Quantum computing: becoming "crypto agile"

In practice, however, a quantum computer needs to be considered for the potential impact it has to decrypt encryption algorithms thought to be unbreakable. 

“A viable quantum computer is capable of breaking the RSA algorithm [an asymmetric cryptography algorithm], or any other asymmetric algorithm in a much shorter period of time compared to classic computers,” stressed Avesta Hojjati, VP of Engineering at DigiCert in a talk delivered at IoT Tech Expo Europe. “What is that shorter period of time? For 50 years it’s been thought that the RSA algorithm will not be broken for thousands or millions of years. With a quantum computer we’ll be able to break any asymmetric algorithm based on a factorisation problem in less than a week.” 

Because cryptography is the foundation of running applications on the Cloud - which is common for IoT, in the context of the audience Hojjati was addressing - breaking these algorithms spells out serious concern for these applications; running from medical devices to electric vehicles, demonstrating the versatility of IoT applications today and the risks breaking these algorithms runs to the end user. 

“Overnight, all the security promises we’ve had could be broken once we have a viable quantum computer,” said Hojjati. “Add this to the compliance challenges and the complexity of designing and deploying IoT devices [and it’s extremely difficult].” 

Becoming “crypto agile”

As a result, companies require “crypto agility,” according to Hojjati, which refers to the capability to utilise more secure cryptographic algorithms. 

“Let’s say you have a medical device like an infusion pump, or you have a programming logic controller (PLC) and these devices are using RSA to secure a connection,” he said. “There’s a new vulnerability that tells you RSA is broken. What can you do to fix this issue?” 

Depending on what you pick, explained Hojjati, you could send out technicians to update the firmware; you could send an over-the-air update if you have the capability to do so; or you could do both and update the device to use a quantum-safe algorithm. 

“The first step is asking if you know what cryptographic algorithms exist in your devices,” he said. “If you cannot answer that question, you are not in a good position.” Consequently, the next step after that is to create a Cryptographic Bill of Materials (CBOM). “This will create an inventory of all your devices, to know what cryptography applications are on that device.”

There are “four buckets” of challenges to consider: crypto agility; development; building the device and deploying it.

“As a software developer myself, the first thing that comes to mind is that if I have produced software that has a vulnerability, I want to make sure that vulnerability can be fixed at any moment,” said Hojjati. “Moving onto the build, this depends on what you’re building. If you have a complex system, you want to choose the right hardware for it, and for that you want a specific device that could support a specific set of applications. 

“Finally, there is the deployment part of this: [if] I have millions of IoT devices deployed, I want to know if any of these devices has a specific vulnerability.” 

Providing specific use cases, Hojjati showed how DigiCert is supporting its customer operating in the healthcare sector, whose challenges related to global silos across the world, manufacturing devices that weren’t managed by the same individual; operational goals which meant a technician couldn’t update every single device; and abiding by strong regulatory and compliance regulations. This was resolved by providing a centralised security solution which meant the customer could view the devices deployed globally.

“The impact was that the corporate philosophy that meant they previously thought once they sold the device, it was out of their control,” explained Hojjati, “The corporate philosophy changed.”

If you’re interested in learning more about quantum computing, Electronic Specifier’s explanation can be accessed here.