DigiCert Protection for Quantum IoT is here - will the world seize the opportunity in time?



Security professionals, academics and researchers are all rising to meet quantum threats with great enthusiasm. Researchers at MIT have just developed a cryptography circuit that can protect low-power IoT devices from quantum threats. Developments like this are encouraging, even if they might seem premature.


Timothy Hollebeek, DigiCert
March 5th 2020

Timothy Hollebeek, Industry and Standards Technical Strategist, DigiCert
Quantum computing won’t be available for another 10 to 15 years to all but the most powerful, well-resourced actors. The industry is quite right to get ahead of these threats, because a widespread change in security can be rather slow.

Quantum poses massive risks for the future of internet security. Maybe not now, but sooner than we may be prepared for. Quantum-resistant cryptography is available to test now, but widespread adoption may take quite a bit longer. Will the wider world make the changes they need to in time?

The arrival of quantum signals a real change in computing. While classical computing uses bits, each of which is either a 1 or a 0, quantum computing uses qubits, which can hold a superposition of both values at the same time. This makes them more powerful for some problems, such as factoring large numbers. That seemingly simple change will have massive effects.

But whatever piece of technology legitimate, ethical operators can take advantage of will also be a boon to the cybercriminal underground. Whether it’s a vulnerability in a new device or an earthshaking piece of new technology, innovations can often be deployed against a target just as easily as they can be used to improve it.

The added capability that quantum brings to bear will defeat the asymmetric cryptography used today, such as RSA and ECC keys. The US National Institute of Standards and Technology (NIST) predicts that quantum computing will break the encryption protocols that underpin much of the modern internet sometime in the next decade or so. 

Post-quantum cryptography aims to create cryptographic systems—based on sufficiently complex mathematical problems—which even quantum computing cannot break. 

The wider world, unfortunately, is often slow to pick up on the security industry’s lead. For example, it has taken the payment industry two decades to remove DES from payment systems, and they’re still not finished. 

The IoT’s vulnerabilities only seem to have grown in line with its boom in popularity, despite years of grave warnings about its inherent dangers. Governments are just now drafting legislation and standards that will make manufacturers produce safe IoT devices and compel consumers to use them safely.

The cybercriminal underground has long thrived off the security blind spots of the surface world and cyber criminals will be eager to exploit the quantum lag too. Other, more sophisticated and well-resourced, actors may be well ahead of cyber criminals. 

The issue becomes even more pressing when we consider quantum threats alongside the massive innovations that are quickly coming our way. Cities around the world are currently being fitted with a galaxy of IoT sensors, all installed with the purpose of turning urban centres into computers. Furthermore, massive pieces of public infrastructure - such as power plants and energy grids - are now being connected to the internet. These installations are meant to last for years to come and, hopefully, have been secured against today’s threats. But what about tomorrow’s?

Devices are being produced, applications are being written and data is being encrypted today which needs to remain secure for at least a decade if not more. Planning, preparing and implementing protection can take years and quantum is already on its way. Enterprises need to be able to get way ahead of the curve if they want to withstand it. 

Fortunately, tools already exist to combat quantum threats. While quantum computing would be effective at defeating standard asymmetric cryptography, it has a much harder time with symmetric cryptography—which can use the still-unbroken AES-256 key size—and with hash-based signatures, which are now being standardised as a defence against quantum computer threats. Preparing for quantum will take some time, and enterprises should start testing these kinds of solutions now.
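To show why hash-based signatures survive a quantum adversary, here is an added example (not DigiCert’s code or any standardised scheme) of the simplest hash-based scheme, a Lamport one-time signature over SHA-256: its security rests only on hash preimage resistance, and the `exposed_positions` helper shows why a key must never sign twice, which is the problem the standardised tree-based schemes (XMSS, RFC 8391; LMS, RFC 8554) solve. The sample firmware message is a constructed input.

```python
import hashlib
import hmac
import secrets

N = 256  # digest bits; one secret pair per bit of the SHA-256 digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bit(digest: bytes, i: int) -> int:
    """Return bit i (most significant bit first) of a digest."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    """Secret key: 256 pairs of random 32-byte values. Public key: the hash of
    each value. Security rests only on preimage resistance, which Grover's
    algorithm weakens by at most a square root (hence 256-bit hashes)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """For each digest bit, reveal the secret half selected by that bit."""
    d = H(msg)
    return [sk[i][digest_bit(d, i)] for i in range(N)]


def verify(pk, msg: bytes, sig) -> bool:
    """Every revealed value must hash to the public half chosen by the bit."""
    if len(sig) != N:
        return False
    d = H(msg)
    ok = True
    for i in range(N):
        # constant-time compare, and keep going so timing does not leak which bit failed
        ok &= hmac.compare_digest(H(sig[i]), pk[i][digest_bit(d, i)])
    return ok


def exposed_positions(msgs) -> int:
    """Digest positions where signing all of `msgs` with ONE key reveals both
    secret halves, i.e. where a forger could pick either bit freely."""
    digests = [H(m) for m in msgs]
    return sum(1 for i in range(N)
               if {digest_bit(d, i) for d in digests} == {0, 1})


if __name__ == "__main__":
    sk, pk = keygen()
    firmware = b"constructed sample: sensor-firmware-1.2.bin"  # constructed input
    sig = sign(sk, firmware)
    print("valid:", verify(pk, firmware, sig))
    print("tampered:", verify(pk, firmware + b"x", sig))
    print("positions exposed after a 2nd signature:",
          exposed_positions([firmware, b"sensor-firmware-1.3.bin"]))
```

A single signature never exposes both halves of any pair, so one signature is safe; a second one with the same key typically exposes about half the positions, which is why practical hash-based schemes wrap many one-time keys in a Merkle tree.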

In the meantime, the security industry is busily working away on algorithms that can protect against quantum threats. NIST has put out an open call for post-quantum algorithms. Both Microsoft’s Picnic and ISARA’s qTESLA have been advanced to the second stage of the process, with the final aim of having these cryptosystems eventually standardised.

DigiCert is working with these and other leading technology companies to create hybrid certificates, which combine traditional RSA and ECC cryptography with post-quantum algorithms. With such a combination, an attacker must break not just the traditional algorithms but the post-quantum algorithms too. The company is helping interested companies test these hybrid certificates now.

Fortunately, the solutions will be coming before the threats. The only question is how long it will take for the world to realise they’re here.
