iTWire – Business and industry must keep pace with innovation to tackle cybersecurity challenges says DigiCert executive
Brian Trzupek is a crypto and security tech by day and night. He’s testified before Congress on matters of identity and authentication and has worked in pushing the forefront of digital certificates and enterprise PKI for almost two decades. Trzupek has been in Sydney recently to speak with customers and took time from his schedule to speak with iTWire. Far from it being the usual discussion of why certificates are essential to digital trust, he surprised me by telling me quantum computing can make it all come crashing down and industry needs to rise to the challenge. This takes a new approach that Trzupek dubs ‘crypto agility’.
Quantum computing
For clarity, IBM defines quantum computing as specialised technology, including computer hardware and algorithms that take advantage of quantum mechanics, to solve complex problems that classical computers or supercomputers can’t solve, or can’t solve quickly enough. For example, quantum computers can be used to simulate complex chemical reactions with better models for how atoms interact with one another, which can be used to develop new drugs and materials. They can also be used to optimise complex systems, such as traffic flow or financial trading.
Quantum computers have shown that they can process certain tasks exponentially faster than classical computers. In late 2019, Google claimed it solved a problem that would take 10,000 years for the world’s fastest supercomputer within just 200 seconds using a quantum computer. Future quantum computers could open hitherto unfathomable frontiers in mathematics and science, helping to solve existential challenges like climate change and food security.
Quantum computing isn’t simply the stuff of science fiction. You could buy a quantum computer now if you have a lazy million dollars, or you could rent space from IBM. Even so, like cloud, like artificial intelligence, like electric vehicles, quantum computing is here now and it’s only a matter of time before it is available to the masses.
Yet, for all the good quantum computing can do, there’s one massive concern looming – the sheer mathematical grunt it offers that can crack – in fact, not only crack, but absolutely smash – cryptographic protections that the world relies on, in every system everywhere. One of the greatest protections of cryptography has been the sheer massive number of years it would take to brute-force such encryption. Well, with quantum computing that contracts instantly to seconds. Quantum computing, in the hands of the bad guys, takes us right back to the start from a security perspective.
Well, it would, except the giant brains of industry, people like Trzupek, are already focused on this. “People might think you just replace a certificate, it’s not a big deal,” he said. “But that’s wrong, it goes deeper than this. Quantum computing brings advanced algorithms to break cryptographic protections on data in rest and in transit. That’s the connections we use right now, it’s data on laptops.”
RSA
In the world of cryptography, the most famous algorithm is RSA, named after Ron Rivest, Adi Shamir, and Leonard Adleman, who publicly described it in 1977. The concept behind RSA encryption is to use two prime numbers as keys, which together combine to generate a shared secret that encrypts messages between two parties who share these secrets but do not know them ahead of time.
The difficulty of factoring large numbers has been known since 1770, if not earlier when Pierre de Fermat – of Fermat’s last theorem fame – proved there are no solutions for factoring into an integer times itself without using any square root operations or continued fractions. In fact, it is so complex an algorithm that the energy to figure out the factors and reverse engineer is more cumbersome than brute forcing, and with huge bit-size encryption is already centuries upon centuries. Well, until quantum computing renders it to seconds.
A Google search for “quantum RSA” indicates conflicting views on precisely when quantum computing will break RSA algorithms, but ultimately it is agreed that time is coming, and it may be sooner than you think.
“RSA is predicting serious trouble in five years,” Trzupek said. “Certificates will need to be replaced,” he says, but it goes deeper. “The software running will need new algorithms. The Internet protocols using RSA now weren’t built for other things. You can’t just swap algorithms.”
“All the wonderful cloud providers and content distribution networks (CDNs) doing SSL acceleration and processing are all doing RSA; it’s all going to have to change.”
Fortunately, the minds of DigiCert are on it. “We work ahead of things,” he said. “We’re the PKI geeks you don’t invite to parties because all we talk about are PKIs.”
“A lot of software, hardware, infrastructure, and algorithms will have to change,” Trzupek said. “Vendors will have to do testing, test their key generation, certificates, and so on. They’re going to have to deploy hundreds of millions of dollars of infrastructure and if they can’t work with these they need to know before putting them in the field or it will cost hundreds of millions to fix.”
It can sound bleak: “Our quantum computing experts say it’s less than five years before a quantum computer exists that can destroy RSA and then it all starts to erode. Different algorithms will erode within 10 years.”
Crypto Agility
Still, this is where Trzupek and his team are working on the problem. A new skill, a new attitude, is needed, one that he describes as “crypto agility.”
“Algorithms will start to not be viable. It won’t be all in one day, it will be continual, but certificates, libraries, software, and hardware will need to be replaced over time.”
“Crypto agility is the key to unlock this,” he said.
Digital bill of materials
Additionally, Trzupek says the company’s 2024 security trends report has been released. “Last time we did predictions for the year, one was that customers would embrace a digital bill of materials.” At the time, a small percentage of vendors were dealing with a software bill of materials, but fast forward to today and now 99% have embraced it.
“The prediction was good,” Trzupek said, “but a software bill of materials is still in our predictions. It goes back to what are the threats? Running on devices, cloud clusters, vulnerabilities in the software supply chain, things running on third-party software – it’s not always known at a single point in time. These are the things that lead to breaches, disclosure of PII, class-action lawsuits, destruction of systems, ransomware, erosion of trust, and more. It all starts with a breach.”
DigiCert’s research is seeing recognition that the whole software lifecycle needs to be uplevelled, with more data points pulled into the lifecycle. “It’s like a nutritional label,” Trzupek said. “What’s in this? Is it good? Is it ready to put on the store shelf?”
However, what do you do with it? “Our prediction now is companies will use the nutrition label to monitor over time and see vulnerabilities as they get injected into the lifecycle at any stage into what they’re building. They’ll use the bill of materials to have traceability through the software chain to see, and resolve, and stop breaches.”
“We’re going to see that sophistication in the software lifecycle,” he said. “I talk to a lot of customers and see telcos say they’re looking into hardware bill of materials to understand the full hardware supply chain – not only the devices themselves but what goes into the devices too.”
It all goes back to crypto agility. “It’s the crypto bill of materials – what are the algorithms being used in all that software? What are the protocols, keys being exchanged, certificates being embedded?” “You’ll see a lot more coming through next year,” he said.
DigiCert
There’s more to DigiCert, of course. “We can give people certificates,” Trzupek said. “But we go deeper. We can provide the software to manage all these components to help people solve, and touch, all workflows. We have deep understanding of crypto and PKI and where it fits and we help people design solutions all the time.”
The company last year launched Quantum Labs so customers could test tools, and a month ago it launched a service designed to help facilitate introductions with its experts, who can aid customers in inventorying, creating plans, and executing on their security plans.