
How to start using post-quantum encryption

An important first step, according to NIST’s Dustin Moody: Do a cryptographic inventory.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The threat of quantum computers—which could potentially turn today’s encrypted data into regular ol’ data—has led encryption experts to turbocharge their cipher suites.

On August 13, the National Institute of Standards and Technology (NIST) announced three post-quantum encryption standards—algorithms that tech practitioners must test out as quantum computing advances, IT pros who spoke with IT Brew said.

“The process of switching over will not be flipping a switch. That’s why you have to start playing with this now. You have to start implementing it,” Johannes Ullrich, dean of research for the SANS Technology Institute, told us.

A quantum-computer attack on today’s connection-protecting algorithms like Rivest-Shamir-Adleman (RSA) and Elliptic Curve Diffie-Hellman (ECDH) remains theoretical—for now.

Powerful enough quantum computers could potentially crack the encryption codes protecting online communications and sensitive data, Phil Venables, VP at TI Security and CISO of Google Cloud, wrote in an August 15 blog post, leading to “serious consequences, jeopardizing online privacy and the security of our digital world.”

As for NIST’s three post-quantum encryption standards:

  • ML-DSA and SLH-DSA protect digital signatures, the certificates that provide assurance of software or document integrity.
  • ML-KEM supports key establishment—the process of securing online data transmissions.

“Go ahead and start using these three,” Dustin Moody, NIST mathematician and lead on the post-quantum cryptography standardization project, said in a statement announcing the quantum keepers.

Look before you quantum leap. For end-users, testing out quantum-encryption might just mean turning it on where available, and seeing what crashes, according to Ullrich. A system admin can “use a browser with the new algorithms enabled,” for example, “and see if they can still connect to old firewall interfaces.”

This May, Google implemented ML-KEM in its Chrome browser by default for the online-privacy protocol known as TLS 1.3.

Part of the preparation for quantum-ready encryption means “doing an inventory of your data,” Moody told IT Brew, “to see what information is protected by cryptography, and what cryptography is protecting that data.” In partnership with CISA and NSA, NIST released a quantum-readiness roadmap in August with suggestions for encryption roll call, including discovery tools.

For inventory, Ullrich recommended network-monitoring systems that enumerate endpoints and any algorithms you’re using for particular TLS connections. One open-source option: Zeek.
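
One way to turn Zeek's TLS log into the kind of inventory described above, as an added example that is not from the article or the Zeek project. It assumes Zeek's default tab-separated `ssl.log` with its `cipher` and `curve` columns, and that hybrid post-quantum groups are logged with "MLKEM" or "Kyber" in the name; the log rows are constructed, and only key exchange is classified, not certificate signatures.

```python
from collections import Counter

# Constructed sample in Zeek's tab-separated ssl.log layout (subset of columns).
SAMPLE_SSL_LOG = (
    "#path\tssl\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tversion\tcipher\tcurve\tserver_name\n"
    "1723550000.1\tC1\t10.0.0.5\t192.0.2.10\t443\tTLSv13\tTLS_AES_128_GCM_SHA256\tX25519MLKEM768\tapp.example.test\n"
    "1723550001.2\tC2\t10.0.0.6\t192.0.2.10\t443\tTLSv13\tTLS_AES_128_GCM_SHA256\tx25519\tapp.example.test\n"
    "1723550002.3\tC3\t10.0.0.5\t192.0.2.20\t8443\tTLSv12\tTLS_RSA_WITH_AES_128_CBC_SHA\t-\tfw-mgmt.example.test\n"
    "1723550003.4\tC4\t10.0.0.7\t192.0.2.30\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tsecp256r1\tiot.example.test\n"
)

def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def classify(cipher, curve):
    """Label the key exchange of one connection from its cipher and named group."""
    group = curve.upper()
    if "MLKEM" in group or "KYBER" in group:   # assumed naming of hybrid PQ groups
        return "hybrid-pq"
    if curve not in ("-", "(empty)", ""):      # named group present, not PQ
        return "classical-ecdh"
    if cipher.startswith("TLS_RSA_WITH_"):     # TLS 1.2 RSA key transport
        return "rsa-key-transport"
    if "_ECDHE_" in cipher:                    # e.g. resumed session, no curve logged
        return "classical-ecdh"
    if "_DHE_" in cipher:
        return "classical-dhe"
    return "unknown"

def inventory(text):
    """Map (server IP, port, SNI) -> Counter of key-exchange labels seen."""
    inv = {}
    for r in parse_zeek_tsv(text):
        server = (r["id.resp_h"], r["id.resp_p"], r["server_name"])
        inv.setdefault(server, Counter())[classify(r["cipher"], r["curve"])] += 1
    return inv

def needs_migration(inv):
    """Servers never observed negotiating a hybrid PQ group (client support permitting)."""
    return sorted(s for s, seen in inv.items() if "hybrid-pq" not in seen)

if __name__ == "__main__":
    for server in needs_migration(inventory(SAMPLE_SSL_LOG)):
        print("quantum-vulnerable key exchange only:", server)
```

A server appears in `needs_migration` only on the evidence of observed connections, so a client that never offers a post-quantum group will make every server it talks to look unready.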

CISA also recommended that IT pros engage with supply-chain vendors to find tech that might have quantum-vulnerable cryptography and may not be ready to handle upgraded standards.

In addition to monitoring legacy software, like web servers running on older IoT devices, Ullrich also advised developers to examine which libraries support the new algorithms and investigate any weaknesses when configuring protections into code.

Forward-looking defenders like Moody imagine attackers doing the same: preparing, perhaps gathering today’s encrypted data in the hopes that tomorrow’s sophisticated tech will unlock it.

“You’re already at risk today from that future quantum computer, even though it hasn’t yet been built,” Moody told IT Brew.
