Quantum computing

Now is the time to plan for Post-Quantum Cryptography


Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven’t already.

RSA CONFERENCE 2022 – Even the most future-facing panels at this year’s RSA Conference are grounded in the lessons of the past. At the post-quantum cryptography keynote “Wells Fargo PQC Program: The Five Ws,” the moderator evoked the upheaval from RSAC 1999 when a team from Electronic Frontier Foundation and Distributed.net broke the Data Encryption Standard (DES) in less than a day.

“We’re trying to avoid the scramble” when classical cryptography techniques like elliptic curve and the RSA algorithm inevitably fall to quantum decrypting, said Sam Phillips, chief architect for information security architecture at Wells Fargo. And he set up the high stakes encryption battles often have: “Where were all the DES implemented? Hint: ATM machines.”

“We had to set up teams to see where all we were using [was DES] and then establish the migration plan based upon using a risk-based approach,” Phillips said. “We’re trying to avoid that by really trying to get ahead of the game and do some planning in this case.”

Phillips was joined on stage by Dale Miller, chief architect of information security architecture at Wells Fargo, and Richard Toohey, technology analyst at Wells Fargo.

Now Is the Time

The panel was named for the journalistic model of five questions that start with the letter “w,” but that didn’t come up until late in the audience Q&A portion.   “Sam was asking the what, the who, the why, the where, and the when,” Miller said. “So I think we’ve covered that in our conversations here.”

Most of the titular questions were somewhat vague and a matter of judgment. However, on the concept of when you should start planning for the post-quantum future, there was complete agreement: Now.

“You’ve got to start the process now, and you have to move yourself forward so that you are ready when a quantum computer comes along,” Miller said.

“There is not right now a quantum computer that is commercially viable, but the amount of money and effort going into the work is there to move it forward, because people recognise the benefits that are there, and we are recognising the risk,” he said. “We feel that it’s an eventuality, that we don’t know the exact time, and we don’t know when it’ll happen.”

Toohey suggested beginning preparations with a crypto inventory — again, now.

“Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?” he said. “That’s a big ask, to know every type of cryptography used throughout your business with all your third parties — that’s not trivial. That’s a lot of work, and that’s going to need to be started now.”

Wells Fargo has a goal to be ready to run post-quantum cryptography in five uears, which Miller described as “a very aggressive goal.”

“So the time to start is now,” he said, “and that’s one of the most important takeaways from this get-together.”

Crypto Agility Gets You to Quantum Resilience

Pivoting is a key marker of agility for the panel, and agility is vital for being able to react to not just quantum threats, but whatever comes next.

“The goal here should be crypto agility, where you’re able to modify your algorithms fairly quickly across your enterprise and be able to counter a quantum-based attack,” Miller said. “And I’m really not thinking on a day-to-day basis about when is the quantum computer going to get here. For us, it’s more about laying a path and a track for quantum resiliency for the organization.”

Toomey agreed about the importance of agility.

“Whether it’s a quantum computer or new developments in classical computing, we don’t want to be put in a position where it takes us 10 years to do any kind of cryptographic transition,” he said. “We want to be able to pivot and adapt to the market as new threats come out.”

Because there will be computers that can break current cryptography techniques, organizations do need to develop new encryption methods that stand up to quantum brute-force attacks. But that’s only the half of it.

“Don’t just focus on the algorithms,” Phillips said. “Start looking at your data. What data are you transiting back and forth? And look at devaluing that data. Where do you need to have that confidential information, and what can you do to remove that from the exposure? It will help a lot not only in the crypto efforts, but in terms of who has access to the data and why they have to have access.”

You’ve Got to Have Standards

One open question loomed over the discussion: When would NIST announce its picks for the new standards to develop for post-quantum cryptography? The answer: Not yet. But the uncertainty is no cause for inaction, Miller said.

“So NIST will continue to work with other vendors and other companies and research groups to look at algorithms that are further out there,” he said. “Our job is to be able to allow those algorithms to come into place quickly, in a very orderly manner, without disrupting business or breaking your business processes and [to] be able to keep things moving along.”

Phillips agreed. “That’s one of the reasons for pushing on plug and play,” he said. “Because we know that the first set of algorithms that come out may not satisfy the long-term need, and we don’t want to keep jumping through these hoops every time somebody goes through it.”

Toohey tied the standards question back into the concept of preparing now.

“That way, when NIST finally finishes publishing their recommendations, and standards get developed in the coming years, we’re ready as an industry to be able to take that and tackle it,” he said. “That’s going back to crypto agility and this mindset that we need to be able to plug and play. We need to be able to pivot as an industry very quickly to new and developing threats.”

Get in touch

If you have a question or would like some more information, contact us today.