Quantum 101: Part Two: Why Quantum Computing is Transforming IT Security

July 13, 2010

Curious about quantum computing’s potential to transform computing and IT security for good? This is Part Two of Countdown’s two-part Quantum 101 series by Steve Gold, technology and business journalist for over 20 years.

In part one of this blog, I explained what quantum computing was and why you should sit up and take notice. In part two I will explain why—and how—quantum computing will change your approaches to data protection.

First up, the security of data today is invariably protected through the use of encryption technology and the use of “keys,” or passphrases known only to two or more people.

Cracking an encryption system requires two steps: understanding how the encryption functions and knowing what the passphrase (key) is to a given encrypted file.

The first step—understanding how the encryption functions—requires the presence of the same crypto engine that created the file. The second step is far more complex, since knowing a given file’s passphrase or key typically involves stepping through all possible combinations of a passphrase until the correct one is discovered.

Until the arrival of specialist software from Russian password recovery specialist Elcomsoft (http://bit.ly/o3i2E) a few years ago, this brute-force methodology to cracking encryption passwords was viewed as both time-consuming and costly.

Elcomsoft changed the ballgame by developing software that significantly increased the processing power of a given PC by harnessing the number-crunching capabilities of one or more graphics cards installed in the machine.

If six high-end graphics cards were installed, Elcomsoft’s password recovery engine would reportedly accelerate the speed of a brute-force password cracking system by a factor of 100 or more. (NB: an amusing cartoon depiction of a brute force attack is available here: http://bit.ly/cCbh9Q)

The technology is sufficiently powerful for IT security researcher Moxie Marlinspike to have developed an online WiFi password cracker that he claims can crack a WPA WiFi password in around 20 minutes. The process would take a conventional high-end dual-core desktop PC around 120 hours.

To use the service, Internet users upload a copy of the handshake file that occurs when a WiFi device starts negotiating a link with a WiFi access point. The site then advises whether the password is crackable or not.

What’s notable about the service is that it does not use rainbow tables.

A rainbow table, in case you were wondering, is a large precomputed table that lists the “hash” of every possible password within a certain set of characters (e.g. a-z or A-Z or 0-9).

These tables save a lot of time when running a brute-force password cracking routine, but they take up A LOT of computer memory or hard disk space. You are basically trading memory and hard disk space in return for a shorter password cracking timeframe.

The problem with rainbow tables and WiFi passwords is that the tables change depending on which network you’re trying to crack. You could spend a long time trying each permutation and still not hit the right sequence.
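Why a precomputed table is tied to one network, as an added example that is not part of the original post: WPA-Personal derives its key from the passphrase with PBKDF2-HMAC-SHA1, using the network name (SSID) as the salt, so the same passphrase produces a different key on every SSID. The function names, the candidate list and the second SSID are constructed for illustration.

```python
import hashlib

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal pairwise master key.

    IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
    256-bit output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32
    )

def build_table(candidates, ssid):
    """Precompute key -> passphrase for ONE SSID (the salt is baked in)."""
    return {wpa_pmk(p, ssid): p for p in candidates}

def table_covers(table, passphrase, ssid):
    """True if a table already holds the key this network would use."""
    return wpa_pmk(passphrase, ssid) in table

# Constructed sample data, not taken from the article.
CANDIDATES = ["password", "letmein123", "correct horse"]
TABLE_SSID = "IEEE"           # SSID the table was precomputed for
OTHER_SSID = "HomeNet-4F2A"   # hypothetical unique network name

if __name__ == "__main__":
    table = build_table(CANDIDATES, TABLE_SSID)
    # Same weak passphrase on two networks: only the SSID differs.
    for ssid in (TABLE_SSID, OTHER_SSID):
        hit = table_covers(table, "password", ssid)
        print(f"{ssid!r}: key={wpa_pmk('password', ssid).hex()[:16]}... "
              f"in precomputed table: {hit}")
```

A table built for a common default SSID is useless against a network with a unique name, which is why a distinctive SSID plus a long passphrase raises the cost of this kind of precomputation.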

Marlinspike therefore started the programming required to drive his 400-node computer array from scratch. It is this platform that drives his WPAcracker service. It works well and has been used “in the field” by a number of researchers.

Quantum computing changes the passphrase ballgame by making passphrase encryption keys almost as redundant as a trading standards officer in a London flea market.

Like Elcomsoft’s password recovery platform and WPAcracker.com, quantum computing will advance the speed with which passwords can be brute-force-cracked, but by many more factors than these existing technologies already do.

Search giant Google is reportedly working with the US government and a Canadian firm called D-Wave (http://bit.ly/9ZJwQI) to develop real-world quantum computing (QC) technology.

Why the interest? Well, QC-based technology is reportedly invulnerable to conventional hacking attack vectors, simply because QC has a totally different architecture than that of conventional PCs, since QC is based on qubits, rather than conventional bits of data.

Qubits, as I mentioned in Part One, exist not only as a 0 or a 1, like conventional bits, but also in states somewhere in between.

The bad news here is that, just as conventional cybersecurity attack vectors are invalidated by the complex architecture of QC-based technology, so conventional IT security defence methodologies also become ineffective.

QC-based technology harnesses the unique behaviour of sub-atomic particles.

Researchers have come to view quantum physics as a distinctly separate discipline from classical physics, which, of course, makes data interfacing with a QC-based platform all the more difficult. You need a lot more than a USB cable to connect the two environments!

Current thinking suggests that while a QC-based environment is beyond a private enterprise’s ability to create, a suitably equipped government agency could develop such a platform, although the costs involved with the research would be prohibitive.

But the rewards of developing a QC-platform that can be replicated at least a few times over would be immense. A government that had access to this level of technology would be able to decrypt any transmission or data block presented to the interface.

Furthermore, if a sufficient number of decryption processes were carried out on a defined set of data files, then it would become possible to differentiate (or extrapolate) the complex underlying pattern that public key cryptography is based upon.

This would place us in the interesting situation of having created a universal decryption table system that—like the rainbow tables we mentioned before—would allow lower-power, conventional PCs to decrypt any high-level encrypted stream or block of data.

The good news is that this same process could be reversed to create what would be essentially unbreakable encryption codes.

While Google and the US government bring, respectively, processing power and money to the research table, Canada’s D-Wave is where the real grunt work of QC-based technology research appears to lie.

The firm has reportedly spent almost 30 million pounds over the last five years trying to create a chipset that would feature 128 total qubits. And in a demonstration held late last year, a Google-style search algorithm could differentiate objects in several thousand still images.

According to Geordie Rose, a senior researcher with D-Wave, a universal QC-based computer “is the most powerful computer possible in our universe.”

It’s almost certain that, as QC-based technology evolves, more and more IT security vendors will start developing technologies that are multi-layered—or have the ability to layer interface with other vendors’ products—right out of the box.

For businesses, this means that it will be possible to source a firewall “brick,” an IT security appliance and an anti-spam appliance, and plug them into each other without any software or hardware conflicts.

Furthermore, it will be possible to manage those security devices by using a single integrated software dashboard, in much the same way a VMware hypervisor (aka “virtual machine monitor”) can control multiple concurrent instances of different operating systems on a single platform.

This “Lego Brick” approach to IT security means that as existing defences become devalued by the developments in the world of quantum computing, these defences can be replaced or augmented without too many problems for the IT platform the defences are protecting.

However, it is still difficult to envisage exactly how this nonstop and modular approach to IT security can be transposed to a consumer environment. This difficulty suggests that as QC-based technology evolves, consumers may have to migrate to thin-client IT architectures to ensure high levels of security.

But that, as they say, is another story…

