Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption

Hackers Are Stealing Data Today So Quantum Computers Can Crack It In a Decade (technologyreview.com) 75

While they wrestle with the immediate danger posed by hackers today, US government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they'll be able to unlock it at some point in the future. MIT Technology Review reports: The threat comes from quantum computers, which work very differently from the classical computers we use today. Instead of the traditional bits made of 1s and 0s, they use quantum bits that can represent different values at the same time. The complexity of quantum computers could make them much faster at certain tasks, allowing them to solve problems that remain practically impossible for modern machines -- including breaking many of the encryption algorithms currently used to protect sensitive data such as personal, trade, and state secrets. While quantum computers are still in their infancy, incredibly expensive and fraught with problems, officials say efforts to protect the country from this long-term danger need to begin right now.

Faced with this "harvest now and decrypt later" strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets against an emerging class of powerful machines. That includes the Department of Homeland Security, which says it is leading a long and difficult transition to what is known as post-quantum cryptography. [...] DHS recently released a road map for the transition, beginning with a call to catalogue the most sensitive data, both inside the government and in the business world. [Tim Maurer, who advises the secretary of homeland security on cybersecurity and emerging technology] says this is a vital first step "to see which sectors are already doing that, and which need assistance or awareness to make sure they take action now." The US, through NIST, has been holding a contest since 2016 that aims to produce the first quantum-computer-proof algorithms by 2024 [...].

As more organizations begin to consider the looming threat, a small and energetic industry has sprouted up, with companies already selling products that promise post-quantum cryptography. But DHS officials have explicitly warned against purchasing them, because there is still no consensus about how such systems will need to work. "No," the department stated unequivocally in a document (PDF) released last month. "Organizations should wait until strong, standardized commercial solutions are available that implement the upcoming NIST recommendations to ensure interoperability as well as solutions that are strongly vetted and globally acceptable."

This discussion has been archived. No new comments can be posted.

Hackers Are Stealing Data Today So Quantum Computers Can Crack It In a Decade

Comments Filter:
  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Saturday November 06, 2021 @02:18AM (#61962393) Journal
    I can't imagine there's much of a use case for decrypting content that is 10 years old. Wouldn't it be out of date and all but useless by then?
    • by fahrbot-bot ( 874524 ) on Saturday November 06, 2021 @04:09AM (#61962509)

      I can't imagine there's much of a use case for decrypting content that is 10 years old.
      Wouldn't it be out of date and all but useless by then?

      Note to self: Change passwords in 9 years, 11 months. :-)

      • Note to self: Change passwords in 9 years, 11 months. :-)

        Well, well, look at Mr. 4 weeks early over here.

        • Note to self: Change passwords in 9 years, 11 months. :-)

          Well, well, look at Mr. 4 weeks early over here.

          I've even put it on my calendar. :-)

    • I can't imagine there's much of a use case for decrypting content that is 10 years old. Wouldn't it be out of date and all but useless by then?

      I guess that this is probably true for an awful lot of data and I'm sure it is the case that the value of all secrets goes down over time. However I can imagine that there is quite a bit of valuable information that governments manage that lasts a lot longer than 10 years.

      Imagine that specification for some military hardware like a fighter aircraft. This information might be generated when critical bits if technology are developed which might be ten years before the hardware enters service. Add in 20

    • by Alumoi ( 1321661 )

      It may be out of date, but think of the blackmail opportunities.

    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Saturday November 06, 2021 @04:56AM (#61962539)
      Comment removed based on user account deletion
    • You need more imagination. You could expose big corruption scandals that will completely destroy a poltiician's career, for instance. Or release naked pics from various celebrities.
    • I can't imagine there's much of a use case for decrypting content that is 10 years old. Wouldn't it be out of date and all but useless by then?

      Guess that depends on two things; how hot the actress was when the photos were taken, and how much TMZ is offering.

      (Yes, of course TMZ will be around 10 years from now, doing the same stupid shit. A lawyer runs it.)

    • Four words: NSA Utah Data Center.

    • It's hype. The article doesn't give any supporting evidence that hackers are stealing data today with the hope of decrypting it in 10 years. It merely suggests that it's something that could be happening (and specifically points to "nation states" as the ones who might want to do it).

      I would also suggest that it's hype that we'll have quantum computers in 10 years.

      • This headline here and the story are exactly what the media does.

        In 10 years, slashdot neckbeards will be saying it was the programmers who promised useful quantum computers in 10 years. But it was only the breathless media.

    • Wouldn't it be out of date and all but useless by then?

      Depends on your life cycle. Decrypting internal Google documents in 10 years would be pointless. All of their software would have been killed off, replaced, the replacements killed off, and replaced again with 4 programs doing the same thing, 3 of which would be in the process of being killed off again.

      On the flip side 5 years ago the complete design documents of the fresh operational F-35 would be current. They are still current today, and given the slow development of military technology they will likely

  • Is that stuff like RSA would be vulnerable to a quantum attack, but not something like AES, which is more likely how "user data" would be stored,
    • Yeah, exactly. I don't believe symmetric cyphers are particularly vulnerable to quantum attacks. If you're worried, just double the key length.

      • One concern is that someone will discover a better quantum algorithm to attack symmetric ciphers.
        • That's a very broad, strange claim, since the math has been worked on for decades, ever since Feynman first discussed the possibility.

          There is nothing available in the math to break information theory. New algorithms would be small improvements based on the details of the engineering, and would most likely be to work around problems that come up in the implementation, not anything that would improve the theoretical best algorithms.

    • Re:My understanding (Score:5, Informative)

      by arglebargle_xiv ( 2212710 ) on Saturday November 06, 2021 @03:28AM (#61962465)

      Yeah, but then it wouldn't make a nice scaremongering story.

      I'd be more worried about homeopathic cryptanalysis [metzdowd.com], which is a far bigger threat than quantum.

    • by Junta ( 36770 )

      Correct, however if you can work ecdh backwards than you can get the symmetric keys for any network communication. So breaking asymmetric would crack open TLS as transferred today. It wouldn't be that useful for disk encryption or to break passwords that are properly hashed/salted.

    • Looks like the mods don't understand the math! lol

      Very little will become vulnerable, even if the quantum tricks work. And even then, only the stuff with small keys. The biggest threats would be right when it was first achieved, if people don't know about it. The worst thing about keys being busted in secret would be the ability to log into compromised systems. So it is important to switch to large keys. But the large keys already in common use wouldn't be vulnerable to early efforts.

  • by petes_PoV ( 912422 ) on Saturday November 06, 2021 @02:29AM (#61962411)
    Any decently encrypted data will look like random numbers. So fill the archives with content that has the format of valid, encrypted data but it nothing more than /dev/random. The hackers will waste much time trying to decrypt this and (hopefully) give up. Either thinking the data is false or that there is a new, uncrackable, encryption technique being used.

    Of course, some disinformation to support that hypothesis would not hurt, either.

    • Security through obscurity will buy you another 3 months.
    • by Junta ( 36770 )

      They would presumably be capturing data in context. E.g. capturing traffic from client systems to wellknownbank.com.

      Grabbing encrypted disk content is not applicable to quantum, as that is already quantum resiliant.

    • That is pointless for multiple reasons:
      a) keeping relevant data and making it look relevant means dedicating hardware which looks like it is real and in active use as well. There is a cost associated with that.
      b) if someone is able to get into your network and exfiltrate that amount of data they will also be able to identify which data is actively used and which is decoy. Hackers typically do far more targeted attacks than you give them credit for.

  • Fool me once, fool me twice, NIST has a soiled reputation. Yet here they are discussing 'commercial' products, when there are plenty of open source crypto libraries, and OpenBSD has some robust or paranoid implementations based on past performance of supposedly sound standards. Then there are .govt only codes, normally not available to rest of world. Then there is Google and Cloud servers, were adding crypto is burning electricity and adding to global warming. However Wireguard is most efficient. Looking ba
  • I guess if you wanted to be really secure you could use the encrypted stream as a reference to other streams that are available to everyone at the same time, say the main stream is a set of instructions that say something like 'switch to 102.8FM and multiplex it with this value for the next second..'.
    Then you'd need the people collecting the data to also record all possible other sources of data.

  • by Freischutz ( 4776131 ) on Saturday November 06, 2021 @07:19AM (#61962705)
    Some 25 years ago the Russian security services went looking for typewriters to use for secure archiving and secure communications via couriers with an armed escort of Alpha Group gorillas. This is why, it scales the problem of getting the candy up from simply hacking a computer or network to investing in a tactical team to capture the courier and killing the gorillas. The only reasonably secure computer system today is an air-gapped one, and the only reasonably secure electronic communications method is a courier with an encrypted tamper proof USB stick and an escort of armed [wherever you sourced them from] gorillas, like al-Qaeda does.
    • Re: Typewriters ... (Score:4, Interesting)

      by chill ( 34294 ) on Saturday November 06, 2021 @07:46AM (#61962757) Journal

      Kids these days. Typewriters? You should read up on Project GUNMAN before posting about reviving Cold War tactics.

      • Kids these days. Typewriters? You should read up on Project GUNMAN before posting about reviving Cold War tactics.

        This was back in the early 1990s, probably before you were born, precious child. However, even back then I thought they were going a bit far with typewriters but the basic principle is sound. The Chinese had an easier time stealing large portions of the F-35 technical package by hacking the internet exposed computer systems of US defence contractors resulting in this: https://qph.fs.quoracdn.net/ma... [quoracdn.net] than the US had 'hacking' islamist terrorist courier system or Iran's air-gapped enrichment facilities. The

        • by forty-2 ( 145915 )

          This was back in the early 1990s, probably before you were born, precious child.

          Eyah, pretty sure the 5 digit UID says they were born before the 90s...

        • 1976 [cryptologi...dation.org]

    • Some 25 years ago the Russian security services went looking for typewriters to use for secure archiving and secure communications via couriers with an armed escort of Alpha Group gorillas. This is why, it scales the problem of getting the candy up from simply hacking a computer or network to investing in a tactical team to capture the courier and killing the gorillas. The only reasonably secure computer system today is an air-gapped one, and the only reasonably secure electronic communications method is a courier with an encrypted tamper proof USB stick and an escort of armed [wherever you sourced them from] gorillas, like al-Qaeda does.

      No wonder gorillas are endangered species.

      • That's due to the proliferation of gorilla warfare.

        We shouldn't allow them to bear arms. Or arm bears.

        • If you can stop them from growing bear arms, maybe you can stop them from growing bear necks, too? It's just gross.

  • Like the classified material surrounding the Kennedy assassination: governments vastly overestimate the importance of whatever information they have.

    Collect a bunch of random data today - decrypt it in 20 or 30 years - and spend how much time sorting through it? Sure, maybe you'll embarrass some former politician - that's if you're lucky - but nothing will be of any real importance any more. Deployment plans? Operational procedures? All irrelevant, after only a few years.

    • Considering that they still haven't released all the information about the Kennedy assassination, we have no way to weigh the important of any specific detail.

  • I mean you really need to stock up on storage to keep up with everyone else right?

  • The value of the vast majority of data out there is time-dependent: something that is worth the while keeping protected by encryption today will probably not be so in ten years time. If they are collecting data indiscriminately they may be wasting their time. This aside from the fact that chances are that in ten years time quantum computers will be only marginally less useless - from a practical point of view - than they are today.
  • Encryption isn't forever. What might be nearly uncrackable now won't be in 20 years.

    If you have something you want locked up forever, dirty secrets you want no people to ever see, then keep it off the net and put whatever media it was on into a shredderand put the remains inside of a blast furnace.

    • Or 200. Or 2000. Or never.

      It isn't actually clear, theoretically, that there are good shortcuts in information theory.

      It is clear that it is a lot of work to avoid bit-rot in stored data, though.

    • > Encryption isn't forever. What might be nearly uncrackable now won't be in 20 years.

      RSA was invented in the 70's, and in wide use by the 90's.

      Elliptic curve cryptography was invented in the 80's, and in wide use by the early 2000's.

      3DES was standardized in 1995, and saw widespread use early

      AES was standardized on in 2001

      All of these are unbreakable today, even 3des which only has some theoretical weaknesses which might one day be exploitable for some limited use cases.

      20 years is certainly not long eno

    • by kmoser ( 1469707 )
      ROT13^65535 should be unbreakable, no?
  • TURBULENT and TURMOIL.

  • I don't understand the claim. What will prevent malicious people from collecting data going forward, such that by the time a hypothesized quantum computer is available, they can also decrypt 9,8,...2,1 and 0 year old data? Also, if the invention happens in 15 or 20 years, what changes? Not much. They'll have slightly less valuable 20 year old decripted data, and 10 year old data, and fresh data.

    So it feels like government agencies introduce and mandate cryptographic tech in 1 year that's resilient to breaki

  • This has been talked about for years now:

    2017: https://www.wired.com/story/qu... [wired.com]
    2019: https://www.insidequantumtechn... [insidequan...nology.com]
    2019: https://carnegieendowment.org/... [carnegieendowment.org]

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...