The green padlock has become synonymous with safety and security. As we surf the internet, we breathe a sigh of relief anytime we see it when entering our credentials, credit cards, and other personal information. We have been trained to do so by experts and browser companies alike.
The adoption of secure networks continues to rise in businesses as they deploy more VPNs, network encryption between sites, etc. It is also becoming standard practice for businesses to configure their in-house applications/microservices to use mutual authentication when communicating.
So, what happens if one day the green padlock becomes meaningless?
Most forms of encrypted traffic have one thing in common -- the mechanism of establishing the identity of the machines involved in the communication. Certificates and symmetric keys form the foundation. They are generated using recommended algorithms and key lengths so that a hacker cannot practically reverse them with realistic time and computing resources.
However, all of these assumptions about the impracticality of brute-forcing or reverse engineering the keys are turned on their head by the near inevitability of quantum computing. “For public key cryptography, the damage from quantum computer will be catastrophic,” Lily Chen, mathematician and leader of the National Institute of Standards and Technology’s Cryptographic Technology Group, said in a session at the American Association for the Advancement of Science’s 2018 annual meeting in Austin, Texas, according to Gizmodo.
This threat is not limited to data created after quantum computing becomes a reality. Today's encrypted communications and data remain potentially vulnerable to hackers of the future through a scheme called harvest and decrypt. In this long-game attack, hackers scrape the encrypted data and hold it until quantum computers are accessible enough to crack the encryption and decrypt it. Clearly, not all data will still be valuable in the future, but national secrets, personal health records, and company IP (e.g. Coke's secret recipe) are all examples of data that can be potential targets. The NSA itself uses this technique, as revealed through the leaks from Edward Snowden.
It would thus be prudent for businesses to prepare for the threat quantum computing poses to their data, including machine identities. NIST (National Institute of Standards & Technology) provides a simple strategic framework to help assess the threat.
Businesses can prepare by asking themselves the 3 questions and determining whether they are at risk. They could begin to mitigate the risk today by increasing key length, using double encryption and improving their "crypto-agility". Investing in the tools and processes that provide control and automation of the machine identity lifecycle could be crucial for their survival in the era of quantum computing, and for maintaining the relevance of the green padlock.
To learn more, visit Gemalto Booth 858 and Venafi Booth 144 at Black Hat USA 2018 in Las Vegas.