Apple, Signal Debut Quantum-Resistant Encryption, but Challenges Loom

  /     /     /  
Publicated : 23/11/2024   Category : security


Apple, Signal Debut Quantum-Resistant Encryption, but Challenges Loom


Apples PQ3 for securing iMessage and Signals PQXH show how organizations are preparing for a future in which encryption protocols must be exponentially harder to crack.



Apples new PQ3 post-quantum cryptographic (PQC) protocol introduced last week is the latest manifestation of a trend that will accelerate over the next few years as quantum computing matures and takes root in a variety of different industries.
Protocols like
PQ3
, which Apple will use to
secure iMessage communications
, and a similar encryption protocol that Signal introduced last year called
PQXDH
, are quantum resistant, meaning they can — theoretically, at least — withstand attacks from quantum computers trying to break them.
Many consider that capability will become vital as quantum computers mature and give adversaries a
trivially easy way to crack open
even the most secure current encryption protocols and access protected communications and data.
Concerns over that potential — and of adversaries already harvesting sensitive encrypted data and storing them for future decryption via quantum computers — prompted a National Institute of Standards and Technology initiative for
standardized public key, quantum-safe cryptographic algorithms
. Apples PQ3 is based on Kyber, a post-quantum public key that is one of four algorithms that
NIST has chosen for standardization
.
Rebecca Krauthamer, chief product officer at QuSecure, a company that focuses on technologies that protect against emerging quantum computing-related threats perceives Apples announcement will drive further momentum in the PQC space.
We have been implementing with a number of well-known organizations in the space, and I can say firsthand that Apples announcement is the first of many to come in the next four months, Krauthamer says. She anticipates similar moves from developers of other messaging apps and social media platforms.
Up until now, the government, financial services, and telecom sectors have driven early adoption of PQC. Telecom companies in particular have been at the forefront in experimenting with quantum key distribution (QKD) for generating encryption keys, she says. But in the past 18 months, weve seen them migrate towards PQC as PQC is digitally scalable, while QKD still has significant scalability limitations, Krauthamer adds.
For organizations, the shift to PQC will be long, complicated, and likely painful. Krauthamer says post-quantum encryption algorithms will redefine the landscape of authentication protocols and access controls. Current mechanisms heavily reliant on public key infrastructures, such as SSL/TLS for secure Web communications, will require reevaluation and adaptation to integrate quantum-resistant algorithms, she says. This transition is crucial for maintaining the integrity and confidentiality of mobile and other digital interactions in a post-quantum era.
The migration to post-quantum cryptography introduces a new set of management challenges for enterprise IT, technology, and security teams that parallels previous migrations, like from TLS1.2 to 1.3 and ipv4 to v6, both of which have taken decades, she says. These include the complexity of integrating new algorithms into existing systems, the need for widespread cryptographic agility to swiftly adapt to evolving standards, and the imperative for comprehensive workforce education on quantum threats and defenses, Krauthamer says.
Quantum computers will equip adversaries with technology that can relatively easily strip away the protections offered by the most secure of current encryption protocols, says Pete Nicoletti, global CISO at Check Point Software. The lock in your browser bar will be meaningless as quantum computer-equipped criminals will be able to decrypt every banking transaction, read every message, and gain access to every medical and criminal record in every database everywhere, in seconds, he says.  Critical business and government communications conventionally encrypted in site-to-site VPNs, browsers, data storage, and email are all at risk of harvest now, decrypt later attacks, he says.
Right now, in certain verticals, business leaders should assume that all of their encrypted traffic is being harvested and stored for when quantum encryption is available to crack it, Nicoletti says. Even though such attacks might be a while away, business and technology leaders need to be aware of the issue and start preparing for it now.
The goal should be to not impact users when transitioning to PQC, but every indication is that it will expensive, chaotic, and disruptive, he says. Messaging apps like Apples PQ3 are relatively easy to deploy and manage. Consider the chaos when your corporate firewall or cloud provider does not support a certain post-quantum encryption algorithm with a partner or a customer, and you cant communicate securely, he says, by way of an example. Unless vendors of browsers, email, routers, security tools, database encryption, and messaging are all on the same page, enterprise IT teams will have their hands full making the switch to PQC, he cautions.
Grant Goodes, chief innovation architect at mobile security vendor Zimperium, advocates that organizations take a measured approach to implementing PQC, considering the enormity of the task and the fact its unclear when in the future many of the most feared security consequences of quantum computing will come to pass. Like others, he concedes that when quantum computers finally come of age, they will make even the most secure RSA encryption trivial to break. But breaking an RSA-2048 key would require some 20 million qubits, or quantum bits, of processing power. Given that current practical quantum computers only have around 1,000 qubits, its going to take at least another decade for that threat to become real, Goodes predicts.
Second, there is the concern that these proposed post-quantum ciphers are very new and have yet to be truly studied, so we dont really know how strong they are, he notes. As a case in point, he cites the example of SIKE, a post-quantum encryption algorithm that NIST approved as a finalist for standardization in 2022. But
researchers quickly broke SIKE
shortly thereafter using a single-core Intel CPU.
New ciphers based on novel mathematics are not necessarily strong, just poorly studied, Goodes says. So a more measured approach is likely prudent for adopting PQC, he adds. Post-quantum cryptography is coming, but there is no need to panic. Doubtless they will start to make their way into our devices, but existing algorithms and security practices will suffice for the immediate future.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Apple, Signal Debut Quantum-Resistant Encryption, but Challenges Loom