
Points A through to Q - R (Quantum-Resistance)

BSides Canberra, 1:18:01, 201 views, published 2024-10
Transcript [en]

It's time to introduce Stuart Walters, and he's going to talk us through Points A through to Q-R, Quantum Resistance. So, a big round of applause for Stuart. [Applause] Hi. Yeah, I'm Stuart, and let's get into this, I guess, except my mouse isn't working. Oh, there it is. Yep, okay. So I'm the managing director and principal consultant at Bespoke IT Pty Ltd, a boutique consultancy out of WA that works nationwide. I'm also a casual lecturer, president-elect of the ISC2 WA chapter and a co-administrator of the dotm club. Also not an IRAP assessor, I'm just going to put that in there, cough cough, yet. I work principally on

confidentiality and integrity problems. I do a lot of crypto work, and authentication, app control, that sort of thing. Not that I normally care to print out my resume, but I've listed these sorts of jobs here just because it kind of relates to some of the skill sets required to do this kind of work. So I've previously been a Unix administrator, which deals a lot with DNS and LDAP; a Windows administrator with specialities in Active Directory design and implementation; I'm a cryptography specialist, particularly in TLS and PKI design, implementation and audit; and for the last maybe decade or

something like that I've been working as a solutions architect, security architect, enterprise architect, call it whatever you want. These four roles in my career history have a common thread amongst them in that they all deal with hierarchies. You wouldn't think that they would relate to each other, but in the context of PKI they do; it's very hierarchical, and so it does help to have a grasp on how hierarchies fail within systems. Today we're going to cover the topics of: some of the reasons that Australian organisations get cryptography and key management wrong; the philosophies and principles behind sound cryptography and key management;

we're going to explore some of the coming shifts in the field of academic and applied cryptography, and why it's necessary for change in our information systems, and what organisations can do to change themselves to reduce their future risks. And I hope, not that it's actually necessary to do quantum resistance, but I hope we demystify quantum resistance a bit for people, particularly quantum computing. We cover a little of that, but it's not actually necessary in order to deal with quantum resistance; it's a completely different field. All right, I use some very specific terminology in this talk, so I'm going to list them here. When I say due care

and skill, that's a legal term, but when used here I mean that an acceptable level of skill or technical knowledge was used and all necessary steps to avoid loss or damage were performed. But I will add in a caveat emptor there: I'm not a lawyer; you should not interpret this as legal advice. If you need legal advice on the legal terminology around due care and skill, please go seek legal advice for that. I also talk quite a bit about what's reasonably secure, and I define that as: due care and skill was applied, known vulnerabilities were removed or reduced to acceptable levels that a skilled person would be

reasonably expected to make. When I say insecure, I'm generally meaning not operating safely. If I say not operating reasonably secure, or not reasonably secure, I'm also meaning not operating safely. And, I don't tend to use this much, I don't think, but not operating safely over long periods of time might mean you're negligent. So why all these business terms? This is about cryptography, is it not? Well, yes it is, but when you're trying to change an entire organisation's perspective on cryptography and key management it's quite a difficult task. It's a very complicated subject that not many people outside of those who work on

cryptography solutions fully understand, and it can be very difficult to get change within Australian organisations to move to what we know is a good working state. They're not there yet, and they don't have the skill or care to go there. So when you as technologists use language like "the crypto system is vulnerable to breach", it doesn't hit as hard as possibly using language like "due care and skill did not apply to the control of the crypto system, and the organisation may potentially be negligent if it continues to operate the crypto system in the knowingly unsafe ways that it does." I find leveraging business language

when taking matters of cryptography up the chain far more effective in trying to get them to listen to what you're talking about. It's inherently hard to talk about cryptography to anyone except for those who deal with it directly, but hopefully some of that language might help if you're having to go through this process yourself. All right, a bit of a tangent. This talk is about cryptography, but we kind of have to take you back a little bit further than that, into a bit of philosophy, to understand why cryptography actually matters. So, I'm not sure if you're aware, it's almost impossible for you to prove that you are

secure. You can think you're secure; that's an opinion. You can believe that; that's a belief, and sometimes a mistaken one. You can feel that you're secure, which is usually intuition, feelings or emotions, however you want to phrase that. You can state that you're secure, but that doesn't necessarily make it so; those are claims or assertions. And you can try to reason with yourself that the available evidence you have before you leads to a conclusion that secure is true, but that doesn't always make it so. It's improbable and impossible for you to completely and irrefutably prove that you are 100% secure. You can do

the opposite, however, which is sometimes a little strange: you can disprove you are secure, or, to put it another way, you can prove your insecurity. That's because secure is not a fact; it's never been a fact and never will be a fact. It's a value. Anyone trying to tell you that they are secure might be knowingly using it as a value, or deluding themselves that it is a matter of fact, and/or knowing that it is a value but hoping you will believe it is a fact. So when you have conversations around the word secure, I find it much better to use the term reasonably secure. So, to understand all this we're

going to need to dig into a bit of philosophy. We're going to skip epistemology, aesthetics versus ethics (also known as form versus function) and the demarcation problem of science, but if you have an interest in this I'd highly recommend you go read up on these subjects. So one of my favourite philosophers, I guess you could say, is David Hume. He's a Scottish thinker from the 18th century; he was a philosopher, historian and economist, and he gave us advances in the field of philosophy relating to empiricism. Yeah, my sense of humour at 3:00 a.m. in the morning is a little weird. Hume came up with the is-ought

problem, and that can sometimes be referred to as Hume's law or Hume's guillotine; I've heard it referred to as Hume's fork as well. For visual learners, neurodivergent people and some speedrunners, here's a 1 minute 30 video explaining the is-ought problem. I'm not going to play it today, but there's the link; you can play it at home. Once you see this video... Related to Hume's law is what Hume himself called the fact-value distinction. Hume puts forward in his is-ought problem that when people reason about the world around them there's a gap between their statements of fact, which are usually

expressed as true or false, and their judgments of reason, which are usually expressed as right or wrong, or good or bad. So an example of this is: I say to you, "What a wonderful day today is." Now, first off we need to look at that statement and determine which of the words are facts and which are values. So "day" is a fact; days happen, we can prove that from most places on Earth. "Today is" might also be a fact, if you ignore a bunch of philosophy and physics that says time doesn't exist. If we take the word "wonderful" and reduce it down to something similar,

what's being said there is that today is good. So wonderful means good; wonderful is the value in the sentence. But what facts did I come to rely on to say that today is wonderful? Is it that the sky is sunny and blue? Or is it that today is Friday and the weekend is soon? Is it that I'm not at work today and instead I'm attending Canberra Nerd Con, infosec edition? Is it that I've seen many of my friends today and that makes me feel good? Or is it because I've lured 3,000 delegates here with the prospect of talking about cryptography and I'm actually talking to them about philosophy in some kind of bait and switch

move that I find amusing? Unless you ask more questions about the statements of fact that led to the judgment of reasoning that the day is wonderful, in my opinion, or according to my judgment, you won't truly know if the facts meet the value judgment. I promise you it's the bait and switch on the philosophy, to be honest. But what if my assertion that the sky is sunny and blue was false, because right now the sky might be grey and rainy? Or maybe you just hate philosophy because you hate being smart, I don't know. We may never know. And I can't move my screen again, sorry. There we go. All right,

understanding Hume's law helps us see that people mess up their fact-to-value transition quite a bit. Sometimes facts aren't facts at all either; sometimes people include assertions, which are unverified claims of fact, opinions, their beliefs, their biases, or whatever suits them on the day, because they just don't want to hear what you're talking about, and then they reach incorrect judgment values. For example, statements like "our crypto system is secure" with no or little factual backing to that value judgment. So some quick takeaways on Hume and the is-ought problem and the fact-value distinction: people, even in our own industry, get the fact-value

distinction pretty wrong, and sometimes quite a lot. When someone talks about "we should" or "we ought to", they're talking about values, not facts, and that's important; that sometimes can tell you what they're talking about. Also, when we're talking about facts versus values, what we're actually talking about is science versus ethics. We need both ethics and science in our infosec industry, but the industry is nevertheless a scientific discipline, and that means we need to follow the facts, particularly when auditing or assessing any system, to be honest, but I mean in the context of cryptography, crypto systems. There's more to all of this

if you study it as a matter of philosophy, but for our purposes in the talk today I don't go much deeper into it. There's a postscript note there that says the reason why sales and marketing teams call their differentiators to competitors' products and services "value propositions" is because they're selling you on a value statement, not a matter of fact. They know that values make sales, not facts. And so when you look at the claims of a vendor, or you look at the claims of a product or service that's been delivered to your organisation, you do need to weed out... sometimes I find it's helpful to weed

out the value statements from the facts and try to see if the facts will actually meet those values. That does sometimes expose some insecurity in systems. All right, then we drop into Sir Karl Popper. He's an American, sorry, an Austrian-British thinker from the 20th century, a philosopher of many schools of philosophy. He introduced falsifiability, the problem of induction and the problem of demarcation. We won't be going much into Popper's philosophical work except for his observations on pseudoscience versus science. For visual learners again, playing at home, you might find this video a little easier to deal with than my voice, but you can watch that at home if you need to.

Popper studied, if you're not aware, how Sigmund Freud developed his psychoanalytical theories on human behaviour and how Einstein developed his general theory of relativity. Whereas Freud sought to use past events to prove his theories on human behaviour, Einstein used future events to attempt to disprove his own theories of the universe. So what are the implications of that? Why is that important? Freud's methods allow Freud, or anyone for that matter, to reinterpret their past events over and over again without requiring them to concede that the theories have been proven to be untrue, whereas Einstein's methods, on the other hand, were actively looking to disprove his own work, because if he

couldn't disprove his theory he might be one step closer to being true. So, in short, Einstein's methods, which Popper calls science, remove the possibility of pride, ego or falseness from affecting the result, and this is converse to Freud's methods, which Popper calls pseudoscience. So, bringing this back to secure, reasonably secure and insecure: when I audit crypto systems I'm often documenting to customers the evidentiary facts as I can see them, which demonstrate their systems are flawed or broken, and especially the ones that can lead to full system compromise. I wish I could say I've had fantastic customers over the years, but I can't genuinely remember the last time I didn't break a

PKI. Such is the state of cryptography in Australia, possibly, or maybe I just have a bias because I work with customers that need help. But usually the first question I immediately get back from the customer after doing that is, "But do you actually have any proof that we've been compromised?" And my answer is more or less along these lines. It's usually a bit obtuse; I try not to be, but my answer to the question every single time is: I'm sorry, it's not my job to prove to you that you have been breached in the multiple years that you've been operating that crypto system.

It's your organisation's job to prove to me, the PKI specialist, that you have been operating that PKI with due care and skill, such that I'm in a position to say that you've been running it reasonably securely. If you want to know if it was breached, go hire digital forensics. If you want to know if it can be breached, go hire a pentest or red team; that's what they do. But if you cannot demonstrate to me with facts that you hold sufficient evidence about how the crypto system was operated with due care and skill, then it actually is insecure to me. It's an assumed breach position within cryptography. We'll get into why that is in a little

bit, but I simply say this: show me the facts that you've been operating with due care and skill, and anything else is the assumed full breach, whether it is or not. We'll come back... sorry, I've said that already. So let's look at the problems with the question, why the question was asked at all. The problem with the customer asking me, a defensive security specialist, to supply them with conclusive proof that they've been breached becomes a three-fold problem. So, unless it's glaringly obvious that evidence exists, by answering it at all I risk wandering outside of my speciality. As a PKI specialist I

exercise due care and skill pertaining to PKI, but can I say the same if I were to suddenly do some pen testing or digital forensic analyst work? Maybe, maybe not. There's also the problem that absence of evidence is never evidence of absence. Just because I go looking for evidence of a breach doesn't mean I find it, but that doesn't mean a breach didn't occur; the adversary might have been very, very good at tidying up their tracks, or I may be very, very bad at digital forensics work. This one's the most insidious one though, and I experience this a lot in trying to move organisations

forward with cryptography systems, and that is that, regardless of whether the breach did occur or not, hidden within the question is an implied assertion to the contrary: because they're saying "have you actually seen the breach?", they're putting in an assumption that they were secure in the first place, or that they were ever secure. This is unfortunately peak pseudoscience, and we experience a lot of it in the tech sector, and especially I experience a lot of it in crypto system auditing and design. You know, you get statements like "AI is intelligent and can do as good as, if not better than, humans", "blockchain is commercially viable and will decentralise

currency" (I won't announce that one, because I know I put that in there to annoy some friends of mine with risk management tendencies, but anyway), "quantum computers will help us solve complex problems quickly". These kinds of statements don't have facts behind them. There are lots of values, but until the facts come forth, and maybe they never will, we can't actually say this. Well, you can make the claim, but it's not a matter of fact, and PKI, and evidentiary controls around PKI, need to operate on fact. So to those sorts of people who say these things, I say: maybe you're right, but please do prove that with

facts, so that I can assess whether the facts of the situation meet the value judgment that you're claiming, and I probably have a few facts of my own which can cast doubt on, or partially refute, or fully refute, possibly even completely disprove, those value judgments. The burden of proof is always on the claimant. So let all the facts be tallied, and then, and only then, we should probably assign the value judgment of whether the system is good or bad. So, in short, if you're going to claim or imply your crypto system is secure, bring me as many facts as you can muster, and I can tell you whether it's

insecure outright, because I found a lack of controls, or I found a lack of evidence of controls, or I found the breach, or, on the balance of probabilities, do I believe it to be reasonably secure, absent any evidence to the contrary. This was a joke for those people who actually know this philosophy; I pretty much butchered a lot to get to that point. That's the man that probably can refute just about everything I just said, but I'm not using philosophy here to teach philosophy; I'm using it to teach science. All right, another tangent, 50% less tangent. Okay, we're going to get to some of the philosophies and principles

behind sound cryptography and key management, something that I find is lacking in a lot of the systems I audit, unfortunately, and it's the lack of this that is usually where I find a break somewhere. Okay, so Kerckhoffs, I'm going to butcher his name, I think he's Austrian, but it's always hard to pronounce: Kerckhoffs's principles. There were six of them, but the one we adhere to most in cryptography design is the second design principle of military ciphers from Kerckhoffs, aka Kerckhoffs's principle. It's the basis of all modern cryptographic algorithms. Prior to that it was steganography, and

that wasn't very effective, so this is kind of where true cryptography happens. Kerckhoffs says this: it should not require secrecy, and it should not be a problem if it falls into enemy hands. Fast forward to 1930: Claude Shannon's work in information theory produces Shannon's maxim. Shannon's maxim was either independently derived from Kerckhoffs's, or is based on it; we don't really know, but it's considered a reformulation of the same idea, and Shannon's maxim states that one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them. These two principles, or philosophies you might want to call them, do a lot of the

heavy lifting when it comes to sound cryptography and key management design, and we can reform both of them into a modern version, which becomes: secrets must remain secret. That sounds pretty obvious when you say it aloud, but you'd be surprised how often sysadmin teams and organisations break this rule, and it leads to theoretical or practical breaks in crypto systems. All right, but more specifically on "secrets must remain secret": a crypto system should be secure if everything about the system except for its critical components is public knowledge, and the critical components are defined as, at the very least: your private keys must remain secret; your

initialization vectors must remain secret; your nonces (a number used once) must remain secret and only be used one time, they must never be reused; and random numbers must remain secret, and they must be truly random when they are generated; they must not be predictable, nor must they be pseudo-random. This is an all-or-nothing proposition in cryptography: either you can demonstrate proof that the critical components of your crypto system have remained secure, or they are inherently insecure. There's no granularity in a break in cryptography. It's so, and particularly PKIs, that product is so brittle. It is not how we would build a secure protocol today; it's just very ancient in its design. It's

simultaneously one of the best and worst things we have. It is powering all the encryption on the internet, and yet it's about 40 to 50 years old and has a lot of problems with it, and no one even talks about what we do to replace it. People have tried, and it didn't happen. But for now you have to know that you either have proof that those critical components are safe, or they are just insecure. There's no third option where crypto systems are concerned.

All right, when a crypto system is not able to be proven to have kept its secrets secret, or it is suspected and/or proven that the secret has become public knowledge, your only viable option to remove that publicly known secret is to replace it with a privately held secret. In the case of private keys becoming public knowledge, we call that process rekeying. It's hugely disruptive, but it's the only way to be sure that you hold the secret and no one else holds the secret. For example, if I find a breach all the way up to your root CA, you have to untrust everything and reissue every single certificate in your organisation. It's a

massive cost and a huge amount of time to deal with. It can be done; it's just that you don't want to. So as a PKI specialist, if you cannot prove to me that your secrets remain secret, or I suspect that they have not remained secret, or there is demonstrable proof that those secrets did not remain secret, then I will tell you that this crypto system is no longer worthy of your trust, as it is insecure, and that you need to immediately rekey your crypto system for your own protection. Anything less than this means that you're not operating safely, and if it comes down to it, if you continue to not operate safely despite

being told by a PKI specialist that the crypto system is in a known bad state, then potentially your inaction to restore secrecy to your own systems might constitute negligence, say, if you're breached. 3:00 a.m. here, it's not good. All right, so people, process and technology. I've been really happy; I'm an architect, this is an architecture concept, and it's been in architecture for some time, but around five to six years ago I started witnessing people within the infosec community talking about these things, which is great. Believe it or not, architecture is not supposed to be solely practised by architects. It was always intended that architects not only practise

architecture themselves but help you practise architecture. That's the point: it's a whole-of-organisation thing, or at least it's meant to be; that's not how it works in practice. But the point is that architects are there to help you practise your architecture; they're not the guardians of all architecture. So I'm happy to see this concept come into the infosec community. Around five, six years ago I started seeing that within talks, but something I've noticed since then is that some of our community doesn't fully understand the concept of people, process and technology, so I thought I would just quickly address that. If you have a people problem, it's best to

implement a fix to the people. Likewise, if you have a process problem it's best to implement the fix to the process, and if you have a technology problem, go fix the technology. It's not exactly forbidden to use one on the others if that works, but more often than not you're probably implementing the wrong kind of fix. I've seen more organisations than I care to count try to fix people problems with poorly conceived technology, when they could have just had a frank conversation with their own staff and then worked things out. Unfortunately this happens quite a lot in IT, and it does happen to be in infosec.

I mentioned that because most organisations' key management woes are a result of instigated failures in people and process as much as they are failures of technology. So simply buying a key management solution and expecting that will resolve the underlying cultural problems in your organisation is not going to go well for you. You will have spent a lot of money on a solution that you don't understand, can't get your people to accept, and doesn't actually become fit for purpose. So an experienced architect will usually detect when a people or process fix is easier, cheaper or more effective than that, but I've got to say even experienced architects do get caught

on this sometimes. It's not always obvious to us when there are multiple facets to the problem in the people, process and technology. But just be mindful not to be over-dependent on technology solutions, particularly within cryptography and key management, because you can end up buying a product that works in practice but not in your organisation. All right, we're here at cryptography finally, and I forgot to start my timer, so I don't know how far into this talk we are. Okay, so let's talk computers, IOPS and Moore's law. I had to put the first few points in here just for completeness; I know you all know this. I'll just

quickly buzz through it. A CPU is comprised of millions of tiny transistors on a die, and we measure each transistor state as being off or on, represented in mathematics via 0 and 1. All right, we got past the boring bit. We also know from experiments done many decades ago how fast a CPU can perform the input/outputs per second, or IOPS, required to perform the encryption and decryption operations. There are maybe six sources; I tend to lean heavily on Lenstra and Verheul a bit, but there are others there too, and whilst some of those are old experiments, when we combine... sorry, I missed a step there.

Those experiments were really old, like 30, 40 years old, and they relate to the CPU of the day, but when we combine those old experiments with Moore's law as a rough guide we can generally get an understanding of how fast encryption and decryption operations work in today's CPUs. We don't actually need to do that; Lenstra is still calculating stuff, so he's still doing it on modern CPUs, as are others. I'm just using that for today's purposes. So Moore's law being an observation that the number of transistors in an IC will double every 2 years, ergo CPU speed approximately doubles every 2 years, and

that means that encryption and decryption operations speed up as a result when CPUs get faster, and so do the attacks on cryptography, which means periodically we have to increase our key sizes to accommodate growth in CPUs and processing power. All right, cryptography is in essence a study of computations over time. The broad aim of cryptography is to make it so that the cost of computations on ourselves is relatively lower in comparison to that of the adversary. We're trying to make the adversary's computations cost more, but periodically the adversary's cost drops below a safe level because of the ever-continuing growth of CPUs, and to compensate for that we increase

our key size, which adds further cost to the adversary. All right, show of hands, bit dark in here, but who knows if their workplace is still using RSA 2048? And please also put your hand up if you're working on a customer that's working on RSA 2048. Yeah, a couple. All right, next question: what year is it appropriate to move away from RSA 2048? Put up your left hand if it's this year, and put up your right hand if it's next year. Oh, a couple of hands. All right, sorry, that was a trick question. I'd argue that the

appropriate year to move away from RSA 2048 was probably 2021, or possibly earlier if you had larger protection requirements. Best case scenario, RSA 2048 hits its sunset phase in 2025, giving you 5 years of total protection; worst case, if you need longer than 5 years, it's not giving you the protection you need right now. I haven't built a PKI trust chain with RSA 2048 since prior to 2020, just to be safe, and if your organisations have, I'm sorry to say that due care and skill might not have been present. I'm going to show you how that gets calculated. So for that you need to go to NIST SP

800-57 Part 1 Rev. 5; the link's there if you need it. I'm not going to open the whole document. Tables 2 and 4 in that document tell you you can use RSA 2048 till December 2030, and this is where I find most organisations get hung up on it: they think they're still in the grace period of using it safely. Unfortunately, then you also get to Figure 2 within 800-57, which also gives you this, and that whole section talks about algorithm originator usage period versus algorithm security life. What it basically says is you need to reduce the years using it by how many years of protection, off the back of December 2030. So

in this example, if you expect the full protection of the RSA algorithm using a modulus of 2048 bits and you require that system to be adequately protected for 4 years, you have to stop using that algorithm no later than 2027. But by that same rationale, if you're expecting full protection for 7 years you have to stop using it this year, and if you're expecting it for 10 years, 2021, which is why I stopped using it back then. And 7 years sounds like enough, but I assure you it's really not. Cryptographers measure years not in 1 and 2 and 10 and 50; they're dealing with time calculations of

hundreds, thousands, millions, so 7 years is quite short to a cryptographer as well. The ISM says that we should be moving off that anyway, so the Fed gov, state gov and CI industry should all be on RSA 3072 or above at this point, but I would just go ahead and remove RSA 2048 from your organisations. So, bit of a reality check, unfortunately: if I audit your PKI and I find that RSA 2048 is still in use from next year, I will report back that due care and skill is not being applied to your PKI operations and you are not operating safely. RSA is no longer fit for purpose.
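As an added worked example (not from the talk or the speaker), here is the originator-usage-period arithmetic described above in Python. It assumes the SP 800-57 Part 1 Rev. 5 figures the talk quotes (RSA 2048 rated at 112-bit security strength, disallowed for applying protection after December 2030; 128-bit strength and above with no sunset in that table) and counts the year boundary conservatively, so its cut-off dates can sit a year earlier than the rounded years quoted in the talk.

```python
"""Originator-usage-period check for RSA key sizes.

Added example, not the talk's own tooling. Assumes the NIST SP 800-57
Part 1 Rev. 5 figures quoted in the talk: RSA 2048 is rated at 112 bits of
security strength, which is disallowed for applying protection after
31 December 2030, while 128-bit strength and above has no sunset in that
table. Year boundaries are counted conservatively: the required protection
period must end no later than the disallowed-after date.
"""
from __future__ import annotations

from datetime import date
from typing import Optional

# SP 800-57 Part 1 Rev. 5, Table 2: comparable security strength (bits) of
# RSA modulus sizes. Sizes between two rows are rated at the lower row
# (assumption: e.g. 4096-bit RSA is treated as 128-bit strength, not more).
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

# Last date on which protection may be applied at a given strength. Only the
# 112-bit row is taken from the talk; strengths below it are treated as
# already disallowed (assumption), strengths of 128 bits and above as having
# no tabulated sunset.
DISALLOWED_AFTER = {112: date(2030, 12, 31)}
MIN_ALLOWED_STRENGTH = 112


def rsa_security_strength(modulus_bits: int) -> int:
    """Map an RSA modulus size to its comparable security strength in bits."""
    eligible = [bits for bits in RSA_STRENGTH if bits <= modulus_bits]
    if not eligible:
        return 0  # below every tabulated row: no meaningful strength
    return RSA_STRENGTH[max(eligible)]


def last_application_date(modulus_bits: int, protection_years: int) -> Optional[date]:
    """Latest date at which protection may still be applied with this key size
    so that the required protection period ends before the algorithm sunset.

    Returns None when the strength has no tabulated sunset, and date.min when
    the strength is already disallowed.
    """
    strength = rsa_security_strength(modulus_bits)
    if strength < MIN_ALLOWED_STRENGTH:
        return date.min
    sunset = DISALLOWED_AFTER.get(strength)
    if sunset is None:
        return None
    # Security life minus originator usage period: protection applied on the
    # returned date expires exactly on the sunset date.
    return sunset.replace(year=sunset.year - protection_years)


def may_apply_protection(modulus_bits: int, protection_years: int, today: date) -> bool:
    """True if applying protection today with this key size still covers the
    required protection period before the sunset date."""
    cutoff = last_application_date(modulus_bits, protection_years)
    if cutoff is None:
        return True
    return today <= cutoff


if __name__ == "__main__":
    # Constructed sample: the talk was given in October 2024.
    talk_date = date(2024, 10, 1)
    for bits, years in ((2048, 4), (2048, 7), (2048, 10), (3072, 10), (1024, 1)):
        print(bits, years, last_application_date(bits, years),
              may_apply_protection(bits, years, talk_date))
```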

It was good while it was there, but it's time to move on to something else, and this is a series of changes that will need to happen over the next 15 years, because we kind of got lucky. Lucky is not the right word: RSA is extremely well designed, and it's quite good that it has lasted as long as it has, but we know it's not going to last forever, and algorithms historically don't last that long. So it's good that we've had it for so long, but now we need to move to other things. I would recommend you all go to, well, they say 3072 or above,

and the reason for that is because the major PKI software out there, which is Microsoft ADCS, calculates step-ups on bits in a bitwise manner, so it jumps from 2048 to 4096. You actually can't do a 3072 PKI on ADCS, but if you're with ADCS, go to 4096, you'll be fine. More 3am humour. All right, let's talk about quantum computers a bit. I really am going to butcher this; this is not my field, this has strayed quite massively out of it. This is closer to physics than it is mathematics and PKI, so for everyone who knows this better than I

do, I'm so very sorry, but we'll press on. I've put some slides in here for your amusement or entertainment. Okay, so believe it or not, you don't need to know much about quantum computers in order to start your quantum resistant cryptography program. Some knowledge does help, but as I said before, they are different scientific fields. Quantum computing is theoretical and applied quantum physics. Quantum resistant cryptography is just standard theoretical and applied mathematics; if you're writing the algorithms that's a bit different, but if you're implementing them it's really just maths. And quantum cryptography is theoretical and applied quantum physics and mathematics. I've changed the order of that, so

let me just go down to the next point: quantum resistant cryptography does not equal quantum cryptography. Just quickly, the difference between the two is that the former uses mathematics on ordinary CPUs to defeat quantum attacks, whereas the latter is cryptography using entangled photons at an atomic level. I'm sorry this is such an oversimplified view, because when you get into the physics of it, it's not me, but it is cryptography at an atomic scale, and that's not what we're doing here. What we're trying to do is the first step, not the second step, which is just to protect ourselves from the day that quantum computers come about, and that is called

quantum resistant cryptography. So just be mindful, they're two very confusing terms and they often get swapped out, but they are different things. Now, you need a sufficiently sized quantum CPU to run quantum algorithms of any form, including the quantum algorithms that attack classical cryptography. There's two kinds of quantum processes that exist; we only care about one of them. There's quantum annealing, I always pronounce this word wrong, for example the systems made by D-Wave, and there's also quantum CPUs, for example the systems made by IBM, Google and such. We don't care about D-Wave and the annealing systems.

Quantum annealing processes are incapable of running quantum algorithms related to cryptography. As far as I know they will never be important in the context of your or my concerns on quantum resistance; they're just not capable of running the algorithms to attack cryptography. So if someone comes to you and says D-Wave just made a gazillion qubit CPU, you don't need to worry about that. This is a picture, not a picture of the quantum CPU, it is a picture of the cooling system of a quantum CPU; the CPU is somewhere in there. Source credit from Engadget. As you can see, it's quite large, quite fancy and quite expensive. We're

going to get into that next. Where a classical CPU has binary transistors and can calculate the zeros and ones, quantum CPUs use quantum bits, or qubits, and a lot of physical and logical gates. My loose understanding, as I said this is closer to physics than it is mathematics for me, but my loose understanding of how quantum CPUs and quantum mechanics work is that the quantum CPU can calculate zeros, ones, and the superposition states of both zero and one at the same time. I'm going to be honest, I don't understand this part of physics. I have a concept that it's there, so will you, but whether you

understand that or not is dependent on how much training in physics you've had. My total level of understanding of this is that being able to calculate additional states over just the two binary states of 0 and 1 makes the quantum CPU much faster for certain types of calculations. Now, some of the quantum CPUs are being used, or it's thought that they can be used, to model viral behaviour, better predict weather patterns, that sort of thing. But unfortunately, pretty much from day one, as soon as we get a sufficiently sized quantum CPU, we lose all known cryptography that we use on the internet to protect the internet. All right, so the chips are very tiny in

comparison to the size of that cooling system. That's because the quantum CPUs are very error prone, and to reduce the noise, or their errors, which they're very, very prone to, they need to be super cooled, and they use superconducting circuits. That large and expensive heat pipe system you saw in the previous slide is there to deliver quantities and quantities of liquid nitrogen just to keep it at the required temperature to reduce the error count, and that is designed to cool the quantum CPU to approximately, I think it is from memory, 2° less than space. And you read that sentence wrong if you were

reading it: not 2° lower than the temperature of Earth, but 2° lower than the cold vacuum of space. That's very, very cold. My best guess, I'm not a physicist, but that's somewhere in the vicinity of -270° Centigrade, though there are improvements currently in the works to make hotter running quantum CPUs, which means they will be cheaper to cool. Because of that extreme cooling solution needed to make these work, you will probably never hold a quantum CPU in a phone-sized device in this lifetime, or at least in the next 40 years. That statement would become false if room temperature superconducting circuits were possible, and thankfully,

for a bunch of reasons, no one has created them yet, relating to the breaks in cryptography; they otherwise have some great benefits. So this is my way of saying that civilians will never have direct access to this technology, probably from day one, or possibly even ever. So do not let any company use fancy value propositions about owning handheld quantum devices; they might be misleading you. And yes, unfortunately I put this in because there's already companies doing this, especially one, because there is an Australian company doing this; I'm not going to name them. The only organizations in the world that will have ready access to this technology are nation states,

whatever we're calling the FAANG-like companies today, so you know the ones, IBM, who's doing a lot of research in this field, and a handful of other companies that are doing research in this field. But that's going to have implications if you've ever had designs of playing with this shiny new technology as it comes out. A couple more observations, and some context: originally it was calculated that 4,000 error-free qubits would be what's required to break an RSA 2048-bit key. At the time, the largest quantum CPU was around 100 qubits, so a mile short. They're up to

I think roughly 1,000 qubits in a CPU at the moment, but still, scaling it from 1,000 to 4,000 is a huge feat of engineering that may have problems as time goes on. IBM's quantum roadmap says they have the path forward to 4,000 qubits in the next couple of years, I think from memory it was 2026. And I'm a huge IBM fan, but you know, their quantum team is chock full of very, very smart people, probably smarter than me, but I kind of say prove it, do what you say you can. I think there might be manufacturing problems as time goes on, I could be

wrong, but rather than believe the value proposition of another distant but "it's absolutely going to work" technology, I think we should cut through some of the pseudo-science on this and just ask companies like these to continue their work. It's very important work, but it does come with a lot of marketing claims that cannot be proved today. Their approach doesn't make use of a single 4,000 qubit CPU, mind you; it uses smaller quantum CPUs over a cluster. There's probably a couple of things that could go wrong with that as they're trying to scale up. And there's also no consensus about

actually how many qubits it would take to break an RSA 2048-bit key. 4,000 is less likely, or there's less consensus around it these days. IBM still kind of, I think they might be pushing that line still, but there's a more recent piece of research that says approximately 20,000 noisy qubits, i.e. error prone qubits, is what's required to break RSA 2048 bits. So in terms of capabilities to break RSA 2048 right now, that's just not going to happen, but that doesn't mean we can sit idle for these sorts of things, which we'll get to in a sec. So the estimates of when

quantum computing becomes a problem for us, such that the quantum algorithms become a problem for us, are widely speculative. No one can actually tell you an honest answer on this because we just genuinely don't know; we think, but we don't quite know. My personal guess, and it's not one you should put stock in, is between 15 and 45 years, possibly never at all. I know that doesn't exactly seem helpful, but I'm sort of beginning to think that it is another fad of a technology. We've proven it works, but I'm concerned about the commercial viability of this kind of technology. We have science that fails all the time simply because it can't

scale in the economic realm, so we'll see what happens in the next 10 to 20 years, I guess. All right, so time for me to confess: I made a bit of a mistake as I was designing a strategy piece for quantum resistance, and it's a simple little mistake. I've actually done these sorts of critical infrastructure head-to-toe reviews of cryptography before, and the organization I'm referring to, that I've just recently completed the work for, is an organization I won't name but I'll refer to here as Acme. When I did the previous

work of this calibre for a different organization, quantum wasn't a factor. All right, my notes are here. So in that particular job I got a pretty strange request from the board of this company, it was in 2018 roughly, and the board had read a big four consulting piece about how the top 10 things the board needs to worry about in 2018, next year, is going to be quantum computing. It's just peak pseudo-science, because it's not in line with reality, or the facts as I would say. So I got that question; it was very easy for me to respond and say in the

next 2 years quantum's not going to be a thing for you, so you don't need to worry about it. And the mistake was, when I took on this job with Acme, I scoped it up more or less in the same way I did the last one, and I forgot to retest my own assumptions and calculations on whether quantum would be a factor. I only remembered to do that halfway through actually doing the job, and what I came out with was that a critical infrastructure organization probably needs to start moving towards quantum resistance this year, if not next. While there's a lot of years ahead,

there's also a lot of work for critical infrastructure organizations to achieve quantum resistance, and they're not particularly known for moving fast. So, live and learn; the need for me to act with due care and skill, it even gets me from time to time. I just, mid-job, lose a bit of money, but put in the pathway for quantum resistance, and that's how this work came into a quantum resistance

focus. Sorry, I've lost my place. Okay, here we go. All right, quantum resistance requires that you can withstand quantum attacks from what's known as Shor's algorithm, which, given a sufficiently large quantum CPU, is a full break of widely used asymmetric mathematics, including integer factorization mathematics, including RSA, and discrete logarithm mathematics, DSA, ECDH and ECDSA. There's also Grover's algorithm, and that's a partial break of symmetric algorithms. And again, this is on the assumption that there's a sufficiently large quantum CPU; that is key, because Shor's is a mathematical proof that we can break these, it just needs a big enough CPU to do it, but the

CPU doesn't exist yet. So what we're looking at here is how fast can they perfect the technology, if they can perfect the technology. But anyway, back to Grover's: that break is a partial break of symmetric algorithms including AES, and the partial break is due to a quadratic improvement in speed, which translates to halving of the key space and effectively halves the time taken to brute force the key. All right, so if quantum computers are potentially so far away, why do any of this? A couple of reasons. No one can really predict when a sufficiently large quantum computer will come into existence, but if it does happen, when it does happen, it may be

quicker than we realize; we can't predict these things. Usually with these sorts of things someone finds the solution to the problem that's been holding them back and then it just goes, and we find this all the time in cryptography and hardware cryptography design: something stands for 30 years, but then all of a sudden five people attack it five different ways and get their solution. So it can be a little difficult to perfectly predict when a large enough quantum CPU will come about such that Shor's and Grover's will be effective, but there are other reasons. There's retrospective

decryption, which you might know as capture now, decrypt later, or harvest now, decrypt later. These kinds of attacks are happening right now; it's within nation states' capabilities today to record everything on networks that they monitor, store that traffic, and wait until the day that they can unlock it. Some of the biggest nation states do have this capability. There's also an extraordinary amount of work that's required to go to quantum resistance; for instance, I was looking at some of the timelines, and it may take Acme 10 to 20 years to be able to fully realize that whole strategy. So it's

actually kind of important that they start, and all CI, critical infrastructure, industries start their process now. I'm not saying we're going to be rolling out new devices and new software tomorrow, that's not how this works, but they do have to have a plan and they do need to start moving towards that plan pretty much now, because if they're going to get there in 10 years they need to start the process. I think it's also going to be cheaper in the long run to do it now. I was, unfortunately, at the start of my career, part of the Y2K disruption, and as I recall it asked

business to fix that problem a long, long time prior to it actually being fixed, and a lot of the time there was just push back on the expenditure to fix some code or test some code, and it got to the point where about 3 to 4 years prior to the event is when everyone panicked, and we had the event, and that was hugely expensive. That's a very expensive way to run a project in software and hardware, and when you're talking about cryptography hardware and software, they are quite expensive already. So I'm saying we should probably try to avoid last minute fixes; I think

it'll be cheaper if we do it on the slow, basically. And yeah, Acme, like all other CI organizations, is very slow moving when it comes to technology acquisition. It's going to take all organizations, but especially CI organizations, time to source technology that supports the new algorithms to make this happen. So the path to quantum resistance doesn't require ownership or knowledge of a quantum computer; the nation states and the FAANGs will have those, we won't. But what you do need for quantum resistance is to know what algorithms you have in your organization already and where they are, so that you know how and

when you can replace them, at a time when we start rolling out quantum resistant algorithms. This is something that every company I've ever worked for on cryptography or key management has fared pretty poorly with. So if you're not in a position to tell me exactly what algorithms you have, what trust chains you have, what PKIs you have, what private keys of whatever you have and where you have them, on every single device in your organization, don't feel bad, this is quite common unfortunately. But in order to make a pathway to quantum resistance, we probably need to do the things that we know in classical cryptography we

should be doing better. Let's take a look at some of the algorithms though. So this was Suite B cryptography. If you know this history, you'll know that there was a list of cryptographic algorithms: there was Suite A that was reserved for defence cryptography, and Suite B was the civilian thing that's chock full of SHA, ECDH, ECDSA. It was released in 2005, it was deprecated in 2018. Now, curiously, its replacement, which is called the commercial NSA cryptography suite, CNSA 1.0, put RSA back on the list, and that has led to speculation within the civilian cryptography community that there may be a break on ECC. There's

also speculation that it's simply that the NSA have done the mathematics on the timelines for quantum resistance, so they're not going to waste any more time spending money trying to push ECC out there, as they had been for 15 years. We don't know, we probably won't ever know, but the upshot of all of that is that RSA is back in the commercial NSA cryptography suite; it just has to be 3072-bit or larger. There's ECDSA a little bit, some more SHA-2 and some AES. This is the best possible list of algorithms today, but I don't at all suspect it will be the final list;

we'll get to that in a sec. So your PKIs will probably be running CRYSTALS-Dilithium. You might also be running PKIs to do code signing of your software and your firmware using LMS or XMSS. SHA is still there, it's just increased a little, and AES is there; we increased AES to twice the size a couple of years back to defeat the fact that Grover cut the key space in half, so that's currently the fix. I'm not sure what happens if someone improves Grover's, and that has me a little concerned. All right, so CNSA 2.0 won't be the end of this either. NIST just finalized the CNSA 2

algorithms, which are now known as FIPS 203, FIPS 204 and FIPS 205, so you'll be able to get the public docs on that sort of stuff if you want, and FIPS 206 is now in IPD status, so that's a commentary period. So I'm expecting that there will be further updates to the CNSA list over time. You'll find that CNSA will bleed into NIST standards, and they'll also bleed into ISM standards. So I've sort of taken the approach on this strategy that, because I know where CNSA and NSA's cryptography goes, and the ISM wasn't there at the time, I wrote in the requirement for the strategy to go to

CNSA 2.0, but I knew it was going to land there eventually. All right, so how do we get an organization to move on an issue when it's seemingly so far away and the existing crypto systems are already treated with, that's a typo, low care and low skill, basically the way Acme is treating it? The way the strategy is designed is a two-phased approach. Fix your basics first: for the next 5 years, build into your organizations, into your people, your process and your technology, the skills to work on cryptography and key management if you don't have them, fix up what you know to be a problem, and implement your

compliance to CNSA 1, which does align with the ISM and NIST and a bunch of others. And in the second part of that approach, once you've built up internally within your teams the skills to rapidly swap out algorithms, start to make the move towards quantum resistance in the 10 years after that. Your goal should be to implement compliance with CNSA 2 or any later version, at a minimum. I'm not saying put these six into a document and call it your strategy, don't do that. There was a lot more in Acme's strategy that did relate to localized problems, so that's why I don't bring them here;

you will have your own localized problems that need to be addressed in strategy as well. But for strategy one, clarify your management intent about cryptography and key management. Things I'm looking at here as an auditor: if you have a policy document, does it use policy language and not technical language or training language, as they often do? Does it have buy-in from the C-suite? Is it regularly updated? Is it actually relied upon and used by your people and linked to your processes? Does it define what some of your staff should do in the event of a non-conformance to the policy? Does it require systems that are

non-conformant to be added to the risk register for mitigation and treatment? And within the organization's people, I want to see that the policy document is actually used; don't write a policy document and stick it in a drawer like just about everyone else does. I want to see that there's an active conversation between management and labour on issues of cryptography. I know it's not sexy taking the word cryptography to the board or to your C-suite, but it does kind of need to happen with this level of technological change. All right, for strategy 2, increase your oversight and compliance. Things I'm checking for there, oh sorry, I will say about strategy one, and I'll say

this about all of them: anything less than those kinds of things within your cryptography and key management means that you might not be operating safely, and means I might one day find a break in it. So for strategy 2, your oversight and compliance, I want to know if your audit function collects enough evidence to make certain inferences and assertions about the state of your environment. What is the quality of their evidence collection and storage? Does your audit function perform scheduled and random audits of all trusted root CA and intermediate CA stores on all endpoint devices? I want to know when you're trusting devices that you didn't know you were

trusting. At will, can you manually or automatically determine what the trusted root stores are, or where the private keys are, on any given device? And when non-conformance is found, is it immediately remediated, or is it being sent to the risk register to be remediated, or what happens? Is audit just collecting results and then stashing them in a vault somewhere and not doing anything about it? These are the kinds of things I'm looking for there. Manage the supply chain is the hardest one of them all. The problem with quantum resistance is that it's both a supply chain risk issue and a technical problem to be engineered

around. There's any number of suppliers that you buy from who don't do quantum resistance, have no quantum resistance plan themselves, and you rely on them to get you there. You're buying that technology, and how many times are you buying technology that will knowingly not get there? The kinds of things I'm looking for there: what's your supply chain assessment? Do you get software BOMs and other key component information from your suppliers? Are they being evaluated on their roadmap towards quantum resistance, which is a new part I had to add as part of this work in this strategy? Within the Acme strategy we

basically said we're going to start tagging on every tender and every procurement action a little rider to the vendors that we're working with, to let them know that quantum resistance is important to us and that over the next couple of years you as a vendor may be judged on that. I've worked for product and software vendors for long enough to know how to get them to move on issues they don't want to move on: it's usually before you sign the contract or before you sign the purchase order, ask them for something, because as soon as you sign wet signatures you're bound by those

terms of contracts and you can't get them to change. This is why we're doing this now; it's the supply chain aspect of it. Every network device, every one of the three major desktop operating systems, every browser, every mobile device, and in critical infrastructure organizations things like PLCs, SCADA, HMIs, HVAC and other IoT systems all have their own cryptography algorithms in them, and we now have to tell every one of those vendors that quantum resistance is important to us. It's a huge undertaking, it's going to take years, so that's why we're not leaving it to the last minute. We're going to embed that into the supply chain; we're going to tell

our procurement function that the first step for them is to make it known to the vendors that at a future point we will be judging their products and services based on their capacity to meet our standards for quantum resistant cryptography. At a second stage we will be judging those who can meet our future timelines for compliance. CNSA 2.0 has its own timeline, it's a very aggressive timeline, and I don't think Acme can get there, so we've picked alternative dates that are just slightly nudged into the future, and you might want to do that too, but you'll need to pick a date, like a hard

date, that you want to move to. And then the third stage to that is that after that date, if you are not compliant with the quantum resistance algorithms that we want in your products, we're not going to buy you. We're giving vendors a very long leeway here because it's going to be a difficult undertaking, it's going to cost them money, but the reality of it is that we depend on them doing a thing before we can do a thing, and that's the issue here. So these are the kinds of things I'm looking at: is your supply chain checking that good? When I audit your crypto systems now,

in terms of the technical aspects, in terms of cryptography, it's CNSA 2.0, until the ISM or NIST updates to more than those kinds of standards. If you're a CI organization you're usually using IEC 62443 as your guiding light for that; we are finding a way to comply to that and CNSA at the same time, and I suggest you probably do the same. The IEC documents, the ISO documents, they don't update very often, it's like once every decade, and the rate at which algorithms are now going to come at us all is going to be more rapid than that. So there needs to be a way for

you to comply to your base compliance in the form of ISO and IEC 62443, but at the same time progress into this massive undertaking of technological change that is coming in the next decade or two. With key management practices, that was a weird one. Critical infrastructure organizations, and in my experience most organizations in Australia, do not use the one thing that all organizations should and every cryptographer says, that is the use of FIPS 140 certified HSMs. With the way key stealing works and credential escalation works on Windows networks these days, if you do not have a HSM, a FIPS 140-2 or FIPS 140-3 certified HSM, operating in

your environment, I will tell you that you are not operating safely. The cost for this stuff is not cheap, but it has come down, and these things massively make a difference to key security. The strategy suggested, well, we wrote into it, that what we call sensitive keys are what should be protected by these devices. So sensitive keys got defined as all private keys of CAs, all KAP devices and any keys issued by the KAP device, all administrators who authenticate via certificate-based authentication, and code signing keys. And we put a rider in there to say, and anything else by the

CISO or the person who designates authority, or something like that. So we've defined this classification of what is a sensitive key, and we're saying that moving forward they must be stored in approved FIPS 140-2, FIPS 140-3 or FIPS 201-3, which is YubiKeys. And the reason is that it basically eradicates key theft, or makes it extremely hard; it takes the scale out of remote theft of your credentials. It will not be 100% proof positive, but what I'd say to you is that there's just no way to protect a key on general purpose operating systems like Windows, Linux and Mac using just the software

protections there. There's a couple of reasons for that. General purpose operating systems are not built for key storage, they're not built for cryptographic purposes; they have a few little things thrown in, but they have two weaknesses, all of them do. The first is that they use discretionary access controls to monitor file systems, and they use a super user account, so the first thing an adversary needs to do to steal your keys is to find some sort of system or root privilege and then just take what they want from the discretionary access control system. There's just no safe way to operate key storage short of a physically

separate and hardened storage device, so if you're not using one of those, please reconsider it. The last one's a strange one. Essentially, with moving towards hardware protected storage, there might be a temptation for employees to subvert some of the physical controls; like, a YubiKey can actually be NFC read, and if a YubiKey is taped to a phone it's permanently being read all the time, and that's exactly the sort of thing we don't want. We want to impose cost on the adversary such that it requires them to only get access to make an attempt on the key once a physical action happens, so that means the trigger

button on the YubiKey gets pressed, or the USB gets inserted into a slot, or with an HSM smart card, the card gets inserted into a smart card reader. So this is what we've written in the strategy: all user-based authentications should, if possible, require physical touch of a human. I know that's kind of annoying, but it actually will greatly impede the ability of the adversary to steal your cryptography keys. I think that's it, so thank you for listening. If you have any questions I'll take them now, but I did want to thank BSides Canberra, my co-speakers throughout the day, the delegates, you are all fantastic

too, and especially Acme, who allowed me to talk on this subject, because I don't normally get to talk about what I do, because I'm under disclosures and that sort of thing. Look, thank you very much. Let's give Stuart a round of applause. [Applause]
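As an added illustration, not code from the talk, from Acme or from any standard, the following script applies three of the points above to a constructed key inventory: the SP 800-57 Part 1 Rev 5 originator-usage arithmetic (the talk's 4 -> 2027, 7 -> 2024, 10 -> 2021 examples), Grover's halving of symmetric key space, and the "know every key and where it lives" audit with the sensitive-key hardware-storage rule. The inventory schema, record names and values are constructed for the example; the cutoff year and bit-size floors restate the talk's positions.

```python
"""Added example, not part of the talk: SP 800-57 originator-usage arithmetic,
Grover's halving, and a small key-inventory audit over constructed records."""
from dataclasses import dataclass

# SP 800-57 Part 1 Rev 5 (Tables 2 and 4) permit RSA-2048 for originator use
# through December 2030. The talk treats "through December 2030" as the start
# of 2031, so the last usage year is 2031 minus the years of protection needed.
RSA2048_CUTOFF_YEAR = 2031

# The talk's floor: ISM / CNSA 1.0 want RSA-3072 or larger (ADCS steps to 4096).
MIN_RSA_BITS = 3072

# Storage classes the talk accepts for "sensitive" keys: FIPS 140-2/140-3 HSMs
# or FIPS 201-3 tokens such as YubiKeys. Labels are constructed for this example.
HARDWARE_STORES = {"hsm", "yubikey"}


def last_originator_use_year(protection_years: int,
                             cutoff_year: int = RSA2048_CUTOFF_YEAR) -> int:
    """Last calendar year an originator may keep using the algorithm while still
    getting `protection_years` of security life before the cutoff."""
    if protection_years < 0:
        raise ValueError("protection period must be non-negative")
    return cutoff_year - protection_years


def grover_effective_bits(key_bits: int) -> int:
    """Grover's quadratic speed-up halves the effective symmetric key space:
    AES-128 behaves like 64 bits, AES-256 like 128 bits."""
    return key_bits // 2


@dataclass
class KeyRecord:
    """One row of a constructed key inventory (hypothetical schema)."""
    name: str
    algorithm: str          # "RSA", "EC", "AES", ...
    bits: int
    protection_years: int   # how long material under this key must stay protected
    store: str              # "hsm", "yubikey", "software"
    sensitive: bool         # CA key, admin cert-auth key, code-signing key, ...


def audit(records, current_year: int):
    """Return (key name, finding) pairs for records that breach the talk's
    positions; records with no finding are not reported."""
    findings = []
    for r in records:
        if r.algorithm == "RSA" and r.bits < MIN_RSA_BITS:
            last = last_originator_use_year(r.protection_years)
            if current_year > last:
                findings.append((r.name,
                    f"RSA-{r.bits} used in {current_year}, past the last originator "
                    f"use year {last} for {r.protection_years} years of protection"))
            else:
                findings.append((r.name,
                    f"RSA-{r.bits} below the {MIN_RSA_BITS}-bit floor; "
                    f"migrate no later than {last}"))
        if r.algorithm == "AES" and grover_effective_bits(r.bits) < 128:
            findings.append((r.name,
                f"AES-{r.bits} gives only {grover_effective_bits(r.bits)} "
                "effective bits under Grover; use AES-256"))
        if r.sensitive and r.store not in HARDWARE_STORES:
            findings.append((r.name,
                "sensitive key held in a software store; move to a FIPS 140-2/140-3 "
                "HSM or FIPS 201-3 token"))
    return findings


# Constructed sample inventory; names and values are made up for the example.
SAMPLE_INVENTORY = [
    KeyRecord("issuing-ca-01", "RSA", 2048, 7, "hsm", True),
    KeyRecord("code-signing", "RSA", 4096, 10, "software", True),
    KeyRecord("admin-smartcard", "EC", 256, 2, "yubikey", True),
    KeyRecord("backup-encryption", "AES", 128, 10, "software", False),
    KeyRecord("tls-web-frontend", "RSA", 3072, 1, "software", False),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY, current_year=2024):
        print(f"{name}: {finding}")
```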