Quantum Security Concepts
Cryptographically relevant quantum computers threaten to break classical
cryptography.
Quantum computers (QCs) threaten network and data security. When QC development reaches a
mature state that produces cryptographically relevant quantum computers (CRQCs),
purpose-built to break encryption, many classical ciphers that were deemed safe will no
longer be able to prevent attackers from decrypting your data. This means that your
public key infrastructure (PKI) based on classical cryptography will be vulnerable to
post-quantum attacks. The threat is immediate, especially for long-lived data, because
of Harvest Now, Decrypt Later attacks, in which attackers obtain the encrypted data and
store it until they have a CRQC that can decrypt the data.
Resistance to attacks based on quantum computing begins with enhancing the key created
during the IKEv2 key exchange to safeguard your VPNs and with understanding your current
cryptography and post-quantum cryptographies (PQCs). Palo Alto Networks' solutions to
resist quantum attacks are based on open standards to enable and ensure interoperability
with other equipment that meets the standards.
The first step is to implement RFC 8784 to create quantum-resistant IKEv2
VPNs as described in this document. Quantum-resistant VPNs can prevent attackers from
recording critical encrypted key material and prevent them from decrypting the data even
if they successfully steal the encrypted data. RFC 8784 provides a quantum-resistant
transition from today's classical cryptography in a straightforward manner that does not
require cryptography upgrades and is deemed the easiest way to introduce quantum
resistance to your VPN communications.
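The following added example (not Palo Alto Networks code) sketches how RFC 8784 enhances the IKEv2 key without new algorithms: a post-quantum preshared key (PPK) is mixed into the classically derived SK_d, SK_pi, and SK_pr with the already negotiated PRF. PRF_HMAC_SHA2_256, all key and nonce values, and the helper names are assumptions constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # PRF_HMAC_SHA2_256 is assumed to be the negotiated IKEv2 PRF.
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+ (RFC 7296): T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, block = b"", b""
    for counter in range(1, 256):
        if len(out) >= length:
            break
        block = prf(key, block + seed + bytes([counter]))
        out += block
    if len(out) < length:
        raise ValueError("prf+ cannot produce more than 255 blocks")
    return out[:length]

def mix_ppk(ppk: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes):
    # RFC 8784: SK_d = prf+(PPK, SK_d'), and likewise for SK_pi and SK_pr.
    return tuple(prf_plus(ppk, k, len(k)) for k in (sk_d, sk_pi, sk_pr))

def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    # First Child SA keying material (RFC 7296): KEYMAT = prf+(SK_d, Ni | Nr)
    return prf_plus(sk_d, ni + nr, length)

# Constructed sample values. In a real exchange SK_d', SK_pi', SK_pr' come from
# the classical (EC)DH exchange, which is what a CRQC is expected to recover.
SK_D_CLASSICAL = bytes(range(32))
SK_PI_CLASSICAL = bytes(range(32, 64))
SK_PR_CLASSICAL = bytes(range(64, 96))
NI, NR = b"\x11" * 32, b"\x22" * 32
PPK = hashlib.sha256(b"constructed PPK, provisioned out of band").digest()

def demo() -> dict:
    sk_d, _, _ = mix_ppk(PPK, SK_D_CLASSICAL, SK_PI_CLASSICAL, SK_PR_CLASSICAL)
    return {
        # Keys both peers use to protect IPsec traffic.
        "with_ppk": child_keymat(sk_d, NI, NR, 64),
        # What an attacker computes from a recorded exchange after breaking
        # the classical key exchange but without the PPK.
        "attacker_view": child_keymat(SK_D_CLASSICAL, NI, NR, 64),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```

RFC 8784 mixes the PPK into SK_d, SK_pi, and SK_pr only; the initial IKE SA's own encryption and integrity keys are still derived from the classical exchange alone.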
The second step is to implement RFC 9370 by itself or with RFC 8784 to create
quantum-resistant IKEv2 VPNs using multiple key exchange mechanisms (KEMs) that can
combine both classical and PQC KEM
technologies. This solution is also known as IKEv2 post-quantum hybrid key and uses the
new replacement PQC algorithms that are not vulnerable to a quantum attack that uses
Shor's algorithm.
This chapter describes QCs, the threat they pose to your data security, what you can do
about it now by creating quantum-resistant IKEv2 VPNs, and how to plan and prepare to
migrate to post-quantum VPNs and PQCs.