Will Quantum Computers Become the Next Cyber-Attack Platform?

Quantum computing promises unprecedented levels of speed and power. Cyber attackers can hardly wait.

At a Glance

  • The timeline for quantum cyber attacks depends on the widespread availability of sufficiently powerful quantum computers.
  • Conducting an enterprise-wide quantum risk assessment to identify systems vulnerable to an attack is a good place to start.
  • The cryptographic community has been working to address quantum threats for several years.

Giving a cyber attacker access to a quantum computer is kind of like handing the keys to a Ferrari Portofino M to a 12-year-old.

You really don’t want to think about the possible consequences.

It’s not a question of if, but when, the security risks posed by quantum computers become a significant danger, warns Colin Soutar, a Deloitte & Touche managing director and US cyber quantum readiness leader, as well as a member of the World Economic Forum’s Expert Network. He observes that some threats are already impacting organizations. “Adversaries are targeting organizations via Harvest Now-Decrypt Later (HNDL) attacks, which enables them to steal sensitive data with the intent to decrypt it once quantum computers become [widely] available.”

The security of today’s public key encryption is based on the fact that huge computational resources are required to solve factoring problems, especially for large integers, says NTT Research CEO, Kazuhiro (Kazu) Gomi. This may no longer be true in the years ahead, he warns. “Shor’s algorithm, running on a scalable quantum computer, will change this environment entirely,” Gomi predicts. With scalable quantum computers, factoring problems will no longer be difficult to achieve, and attackers will be able to determine secret-keys from public-keys. “Once the secret-key is known, the bad actors can complete many different attacks, including pretending to be the legitimate party in exchanging sensitive information,” he notes.
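The dependency Gomi describes can be seen on a toy RSA key. This is an added illustration, not part of the original article; the 12-bit modulus, the sample message and the trial-division factoring are constructed stand-ins for a real key and for Shor's algorithm.

```python
from math import isqrt

def factor_semiprime(n):
    """Return (p, q) with p * q == n. Feasible here only because n is tiny;
    for a 2048-bit modulus this step is what classical computers cannot do."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is not a product of two primes")

def private_exponent(n, e):
    """Derive the RSA private exponent d from the public key (n, e) alone."""
    p, q = factor_semiprime(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

def recover_plaintext(ciphertext, n, e):
    """Decrypt a recorded ciphertext using only the public key.
    This is the 'decrypt later' half of harvest-now, decrypt-later."""
    return pow(ciphertext, private_exponent(n, e), n)

def signature_verifies(message, signature, n, e):
    """Ordinary textbook-RSA verification, as a relying party would run it."""
    return pow(signature, e, n) == message % n

# Constructed sample public key (p = 53, q = 61), far too small for real use.
N, E = 3233, 17

if __name__ == "__main__":
    recorded = pow(65, E, N)               # ciphertext captured in transit
    print("factors:", factor_semiprime(N))
    print("derived d:", private_exponent(N, E))
    print("recovered message:", recover_plaintext(recorded, N, E))
    # With d known, a signature made without the owner's key still verifies,
    # which is the impersonation risk quoted above.
    sig = pow(1234, private_exponent(N, E), N)
    print("unauthorized signature verifies:", signature_verifies(1234, sig, N, E))
```

Nothing in the recovery path needs the legitimate private key, which is why data encrypted under factoring-based key exchange today has to be treated as exposed once factoring becomes cheap.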

The timeline for the arrival of quantum cyberattacks depends on the widespread availability of sufficiently powerful quantum computers. “Progress in quantum computing is ongoing, and various organizations, including technology companies and research institutions, are working on quantum hardware and algorithms,” Gomi says. “However, it’s important to note that building stable and scalable quantum computers is an extremely challenging task, and significant technical hurdles remain.”

Attack Detection

A quantum cyberattack would likely be similar to today’s identity theft and data breaches. “The only difference is that the damage would be more widespread, since quantum computers could attack a broad class of encryption algorithms rather than just the particular way that a company or data center implements the algorithm, which is how attacks are currently done,” explains Eric Chitambar, associate professor of electrical and computer engineering at the Grainger College of Engineering at the University of Illinois Urbana-Champaign. Chitambar also leads the college’s Quantum Information Group.

We do have some idea of what to expect, Soutar says. “A cyberattack targeting quantum computers could [be] a bad actor accessing a network and looking for indicators that it includes valuable data traffic that would be subsequently captured and decrypted,” he observes. “Stolen data online today may already be a result of a HNDL attack, so it’s important we become better at recognizing these attacks, and of generally protecting access to such data.”

Preventative Measures

The best way to get a step ahead of quantum attackers is to change current data encryption methods to “quantum-safe” strategies, Chitambar says. “A quantum-safe algorithm is a security method using conventional computers that [would be] difficult to break, even for quantum computers,” he explains. Another possible path is to consider using quantum computers to store and transmit information securely. There are already known quantum methods for secure communication, and these would be safe against quantum cyberattacks, Chitambar notes. “In this scenario, we would be fighting quantum with quantum.”

While “Q-Day” might still be at least 5-10 years away, it’s coming faster than most security experts would like. Organizations should consider developing and deploying quantum-resistant security strategies now, says Torsten Staab, chief innovation officer and principal technical fellow at defense technology firm Raytheon.

Conducting an enterprise-wide quantum risk assessment to help identify systems that might be most vulnerable to a quantum attack would be a good place to start, Staab says. He also recommends deploying enterprise-wide Quantum Random Number Generator (QRNG) technology to generate quantum-resistant encryption keys. This approach promises crypto agility, implementation of Quantum Key Distribution (QKD) and the development of quantum-resistant algorithms. “As we head toward a quantum computing era, adopting a zero-trust architecture will become more important than ever,” Staab states. “Zero-trust principles such as ‘never trust, always verify’, ‘network micro-segmentation’, and ‘least-privilege access’ will be key to any organization’s security protocol.”

The good news is that the cryptographic community has been working to address quantum threats for several years. “The idea is to apply more complex mathematics to public key encryption so that even quantum computers cannot crack its security,” Gomi says. The latest encryption strategy is Post Quantum Cryptography (PQC). PQC’s key benefit is that although it has a more complex mathematical basis, widely deployed hardware can handle encryption/decryption processes in a manner similar to today’s public key system.

Final Thought

Staab says that building an effective quantum-readiness strategy, including a roadmap that addresses all potential threats, is essential. He notes that during the transition from today’s classical to tomorrow’s quantum crypto world, IT/OT solutions will have to be updated to support both technologies in order to properly function within mixed environments that include both legacy and next-generation PQC-enabled systems.

This article was reprinted by 数字化转型网 (www.szhzxw.cn), sourced from 数智化转型网; edited/translated by 默然 of 数字化转型网.
