks.

Machine identity management is the hot new term (even Gartner has recognized it as one of the top security trends in 2021), and for good reason. So far, the spotlight has always been on human identity management; in fact, most Identity and Access Management (IAM) tools consider and manage only human identities. But with machines taking over, its high time organizations attached as much, if not more, importance to machine identities as human identities.

Again, machine identity management boils down to the proper management of certificates and keys. Certificates need to be constantly monitored, renewed before their expiration, and revoked immediately in case of a compromise. Organizations should make sure they get certificates for their customer-facing applications only from trusted CAs and store private keys and sensitive certificates in an isolated HSM (Hardware Security Module).

Another tenet of Zero Trust security is minimum access privileges for both humans and machines. Some tools that automate certificate lifecycle management also provide role-based access controls (RBAC) to restrict user access granularly. Similarly, machine-to-machine access can be restricted by imposing granular rules and policies, which also certificate management tools do.

Proactively prevent data breaches and outages with automated machine identity management. Try AppViewX CERT+ or give us a call.

The post Data Encryption, Zero Trust A Practical Review of Bidens Executive Order on Improving the Nations Cybersecurity appeared first on AppViewX.

*** This is a Security Bloggers Network syndicated blog from Blogs AppViewX authored by Nishevitha Ramamoorthy. Read the original post at: https://www.appviewx.com/blogs/data-encryption-zero-trust-a-practical-review-of-bidens-executive-order-on-improving-the-nations-cybersecurity/

Originally posted here:
Data Encryption, Zero Trust A Practical Review of Bidens Executive Order on Improving the Nations Cybersecurity - Security Boulevard

The new Intermediary Guidelines (IL Guidelines), require messaging platforms that have over 50 lakh registered users (such as WhatsApp) enable the identification of the first originator of the information.

The challenge from WhatsApp is that this impinges on an individuals constitutional right to privacy and is therefore unconstitutional.

The stance of the Centre is that the right to privacy, like any other constitutional right, is not absolute but subject to reasonable restrictions.

The debate is around this proviso to Guideline 4 (2) of the IL Guidelines: Provided also that in complying with an order for identification of the first originator, no significant social media intermediary shall be required to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users. Whatsapp argues that this cannot be technologically done without breaking end-to-end encryption. If that happens, communication can be monitored."

Encryption, traceability, privacy

Temporarily setting aside the legal arguments surrounding this, there are technological challenges around implementing methods that would enable platforms to identify the first originator of the information while also maintaining end to end encryption.

The main technical challenge here is that allowing for identification of the first originator without breaking end-to-end encryption and doing it prematurely for all (as it would not be known when a request appears) is considered nearly impossible by most tech experts.

Prof Kamakoti at IIT Madras, came up with a proposal to allow for traceability of WhatsApp messages without eroding privacy. Briefly, his proposal was:

1. Make the originators phone number visible to all recipients; or

2. Encrypt the originators phone number in the metadata of the message that can only be decrypted by WhatsApp, using a key held in escrow, after relevant court orders are produced.

However, the solutions proposed by Prof Kamakoti have been panned by tech experts across India, including a cryptography expert who is a professor at IIT Bombay. A cyber security expert Anand Venkatanarayanan has published a detailed explanation of why Prof Kamakotis proposal is erroneous and not feasible.

In the words of another cryptography expert at a recent conference, the ask to trace the first originator without breaking end-to-end encryption, is akin to the government asking to have roll down windows on airplanes.

Breaking end-to-end encryption would also lead to immense security issues for every individual. By implementing a system where messages are not secured by end-to-end encryption, we are putting ourselves at the mercy of extremely skilled hackers, who can very easily intercept and read personal messages, thus significantly intruding on an individuals right to privacy.

This also carries a significant threat to our democracy as it will allow a malicious foreign power the ability to hack and capture data of Indian citizens, including lawmakers and government officials who use the platform.

What can/will the Court do?

Ideally, the Court would have to first understand the technical feasibility of the ask, and consult with tech experts.

Given what has been stated above, the Court would then note that while the right to privacy does come with reasonable restrictions, given the current technology, the obligation within the IL guidelines cannot be carried out without a significant threat to the right to privacy.

The letter of the law states that the authorities must look for alternative, less intrusive means as Provided further that no order shall be passed in cases where other less intrusive means are effective in identifying the originator of the information. This will take care of the proportionality requirement laid down in the Puttuswamy judgement but it all boils down to the orders being specific and transparent about it. The track record has not upheld these requirements so far. Further, because end-to-end encryption would have to be broken for all users, its a disproportionate step that WhatsApp must institute even without an order, since the inception it will have to modify its service.

WhatsApps motivations

While this may or may not be a diversionary tactic by FaceBook (FB), it is more importantly, a challenge that arises out of business interests for FB, for two reasons:

If WhatsApp were to implement a system allowing for tracing of the first originator, it would mean that messages sent on WhatsApp would no longer be end-to-end encrypted. If this happens, it is very likely that most users would migrate to other platforms, such as Signal, which would have robust end-to-end encryption systems. However, once it reaches the threshold of designation as an SSMI, then there might again be a churn in the instant messaging market.

Developing a system where the first originator of a message can be traced without breaking end-to-end encryption, would require a significant monetary investment, which WhatsApp is understandably looking to avoid having to incur.

Further, the timing of the petition is quite circumspect. It comes at the heels of the end of the deadline to comply with the IL Guidelines. Further, this is also when the government is pushing WhatsApp to take back its privacy policy update for Indian users and WhatsApp has halted it.

(The writer is a founding member and executive director of IT for Change, a Bengaluru-based NGO that works at the intersection of development and digital technologies)

See the rest here:
WhatsApp challenges govt: Breaking end-to-end encryption will lead to security issues but timing of petition circumspect - Free Press Journal