November 2021 marks the 45th anniversary of when Whitfield Diffie and Martin Hellman published their paper, New Directions in Cryptography, introducing the world to a new system for developing and exchanging keys over an insecure channel. The Diffie-Hellman key exchange has since become one of the most important developments in public-key cryptography and is frequently used in a range of different security protocols including, TLS, IPsec, SSH, PGP, and many others.
But the continued advancements in mathematics and computing, and the fast-approaching Quantum Age, puts Public Key Encryption (PKE) at risk. The system that was built in the 1980s was not designed for today’s hyperconnected world with vast amounts of data traveling from the data center to public clouds to edge environments. Even more troublesome is that with PKE systems, the data and the encryption key used to unlock that data travel together – an attacker needs only to compromise one connection to retrieve all the secret information. As a result, man-in-the-middle attacks have become more frequent with more at stake.
These inherent vulnerabilities of legacy encryption, combined with a quantum computer’s ability to break today’s encryption standards in a matter of minutes, will require the greatest cryptographic transition in the history of computing. But history shows past cryptographic transitions can take years, even decades to complete.
In 2005 and again in 2007, the U.S. National Institute of Standards and Technology (NIST) recommended through special report SP 800-57 that subscribers move from 1024-bit to 2048-bit RSA by 2010. In 2011, NIST upgraded their policy and issued special publication SP 800-131A to allow for a three-year transition period from 1024 to 2048 bits ending Dec. 31, 2013. It took more than 20 years for the Advanced Encryption Standard (AES) to completely replace Data Encryption Standard (DES) and 3DES.
Today, RSA-2048 encryption is considered the gold standard for PKE and critical to the protection of email exchanges, VPNs, secure webpage connections, digital supply chains, e-commerce, cryptocurrencies, passwords, and users accounts. If PKE enables more than 4.5 billion internet users to securely access 200 million websites and engage in some $3 trillion of retail e-commerce annually, why are so many organizations taking a lackadaisical, wait-and-see attitude to quantum readiness planning and execution? Many are relying on the Post-Quantum Cryptography (PQC) project sponsored by NIST to determine the set of PQC standards and migration guidelines needed to augment and ultimately replace RSA.
In the April 2021 report published by NIST, Getting Ready for Post-Quantum Cryptography the standards body outlines the challenges associated with adopting and using PQC algorithms after the standardization process is complete – which is currently on pace for selection by the 2022-24 time frame. As mentioned above, and reinforced in the NIST paper, experience has shown that in the best case, another 5-15 more years will be needed after the publication of the cryptographic standards before a full transition is completed.
This timing is problematic on three fronts:
- A quantum computer may be available before then.
- There is no guarantee that the cryptographic standards selected will not be broken by adversaries or vulnerable to implementation errors. Again, if we look to history, we will find that all past cryptographic standards have been broken.
- “Harvest today, decrypt tomorrow” attacks are happening now.
Dr. Diffie himself shared during a recent panel talk at IQT NYC Fall 2021, “When you think cryptographic standards, you must think in terms of centuries.”
It’s time for a new key delivery architecture: one that’s quantum-safe, interoperable with existing network security solutions, can immediately shore-up both PKE and pre-shared key (PSK) weaknesses, and was designed to work with vast, large area networks where multipoint key transmissions to the network’s edge is required.
Phio Trusted Xchange (TX) from Quantum Xchange fits the bill. The zero-trust architecture delivers on-demand, ephemeral key pairs that are dynamically regenerated to replace traditional static, pre-shared keys fraught with security risks. It decouples key generation and delivery from data transmissions allowing for true crypto-agility. And perhaps, most importantly, it embraces a defense-in-depth security model by combining keys delivered inline by traditional methods with a second, independent platform that delivers quantum-safe, symmetric keys out-of-band down a separate quantum-protected tunnel and mesh network.
Once again, we turn to Dr. Diffie’s recent remarks at IQT where the father of modern encryption encouraged the industry and organizations to embrace security-in-depth practices and implement quantum-safe symmetric keys into their existing crypto infrastructures.
Learn more about Quantum Xchange’s quantum-safe, out-of-band, symmetric key delivery system here.
