Quantum Computing — a much bigger threat and advantage than AI
New encryption algorithms coming in 2024, hopefully before current encryption algorithms become obsolete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics | Code.
🔒 Related Stories: Encryption | Cybersecurity | Application Security | Data Breaches
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It has long been predicted and expected that quantum computing will be able to break encryption algorithms currently in use. If you’re not familiar with how encryption algorithms are broken there are various ways to do it, but one is a simple method of guessing repeatedly until you figure out the key that unlocks the data.
It’s like guessing a password. You’re looking at a website and you know the user name but you don’t know the password. You start guessing by entering passwords until you come up with one that unlocks the system. To be a bit smarter about it, you might think about what type of password the person might have selected, like the name of someone the person who created the password knows as was the case in the movie War Games.
Encryption keys are essentially passwords that unlock your data using mathematical equations. If you have the key, you can unlock the data. If someone can guess the key, they can unlock the data. If someone else can find your key, they can unlock the data.
As computers become faster and faster they will be able to perform this guessing process so quickly that it could make encryption using current methods useless, just like it’s super easy to crack a simple password now. Even complex passwords are crackable given enough time which is why we rotate them and use multi-factor authentication (MFA).
This process of guessing until you find a match is the underlying premise of validating a crypto transaction. The first time I read a book on bitcoin I wondered about the process of mining having some other nefarious purpose — like building a library of matching keys that can decrypt data on various systems. What if this mining process is essentially brute-forcing crypto for someone for some purpose? But I never took that thought any further.
I didn’t get into the details of what the mining process is matching which might indicate the type of library of data and hashes or keys could be trying to replicate. This could be far-fetched. It’s just that it instantly sounded like a brute force attack to me. And all I could think was is this really the best way to validate a transaction? It sure wastes a lot of electricity and time. More importantly, once I read about double spend and considered BGP attacks and inability to get back your money in certain circumstances I was out. I used to work for a bank. I like certain guarantees regarding my financial transactions. I wrote about some of those attacks in this post:
Building a library of matching encryption keys is one of the other ways attackers can be broken. Let’s say you’re using two-key cryptography with a public and a private key. If you have a huge database of matching public and private keys, for example, you could look up the private key if you have the public key instead of trying to crack it if the key is not properly seeded somehow to randomize it. Adding a random value to the mix when you create encryption keys helps thwart this method of breaking encryption. That random value is called a seed.
Looking up a password based on its hash is how rainbow tables work for cracking passwords. Attackers have amassed huge databases of hashes that match passwords. All the attacker has to do is look up the password once they have the hash if the password hashing process isn’t using some other random value in the mix to obscure the hash (a seed).
What if, instead of guessing matching keys or hashes, a quantum computer could quickly generate every possible combination and you could quickly look up all the possible private keys matching a public key and someone could use that to get into someone’s email, let’s say?
Of course you’d need to have a lot of storage for all those matches and I’m not a math major as I’ve explained before so some may tell me this is not feasible. Or is it? What type of compression algorithms do we have and how much storage do we have with cloud computing these days?
People told me that no one could influence the stock market because it is too big but I’ve seen it happen. People told me the dot bomb would never occur when I predicted it before 2000. People said no one would move to the cloud because it’s not secure and that banks would never approve financial transactions on the Internet because it’s too risky. But what do I know?
Personally, I think quantum computing is a much bigger potential threat and advantage than AI to all the world’s systems and data. If you want to read an executive level explanation of quantum computing here’s a good resource.
In light of the looming threat of quantum computing, NIST has been working on some new encryption algorithms that are supposed to withstand these attacks. The process is on-going but this is definitely something you should be aware of and keep an eye on. These new algorithms are supposed to be available in 2024.
Also, talk to your vendors and ask them what their plans are to address this threat. How fast will they implement new encryption standards and make them available to you, once NIST releases new guidance? To me this is much more important than whatever they are doing with AI. But I’m just a security nerd.
If you are newer to security and like math, this may be the future train you want to ride. Get on board!
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2024
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight LabNeed Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for PresentationFollow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab