Quantum Leap: Is This the Future of Cyber Security?
Over the course of the past two years, Los Alamos National Labs has been running a very interesting experiment. In an attempt to create the perfectly secure Internet and communications environment, Los Alamos has been running and operating an instance of the Quantum Internet.
A recent article published in Technology Review states that "one of the dreams for security experts is the creation of a quantum internet that allows perfectly secure communication based on the powerful laws of quantum mechanics."
According to the article, the basic idea here is that the act of measuring a quantum object, such as a photon, always changes it. So any attempt to eavesdrop on a quantum message cannot fail to leave telltale signs of snooping that the receiver can detect.
That allows anybody to send a "one-time pad" over a quantum network which can then be used for secure communication using conventional classical communication.
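The detection idea described above can be simulated classically. This is an added example, not code from the article or from Los Alamos; it assumes the BB84 key-exchange protocol (the article does not name a scheme), an intercept-and-resend eavesdropper, and an abort threshold (`max_qber`) chosen only for illustration.

```python
import random

def bb84_sift(n_photons, eavesdrop, rng):
    """Simulate BB84 transmission and sifting; return (alice_bits, bob_bits)."""
    alice, bob = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        state_bit, state_basis = bit, a_basis          # photon as sent by the sender
        if eavesdrop:                                  # interceptor measures, then re-sends
            e_basis = rng.randint(0, 1)
            if e_basis != state_basis:                 # wrong basis: outcome is random
                state_bit = rng.randint(0, 1)
            state_basis = e_basis                      # measurement changed the photon
        b_basis = rng.randint(0, 1)
        measured = state_bit if b_basis == state_basis else rng.randint(0, 1)
        if b_basis == a_basis:                         # sifting: keep matching bases only
            alice.append(bit)
            bob.append(measured)
    return alice, bob

def check_link(n_photons, eavesdrop, seed, sample_size=500, max_qber=0.05):
    """Return (qber, accepted, pad_bits) for one simulated key-exchange session."""
    rng = random.Random(seed)                          # seeded PRNG: simulation only
    alice, bob = bb84_sift(n_photons, eavesdrop, rng)
    # Both ends publicly compare a random sample of the sifted bits.
    sample = set(rng.sample(range(len(alice)), sample_size))
    qber = sum(alice[i] != bob[i] for i in sample) / sample_size
    accepted = qber <= max_qber                        # assumed threshold, see lead-in
    # Revealed bits are discarded; the rest is the one-time pad if the link is clean.
    pad = [alice[i] for i in range(len(alice)) if i not in sample]
    return qber, accepted, pad if accepted else []

if __name__ == "__main__":
    for eve in (False, True):
        qber, ok, pad = check_link(4000, eve, seed=1)
        print(f"eavesdropper={eve}: QBER={qber:.3f} accepted={ok} pad_bits={len(pad)}")
```

Without an interceptor the sampled error rate is zero and the remaining bits are kept as the pad; with one, roughly a quarter of the sampled bits disagree and the session is rejected.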
Sounds great, right? The current technological evolution has really revolved around more users, more devices and a lot more data. This has forced IT security professionals to adopt new types of encryption methodologies to further safeguard their information.
Data in motion and data at rest both have to be encrypted, and the entire key management process must be carefully controlled.
Let’s take a look at some modern encryption and security practices. AES 256-bit is probably one of the most secure encryption types you can use. However, even with this type of platform, key-recovery attacks against full AES platforms have been recorded.
With bicliques, an approach that is faster than brute force by a factor of about four, attacks against very secure platforms are very possible. Furthermore, chosen-key-relations-in-the-middle attacks have been recorded against AES-128 systems.
Today, the Quantum Internet is limited to point-to-point connections and scalability becomes a serious challenge. Although information can be passed between two points, creating logical routing algorithms is still on the drawing board.
Although Quantum cryptography promises better communication methods, the points of failure will fall on the infrastructure and the deployment. The network environment is only as secure as the infrastructure that supports it. For example, a recent blog from SkullSecurity.org directly dives into the widely exploited padding oracle attack that affected a lot of popular web frameworks.
Here’s the fact of the matter: cryptography-related issues are rarely the fault of the algorithm itself. Many issues revolve around deployment, poor planning or challenges within the infrastructure. Much of the burden in actually deploying crypto-security will fall upon the developers. For example, Apple had the right idea when they implemented secure storage on iOS.
This means that their system uses an encrypted storage "container" for things like credentials and sensitive cookies. This allows all of the cryptography heavy lifting to be done under the hood and provides developers with a simple API to encrypt and decrypt items.
One security and cryptography professional recommended that developers "use vetted crypto APIs whenever possible, follow documented best practices, and have all security related code audited by people that are familiar with software security. If you need to encrypt client/server traffic, use SSL, for instance."
When it comes to key management, cryptography, and data security – it’s important to have a good design in place. Furthermore, systems which are very sensitive to intrusions must be tested and challenged periodically.
In deploying best practices security solutions, continuously documenting the environment and always, proactively, testing for vulnerabilities will create a much more robust and secure infrastructure.
Quantum Internet and cryptography solutions will, without a doubt, create new types of fast and secure systems over which we can communicate and share information.
However, just like with any other technology – the planning, design and implementation part of the project can mean the difference between a truly secure system, and one with holes in it.
Some of the issues raised in this article will be discussed at IDGA’s Cyber Security and Network Defense summit next month. For full details, go to www.defensecybersecurity.com