Perhaps no one is more aware of the potential of quantum computing to perform calculations that were previously impossible than IBM. And, like any new technology, these advances can be used for good or for bad. One potential bad use case in the future is hackers using quantum computers to crack asymmetric encryption algorithms like RSA, which are used everywhere to exchange keys for subsequent communications encrypted with symmetric algorithms like AES. Algorithms like RSA are expected to be broken in the future by powerful quantum computers using an algorithm known as Shor’s algorithm. Luckily, the AES algorithm is still considered secure because, even using a quantum algorithm called Grover’s algorithm, it would take millions of years for the most powerful quantum computers to decipher a message.
But in the future, very powerful quantum computers will require major changes in the communications infrastructure used with today’s information technology. This would require a program dubbed Y2Q (Years to Quantum), which would be much larger than the Y2K date code update that occurred in 1999. Our estimate is that over 20 billion devices will need to be upgraded or replaced, and the process will likely take 20 years.
So it’s critical for IT managers to start planning now to minimize the risk of someone using a quantum computer to compromise their organization’s data. But the task will be very challenging. Some large companies may use thousands of different applications that use encryption. Even worse, some of these apps may have been installed 10 or 20 years ago. The encryption module may have been developed by now-retired employees or contractors. The company may no longer own the source code for the software and may have only object code. And sometimes encryption may have been implemented as code embedded deep within the application rather than as a separate module that can be easily isolated.
For that purpose, IBM has introduced a complete Quantum Secure Roadmap for its clients to assist them in their migration to quantum secure encryption. The roadmap consists of three main steps, which we describe below:
Discover: Identify Cryptographic Use, Analyze Dependencies, and Generate a Cryptography Bill of Materials (CBOM)
As we mentioned above, it is not possible for any organization to manually scan all their applications and find places where cryptography is used. So IBM has developed an automated program that will scan through all available object code, source code, and network traffic to identify places where cryptography is used and provide an inventory they call a Cryptography Bill of Materials (CBOM) so users can figure out what needs to be fixed. This program can display the results of its analysis in a dashboard.
Observe: Cryptographic Vulnerability Posture Analysis and Prioritize Remediation Based on Risk
After going through the Discover phase, the company will likely find a lot of things that need improvement. However, not all data carries the same level of risk. Some data is more important or has a longer shelf life than other data, so it’s important to prioritize what to fix first. IBM can assist with this process and help its clients establish priorities so that they can develop their full plan for remediation.
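The Discover and Observe steps above, as an added Python example (not IBM’s tooling or its CBOM format): it inventories cryptographic algorithm references in source text and ranks the quantum-vulnerable ones by how long the data must stay confidential. The rule patterns, sample files and shelf-life figures are constructed assumptions.

```python
import re

# Assumption: split follows the article (public-key falls to Shor's, AES survives Grover's).
RULES = [  # (algorithm, pattern, quantum_vulnerable) -- hypothetical, not exhaustive
    ("RSA", re.compile(r"\brsa(?:_\w+)?\b", re.I), True),
    ("ECC", re.compile(r"\b(?:ecdh|ecdsa|secp\d+[rk]1)\b", re.I), True),
    ("AES", re.compile(r"\baes(?:_\w+)?\b", re.I), False),
]
LINE_COMMENT = re.compile(r"(#|//).*$")  # crude: ignore mentions in comments

# Constructed sample input: file path -> source text.
SAMPLE_FILES = {
    "billing/keys.py": "from cryptography.hazmat.primitives.asymmetric import rsa\n"
                       "key = rsa.generate_private_key(65537, 2048)  # legacy\n",
    "archive/Vault.java": 'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n'
                          "// TODO: drop RSA wrapping\n"
                          'KeyAgreement ka = KeyAgreement.getInstance("ECDH");\n',
    "web/session.js": "const c = crypto.createCipheriv('aes-256-gcm', key, iv);\n",
}
# Constructed: years the data handled by each top-level component must stay confidential.
SHELF_LIFE_YEARS = {"billing": 7, "archive": 30, "web": 1}


def scan(files):
    """Return one inventory entry per (file, algorithm) with the matching line numbers."""
    inventory = {}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            code = LINE_COMMENT.sub("", line)
            for algo, pattern, vulnerable in RULES:
                if pattern.search(code):
                    entry = inventory.setdefault((path, algo), {
                        "file": path, "algorithm": algo,
                        "quantum_vulnerable": vulnerable, "lines": []})
                    entry["lines"].append(lineno)
    return list(inventory.values())


def prioritize(inventory, shelf_life):
    """Quantum-vulnerable entries only, longest-lived data first."""
    def years(entry):
        return shelf_life.get(entry["file"].split("/")[0], 0)
    todo = [e for e in inventory if e["quantum_vulnerable"]]
    return sorted(todo, key=lambda e: (-years(e), e["file"], e["algorithm"]))


if __name__ == "__main__":
    for e in prioritize(scan(SAMPLE_FILES), SHELF_LIFE_YEARS):
        print(e["file"], e["algorithm"], e["lines"])
```

Source-text matching only covers the case where source code is available; the object-code and network-traffic scanning the article mentions is out of scope here.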
Transformation: Remediation and Mitigation with Crypto-Agility and Built-in Automation
Finally, IBM can assist its clients with the remediation process and provides automated tools for it. One of the key attributes that is highly recommended for this phase is called crypto-agility. Although US NIST has selected its first set of quantum-resistant Post Quantum Cryptography (PQC) algorithms for standardization, it is possible that even better ones will come in the future. So for these new implementations it is wise to structure the software so that the encryption algorithms are implemented in a more modular way and can be replaced more easily, if needed. One does not want to embed the encryption algorithm deep inside some software application and repeat the mistakes we pointed out earlier in this article.
In addition to providing software and consulting services, IBM has also built quantum security features into its hardware. For example, z16 mainframes have built-in logic that can execute some of the PQC algorithms more efficiently and IBM tape storage has a Hardware Security Module (HSM) that can also process encryption algorithms.
For additional information on IBM’s quantum secure roadmap, you can view the press release located on their website here. You can also visit the programming web page for more detailed information about their Quantum Safe products and services here.
May 10, 2023