Michael Osborne, Principal RSM, IBM Research

(CVE-2014-0160) OpenSSL Heartbleed Vulnerability

Jan 2017: (https://thehackernews.com/2017/01/heartbleed-openssl-vulnerability.html).

Crypto Agility MIT Technology Review Quantum Safe

In this specific case ‘lack of cryptographic agility’

Crypto Agility Quantum Safe Cryptography

• We often do not know where crypto is deployed
  – Third party software and libraries, embedded crypto, remote APIs, Smart cards, HSMs, Cloud Services
• Components use ‘arcane’ low level cryptographic APIs
  – PKCS#11, MS CSP, OpenSSL libraries
• We often do not know how crypto is used
  – Usage configured in the calling application or system
  – Vendor specific knowledge
  – Dependencies on third party components

• Rolling your own cryptographic algorithms or implementations
• Misuse of libraries and algorithms
• Poor management
  – No revocation, No rollover or weak keys
• Randomness that is not random
• Failure to centralize cryptography
• Failure to allow for algorithm adaptation and evolution

• Algorithm flaws, including block ciphers and cryptographic primitives;
• Protocol problems, meaning fixes that require changes to the protocol;
• Side channel attacks, where secret keys leak out;
• attacks, which may overlap protocols and implementations; and
• Implementation flaws, where there is a bug in the code that is often not revealed until it is too late to rewrite it.

Fault tolerant quantum computers will be able to decrypt public key cryptography

The National Institute of Standards and Technology predicts it may be possible to break 2000-bit RSA by 2030 – NIST report on Post

“There is a 1 in 7 chance that some fundamental public-key crypto will be broken by quantum by 2026, and a 1 in 2 chance of the same by 2031” – Dr. Michele Mosca, Institute of , University of Waterloo

“Accenture believes the inflection point in quantum computing is coming quickly and the ability to break classical cryptography will be reached in the next 8 years.” – Cryptography in a Post Quantum World, Accenture

of a large quantum computer being built in the next 15 years

Risk = probability x impact

IMPACT = EXTREME

Consequences: Insignificant | Minor | Moderate | Major | Extreme
Rare (<3%), 1980-2016: Low | Low | Low | Medium | Medium
Unlikely (3% - 10%), 2016-2018: Low | Low | Medium | Medium | Medium
Moderate (10% - 50%), 2018-: Low | Medium | Medium | Medium | High
Likely (50% - 90%): Medium | Medium | Medium | High | High
Almost Certain (> 90%): Medium | Medium | High | High | High

Why is the impact so high?

Grover’s algorithm halves the security of the following algorithms: AES, GMAC, SHA-256, SHA 3

Shor’s algorithm completely breaks many Public Key Cryptography schemes: RSA, EDSA, CC,

+Chinese Algorithms +Russian Algorithms +Korean Algorithms

Elliptic curve algorithms are under threat much earlier than their RSA equivalents.

Note: The figures given are numbers of logical qubits. Each logical qubit requires many physical qubits.

Factoring Algorithm (RSA): approx #qubits 2n, time 4n^3
N bits | Approx #qubits | Time
512 | 1024 | 0.54·10^9
1024 | 2048 | 4.3·10^9
2048 | 4096 | 34·10^9
3072 | 6144 | 120·10^9

EC (ECC): approx #qubits F’(n), time 360n^3
N bits | Approx #qubits | Time
110 | 700 (800) | 0.5·10^9
163 | 1000 (1200) | 1.6·10^9
224 | 1300 (1800) | 4.0·10^9
256 | 2800 (3600) | 6.0·10^9

1. Long term digital identities
2. The future confidentiality of data


Amazon Root CA 1 | Amazon | Amazon Trust Services | RSA 2048 bits | 2015 May 26 | 2038 Jan 17

https://blog.mozilla.org/blog/2017/11/14/introducing-firefox-quantum/

DigiCert Assured ID Root G2 | DigiCert Assured ID Root G2 | RSA | 2048 bits | SHA-256 | 12:00:00 Jan 15, 2038
Class 3 Public Primary Certification Authority | Class 3 Public Primary Certification Authority | RSA | 1024 bits | SHA-1 | 23:59:59 Aug 2, 2028
Apple Root CA | Apple Root CA | RSA | 2048 bits | SHA-1 | 21:40:36 Feb 9, 2035

Version: 3 (0x2)
Serial Number: 14 (0xe)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=U.S. Government, OU=ECA, CN=ECA Root CA
Validity
    Not Before: Jun 14 10:20:09 2004 GMT
    Not After : Jun 14 10:20:09 2040 GMT
Subject: C=US, O=U.S. Government, OU=ECA, CN=ECA Root CA
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
        Modulus (1024 bit):

Trust: Always
Validity Date: 2040
Key Strength: 1024 bit
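The root certificates above stay trusted well past the dates quoted earlier, while the page states that Shor's algorithm breaks RSA and Grover's halves symmetric strength. As an added example (not from the original slides), this Python sketch parses the ECA Root CA fields shown above and flags them. The 2030 horizon is an assumption taken from the NIST quote, and the function names and algorithm-name prefixes are hypothetical.

```python
import re
from datetime import datetime

# Fields copied from the ECA Root CA dump on the slide; the modulus is not on the page.
ECA_ROOT_TEXT = """\
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=U.S. Government, OU=ECA, CN=ECA Root CA
Not Before: Jun 14 10:20:09 2004 GMT
Not After : Jun 14 10:20:09 2040 GMT
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
"""

HORIZON_YEAR = 2030  # assumption: the NIST date quoted on the page, used as planning horizon
# Assumed algorithm-name prefixes for public-key families that Shor's algorithm breaks.
SHOR_BROKEN = re.compile(r"^(id-)?(rsa|ec|ed|dsa|dh|x25519|x448)", re.IGNORECASE)

def parse_cert_text(text):
    """Pull the triage-relevant fields out of `openssl x509 -text` style output."""
    def field(pattern):
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError(f"field not found: {pattern}")
        return match.group(1).strip()

    return {
        "issuer_cn": field(r"^\s*Issuer:.*CN=(.+)$"),
        "sig_alg": field(r"Signature Algorithm:\s*(\S+)"),
        "key_alg": field(r"Public Key Algorithm:\s*(\S+)"),
        "key_bits": int(field(r"Public[- ]Key:\s*\((\d+) bit\)")),
        "not_after": datetime.strptime(field(r"Not After\s*:\s*(.+?)\s+GMT"), "%b %d %H:%M:%S %Y"),
    }

def post_quantum_bits(algorithm, classical_bits):
    """Per the page: Shor leaves public-key schemes broken (0), Grover halves the rest."""
    return 0 if SHOR_BROKEN.match(algorithm) else classical_bits // 2

def triage(cert, horizon_year=HORIZON_YEAR):
    """Return findings for one trust anchor: quantum exposure first, then classical weaknesses."""
    findings = []
    quantum_broken = post_quantum_bits(cert["key_alg"], cert["key_bits"]) == 0
    if quantum_broken and cert["not_after"].year > horizon_year:
        findings.append(f"quantum: {cert['key_alg']} trusted until {cert['not_after'].year}, past {horizon_year}")
    if cert["key_alg"].lower().startswith("rsa") and cert["key_bits"] < 2048:
        findings.append(f"classical: {cert['key_bits']}-bit RSA key")
    if cert["sig_alg"].lower().startswith("sha1"):
        findings.append("classical: SHA-1 signature")
    return findings
```

Calling `triage(parse_cert_text(ECA_ROOT_TEXT))` returns the findings for the certificate on the slide; changing `horizon_year` shows how the quantum finding depends on the chosen estimate.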

Timeline, 2000 to 2020:
• Windows XP Introduced
• The third and final Service Pack, SP3, 2008
• Support for Windows XP ended April 8, 2014
• June 2018: NetMarketShare’s March report had revealed that Windows XP’s market share increased to 4.59%, and the latest report of the month May shows that the OS has once again improved its share.
https://www.windowslatest.com/2018/06/03/new-stats-show-windows-xps-market-share-increased/


“About percent of the devices that are control systems are on Windows XP or other non supported operating systems,” said Daryl Haegley, program manager for the Office of the Assistant Secretary of Defense for Energy, Installations and Environment.
https://www.defenseone.com/technology/2017/04/pentagons-bug-bounty-program-should-be-expanded-americas-military-bases-dod-official-says/137229/


“Treasury Department/Internal Revenue Service”

Individual Master File: A massive application that receives taxpayer data and dispenses refunds. “This investment is written in assembly language code -- a low-level computer code that is difficult to write and maintain -- and operates on an IBM mainframe

https://www.nextgov.com/cio-briefing/2016/05/10-oldest-it-systems-federal-government/128599/

https://www.computerhistory.org/timeline/1961/


• Trust is based on the cryptography that it uses
• Public Keys are used to validate transactions


• Many are ‘permissioned’
• Heavy use of and public key cryptography
• Required for performance, governance and auditability
• Many asset transfer applications will be long term
  • Land registries, property, valuable goods
https://www.theblockcrypto.com/2018/12/10/crypto-simplified-explaining-permissioned-blockchains/


Systems using today’s cryptography for long term authentication are at risk
• Code updates and patches
• Malware pattern updates
• Transaction authentication
• Ownership of blockchain assets
• User authentication
• Remote systems access


Healthcare data
• Guide 0068 - Clinical Trials (US) 25 Years
• Health Records (Japan) - 100 Years
• Mental Health Records (UK) 20 Years
• Radiation Records (D) – 100 Years

Finance data
• Tax Records 7-10 Years in most countries, Sarbanes Oxley
• Trade secrets, Mergers and Acquisitions up to 50 years
• Confidentiality agreements (P) 50 Years
• Payroll records (Rou) 50 Years

Government data
• Secure Intelligence Sharing
• Toxic Substances Control Act / Occupational Safety and Health Act 30 years
• Military Data
• Dumpsite Record (I) – 30 Years


Sensitive data protected with today’s cryptography is vulnerable in the future
• Data communications over TLS that have been harvested
• Encrypted media that is improperly disposed or lost
• Encrypted data lost during a data breach
• Snapshots of encrypted cloud data
• Systems using blackened (wrapped) encryption keys that are public

Many data protection schemes use combinations of Public Key cryptography and Symmetric encryption


Quantum Key Distribution
• Micius launched August 2016
• Technique: quantum-entangled photons
• Quantum entanglement distance record, 1200KM
• Relays for extending distance
• 80-kbit secure quantum keys
• One-time-pad encoding

• A point to point technology only
• Expensive
• Only solves key distribution and not authentication

Quantum Random Number Generator
• Quantum Random Number Generators (QRNG) are a subset of True Random Number Generators (TRNG) that use quantum mechanical events as the basis for generating randomness.
• NIST Quantum Beacon

• Something to improve classical cryptography – but does not address the quantum challenge


CRYSTALS (Cryptographic Suite for Algebraic Lattices)

• Kyber is a CCA-secure key encapsulation mechanism, whose security relies on the hardness of the module-LWE problem.
• Dilithium is a digital signature scheme whose security relies on the module-LWE and module-SIS problems.

http://pq-crystals.org - Licence: Creative Commons Zero:

FALCON

• FALCON is a digital signature scheme using Fast-Fourier lattice based compact signatures over NTRU

http://falcon.org - Licence: Creative Commons Zero:

GTO 2019 / DOC ID / Month XX, 2018 / © 2018 IBM Corporation


Risk Baseline
• The cryptographic algorithms used,
• The protocol in which the algorithms are embedded,
• The size of the keys used,
• How the keys are distributed and stored.
• The application context,
• The security time value of the data being collected,
• The difficulty upgrading the application or infrastructure.

Risk Context – changes over time
• The evolution of fault tolerant quantum computers,
• The number of physical qubits required for each logical qubit,
• The connectivity of qubits.
• The improvement of quantum crypto analysis,
• The development of new quantum algorithms,
• The development of hybrid cloud / quantum solutions
• Strength evolution in PQC algorithms

IBM Security Quantum Risk Assessment
IBM Research Security Subscription Service (Quantum)

Timeline: 2019, Risk Analysis, Implementation, Deadline Day, Q Day (????)
