Meeting The Security Demands Of Post-Quantum Computing
The South Korean company Norma is a leader in IoT and Quantum security. Established in 2011, the company provides expertise and network security solutions for a range of wired/wireless environments, from smart homes and smart cities to national grids and heavy industry. Post-quantum cryptography is crucial to defend against cyberattacks that are specifically targeting today’s data. We spoke recently with Chung Hyun-chul, CEO of Norma to address critical post-quantum security issues.
- Question 1) As quantum computers become a reality, they will be able to break today’s public-key crypto-graphic (PKC) security.
What are some key steps that organizational leaders should take today to prepare and protect their organizations’ data and systems?
The first thing to do is to figure out what public key cryptography (for example, RSA, ECC, etc.) is currently being used internally. Afterward, a roadmap planning on how to build a security system in response to the threat of quantum computers is required. Among many tasks such as net-work infrastructure, applications, and security solutions, it is highly recommended to prepare a roadmap strategy being appropriate for the characteristics of the respective enterprises, which should be prioritized and how to be converted.
Specifically, these are like performing a post-quantum risk assessment, diagnosing an organiza-tional infrastructure, possessing a Crypto-Agility to respond to quantum attacks, checking how fast PKI can be migrated into post-quantum cryptography, adopting a hybrid method of PQC and classic cipher solutions, and designing a quantum-safe infrastructure, etc. These factors need to be taken into consideration comprehensively.
- Question 2) Cybercriminals use harvest now, decrypt later (HNDL) attacks to take advantage of quantum computers when they become more widely available. What can businesses do now to formulate their responses to HNDL, assess their security and prevent these attacks from potentially com-promising their data?
That's a very good question. Quantum computers are not yet universal, but I think this is a very appropriate question to explain why businesses need to be proactive about quantum security. HNDL refers to the act of stealing encrypted current data with the expectation that if quantum computers are commercialized, public key cryptography can be broken.
Attackers can collect data without having the skills to decrypt it right now. However, when quan-tum computers are introduced in the near future, it will be possible for them to break cryptog-raphy and obtain information. This means that all data today is at risk of being hacked, and it is important to be aware that if not protected now, it could be disclosed at any time.
For example, if an attacker attempts to steal data based on HNDL, it will be a threat to disrupt national safety nets, from smart cities, autonomous vehicles, and corporate industrial operations to power plants, financial data and security intelligence.
So, before discussing how to transform a system, businesses must assume that their encrypted data is potentially decryptable. On the premise of this factor, the corresponding scenarios and roadmaps should be prepared.
In this respect, the step-by-step roadmap needs to be arranged. Since a full-scale transition to quantum security is expensive, a sequential approach is required by securing important infor-mation or infrastructure in advance.
- Question 3) Crypto-Agility combines current, tested cryptography like RSA with post-quantum algorithms. How important is it and what are the advantages for companies to work with partners that practice hybridization and Crypto-Agility?
As mentioned earlier, preparing a secured system for a quantum computer requires a lot of in-vestment in terms of time and money. It also requires high security skills.
However, changes to cryptographic operations should not affect functionality, and users should not feel uncomfortable or alienated from the system changes. A company's concerns about Cryp-to-Agility can be addressed with the consultation and solutions from the companies specializing in cryptographic security.
Accordingly, the collaboration with a professional security firm brings economic benefits to the company by reducing trial and error through the technology and know-how of a professional security firm with various experiences, reducing costs and increasing efficiency.
- Question 4) Decision-makers can pursue one of three paths: adopt post-quantum cryptography (PQC) so-lutions today, retrofit existing systems to PQC standards or significantly enhance their traditional encryption protocols. Could you discuss some of drawbacks and trade-offs to consider for each approach?
Well, among three options, the first is to adopt a PQC environment across the infrastructure, including solutions such as applications from the beginning. The second is to change only the system's ciphers to the PQC standard, and the third is to modify the algorithm, like increasing the key length, or taking additional security measurement on to the current system.
Of course, adopting the first PQC solution is the most ideal and an ultimate alternative, but it may be difficult to make a full-scale conversion right away because it requires a lot of investment in terms of time and money. In addition, since it is a new technology that has not been tested on the market yet, there may be risks in terms of safety.
The second option can lead to unexpected issues in terms of compatibility between legacy sys-tems and ciphers, resulting in additional costs. And each revision will eventually have the same effect of adopting a full-fledged PQC environment. So, it's a good idea to plan it well from the beginning and move forward step by step to the first option.
The third option is difficult to choose, especially because it has problems that require a lot of resources, such as speed and memory, and is not a fundamental solution.
For companies developing solutions with the PQC technology applied, it is recommended to use the existing system and the new solution in parallel by preparing a strategy with the help of a professional consulting firm. Relatively low-importance, or costly work can be managed with the existing system, and the new PQC technology can be applied to the core systems and sensitive data only, expanding the application gradually.
- Additional Question 5) What is the difference between QKD and PQC technology and application, and what is the current global trend?
Quantum cryptography is largely divided into QKD, quantum cryptography key distribution with the hardware chip applied and PQC which is a software-based post-quantum cryptography. QKD is a quantum cryptography, which theoretically guarantees very high security, but it requires high costs, various conditions and additional infrastructure for its implementation. Therefore, it is quite difficult to introduce QKD into the market in a fast manner. On the other hand, PQC is a cryptographic technology based on mathematical problems that quantum computers take too much time to solve. It can be applied to the infrastructure by replacing the existing cryptograph-ic algorithms without the need for special equipment. In particular, it can be applied only by software implementation, so its scope is relatively wide.
Due to these characteristics, QKD-centered discussion was conducted in the early days of quan-tum security, but now PQC is attracting attention for technical reasons, and it is expected that PQC will take up a much larger share in the future.
Today, Norma is accelerating the commercialization of PQC in partnership with several large cor-porations and public institutions in Korea. We are carrying out pilot projects with HDC (Hyundai Development Company) and SK Telecom. Now we plan to expand the collaborations with global companies continuously in the future.
This content is sponsored by Norma.