Over the past several decades, cryptography has evolved tremendously, yet breaches still occur, even in environments that were thought to be cryptographically secure. These breaches have multiple causes, but weak encryption keys are one of the most pervasive factors. Fortunately, there are solutions to this problem. Let’s dive in.
Present-day cryptography is still based on Kerckhoffs’s Principle that the key, and only the key, matters. While some algorithms are secret as part of a layered security posture, many are public. Whether public or private, the algorithms must be known to the entities using them. The encryption is then “unlocked” using a key. Therefore, the key is what ultimately secures the resource. The key must be generated in such a way that it is impossible to break, whether by brute force or some other method. This centuries-old issue persists today and is not about to disappear, and securing keys has never been more urgent.
On July 5, 2022, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced the first group of encryption tools designed to withstand the assault of a future quantum computer.1 These public algorithms are expected to be finalized within the next two years, and up to four additional algorithms are expected to follow. The algorithms are only one of the tools that must be used to secure sensitive data.
Changing the algorithm still does not change the fundamental principle that the key to the algorithm must be strong. The key may be longer, or the usage may be different. The journey to quantum resistance and quantum resilience still requires other tools to be effective. One tool already exists: higher entropy. It will address not only the quantum era, but also the current threat of key exploitation.
Strong keys must be generated or seeded by a completely unpredictable process. This unpredictability is called randomness, and this randomness comes from truly random numbers. The four most widely used sources of randomness are pseudo-random, event-based, classical physical (chaotic behaviour), and quantum physical (quantum phenomena). The randomness must be verifiable through various tests that demonstrate the statistical properties of the random numbers.2
Pseudo-random number generators (PRNGs) take an input (a seed) and generate multiple strings of numbers. The seed itself has to be random and unpredictable, which means that the seed must be truly random. Certain seeds give periodic behavior to the PRNG, and ultimately, as soon as one element of the sequence is known, all of the other elements of the sequence can be determined. The cost is very low, but the risk is very high, making it a poor choice for key generation when security is vital.
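The following added example (not part of the original article) ties the two preceding paragraphs together: it implements the frequency (monobit) test from the NIST statistical test suite cited above and runs it on a constructed toy PRNG, showing that a stream can pass a statistical test while every later output is computable from a single observed value. The generator, its constants, the seed and all function names are assumptions chosen for illustration.

```python
import math

# Constructed toy PRNG for illustration: a 32-bit linear congruential generator
# (textbook constants). Its entire internal state is its most recent output.
M, A, C = 2**32, 1664525, 1013904223

def lcg_stream(seed, n):
    """Return n successive 32-bit outputs starting from the given seed."""
    out, x = [], seed % M
    for _ in range(n):
        x = (A * x + C) % M
        out.append(x)
    return out

def low_bits(words, k):
    """Flatten the k least significant bits of each word into a bit list."""
    return [(w >> i) & 1 for w in words for i in range(k)]

def monobit_p_value(bits):
    """SP 800-22 frequency (monobit) test; the suite rejects when p < 0.01."""
    s = sum(1 if b else -1 for b in bits)      # +1 per one, -1 per zero
    s_obs = abs(s) / math.sqrt(len(bits))
    return math.erfc(s_obs / math.sqrt(2))

def continue_from(observed_output, n):
    """Recompute the next n outputs from one observed output, no seed needed."""
    return lcg_stream(observed_output, n)

if __name__ == "__main__":
    stream = lcg_stream(seed=20220705, n=4096)  # seed value is arbitrary
    p = monobit_p_value(low_bits(stream, 12))
    print(f"monobit p-value: {p:.3f} (passes: {p >= 0.01})")
    print("later outputs recomputed from one observed value:",
          continue_from(stream[99], 8) == stream[100:108])
```

A passing p-value only says the zeros and ones are balanced; it says nothing about whether the next value can be computed, which is why the unpredictability of the seed source matters in addition to the statistical tests.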
Non-physical TRNGs can be used to seed PRNGs in end-user devices or servers by drawing entropy from system events or the signals those events produce. The amount of entropy generated depends on the amount of activity in a system. For such a device located in a data center, sufficient activity simply does not exist. Conversely, systems such as web servers may drain entropy faster than it can be produced. While such a model might be perceived as an acceptable solution, in practice, it is clearly not sufficient and may lead to some major breaches.
True random number generation based on classical physics, while based on a noise effect or chaotic behavior, is still fundamentally deterministic. Furthermore, the quality of the produced randomness can be questionable and is difficult to assess.3
The random number generation process is greatly enhanced with the addition of quantum entropy. QRNG exploits a phenomenon described by quantum physics, which is inherently random. This random number generation is provably random and secure. Furthermore, real-time monitoring of the entropy source is provided. It also delivers the highly available randomness necessary for speed. Obtaining this tool is easy and is not disruptive to an environment. The QuintessenceLabs Quantum Random Number Generator fits inside the center of your infrastructure and gets you to Quantum-Enabled resilience with the highest quality seed content you need.
Most likely, your enterprise has multiple systems across on-premise, cloud, or shared environments that use encryption: devices, datastores, applications, and operating systems. Although quantum computers have not yet arrived, now is the time to assess your organizational risk of a quantum attack and to prepare to fight quantum attacks with quantum random number generation.
1 (Boutin, 2022)
2 Bassham, L., Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Leigh, S., Levenson, M., Vangel, M., Heckert, N. and Banks, D. (2010), A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=906762 (Accessed September 19, 2022)
3 Ma, X., Yuan, X., Cao, Z. et al. Quantum random number generation. npj Quantum Inf 2, 16021 (2016). https://doi.org/10.1038/npjqi.2016.21