The Quantum Computing Threat
Focus
Focus
Network Security

The Quantum Computing Threat

Table of Contents

The Quantum Computing Threat

Quantum computers will break classical cryptography with threats including harvest now, decrypt later attacks.
Where Can I Use This?What Do I Need?
  • PAN-OS
  • PAN-OS 11.1 or later.
Public Key Infrastructure (PKI) encryption and IKE key exchange mechanisms use classical cryptographies such as Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), and Elliptic Curve Diffie-Hellman (ECDH) extensively. Quantum computers (QCs) are likely to break these technologies within 5-15 years of NIST's standardization of the first post-quantum cryptographies (PQCs).
Post-quantum IKEv2 VPNs based on the RFC 8784, RFC 9242, and RFC 9370 open standards resist attacks based on quantum computing and PQCs. With RFC 8784, instead of sending the key material to the IKE peer in the peering handshake, the administrators configure and share the key material separately, out-of-band. If attackers steal the data, they can't decrypt it because they don't have the key material. RFC 9370 adds an additional seven optional KEM rounds to IKEv2 to enable the creation of hybrid encryption keys that are formulated with different types of KEM technologies. To break the hybrid key, all the KEMs used to create the key would need to be compromised. Palo Alto Networks' solutions to resist quantum attacks are based on open standards to enable and ensure interoperability with other equipment that meets the standards.
The most immediate danger is Harvest Now, Decrypt Later attacks, where attackers steal data (at rest or in transit) that they can't decrypt now and store it until a cryptographically relevant quantum computer (CRQC) can decrypt it. A CRQC is a QC optimized for using quantum algorithms to break encryption in seconds instead of in the millions of years that a classical supercomputer would take. The data at highest risk is long-lived data that will still be relevant when CRQCs become available.

What Is A Quantum Computer?

Quantum computers (QCs) are essentially the next generation of supercomputing platforms. QCs use the laws of quantum mechanics to vastly decrease the amount of time it takes to process data and run algorithms, including algorithms that can break classical decryption. Operations that would take a classical computer hundreds or thousands of years to process take seconds or even microseconds for a QC. Instead of being based on classical bits (zeros and ones) that increase a supercomputer's power linearly, QCs use qubits, which are based on polarized photons (light) and increase a QC's processing power exponentially.
There are several ways to create qubits and the method affects qubit quality—the efficiency of the qubits. The higher the quality of the qubits, the faster and more effective the QC. Because of their quantum nature, a qubit represents two states at one time and those states can be replicated across great distances. This is due to the quantum effects of superpositioning and entanglement:
  • Superpositioning—A qubit can represent both a one and a zero at the same time. Combining qubits results in escalating the number of states the qubits can represent because the number of states increases at a rate of 2**n, where “n” is the number of qubits. So two qubits can represent four states (2**2), three qubits can represent eight states (2**3), four qubits can represent 16 states (2**4), etc.
    As qubit density (the number of qubits that fit on a chip) increases, the number of states that the combined qubits can represent increases exponentially. The better the quality of the qubits, the closer the combined number of qubits come to a true exponential scale. Low-quality (noisy) qubits, when combined, don’t increase the number of states exponentially, but they still increase the number of states significantly compared to a classical computer. As the quality of qubits improves, QCs come closer and closer to a true exponential escalation of the number of states represented.
  • Entanglement—Entanglement is a quantum bond between qubits. Entangled qubits generate the same results from running the same quantum algorithm on them, no matter where they are, even if the qubits are halfway around the world from each other. So if you run a particular algorithm on entangled qubits that are located in Bangalore (India) and Los Angeles (United States), the entangled qubits in those locations yield the same result. The exact mechanism by which quantum entanglement works is unknown.
There are three types of QCs:
  • Quantum Annealers—These are available today. They are the least-powerful QCs with the narrowest use cases. However, attackers can use them to factor large numbers using quantum algorithms, which is how to break asymmetric encryption.
  • Analog Quantum Simulators—These solve physics problems that are beyond the ability of classical computers, such as quantum chemistry, materials sciences, optimization problems, factoring large numbers, sampling, and quantum dynamics.
  • Universal Quantum Computer—These are the hardest QCs to build because they require many physical qubits. They solve the broadest range of use cases and several companies are targeting the end of this decade for commercializing them. When they are developed, these are the computers that will be CRQCs.
QCs create a multi-dimensional space comprised of many entangled qubits in which to solve complex problems. For example, classical computers take each element of a database, process it, and then combine it with other elements after processing all the elements. QCs create an algorithm that solves for every state and outcome you're looking for. They pass the entire database through the algorithm simultaneously, analyzing the data for every outcome simultaneously. This makes QCs potentially millions of times faster than classical computers and is one reason they are excellent at solving complex mathematical problems such as breaking encryption.

How Does the Quantum Threat Affect My Network?

The vastly increased processing power and speed of QCs threaten to break classical methods for encrypting data, which could compromise your public key infrastructure (PKI).
The most immediate threat is Harvest Now, Decrypt Later attacks that steal your encrypted data with the intention of using a CRQC to decrypt it in the future. Once attackers steal your data and classical key material, there's no way to stop them from decrypting the data in the future using a CRQC. If the stolen data is still valid at that time, it is compromised.
Classical asymmetric encryption is based on prime numbers and relies on the difficulty of factoring complex numbers to derive those prime numbers. A quantum algorithm called Shor's algorithm can factor complex numbers and solve discrete logarithm problems. Shor's algorithm threatens PKI security, which is based on two very large prime numbers to produce the key. However, Shor's algorithm can't break PKI security in less than millions of years using a classical computer. Without CRQCs, Shor's algorithm wasn't a threat. However, given the processing power of a CRQC, Shor's algorithm can factor complex numbers and crack classical asymmetrical encryption (such as the key exchange material needed to decrypt data) in seconds or less. This is why Harvest Now, Decrypt Later attacks are an immediate threat.
The consequences of breaking classical encryption include compromising the security of classical PKI cryptographies that were thought to be secure, such as Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), and Elliptic Curve Diffie-Hellman (ECDH). The key exchange is at greatest risk and is why you need to configure post-quantum IKEv2 VPNs to secure the key exchange.
Certificates have been the foundation of how two endpoints establish trust. However, CRQCs can also compromise RSA, which is used to create and secure digital certificates. This means that attackers can steal or impersonate digital signatures with a CRQC, so the server you think you're connecting to might actually be an attacker's server. The ability to do this might come as soon as the next decade.
In addition, the sheer brute force processing power of QCs means that symmetric encryption isn't safe either. Grover's algorithm is a quantum, quadratically accelerated unstructured search algorithm that finds the unique input that produces a particular output value. Grover's algorithm targets symmetric cryptography and hash functions. It essentially halves the crypto strength of AES algorithms, so if you use AES-128 bit encryption, Grover's algorithm drops it to the crypto strength of 64-bit encryption. Because classical computers don't have anywhere near enough processing power, they can't use Grover's algorithm to break symmetric encryption. However, using a QC, Grover's algorithm can break AES-128 bit encryption.
Because of AES-128 bit encryption's vulnerability to Grover's algorithm, use AES-256 bit encryption, which Grover's algorithm will not be able to break in the near or mid-term future.
To help safeguard hash functions, use SHA-384 at a minimum.
Post-quantum cryptographies (PQCs) are available today and most security-savvy people can download and set up PQCs, which can't be decrypted. If you allow unauthorized PQCs on your network, an internal bad actor could introduce PQCs into your network. If that happens, you have no visibility into traffic that uses a PQC and no visibility into threats in that traffic. Use Decryption features to detect unauthorized PQCs on your network and automatically block traffic that uses PQCs.

What to Do Now to Mitigate Harvesting Attacks

Take these actions now to resist post-quantum Harvest Now, Decrypt Later attacks. Review your VPN connections and harden them:
  • Follow RFC 6379 for Suite B Cryptographic Suites for IPsec to upgrade your VPN connections to tough cipher suites. Use Suite-B-GCM-256 and avoid weaker 128-bit AES algorithms, which are vulnerable to Grover's algorithm.
  • Upgrade your CA to 4K RSA key sizes to mitigate brute force attacks that can break smaller key sizes and migrate your VPN certificate authentication to new certificates.
  • Upgrade to higher-bit SHA hash sizes such as SHA-384 and SHA-512. Stop using weak hashes such as MD5 and SHA-1.
  • Implement RFC 8784 and/or RFC 9242 and RFC 9370 to create post-quantum VPNs that resist quantum attacks.
In addition, review your SSL/TLS connections and harden them:
  • Upgrade SSL/TLS connections to tough cipher suites; use TLSv1.3 with Perfect Forward Secrecy (PFS) ciphers.
  • Tunnel SSL/TLS sessions in hardened, client-to-server VPN sessions. Use a post-quantum desktop application to support Reverse Proxy.