Google’s post-quantum upgrade is a start, but let’s not get too carried away
Quantum computers, though not functional today, will usher in a new era for cryptography and digital security. As we all know by now, these machines will compromise the cryptographic security of our entire digital infrastructure, impacting everyone from hospitals to banks.
Even more concerning, however, is that some of our sensitive information today is vulnerable to such devices even before they’re up-and-running. Known as Harvest Now, Decrypt Later (HDNL) attacks, encrypted data can be stolen and held on to with the intention of decrypting later once the technology has developed. As well as occurrences of internet traffic being re-routed for no apparent reason before resuming its path, security agencies like the NSA and MI6 have confirmed the existence of these attacks; it’s fair to say that this is an immediate threat – and a priority for security.
In August, Google announced it was taking action against these threats, with the newest version of its browser, Chrome 116, being upgraded to include the post-quantum encryption algorithm Kyber. The update represents the first significant milestone in the post-quantum transition for the world’s largest browser. It has undertaken a hybrid approach, this means that traditional Elliptic Curve cryptography has also been left in place alongside Kyber, which helps mitigate risk and provide continued tried and tested protection from attacks with today’s classical computers. This step also insures against someone managing to break the new Kyber algorithm.
Let’s start with the positives: Google is operating on the basis that the advent of a quantum computer is not a matter of if, but when, and as such they are looking to secure their digital infrastructure as far as possible before a cryptographically relevant quantum computer is functioning. A good step in the right direction, considering how widely used the product is.
But it’s important to not get carried away, particularly if you are an organization that needs to shield its data for a long time. So far, it seems that Google has only upgraded their browser security on the client side – so any link that has not been upgraded, will not be quantum safe. This may lead people to falsely assume that their browsing is secure.
Perhaps most importantly, every cloud application will also need to upgrade to Kyber for Google Chrome’s security protections to ensure a secure connection. However, as Kyber hasn’t yet been fully standardized – it is unlikely that apps will migrate to Kyber just yet, leaving web browsers as vulnerable as ever.
For instance, if someone were to access their online bank through Chrome, if the bank had not upgraded to Kyber, the connection would not be quantum resistant. Meaning that, much of what we do online – and need quantum resistant encryption for, will not be secured by this upgrade.
Beyond user experience, there is also the question of how information is secured behind the scenes. Everyday our activity and data is stored in and between data centers, if these are not afforded quantum-resistant security, there is little point securing it on the surface. But, this is another beast and would likely require a separate solution, like the VPN network in use at NATO.
On balance, Google breaking ground in their post-quantum migration is encouraging and a welcome move. As mentioned, it has enormous symbolic value and legitimates years of warnings from cybersecurity experts. But as it stands, it is not a total solution – and until Kyber is fully standardized we are unlikely to see businesses follow Google, limiting the scope of the quantum security afforded by the update.
It also highlights the importance of enterprises acting for themselves, rather than waiting for those in control of shared public infrastructure to make the first move. For example, rather than waiting for public infrastructure to be upgraded, if you’re an organization worried about HNDL attacks, you should already be working on creating bespoke end-to-end infrastructure that’s quantum-safe by design, where everything from your business processes to day-to-day internal communications are protected.
We’ll be watching Google’s next move closely and applaud it for kick-starting its migration, but it’s vital that those that are high risk see the update in a broader context. In doing so, it’s plain to see the need to chart your own migration path as soon as possible.
Sponsored by Post-Quantum.