Q Day is coming

Caute_cautim · ‎10-26-2023

Hi All

They call it Q-Day: the day when a quantum computer, one more powerful than any yet built, could shatter the world of privacy and security as we know it.

It is also involves state actors in competition too:

https://www.nytimes.com/2023/10/22/us/politics/quantum-computing-encryption.html?unlocked_article_co...

But within the U.S. cybersecurity community, the threat is seen as real and urgent. China, Russia and the United States are all racing to develop the technology before their geopolitical rivals do, though it is difficult to know who is ahead because some of the gains are shrouded in secrecy.

Regards

Caute_Cautim

JoePete · ‎10-26-2023

A good article, but it paints with a broad asymmetric brush. We've always known asymmetric cryptography was breakable; you can derive a private key from its complementing public one. It's just that it was impractical at the time (and largely still is). The most immediate risk probably is not to confidentiality (i.e., secrets being revealed) but to the authentication component of public-key systems. Breaking RSA, DSA, elliptic curve will make it easy to forge digital signatures and certificates. Put another way, I don't see an attacker utilizing a quantum computer to get access to a key exchange so that they can intercept credit card data. No, they'll use the technology to forge a digital certificate and just phish the data. The threat is more to integrity/authentication than confidentiality (i.e., secrets).

Sure, those troves of symmetrically encrypted data at rest are at risk because quantum computing can also reduce the work factor involved there, but that ship already sailed. That encrypted data has been collected. While we can run around re-encrypting it with longer keys, it won't change the state of what's been already stolen. But I have to wonder, what really is in that data? Nuclear codes, Ok, we should be changing that kind of data regularly anyway. But what about permanent information (e.g., personal info)? I have to assume that it is already out there because it was shuffled around corporate and government America as plaintext for a long time.

To me, the confidentiality aspect gets overblown. Yes, it is personal, like someone stealing a diary, but the reality is most of us gave up our secrets decades ago. Even at the corporate level, they get duped into handing the over keys (literally, Microsoft) every now and then anyway. The real issue boils down to identity and authentication.

Caute_cautim · ‎10-26-2023

@JoePete Very valid points indeed. I think it will take a very long time, for many vendors, manufacturers, developers to a) identify where those cryptographic encrypted assets actually exist and to b) ascertain what the value is to the organisation or person (from your perspective). Unless they commence that journey now. I can imagine, with the runaway affect of IoT devices, now in our everyday lives, there will be a lot of issues with revoking, reissuing certificates and updating existing systems (if they can). Yes, there will be an immediate effect, especially if the financial industry, don't get their act together in good time i.e. financial transactions, trust, reputation, integrity and authentication etc. Think about the number of Medical IoT devices and equipment associated within the medical fraternity etc.

But there will be a huge residual backlog of devices, solutions, which simply are legacy or are still used within organisations - which is similar to old Windows OS still being used in some organisations, because it works, and they see no need to replace it - and we all know the ramifications of that occurring.

I can see your point, that personal data, may well be floating around somewhere in some silo somewhere, which we all gave away, due to actually living our lives and beyond. From a privacy perspective it could be horrendous, especially if the authorities require organisations to ensure that personal data is actually protected, but in fact is actually sitting at rest, without the encryption process being updated.

A lot of organisations may take the easy way out, simply wait, others will be proactive, as it will affect the very fabric of society and how we live our lives. Others will not care, and then it many cases it will simply too late to do anything about it at all.

Regards

Caute_Cautim