The director of cybersecurity at the National Security Agency induced a few smirks among cyber pros last week when he told Bloomberg that there wouldn’t be any backdoors in the new encryption standards his agency is working on with the National Institute of Standards and Technology (NIST).
In cybersecurity parlance, a backdoor is a deliberate flaw in a system or software that can be surreptitiously exploited by an attacker. In 2014, the rumor that an encryption standard developed by the NSA contained a backdoor resulted in the algorithm being dropped as a federal standard.
“Backdoors can assist law enforcement and national security but they also introduce vulnerabilities that may be exploited by hackers and are subject to potential misuse by the agencies they are intended to assist,” John Gunn, CEO of Rochester, N.Y.-based Token, maker of a biometric-based wearable authentication ring, told bluehillco.
“Any backdoor in encryption can and will be discovered by others,” added John Bambenek, principal threat hunter at Netenrich, an IT and digital security operations company in San Jose, Calif.
“You may trust the U.S. intelligence community,” he told bluehillco. “But will you trust the Chinese and Russians when they get access to the backdoor?”
Trust but Verify
Lawrence Gasman, president and founder of Inside Quantum Technology, of Crozet, Va., a provider of information and intelligence on quantum computing, maintained the public has good reason to be skeptical about remarks from NSA officials. “The intelligence community is not known for telling the absolute truth,” he told bluehillco.
“The NSA has some of the finest cryptographers in the world, and well-founded rumors have circulated for years about their efforts to place backdoors in encryption software, operating systems, and hardware,” added Mike Parkin, an engineer with Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, in Tel Aviv, Israel.
“Similar things can be said about software and firmware sourced from other countries that have their own agencies with a vested interest in seeing what’s in the traffic crossing a network,” he told bluehillco.
“Whether it’s in the name of law enforcement or national security, the authorities have a long-running disdain for encryption,” he maintained.
There should be a trust-but-verify approach when it comes to encryption and security generally, advised Dave Cundiff, CISO at Cyvatar, maker of an automated cybersecurity management platform, in Irvine, Calif.
“Organizations may have the best of intentions but fail to see those intentions all the way through,” he told bluehillco. “Government entities are bound by law, but that doesn’t guarantee they will not introduce a backdoor intentionally or unintentionally.”
“It is imperative for the community at large to test and verify any of these mechanisms to verify they cannot be compromised,” he said.
Taming Prime Numbers
One of the drivers behind the new encryption standards is the threat of quantum computing, which has the potential to break the encryption schemes commonly used today.
“As quantum computers become mainstream, it will make modern public-key encryption algorithms obsolete and insufficient protection, as illustrated in Shor’s Algorithm,” explained Jasmine Henry, field security director for JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions.
Shor’s Algorithm is a quantum computer algorithm for calculating the prime factors of integers. Prime numbers are the foundation of encryption used today.
“Encryption depends on how hard it is to work with really large prime numbers,” Parkin explained. “Quantum computing has the potential to make finding the prime numbers encryption relies on trivial. What would have taken generations to compute on a conventional computer, now comes up in moments.”
That poses a big threat to today’s public-key encryption technology. “The reason that is so vital is that public-key cryptography is often used to transfer ‘symmetric’ key encryption. These keys are used for the transmission of sensitive data,” explained Andrew Barratt, managing principal for solutions and investigations at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services.
“This has significant implications for almost all encryption transmission, but also for anything else that requires digital signatures such as blockchain technologies supporting cryptocurrency like Bitcoin,” he told bluehillco.
Gunn maintained that most people misunderstand what quantum computing is and how it is vastly different from the classic computing we have today.
“Quantum computing will never be in your tablet, phone, or wristwatch, but for specific applications using specialized algorithms for tasks such as search and factoring large prime numbers,” he said. “The performance improvement is in the millions.”
“Using Shor’s Algorithm and future quantum computers, AES-256, the encryption standard that protects everything on the web and all of our online financial transactions, will be breakable in a short period of time,” he added.
Barratt asserted that once quantum computing is available for mainstream use, crypto will have to pivot away from prime-number-based math to Elliptic Curve Cryptography-based (ECC) systems. “However,” he continued, “it’s only a matter of time before the underlying algorithms supporting ECC become vulnerable at scale to quantum computing by designing quantum systems specifically to break them.”
What NIST, with the assistance of the NSA, is developing are quantum-resistant algorithms. “The requirements for quantum-resistant algorithms can include extremely large signatures, loads of processing, or massive keys that could present challenges to implementation,” Henry told bluehillco.
“Organizations will have to contend with new challenges to implement quantum-resistant protocols without running into performance issues,” she added.
When a working quantum computer will be available remains unclear.
“It does not appear we have hit the inflection point in the practical application yet to be able to say with any certainty what the timeline is,” observed Cundiff.
“However, that inflection point could occur tomorrow allowing us to say that quantum computing will be widely available in three years,” he told bluehillco, “but until there is a point to move beyond the theoretical and into the practical, it is still possibly a decade away.”
Gasman said that he thinks the world will see a quantum computer sooner rather than later. “The quantum computer companies say it will happen in 10 years to 30 years,” he observed. “I think it will happen before 10 years, but not sooner than five years.”
Moore’s Law — which predicts that computing power doubles every two years — doesn’t apply to quantum computing, Gasman maintained. “We already know that quantum development is moving at a faster speed,” he said.
“I’m saying we’ll have a quantum computer quicker than in 10 years,” he continued. “You won’t find many people who agree with me, but I think we should be worried about this now — not just because of the NSA, but because there are a lot worse people than the NSA who want to exploit this technology.”