Security is crucial when transmitting data over any untrusted medium, significantly with the web. Cryptography is often used to guard data over a public channel between two entities. However, there’s an imminent risk to present cryptography with the appearance of quantum computer systems. According to the National Institute of Standards and Technology (NIST), “When quantum computers are a reality, our current public key cryptography won’t work anymore… So, we need to start designing now what those replacements will be.”
Quantum computing risk
A quantum pc works with qubits, which might exist in a number of states concurrently, primarily based on the quantum mechanical precept of superposition. Thus, a quantum pc might discover many doable permutations and mixtures for a computational job, concurrently and swiftly, transcending the bounds of classical computing.
While a sufficiently giant and commercially possible quantum pc has but to be constructed, there have been large investments in quantum computing from many companies, governments, and universities. Quantum computer systems will empower compelling improvements in areas comparable to AI/ML and monetary and local weather modeling. Quantum computer systems, nevertheless, may even give dangerous actors the flexibility to interrupt present cryptography.
Public-key cryptography is ubiquitous in fashionable data safety purposes comparable to IPsec, MACsec, and digital signatures. The present public-key cryptography algorithms are primarily based on mathematical issues, such because the factorization of enormous numbers, that are daunting for classical computer systems to resolve. Shor’s algorithm offers a means for quantum computer systems to resolve these mathematical issues a lot sooner than classical computer systems. Once a sufficiently giant quantum pc is constructed, present public-key cryptography (comparable to RSA, Diffie-Hellman, ECC, and others) will now not be safe, which is able to render most present makes use of of cryptography weak to assaults.
Store now, break later
Why fear now? Most of the transport safety protocols like IPsec and MACsec use public-key cryptography through the authentication/key institution section to derive the session key. This shared session secret is then used for symmetric encryption and decryption of the particular visitors.
Bad actors can use the “harvest now, decrypt later” method to seize encrypted knowledge proper now and decrypt it later, when a succesful quantum pc materializes. It is an unacceptable danger to depart delicate encrypted knowledge prone to impending quantum threats. In explicit, if there’s a want to take care of ahead secrecy of the communication past a decade, we should act now to make these transport safety protocols quantum-safe.
The long-term answer is to undertake post-quantum cryptography (PQC) algorithms to interchange the present algorithms which are prone to quantum computer systems. NIST has recognized some candidate algorithms for standardization. Once the algorithms are finalized, they have to be applied by the distributors to start out the migration. While actively working to offer PQC-based options, Cisco already has quantum-safe cryptography options that may be deployed now to safeguard the transport safety protocols.
Cisco’s answer
Cisco has launched the Cisco session key import protocol (SKIP), which allows a Cisco router to securely import a post-quantum pre-shared key (PPK) from an exterior key supply comparable to a quantum key distribution (QKD) machine or different supply of key materials.
For deployments that may use an exterior hardware-based key supply, SKIP can be utilized to derive the session keys on each the routers establishing the MACsec connection (see Figure 1).
With this answer, Cisco gives many advantages to prospects, together with:
- Secure, light-weight protocol that’s a part of the community working system (NOS) and doesn’t require prospects to run any further purposes
- Support for “bring your own key” (BYOK) mannequin, enabling prospects to combine their key sources with Cisco routers
- The channel between the router and key supply utilized by SKIP can also be quantum-safe, because it makes use of TLS 1.2 with DHE-PSK cipher suite
- Validated with a number of key-provider companions and finish prospects
In addition to SKIP, Cisco has launched the session key machine (SKS), which is a singular answer that allows routers to derive session keys with out having to make use of an exterior key supply.
The SKS engine is a part of the Cisco IOS XR working system (see Figure 2). Routers establishing a safe connection like MACsec will derive the session keys straight from their respective SKS engines. The engines are seeded with a one-time, out-of-band operation to verify they derive the identical session keys.
Unlike the normal methodology (see Figure 3), the place the session keys are exchanged on the wire, solely the important thing identifiers are despatched on the wire with quantum key distribution. So, any attacker tapping the hyperlinks will be unable to derive the session keys, as having simply the important thing identifier just isn’t adequate (see Figure 4).
Cisco is main the way in which with complete and revolutionary quantum-safe cryptography options which are able to deploy as we speak.
Watch this Cisco Knowledge Networking (CKN) webinar
and uncover how Cisco might help defend your community.
Share: