Xsette Quantum-Resistant Encryption Methods

Quantum computing is advancing rapidly, bringing unprecedented processing power that threatens traditional encryption methods. The "collect now, decrypt later" strategy underscores the urgency of preparation, adversaries are already harvesting encrypted data with the intent to decrypt it once large-scale quantum computers become viable. Fortinet is leading the way in quantum-safe security, integrating NIST PQC algorithms, including CRYSTALS-KYBER, into FortiOS to safeguard data from future quantum-based attacks. "A recent real-world demonstration by JPMorgan Chase (JPMC) showcased quantum-safe high-speed 100 Gbps site-to-site IPsec tunnels secured using QKD. The test was conducted between two JPMC data centers in Singapore, covering over 46 km of telecom fiber, and achieved 45 days of continuous operation." "The network leveraged QKD vendor ID Quantique for the quantum key exchange, Fortinet’s FortiGate 4201F for network encryption, and FortiTester for performance measurement." This is not just a theoretical concern, organizations are already deploying quantum-safe encryption solutions. As quantum computing capabilities advance, organizations must adopt quantum-resistant security architectures and take proactive steps now to safeguard their sensitive information against future quantum-enabled attacks. These proactive methods include: -adopting hybrid cryptographic approaches, combining classical and PQC algorithms, ensuring interoperability and a phased transition -implementing crypto-agile architectures, for seamless updates to encryption mechanisms as new quantum-resistant standards emerge -leveraging PQC capable HSMs and TPMs -evaluating network security architectures, such as ZTNA models -ensuring authentication and access controls are resistant to quantum threats. -identifying mission-critical and long-lived data, that must remain secure for decades. -implementing sensitivity-based classification, determine which datasets require the highest level of post-quantum protection. -conducting risk assessments to evaluate data exposure, storage locations, and current encryption standards. -transitioning to quantum-resistant encryption algorithms recommended by NIST’s PQC standardization efforts. -establishing data-at-rest and data-in-transit encryption policies, mandate use of PQC algorithms as they become available. -strengthening key management practices -developing GRC frameworks ensuring adherence to post-quantum security. -implementing continuous cryptographic monitoring to detect and phase out vulnerable encryption methods. -enforcing regulatory compliance by aligning with emerging PQC standards. -establishing incident response plans to handle quantum-driven cryptographic threats proactively. Fortinet remains committed to pioneering quantum-safe encryption solutions, enabling organizations to stay ahead of emerging cryptographic threats. Read more from Dr. Carl Windsor, Fortinet’s CISO!

Last week #NIST released three post-#quantum #encryption standards. Why is this significant? Put simply, from a practical standpoint: risk management and compliance. First, on risk management: experts now say that quantum computing is less than a decade away. Quantum computers are expected to have the power to search large keyspaces very quickly, which means they will be able to decrypt current encryption. Moreover, it is entirely plausible that encrypted information recorded today is being stored for decryption when quantum computing becomes available. If you speculatively apply quantum-resistant encryption to your data now, you will reduce the risk of an adversary being able to successfully exploit your data when they have access to quantum computing. Second, on compliance: NIST is the governing body for standards in the USA, and many other nations take their encryption standards from NIST, as they do not have resources at the same scale as NIST. You can be certain that NIST-approved post-quantum algorithms will start being mentioned in various compliance checklists, as is the case currently with algorithms such as AES-256 and SHA-256. Note well that these algorithms have #FIPS numbers associated with them - meaning "Federal Information Processing Standard". Briefly, the approved algorithms are: 🔒 ML-KEM, for encrypted key exchange, as FIPS 203 🔒 ML-DSA, for digital signatures, as FIPS 204 🔒 SLH-DSA, for stateless hash-based digital signatures, as FIPS 205 There is a fourth algorithm, FN-DSA, also used for digital signatures, that is expected to be released in the next year.

 NIST’s Post-Quantum Cryptography Standards: ‘The Start of the Race’ NIST's finalized standards for post-quantum cryptography mark a critical step in addressing the looming cybersecurity risks posed by quantum computing. This development is being hailed as the beginning of a new era in cryptographic resilience, with sweeping implications for governments, businesses, and other stakeholders.  The Threat of Quantum Computing Quantum computers are advancing rapidly, posing a significant risk to current public-key cryptographic systems. Algorithms such as RSA and ECC, widely used to secure digital communications and data, could be rendered obsolete by quantum computing's capacity to break these cryptographic codes. The "harvest now, decrypt later" strategy, where encrypted data is collected now for decryption by future quantum computers, highlights the urgency of transitioning to quantum-resistant cryptography.  NIST’s Standards and Their Importance NIST has been spearheading efforts to establish post-quantum cryptography standards. This multiyear process involved a global competition to identify algorithms robust enough to withstand quantum threats. Four algorithms have been selected for their resilience and efficiency: - CRYSTALS-Kyber for general encryption. - CRYSTALS-Dilithium, Falcon, and SPHINCS+ for digital signatures. These standards are intended to secure systems against quantum attacks while maintaining compatibility with existing infrastructure.  Implementation Challenges Transitioning to post-quantum cryptography is a monumental challenge. Organizations must replace or upgrade cryptographic tools across various devices, systems, and processes. The process will require significant collaboration among hardware manufacturers, software developers, and cybersecurity teams. A particular concern lies in systems where cryptography is deeply embedded, such as in IoT devices and industrial control systems, which may require extensive retrofitting or redesign.  Federal and Industry Implications NIST’s standards will become mandatory for federal agencies, but the private sector, especially industries like finance, telecommunications, and healthcare, is expected to follow suit. Critical infrastructure operators are also being encouraged to transition proactively to quantum-safe solutions.  Timing and Urgency Experts estimate that practical quantum computers capable of breaking current encryption could arrive within 5 to 10 years. However, given the complexity of transitioning to post-quantum cryptography, organizations are urged to begin the process immediately.  Strategic Recommendations Organizations are advised to: 1. Assess Risks: Inventory systems using vulnerable cryptographic algorithms and evaluate the risks. 2. Collaborate: Work with supply chain partners and industry peers to ensure a cohesive transition. 3. Invest in Upgrades: Allocate resources for upgrading cryptographic systems and devices.

💡 Wow! This past week marked a major leap forward in rolling out post-quantum cryptography algorithms to protect against “store now, decrypt later” attacks with major updates in OpenSSL 3.5.0 & OpenSSH 10.0 ⬇️ 🔐 What is a “Store Now, Decrypt Later” attack? It’s a forward-looking threat, where adversaries capture encrypted data today and hold onto it, waiting until large-scale quantum computers are powerful enough to break current encryption algorithms (like RSA & ECC) using Shor’s algorithm and decrypt the data. This is particularly dangerous for sensitive long-term information like financial records, important intellectual property and national security data. 🛡️ Why last week’s updates matter: Both OpenSSH and OpenSSL took big steps in implementing post-quantum cryptography (PQC), algorithms designed to remain secure even against quantum computers. 🧩 OpenSSH 10.0 Highlights (https://lnkd.in/gP5q3q7M): • 🚫 Deprecated outdated DSA & classic Diffie-Hellman key exchanges. • 🔐 Default key exchange now uses MLKEM-768, a quantum-safe and NIST-standardized algorithm. • 🔒 Isolated the SSH authentication process into a separate memory space using ssh-auth, mitigating the impact of login-related vulnerabilities like Terrapin or RegreSSHion. 🔐 OpenSSL 3.5.0 Highlights (https://lnkd.in/gmtgVVzv): • ✅ Adds support for three newly standardized PQC algorithms: ML-KEM (Key Encapsulation), ML-DSA (Digital Signatures) & SLH-DSA (Hash-Based Signatures). • 🔄 Sets AES-256-CBC as the new symmetric default over older, weaker ciphers. • 📅 This is a Long-Term Support (LTS) release, supported through 2030. Kudos to the maintainers and contributors pushing these critical projects forward. The future of secure communication just got a lot more resilient. 😁 #CyberSecurity #PostQuantumCryptography #OpenSSL #OpenSSH #QuantumResistant #StoreNowDecryptLater #Encryption #Infosec #TechLeadership #PQC #NIST

X-CUBE-PQC: STM32 Post Quantum Cryptographic firmware library software expansion for STM32Cube With the advent of quantum computers, traditional asymmetric cryptographic algorithms such as RSA, ECC, DH, ECDH, and ECDHE become vulnerable. In response, NIST has selected a new set of algorithms designed to be resistant to quantum computing attacks. The STM32 post-quantum cryptographic library package (X-CUBE-PQC) includes all the major security algorithms for encryption, hashing, message authentication, and digital signing. This enables developers to satisfy application requirements for any combination of data integrity, confidentiality, identification/authentication, and nonrepudiation. It includes both the PQC Leighton-Micali signature (LMS) and the extended Merkle signature scheme (XMSS) verification methods, which are used mainly for secure boot code authentication. It also includes the ML-KEM lattice-based algorithm, which can replace the current use of key exchange mechanisms to establish a secret key between two parties. ML-DSA is included for digital signatures. ML-DSA can replace ECDSA, EdDSA, and RSA-PSS in protocols, for instance in high-level applications as a method of authentication, of attestation, or both. https://lnkd.in/gTjstZfm

Energy Consumption of Post Quantum Cryptography: Dilithium and Kyber Beat Our Existing TLS 1.3 Performance Like it or not, our existing public key methods will be easily cracked by quantum computers. We must thus look to new quantum robust methods to provide our key exchange, digital signing and public key encryption methods. Thus, TLS 1.3 and above will have to migrate away from anything that uses RSA and ECC, and towards quantum robust methods, such as with lattice techniques. For this, NIST recently started the standardization of Kyber for key exchange and public key encryption and for Dilithium in digital signatures. There will be others coming along behind them, though, possibly with Bike, FrodoKEM and Falcon for key exchange and Sphincs+ for digital signatures. But, there’s a feeling that Post Quantum Cryptograph (PQC) will not be as fast and be more costly for energy consumption than our existing public key methods. Now, a relatively new paper puts this fear aside and shows that the best PQC methods can beat our elliptic curve and RSA methods for a TLS 1.3 handshake. https://lnkd.in/e3RUG7_u

𝐖𝐡𝐲 𝐐𝐮𝐚𝐧𝐭𝐮𝐦-𝐑𝐞𝐬𝐢𝐬𝐭𝐚𝐧𝐭 𝐄𝐧𝐜𝐫𝐲𝐩𝐭𝐢𝐨𝐧 𝐢𝐬 𝐭𝐡𝐞 𝐅𝐮𝐭𝐮𝐫𝐞 𝐨𝐟 𝐂𝐨𝐧𝐧𝐞𝐜𝐭𝐞𝐝 𝐕𝐞𝐡𝐢𝐜𝐥𝐞𝐬 The automotive industry is going digital—but 𝐢𝐬 𝐲𝐨𝐮𝐫 𝐯𝐞𝐡𝐢𝐜𝐥𝐞 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐩𝐫𝐞𝐩𝐚𝐫𝐞𝐝 𝐟𝐨𝐫 𝐭𝐡𝐞 𝐪𝐮𝐚𝐧𝐭𝐮𝐦 𝐞𝐫𝐚? With the rise of Software-Defined Vehicles (#SDVs), cyberattacks are becoming more sophisticated. Today’s encryption methods like #RSA and #ECC will soon become obsolete due to quantum breakthroughs. Quantum computers can solve mathematical problems exponentially faster than traditional computers, meaning: 1. Hackers can bypass encryption and take control of your vehicle 2. Vehicle-to-everything (V2X) communications can be intercepted 3. OTA software updates could be manipulated, leading to safety risks Quantum Cryptography/Computing (#QC) To secure vehicles against quantum threats, OEMs and Tier-1 suppliers must transition to: ✅ Lattice-based cryptography ✅ Hash-based cryptography ✅ Code-based cryptography 🔹 Ensures secure OTA updates and firmware protection 🔹 Prevents unauthorized vehicle hacks and remote takeovers 🔹 Guarantees data privacy and regulatory compliance Leading companies are already working on quantum-secure solutions. Are you? #PostQuantumSecurity #AutomotiveCybersecurity #SDV #OEM #Tier1 #CyberThreats #QuantumComputing #IDPS image credit:rinftech