Taking a Quantum Leap to Assure Strong Encryption
For those not familiar with Cloud Resource Community co-sponsor the Cloud Security Alliance (CSA), it is an organization like co-sponsor (ISC)2 whose site you need to bookmark and reference often. The reason is that CSA is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Hence, when the CSA talks cloud security professionals listen.
CSA is talking and will be doing so loudly, on what may seem an arcane, but is an absolutely important subject: Random Number Generators.
Yes, you read correctly and here is why. The Cloud Security Alliance's Quantum-Safe Security (QSS) Working Group (QSS-WG) has released a research brief titled Quantum Number Generators, a whitepaper that looks to detail the impact of randomness on security in an effort to develop the building blocks for effective encryption. The word “Quantum” is the critical one here as the (QSS-WG) believes that we are going to need to fight hackers with quantum computers with tools such as quantum number generators.
A little context is in order, and CSA provides a nice synopsis:
A random number is generated by a process whose outcome is unpredictable, and which cannot be reliably reproduced. Random numbers are foundational to information security and are the building blocks of encryption, authentication, signing, key wrapping, one-time codes, nonces, and other cryptographic applications.
The performance and characteristics of random number generators have a strong impact on security. Attackers do not usually attempt to crack encryption, they simply steal or guess keys. Poor quality or insufficient quantity of random numbers make it that much easier, reducing security well below its designed level and making the overall system vulnerable.
The challenge going forward is that Quantum computing, which involves joining the power of atoms and molecules to perform memory and processing tasks, has the potential to perform certain calculations significantly faster than any silicon-based computer. In short, as the paper explains quantum computing will likely outperform today’s a billion-fold and thus make cracking random numbers that are not quantum themselves capable of being compromised in seconds by a hacker with nothing more than a PC.
Headed up by co-chairs, Bruno Huttner of ID Quantique and Jane Melia of QuintessenceLabs, the QSS – Working Group is focused on, “stimulating the understanding, adoption, use and widespread application of quantum-safe cryptography to commercial institutions, policy makers, and all relevant government bodies.”
The report even has a nice schematic to explain all of this:
Source: CSA white paper, Quantum Number Generators
This is a case where literally cloud security pros are going to have to “fight fire with fire.” When you think about how easily passwords have become quickly compromised, and realize that as amazing as the benefits of quantum computing are likely to be in the hands of good guys, assuring the strength of random numbers against attacks from those with malicious intent is no small task. It is why book marking the CSA and (ISC)2 sites along with this community should be considered best practices.
Edited by Stefania Viscusi