Skip to main content
banner image
venafi logo

Post-Quantum Cryptography: Technology Advances, But Businesses Still Lag

Post-Quantum Cryptography: Technology Advances, But Businesses Still Lag

post-quantum cryptography
September 22, 2016 | Scott Carter

Last week, Google announced Chrome 54 beta, which includes new advances in encryption. Google’s efforts result in part from NSA warnings last year that quantum computers will eventually be able to crack current encryption algorithms. While Google is to be lauded for advancing encryption technology used in browsers, the move comes at a time when many organizations still do not take full advantage of current encryption safeguards. 

How real is the quantum computer threat?

Before we lament the less-than-stellar state of current encryption, let’s examine the future risks that quantum computers represent to encryption in general. Quantum computers process alarming amounts of data which allows them to make extraordinary calculations that would render current encryption ineffectual.  CNET serves up a quick explanation of how quantum computers crack encryption technology.  

Venafi Chief Security Strategist, Kevin Bocek, takes the NSA’s advisory and Google’s reaction very seriously. He feels that it’s safe to assume that “adversaries are trying to break encryption, our systems of trust and authentication, and may soon be able to do so.” As a result, he applauds Google for stepping up its efforts and experimenting with post-quantum-cryptography early on.

What is the real threat today?

Back to reality. Sadly, Encryption Everywhere is still more of a goal than it is a reality. So while Google is actively developing technologies that would stop quantum computers from cracking current encryption, many companies are still vulnerable to current attacks against encryption.

Even if they have implemented encryption for publicly facing websites, many do not even know how many keys and certificates they have or how they are being used (and potentially misused) in their environments. Cybercriminals can circumvent this encryption by misusing untracked keys and certificates to hide in encrypted traffic, eavesdrop on communications, deploy malware, and spoof websites.

How are companies making vulnerable encryption even worse?

Vulnerabilities, such as Heartbleed and the more recent DROWN, have proven how easy it is for certificates to be exploited. Yet many companies simply did not take remediation of these vulnerabilities seriously—many rotated certificates, but did not replace keys. A year after Heartbleed, almost ¾ of the Global 2000 still had not completely remediated, leaving them exposed.

Another weak cryptography practice is the continued use of vulnerable SHA-1 certificates, on which many businesses still rely. Despite warnings from the NSA and NIST over 10 years ago, SHA-1 certificates are still widely used by organizations. According to Bocek, “People are slow to adapt to change, despite the fact they are leaving themselves at risk.” He estimates that “the internet is still flooded with SHA-1 certificates, and will remain so—I would bet—until January 2017 when browsers will finally stop trusting SHA-1.”

Bocek sums it up, “We must put in place fast, easy automation for web encryption and authentication. This will help protect the foundation of online security today and help us respond to new vulnerabilities and the crypto requirements of the future.”

His counsel to organizations everywhere is to start now. Invest in adaptable systems that can support encryption changes as we move toward more secure alternatives. 

Like this blog? We think you will love this.
image representing big data
Featured Blog

Was ist homomorphe Verschlüsselung, und wie wird sie verwendet?

Was ist homomorphe Verschlüsselung? Zweck der

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more