As 2017 gets into full swing, many of us in the security industry will be on the lookout for the key new technologies that will impact our business this year. Quantum computing is one trend that is ready to leap out of the lab and become a regular component of many businesses. But how will it affect security processes?
Hacks on large organisations such as Yahoo! were hard to miss last year and businesses will have to ensure they don’t follow suit. Quantum computers have the potential to perform calculations faster than ever before, making many people in the industry reassess their approach to cyber security. In the first instance, we need to understand what it is, how it works and how it will improve security.
All that talk – but what is it exactly?
Every computer, whether that is a smartphone, laptop or smart TV, currently manipulates binary digits called ‘bits’. These ‘bits’ have two values: ‘0’ or ‘1’. However, quantum computing bits, called ‘Qubits’, differentiate themselves by the fact that their value can be 0, 1 or both. A group of Qubits can be in several states simultaneously whereas a group of bits can only have one state at a given time.
A group of Qubits is very effective at solving specific problems, whereas classic computers are often slower at working out these same challenges. These specific problems often include factorisation of large numbers. Many organisations are looking to quantum computing as the ideal solution for finding the specific results they are looking for much faster, particularly breaking encryption keys.
Quantum computing vs encryption
Most businesses now introduce some form of data encryption as part of their security process. To unlock encrypted data, we would need an encryption key but quantum computing could increase the chances of someone successfully gaining access through brute forcing the cryptographic keys.
This all depends on the type of encryption companies are using: asymmetric or symmetric. But what is the difference between the two and will quantum computing impact them positively or negatively?
Asymmetric encryption, often known as Public Key Infrastructure (PKI), helps identify that ‘User X’ is always ‘User X’. PKI also ensures that if you were to send data to ‘User X’, only they can read that data. Many of us will be using PKI on a daily basis, with it often being used to secure sensitive data sent over the internet. This type of encryption relies on both public and private keys because they work as a pair, with the public key working only with the matching private key, and vice versa. The public key is used for encrypting data and the private key can be used for decrypting it. These keys are in reality a prime number (a very large one at that, with hundreds of digits) and they are linked together by a formula. Because classic computers take an extremely long time to factor out the two initial large prime numbers, it isn’t even worth attempting to break encryption in this way. For example, factorising a 1024-digit number would take millions of years. Quantum computers? They could do it in an hour.
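The relationship described above can be seen in a small added example (not part of the original article): textbook RSA built from tiny, constructed primes, showing the formula that links the two keys and why anyone who can factor the public modulus can rebuild the private key. The function names and sample primes are illustrative assumptions; real keys use primes hundreds of digits long together with padding.

```python
# Added illustration, not code from the article: textbook RSA with
# deliberately tiny, constructed primes (no padding, never use as-is).
from math import isqrt

def make_keypair(p, q, e=65537):
    """Build (public, private) from two primes; d is tied to e via phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # the formula linking the two keys
    return (n, e), (n, d)

def encrypt(m, public):
    n, e = public
    return pow(m, e, n)

def decrypt(c, private):
    n, d = private
    return pow(c, d, n)

def factor(n):
    """Classical trial division. Work grows with sqrt(n), so it doubles
    for every two extra bits in n. Returns (p, q, divisions_tried)."""
    tries = 0
    for cand in range(3, isqrt(n) + 1, 2):
        tries += 1
        if n % cand == 0:
            return cand, n // cand, tries
    raise ValueError("n is not a product of two odd primes")

def private_from_public(public):
    """Whoever can factor n can recompute the private exponent."""
    n, e = public
    p, q, _ = factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    # Constructed sample primes of growing size.
    for p, q in [(1009, 1013), (10007, 10009), (1000003, 1000033)]:
        public, private = make_keypair(p, q)
        assert decrypt(encrypt(42, public), private) == 42
        assert private_from_public(public) == private
        bits, tries = public[0].bit_length(), factor(public[0])[2]
        print(f"{bits}-bit modulus: {tries} trial divisions to factor")
```

Each step up in prime size multiplies the classical work, which is the cost that keeps real-size keys out of reach of classic computers and that a quantum factoring machine would remove.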
The process of symmetric encryption allows a number of interested parties to communicate privately by sharing the same key needed to encrypt and decrypt the data. With symmetric encryption, it isn’t possible to identify who sends the data or validate the origin either. It is done by only sharing the key with interested parties. Many consumers use symmetric encryption on a daily basis, with popular online shopping platforms using it to encrypt order details. The phone you order the product from encrypts the data with a key between you and the platform, and only the platform can decrypt the order data.
A word of warning though: for those wanting to use symmetric encryption, quantum computing can make it nearly twice as weak. For example, if you were to have a 128-bit symmetric key it would become as weak as a 64-bit key. This may seem alarming but for most people the data is considered to be secure with a symmetric encryption key of 80 bits, so using 256-bit keys should still secure data against quantum computing.
How to overcome the risks
Many people are wising up to the positives of quantum computing and so algorithms are being developed to try and resist the impact of the technology on encryption. However, there aren’t solid recommendations yet so it is worth using hybrid encryption (a mix of both types of encryption) alongside rolling keys as regularly as possible to ensure you have all bases covered.
There may not be the perfect solution for quantum computing yet but the security industry should be paying attention to it to ensure they find the perfect balance between enjoying the benefits of the technology without it putting consumers’ data at risk.
By Cyrille Quemin, Head of Mobile, Yoti