Lately, a lot of the discussions I’ve been having during webinars and online ‘round tables’ have centered around crypto key management and key protection. Invariably, the topic will move to quantum computing and how this up-and-coming technology will affect data security. The misinformation and the scaremongering around quantum computing are really confusing security professionals.

Asking a question about quantum computing today would be like asking if the industrial revolution would affect space travel. They are remotely related, but their impacts were apparent at very different times in history. There is no doubt that quantum computing will make an impact on computational power, but of all the futurists who say it’s around the corner, no one has been able to define how far away that corner is, how much faster it will be or how expensive it will be.

Some say quantum computers are already here. Some say we’ll have them in six years, others say 30 years. For those who have seen news reports announcing that people have already created quantum computers, they really haven’t — the simple truth is that reliable and accurate quantum computers do not exist. We have approximations and simulations, but these perform imperfect calculations for a very limited time. Scientists are working on ways to solve problems using these imperfect systems, but these are in no way comparable to what a fully reliable working quantum computer would be able to do.

A quantum computer is not simply a much faster traditional computer – rather it’s a whole new computing platform, which will require a whole new way of thinking. New cooling, new containment, new programming languages, new everything are needed. Taking the leap from an abacus to a microprocessor would be an acceptable analogy. Additionally, you probably won’t see a quantum computer powering a corporate database or a file retrieval system. Quantum computers will probably be relegated to computationally intensive questions like: ‘what’s the best way to use the gravitational force of the planets to propel a space ship toward Mars?’.

To put this into perspective, if you ever saw the original 1975 Rollerball movie with James Caan, there’s a ‘computer’ named Zero that is depicted as a cylinder of water with little bubbles rising up through it. It’s not too far-fetched that a quantum computer might resemble Zero more than it would something like a Cray from the ‘80s and ‘90s or even HAL from Stanley Kubrick’s movie 2001: A Space Odyssey. In short, we’re anticipating something quite revolutionary.

The security concern du jour is that quantum computers will quickly break current encryption algorithms. If you’ve ever attended one of my encryption webinars, you’ll remember that there are 1.15×10⁷⁷ combinations for an AES 256 bit key. This is a number that is very hard to comprehend. For context, there are about 1×10⁷⁸ atoms in the universe – only one order of magnitude larger than the number of AES 256 bit key combinations. No matter how you look at this, that’s big.

Today’s computers cannot even come close to cracking an AES 256 bit key through a brute force attack in any reasonable lifetime and while it’s theoretically possible for a quantum computer to crack a crypto key, it’s still going to take a long time and be really expensive. What people don’t take into consideration is that no matter how fast computers get, hackers intent on decrypting data or thwarting crypto protection don’t spend their time trying to crack crypto, and nor will they in the future. This is because most companies aren’t protecting their keys in the first place.


Hackers are searching for – and finding – the keys that are (in many cases) hidden in software. Much like a burglar who tries to break into a house, he’ll always look for the key under the mat or the flowerpot or above the door. The greatest lock in the world won’t deny a hacker entry if they have the key. This was true for the last 1,000 years and will be true for the next 1,000 years as well.
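The same search can be run defensively against your own code before an attacker runs it. The following is an added example, not part of the original post: a small audit that flags PEM private-key headers and 64-character hex literals (32 bytes, the size of an AES 256 bit key) whose Shannon entropy suggests real key material. The entropy threshold, the sample lines and the `hsm.get_key_handle` name are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample "source file" lines for the audit; none are real keys.
SAMPLE = [
    'AES_KEY = "3a7f0c9e1b5d2846e2c4a6081f3b5d7990fb1e2d3c4a58676d5e4f3a2b1c0798"',
    'PADDING = "0000000000000000000000000000000000000000000000000000000000000000"',
    'pem = "-----BEGIN RSA PRIVATE KEY-----"',
    # Hypothetical HSM client call: only a handle lives in software.
    'key = hsm.get_key_handle("payments-kek")',
]

# Matches PKCS#8, RSA, EC and OPENSSH style private-key headers.
PEM_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
# Exactly 64 hex characters encode 32 bytes, the size of an AES-256 key.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def shannon_entropy(s):
    """Bits of entropy per character; random hex approaches 4.0."""
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit(lines, min_entropy=3.0):
    """Return (line_number, reason) for lines that appear to embed key material."""
    findings = []
    for no, line in enumerate(lines, start=1):
        if PEM_RE.search(line):
            findings.append((no, "PEM private key header"))
        for m in HEX_RE.finditer(line):
            # The entropy filter drops padding and placeholder constants.
            if shannon_entropy(m.group()) >= min_entropy:
                findings.append((no, "32-byte high-entropy hex literal"))
    return findings


if __name__ == "__main__":
    for no, reason in audit(SAMPLE):
        print(f"line {no}: {reason}")
```

Lines 1 and 3 of the sample are flagged; the all-zero constant and the hardware key handle are not.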

Even with the advent of quantum computers, a hacker’s first impulse won’t be to crack the key but rather to steal the key. In other words, security professionals have the power today to stop most crypto theft by protecting their crypto keys. This same protection will extend into the quantum era because quantum computers initially will be expensive and not available to even your high-end hackers.

The question should not be: ‘Will quantum computing really affect a company’s security posture?’. The question should be: ‘What can I do today and tomorrow to make current and future crypto stronger?’. The whole quantum computing scaremongering is a red herring. But like all shiny objects, it’s hard not to look at the ‘quantum problem’. Companies need to concentrate on solving the simple attack before even thinking about the exotic one. The simple solution remains to protect your keys in hardware.

If you protect your keys in hardware, you’ll force the hacker to go to the next company. Don’t be that next company.