The Web Security Emergency

We responsible users of the internet have always been wary when surfing the Web. We know that we need to make sure websites use TLS: we need to see HTTPS and a tick next to the certificate to be sure no one is eavesdropping on the information being transmitted.

How wrong we are.

The security industry has long known the weakness of RSA and ECC – the major cryptography used on the internet – as well as other asymmetric cryptography algorithms, against a quantum computer. And they have done little to prepare for the advent of the first quantum computer, because it has always been a futuristic dream. But this position is quickly becoming antiquated: there have been many developments in the last few years, and scientists are now projecting that the first quantum computer will arrive within 5 years. 5 years isn’t that far away when you consider that your sensitive data could be recorded by anyone today, or could have been recorded in the past, in the hope of decrypting it in 5 years!

There are people who think that quantum computers will never come, but they are just burying their heads in the sand. Researchers have already developed one which implements Shor’s algorithm – the one which breaks RSA and ECC – on a chip!

So what is the security industry doing about it now? The threat won’t arrive in 5 years; the internet is insecure today. People are carrying out bank transactions today, believing that the data being transmitted will never be read by an unauthorized third party. Programs and drivers are signed with algorithms which will be broken in 5 years. What will stop malware then? There are also anonymity systems such as Tor and I2P which likely use RSA as the basis for their security. In 5 years, how many citizens in politically oppressed countries will get the death penalty?

Fortunately, there are asymmetric cryptography algorithms which are not known to be breakable by quantum computers, but these have not been standardised or fully researched yet. These can be found at http://spectrum.ieee.org/computing/software/cryptographers-take-on-quantum-computers. So what it comes down to is that the security industry doesn’t have the answer, and that’s the reason they are not telling anyone about the problem. They’re effectively covering up the truth.

UPDATE:

I’ve seen a lot of rapid developments recently. I’m still optimistic about an RSA-breaking quantum computer within 5 years (from June 3, 2010).

http://arstechnica.com/science/news/2012/04/doped-diamond-sends-single-photons-flying.ars

UPDATE:

The commercially available D-Wave (quantum annealing) can factorise numbers, according to some of their marketing, and this StackExchange question. The StackExchange question also describes the currently perceived limits of D-Wave, or quantum annealing in general, estimating that N^2 qubits are required for an N-bit prime. The current D-Wave is only 512 bits.

If the amount of bits were to double annually, then 1024-bit SSL encryption would potentially be easily cracked by such a device in 11 years (1024^2 = 2^20 and 512 = 2^9, so 11 doublings are needed).

However, this is what is commercially available. Given enough money, it would be conceivable that a government / military could possess one now. Maybe even the NSA.

UPDATE:

D-Wave cannot break today’s SSL web encryption:

The optimizer they now claim to have is restricted to problems that can be mapped to an Ising model—in other words, the computer is not universal. (This precludes Shor’s algorithm, which factors integers on a quantum computer.)

http://arstechnica.com/science/2013/08/d-waves-black-box-starts-to-open-up/2/

UPDATE:

I’ve got less than a year left on my 5 year prediction, but I have finally found a scientist making a prediction themselves. It would not be unreasonable to think the US DoD could have this already, or within a year, but it would be most practical to simply say I was possibly out by 5 years. So effectively the warning starts today!

They hold out the possibility of a quantum computer being built in the next five to 15 years.

See http://www.abc.net.au/pm/content/2014/s4105988.htm

UPDATE [2015-09-30]:

Even the NSA are worried about the post-quantum computing world, see: http://hackaday.com/2015/09/29/quantum-computing-kills-encryption/

UPDATE [2015-10-14]:

Maybe my prediction was right (only out by 4 months): http://www.engineering.unsw.edu.au/news/quantum-computing-first-two-qubit-logic-gate-in-silicon

Apparently it is feasible to build a quantum computer today, one that can defeat all encryption used in internet communication today (as long as that data is wiretapped and stored). Although it may take 5 years for mass-scale commercialization, I’m sure the NSA, FBI and DoD of the USA would be capable of building a quantum computer now, if they didn’t already have one.

The breakthrough by UNSW could very well have been discovered earlier in secret. So this has implications for international espionage today, broader law enforcement in years, and the whole underpinning of internet security in 5 years.

Using WiFi and searching Google via HTTPS? In 5 years, the owner of the Access Point could very likely decrypt your searches, and other information including bank passwords.

The only secure encryption today requires a password to be entered on each end of the communication channel.

Further Reading

http://en.wikipedia.org/wiki/Quantum_computer

http://www.newscientist.com/article/dn17736-codebreaking-quantum-algorithm-run-on-a-silicon-chip.html

http://www.itnews.com.au/News/213800,toshiba-invention-brings-quantum-computing-closer.aspx

http://www.nature.com/nature/journal/v460/n7252/pdf/nature08121.pdf

http://spectrum.ieee.org/computing/software/cryptographers-take-on-quantum-computers
