Much of our current IT infrastructure relies on DNS to route traffic securely. Securing that infrastructure in turn relies heavily on encryption, but there is a threat looming.
Quantum computing will provide a level of processing power that could render existing encryption technologies obsolete, and that’s a problem for all of the internet and networking worlds. We spoke to Peter Lowe, principal security researcher at DNSFilter, to discuss the potential impact of quantum computing on security and what can be done to counter the threat.
BN: Why is encryption so essential to the DNS?
PL: Encryption is the basis that Domain Name Security (DNS) servers use for verification as part of DNS Security Extensions (DNSSEC). To achieve verification through the use of digital signatures or symmetric keys, DNS must confirm that the signer and the data are who and what they claim to be—and strong encryption is the only way to ensure that we can trust the results.
BN: How does quantum computing put this at risk?
PL: Unlike a conventional computer that encodes information in bits, a quantum computer encodes information in quantum bits (qubits) which work in a different way. Qubits enable quantum computing to not only encode information faster, but store more information at once, threatening cybersecurity as we know it.
Quantum computing has the speed and power to break encryption algorithms, enable hackers to securely access data that was previously encrypted, and store and decrypt that data later. It is relatively easy to access the data “on the wire” by performing a man-in-the-middle attack, but it is useless if the transmitted data is encrypted. Right now, the data would just look like a random sequence of bytes, and without the threat of quantum computing, it could stay that way for hundreds of years into the future. Quantum computing has the potential to enable hackers to decrypt this more easily, and data may not remain secure for as long as it was originally intended.
Furthermore, quantum computing poses key and signature size challenges, which are much larger than current algorithms. Post-quantum cryptography uses larger key sizes than we are currently used to, which is a good thing in itself. But due to limitations in the protocol used by DNS servers, called Universal Datagram Protocol, or UDP, packet sizes can become larger than the server is designed to handle. Not to mention that larger key sizes will require exponentially increased computational resources on the servers themselves.
To protect against these cryptographic threats, the industry has begun to look into rolling out post-quantum algorithms. However, DNSSEC is particularly challenging to move beyond quantum algorithms because of potential infrastructure implications. Updating ciphers is a risky process, especially for those using root servers: if the passphrases used to generate the keys are compromised, it may be possible to falsify any domain verification performed. Every three months, a carefully designed key-signing ceremony is held to generate the keys used at the top of the DNSSEC chain. This process must be thoroughly reviewed if any changes occur, which means literally every validated DNS request on the Internet — trillions every day — could be hacked.
BN: How can organizations start planning for a post-quantum world?
PL: For organizations to prepare for a post-quantum world, it is essential to change our way of thinking to let go of the idea that some messages will remain private forever. We are regularly assured that encryption protects our data from hackers, and while that is the case as it is, it is important to keep in mind that encryption is going to break at some point. The biggest difference with quantum computing is that it can happen much faster than we imagined.
One example is messages. There are many messaging systems that provide end-to-end encryption (E2EE), and are used to exchange messages securely without worrying that if messages are intercepted, they can be read by hackers in the foreseeable future. Quantum computing speeds up this timeline by an amount. Therefore, data storage may become a viable option for determined hackers.
High-risk institutions, such as banks and governments, should start preparing to use post-quantum algorithms as early as possible. While there is still plenty of time to do this, it will be a long process, so the earlier you start, the better.
The first step is to prepare: determine where encryption will be used within the entire organization, document the current procedures and algorithms used, and define retention requirements for each type of data stored. In addition, security professionals need to abandon the strict measures: the more stringent the measures, the more difficult it will be to update later. To prevent these challenges in the future, security teams must ensure that any existing practices are as flexible as possible.
For stored data, the safest option is always to simply delete it. For data that needs to be kept forever, there should be preparations to re-encrypt it when updated standards are ready. For software and hardware that otherwise use encryption, see if the provider has any plans to upgrade its algorithms and explore alternatives.
Staying abreast of the latest developments in quantum computing will be another key factor in planning for a post-quantum world, whether it’s reading industry newsletters or paying close attention to benchmark updates from the US Department of Commerce’s National Institute of Standards and Technology (NIST).
BN: Are there post-quantum solutions available or in the pipeline?
PL: In July of 2022, NIST selected four cryptographic algorithms to add to NIST’s Post-Quantum Encryption Standard, expected to be available within about two years. There are also plans to announce another round of algorithms soon.
The challenges in the DNS world are largely practical rather than algorithmic: hardware will need to adapt to growing computational demands, and protocols will need to be modified or introduced without the current limitations that hold back those in use today.
One option on the table is to use hash-based signatures, which hold up well against quantum postcoding and have less overhead when they need to be changed. But even low overheads are still important.
Currently, there is no complete solution to solve this problem. However, industry discussions are underway, and I’m excited to see what’s in store.