Hackers Are Stealing Data Today So Quantum Computers Can Crack It In a Decade

While they wrestle with the immediate danger posed by hackers today, US government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they'll be able to unlock it at some point in the future. MIT Technology Review reports: The threat comes from quantum computers, which work very differently from the classical computers we use today. Instead of the traditional bits made of 1s and 0s, they use quantum bits that can represent different values at the same time. The complexity of quantum computers could make them much faster at certain tasks, allowing them to solve problems that remain practically impossible for modern machines -- including breaking many of the encryption algorithms currently used to protect sensitive data such as personal, trade, and state secrets. While quantum computers are still in their infancy, incredibly expensive and fraught with problems, officials say efforts to protect the country from this long-term danger need to begin right now.

Faced with this "harvest now and decrypt later" strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets against an emerging class of powerful machines. That includes the Department of Homeland Security, which says it is leading a long and difficult transition to what is known as post-quantum cryptography. [...] DHS recently released a road map for the transition, beginning with a call to catalogue the most sensitive data, both inside the government and in the business world. [Tim Maurer, who advises the secretary of homeland security on cybersecurity and emerging technology] says this is a vital first step "to see which sectors are already doing that, and which need assistance or awareness to make sure they take action now." The US, through NIST, has been holding a contest since 2016 that aims to produce the first quantum-computer-proof algorithms by 2024 [...].

As more organizations begin to consider the looming threat, a small and energetic industry has sprouted up, with companies already selling products that promise post-quantum cryptography. But DHS officials have explicitly warned against purchasing them, because there is still no consensus about how such systems will need to work. "No," the department stated unequivocally in a document (PDF) released last month. "Organizations should wait until strong, standardized commercial solutions are available that implement the upcoming NIST recommendations to ensure interoperability as well as solutions that are strongly vetted and globally acceptable."

Re: otp

[getuid()]

Symmetric encryption, e.g. AES, is good enough for encrypting backups. As for pubkey based encryption, elliptic curve might be robust (I think, not an expert on crypto).

Quantum computers will be good at factorisation, so they'll break prime-numbers based pubkey encryption, but not necessarily everything else.

Re:

[cfalcon]

> Symmetric encryption, e.g. AES, is good enough for encrypting backups

Sure, but why not use like, Serpent or whatever in addition to AES? It doesn't make a backup much slower, and it means that multiple vulnerabilities would have to be present. Veracrypt and Truecrypt before it offer AES/Twofish/Serpent, and modern things like this offer several other variants. It's true that the others don' have hardware acceleration, but when you are writing to disk encryption is often not your roadblock anyway.

Re:

[IdanceNmyCar]

You seem fairly educated. My conclusion from quantum is that stored data likely will not be feasible for future-proofing against quantum computer attacks?

The only way to really be secure is through quantum communication and potentially at potentially at a later date some way to store data in a quantum state, though decoherence seems to suggest this will be a non-trivial problem. This means, you can only really secure the communication of the data and never the data itself when in a steady-state. Once the da

Re:

[cfalcon]

> stored data likely will not be feasible for future-proofing against quantum computer attacks?

If you store your data symmetric encryption on a disk, there's no looming technology that will trivialize that. Obviously, it's always possible that the future will unlock that, but there's no threat from what we know about quantum computing today. There is an attack that basically halves key lengths, so your 256 bit encryption might be effectively 128 bits, but that's still a ton of bits. Nobody knows what

Re:

[AmiMoJo]

The performance hit might be more than you expect. Modern CPUs have instructions to accelerate AES, as so some storage controllers.

Re:

[drinkypoo]

Modern CPUs have instructions to accelerate crypto so as to not clog up the CPU doing it, leaving capacity for other tasks. But with modern multicore systems most of us can dedicate some processor cores to a task, even a long-running one, and still have cycles to burn.

Re: otp

[getuid()]

Ok, so since elliptical curves are doomed, too, pubkey encryption is pretty much doomed. (There may be new concepts resilient to QC breaking in the pipeline, but I'm not aware of a production-ready candidate.)

BTW, AES (symmetric encryption in general) is not particularly resource hungry. Asymmetric encryption is what makes performance problems.

Now it depends what "hackers" are stealing - if they're siphoning off traffic, pubkey encryption breaking is fatal. If it's copying of backed-up data or encrypted dri

Re:

[cfalcon]

>The performance hit might be more than you expect.

I mean, it's not. You probably don't want every single thing written to a high speed SSD to be triple encrypted or whatever, but the discussion was about backups.

You can try this yourself though. Your machines all have inbuilt AES support, so try:
1- Writing to an AES container on a high speed SSD
2- (1) but with triple encrytion
3,4- (1) and (2) but with an internal hard drive
5,6- (1) and (2) but with a USB drive

I'd be shocked if you see performance decr

Re:

[Anonymous Coward]

When you make a secure connection, the bulk of the data is encrypted with a symmetric key that is proof against future quantum stuff, but that initial handshake is done with public key cryptography, and it is used to exchange the symmetric key for the remainder of the transaction. Record that and attack it with some hypothetical future computer that can solve public keys and you can extract the symmetric key used for the remainder of the connection.

Lookup Diffie-Hellman key exchange. That runs on symmetric key encryption and allows for exchanging a symmetric key for the session. It does require both sides to interact so can't be done off-line, so email and such is out. Where you need public key encryption even if you can do DH-kex is to ensure that there's no Man In The Middle. That is what the whole certificate malarky in 'web is all about. (Using commercial companies to "establish trust", ha.)

No idea if, say, authenticated symmetric encryption or q

Re:

[IdanceNmyCar]

https://www.microsoft.com/en-u... [microsoft.com]

for current parameters at comparable classical security levels, the number of qubits required to tackle elliptic curves is less than for attacking RSA, suggesting that indeed ECC is an easier target than RSA./quote

Re:

[Junta]

Though to be fair, RSA is really expensive classically, and at this juncture it's hard to know the practical distinction between 1530 qubit and 4096 qubits, they are both implausible to achieve without some sort of categorical advance and it's hard to know if such an advance is possible, or if possible, if it could scale on up to 8192 qubits.

So technically the EC approach is theoretically weaker in the quantum sense, the benefits likely outweigh the risk, and a better strategy for post-quantum would be fles

Re:

[gtall]

Brilliant! We'll give everyone really good track shoes so they can shuttle the pads around.

Wouldn't it be obsolete by then?

[mark-t]

I can't imagine there's much of a use case for decrypting content that is 10 years old. Wouldn't it be out of date and all but useless by then?

Re:Wouldn't it be obsolete by then?

[fahrbot-bot]

I can't imagine there's much of a use case for decrypting content that is 10 years old.
Wouldn't it be out of date and all but useless by then?

Note to self: Change passwords in 9 years, 11 months. :-)

Re:

[burtosis]

Note to self: Change passwords in 9 years, 11 months. :-)

Well, well, look at Mr. 4 weeks early over here.

Re:

[fahrbot-bot]

Note to self: Change passwords in 9 years, 11 months. :-)

Well, well, look at Mr. 4 weeks early over here.

I've even put it on my calendar. :-)

Re:

[HuskyDog]

I can't imagine there's much of a use case for decrypting content that is 10 years old. Wouldn't it be out of date and all but useless by then?

I guess that this is probably true for an awful lot of data and I'm sure it is the case that the value of all secrets goes down over time. However I can imagine that there is quite a bit of valuable information that governments manage that lasts a lot longer than 10 years.

Imagine that specification for some military hardware like a fighter aircraft. This information might be generated when critical bits if technology are developed which might be ten years before the hardware enters service. Add in 20

Re:

[garyisabusyguy]

All the cool kids have been doing it for a while now [wikipedia.org]

Re:

[Alumoi]

It may be out of date, but think of the blackmail opportunities.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[GrumpySteen]

Equifax and Experian already leaked almost all of that information.

Re:

[fph il quozientatore]

You need more imagination. You could expose big corruption scandals that will completely destroy a poltiician's career, for instance. Or release naked pics from various celebrities.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[geekmux]

I can't imagine there's much of a use case for decrypting content that is 10 years old. Wouldn't it be out of date and all but useless by then?

Guess that depends on two things; how hot the actress was when the photos were taken, and how much TMZ is offering.

(Yes, of course TMZ will be around 10 years from now, doing the same stupid shit. A lawyer runs it.)

Re: Wouldn't it be obsolete by then?

[chill]

Four words: NSA Utah Data Center.

Re:

[garyisabusyguy]

*ding* *ding* *ding*

you win the prize

Re:

[phantomfive]

It's hype. The article doesn't give any supporting evidence that hackers are stealing data today with the hope of decrypting it in 10 years. It merely suggests that it's something that could be happening (and specifically points to "nation states" as the ones who might want to do it).

I would also suggest that it's hype that we'll have quantum computers in 10 years.

Re:

[Aighearach]

This headline here and the story are exactly what the media does.

In 10 years, slashdot neckbeards will be saying it was the programmers who promised useful quantum computers in 10 years. But it was only the breathless media.

Re:

[thegarbz]

Wouldn't it be out of date and all but useless by then?

Depends on your life cycle. Decrypting internal Google documents in 10 years would be pointless. All of their software would have been killed off, replaced, the replacements killed off, and replaced again with 4 programs doing the same thing, 3 of which would be in the process of being killed off again.

On the flip side 5 years ago the complete design documents of the fresh operational F-35 would be current. They are still current today, and given the slow development of military technology they will likely

My understanding

[Valgrus Thunderaxe]

Is that stuff like RSA would be vulnerable to a quantum attack, but not something like AES, which is more likely how "user data" would be stored,

Re:

[93 Escort Wagon]

Yeah, exactly. I don't believe symmetric cyphers are particularly vulnerable to quantum attacks. If you're worried, just double the key length.

Re:

[chas.williams]

One concern is that someone will discover a better quantum algorithm to attack symmetric ciphers.

Re:

[Aighearach]

That's a very broad, strange claim, since the math has been worked on for decades, ever since Feynman first discussed the possibility.

There is nothing available in the math to break information theory. New algorithms would be small improvements based on the details of the engineering, and would most likely be to work around problems that come up in the implementation, not anything that would improve the theoretical best algorithms.

Re:My understanding

[arglebargle_xiv]

Yeah, but then it wouldn't make a nice scaremongering story.

I'd be more worried about homeopathic cryptanalysis [metzdowd.com], which is a far bigger threat than quantum.

Re:

[Junta]

Correct, however if you can work ecdh backwards than you can get the symmetric keys for any network communication. So breaking asymmetric would crack open TLS as transferred today. It wouldn't be that useful for disk encryption or to break passwords that are properly hashed/salted.

Re:

[Aighearach]

Looks like the mods don't understand the math! lol

Very little will become vulnerable, even if the quantum tricks work. And even then, only the stuff with small keys. The biggest threats would be right when it was first achieved, if people don't know about it. The worst thing about keys being busted in secret would be the ability to log into compromised systems. So it is important to switch to large keys. But the large keys already in common use wouldn't be vulnerable to early efforts.

Use decoys

[petes_PoV]

Any decently encrypted data will look like random numbers. So fill the archives with content that has the format of valid, encrypted data but it nothing more than /dev/random. The hackers will waste much time trying to decrypt this and (hopefully) give up. Either thinking the data is false or that there is a new, uncrackable, encryption technique being used.

Of course, some disinformation to support that hypothesis would not hurt, either.

Re: Use decoys

[Anonymouse Cowtard]

Security through obscurity will buy you another 3 months.

Re:

[Opportunist]

That may be enough time to pinpoint and neutralize the threat.

Re:

[Junta]

They would presumably be capturing data in context. E.g. capturing traffic from client systems to wellknownbank.com.

Grabbing encrypted disk content is not applicable to quantum, as that is already quantum resiliant.

Re:

[thegarbz]

That is pointless for multiple reasons:
a) keeping relevant data and making it look relevant means dedicating hardware which looks like it is real and in active use as well. There is a cost associated with that.
b) if someone is able to get into your network and exfiltrate that amount of data they will also be able to identify which data is actively used and which is decoy. Hackers typically do far more targeted attacks than you give them credit for.

Re:

[DrMrLordX]

Mod up, was gonna say the same thing.

"Oh so the hackers learned from government stooges, cute".

Re:

[drinkypoo]

It's not exactly cheap to do it so the story is one of poor believability.

Not to mention that we're constantly hearing about how practical quantum computers that will crack common encryption methods are right around the corner. Ten years, they say. And they were saying that ten years ago.

Damaged reputation of NIST

[Canberra1]

Fool me once, fool me twice, NIST has a soiled reputation. Yet here they are discussing 'commercial' products, when there are plenty of open source crypto libraries, and OpenBSD has some robust or paranoid implementations based on past performance of supposedly sound standards. Then there are .govt only codes, normally not available to rest of world. Then there is Google and Cloud servers, were adding crypto is burning electricity and adding to global warming. However Wireguard is most efficient. Looking ba

Sure

[EnsilZah]

I guess if you wanted to be really secure you could use the encrypted stream as a reference to other streams that are available to everyone at the same time, say the main stream is a set of instructions that say something like 'switch to 102.8FM and multiplex it with this value for the next second..'.
Then you'd need the people collecting the data to also record all possible other sources of data.

Typewriters ...

[Freischutz]

Some 25 years ago the Russian security services went looking for typewriters to use for secure archiving and secure communications via couriers with an armed escort of Alpha Group gorillas. This is why, it scales the problem of getting the candy up from simply hacking a computer or network to investing in a tactical team to capture the courier and killing the gorillas. The only reasonably secure computer system today is an air-gapped one, and the only reasonably secure electronic communications method is a courier with an encrypted tamper proof USB stick and an escort of armed [wherever you sourced them from] gorillas, like al-Qaeda does.

Re: Typewriters ...

[chill]

Kids these days. Typewriters? You should read up on Project GUNMAN before posting about reviving Cold War tactics.

Re:

[Freischutz]

Kids these days. Typewriters? You should read up on Project GUNMAN before posting about reviving Cold War tactics.

This was back in the early 1990s, probably before you were born, precious child. However, even back then I thought they were going a bit far with typewriters but the basic principle is sound. The Chinese had an easier time stealing large portions of the F-35 technical package by hacking the internet exposed computer systems of US defence contractors resulting in this: https://qph.fs.quoracdn.net/ma... [quoracdn.net] than the US had 'hacking' islamist terrorist courier system or Iran's air-gapped enrichment facilities. The

Re:

[forty-2]

This was back in the early 1990s, probably before you were born, precious child.

Eyah, pretty sure the 5 digit UID says they were born before the 90s...

Re:

[Aighearach]

Sarcasm was deprecated in 1998. There was a slashdot story about it. It turns out it was neither funny nor useful, and nobody understood it anyway.

Re:

[phantomfive]

1976 [cryptologi...dation.org]

Re:

[know-nothing cunt]

Some 25 years ago the Russian security services went looking for typewriters to use for secure archiving and secure communications via couriers with an armed escort of Alpha Group gorillas. This is why, it scales the problem of getting the candy up from simply hacking a computer or network to investing in a tactical team to capture the courier and killing the gorillas. The only reasonably secure computer system today is an air-gapped one, and the only reasonably secure electronic communications method is a courier with an encrypted tamper proof USB stick and an escort of armed [wherever you sourced them from] gorillas, like al-Qaeda does.

No wonder gorillas are endangered species.

Re:

[Opportunist]

That's due to the proliferation of gorilla warfare.

We shouldn't allow them to bear arms. Or arm bears.

Re:

[Aighearach]

If you can stop them from growing bear arms, maybe you can stop them from growing bear necks, too? It's just gross.

Government paranoia?

[bradley13]

Like the classified material surrounding the Kennedy assassination: governments vastly overestimate the importance of whatever information they have.

Collect a bunch of random data today - decrypt it in 20 or 30 years - and spend how much time sorting through it? Sure, maybe you'll embarrass some former politician - that's if you're lucky - but nothing will be of any real importance any more. Deployment plans? Operational procedures? All irrelevant, after only a few years.

Re:

[Aighearach]

Considering that they still haven't released all the information about the Kennedy assassination, we have no way to weigh the important of any specific detail.

This trend likely to be marketing ploy by disk man

[WatchMaster]

I mean you really need to stock up on storage to keep up with everyone else right?

What data?

[OneHundredAndTen]

The value of the vast majority of data out there is time-dependent: something that is worth the while keeping protected by encryption today will probably not be so in ten years time. If they are collecting data indiscriminately they may be wasting their time. This aside from the fact that chances are that in ten years time quantum computers will be only marginally less useless - from a practical point of view - than they are today.

You're not thinking 4th-dimensionally, Marty!

[rainer_d]

https://www.youtube.com/watch?... [youtube.com]

Intelligence agencies want their strategy back

[mac1235]

It's theirs dammit

In other news..

[Malays2 bowman]

Encryption isn't forever. What might be nearly uncrackable now won't be in 20 years.

If you have something you want locked up forever, dirty secrets you want no people to ever see, then keep it off the net and put whatever media it was on into a shredderand put the remains inside of a blast furnace.

Re:

[Aighearach]

Or 200. Or 2000. Or never.

It isn't actually clear, theoretically, that there are good shortcuts in information theory.

It is clear that it is a lot of work to avoid bit-rot in stored data, though.

Re:

[Srin Tuar]

> Encryption isn't forever. What might be nearly uncrackable now won't be in 20 years.

RSA was invented in the 70's, and in wide use by the 90's.

Elliptic curve cryptography was invented in the 80's, and in wide use by the early 2000's.

3DES was standardized in 1995, and saw widespread use early

AES was standardized on in 2001

All of these are unbreakable today, even 3des which only has some theoretical weaknesses which might one day be exploitable for some limited use cases.

20 years is certainly not long eno

Re:

[kmoser]

ROT13^65535 should be unbreakable, no?

hackers AND NSA

[BardBollocks]

TURBULENT and TURMOIL.

10 year old data?

[robi5]

I don't understand the claim. What will prevent malicious people from collecting data going forward, such that by the time a hypothesized quantum computer is available, they can also decrypt 9,8,...2,1 and 0 year old data? Also, if the invention happens in 15 or 20 years, what changes? Not much. They'll have slightly less valuable 20 year old decripted data, and 10 year old data, and fresh data.

So it feels like government agencies introduce and mandate cryptographic tech in 1 year that's resilient to breaki

This is old news...

[SwashbucklingCowboy]

This has been talked about for years now:

2017: https://www.wired.com/story/qu... [wired.com]
2019: https://www.insidequantumtechn... [insidequan...nology.com]
2019: https://carnegieendowment.org/... [carnegieendowment.org]