Intersection Security

A blog that informs about security topics in the small intersection between IT and OT.

[
[
[

]
]
]

Marie Antoinette, a Swedish Count and Quantum Computing

When Marie Antoinette, the Queen of France, was arrested on the 17 of January 1792 she wrote a letter to a Swedish count, Axel von Fersen. The rumours that they were lovers had been whispered about for a long time but no proof had ever been shown.

In the letter she expressed her fear the arrest brought and also asked for help to escape Paris. Before this Axel von Fersen had been involved in several attempts to free the Queen and King but none had so far been successful.

 

But, you might wonder, what could this ever have to do with the modern world and Quantum Computers? The things is, Marie and Axel did not just write letters in plain text to each other but they encrypted them. They used a polyalphabetic system to encrypt their letters. At the time no-one ever deciphered the letters so their content was unknown.

Had the content been revealed at the time it had probably led to the swift death of both of them but the encryption kept them alive, for now.

It was not until modern day research, x-ray technology and, code breaking that some of the contents became known. This is also true in modern day cryptography, if you keep your private key private there is no risk that your data will be deciphered.

But as it was for Marie and Axel, new technology is coming that might upset everything you learned about cryptography. The scare is that a quantum computer can break your private key crypto in no time, no matter the key length.

This will not be about the specific algorithms that can be used with quantum computers, e.g., Shor’s or Grover’s, or why quantum mechanics can be used in this way but rather about the impact they will have on cryptography with special focus on impacts and remedies on systems controlling critical infrastructure.

Threats posed by Quantum Computers

If you are running a power plant or commissioning trains for transportation or anything else that classifies as critical infrastructure (e.g., an Essential Service under the NIS 2 directive within EU) here is a list of things that quantum computers could impact that you should think about:

  1. Breaking encryption (mainly a threat to PKI based, e.g., Secure Boot)
  2. Challenge the Integrity of information (e.g., audit trails, digital documents, etc.)
  3. The Risk of SNDL (Store Now, Decrypt Later) attacks
This is by all means not a complete list but I think on a high level it captures the things you need to consider. Let’s break it down to manageable, actionable pieces.

What to do?

First, analyse the threats against your system. Are they really threats you need to think about? In critical infrastructure systems I rarely see the need for encryption but rather a focus on integrity and availability. If someone were to find out the data in your system it might not be that big deal but tampering attacks against the integrity could have fatal implications. But the main point is that you need to do your own threat analysis.
But as pointed out above, quantum computers is mainly a threat against PKI-based encryption in that the threat is against the private key. It does not matter if you use RSA or ECC. You will require more qubits to break the ECC (~6n instead of 2n+3 for the RSA) but since the key length is significant shorter that will even it out in the number of qubits needed. So when does this affect critical infrastructure?
I have recently seen a push towards using products with secure boot. This is a very good move since it gives you the possibility to boot in a known state BUT since this is always based on a PKI this would be vulnerable to quantum computer attacks, in essence breaking your trust chain. I think you should take the following actions on this right now:
  • Monitor the news and follow what is happening in the quantum computing space. How close are we to actually make practice of the theory.
  • Follow NIST:s work regarding quantum computer secure algorithms. They have a couple shortlisted and will during 2024 post their results.
  • Ask your suppliers what they are doing regarding this. Very few will probably have a definitive answer but if they have started to look into the question and can give thoughtful answers they are probably ahead of the game.
But what happened to the Swedish Count Axel von Fersen and Marie Antoinette, the Queen of France?
That they used encryption, stopping their enemies from reading the letters, probably kept them alive for a little bit longer but they both met gruelling ends. Marie, being who she was, were executed by guillotine in October 1793 and Axel was caught by a lynch mob in Stockholm in June 1810 and killed but their secrets stayed hidden for another 200 years.
My hope is that we are bit more on top of our game and by following the few bullets above we can hopefully avoid the fate of Marie and Axel 😉

Leave a comment