Welcome to Heavy Networking, the flagship podcast from the Packet Pusher's podcast network

delivering you all the package with no drops and no jitter. I'm Ethan Banks, Drew, Conry Murray. And guys, I'm going to dispense with the rest of the intro that I normally go on about because I want to get right into this discussion with our guest. We are covering today how to prepare your cryptography infrastructure end-to-end for the post-quantum world. The production IT operations are almost certainly using cryptography libraries that are not

quantum safe.

So, unless you're a government agency, so secret, you have your memory wiped every time you walk out the door like on severance, that's probably not you as far as you know. So the time to begin planning a cryptography overhaul is now. But if you started to think about this, this is likely to be one of the most daunting projects you're ever going to be a part of because it touches absolutely everything. Clients and servers and apps and network devices, middle boxes and so on. And once you start thinking the challenge through, it quickly feels overwhelming. Our guest is Ritu, Chana Kashava from Palo Alto Networks, our sponsor for this episode today. And as we begin working through the challenge of implementing post-quantum cryptography with RitU, it becomes obvious that she has spent a lot of mental energy working through the complexities presented by post-quantum cryptography as well as a framework for addressing those issues. So we're gonna get into algorithms, a little bit of math, just a little believe me. Not the depths of cryptography, a little bit of math. Capacity plan and considerations when selecting ciphers and related topics like that. So listen to this episode for a head start on making your organization post-quantum safe. Unless you're already a cryptography nerd, you're going to learn about things that you didn't even know were things. So reach you, welcome to the podcast and we got to start with some essentials. How does post-quography deliver from the pre quantum variety, the stuff that we're using today? Or maybe another way to put this, why are existing cryptographic algorithms threatened by quantum? And how does PQC address that? Before I get into that, Ethan and Drew, thank you so much for having me. I am a big fan of the show for the last 15 years that I've already talked to you about. All right, let's jump right in. So pre quantum cryptographic algorithms, which you're referring to are the RSA and the elliptical curve algorithms. So let's take RSA, for example, it works on prime number multiplication, but factoring those prime numbers and figuring out what those two prime numbers were is the challenging complex mathematical problem. And that's why RSA was the choice of algorithm or cryptographic key exchange and signature algorithm for the last 30, 50 years. That is, if I take two prime numbers, multiply them together, I get a result. Figuring out what the two numbers were that got me that result is a really hard math problem. And so that makes our modern, our current cryptography pre-quantum cryptography safe. And so the point is, it's a very hard math problem from a computational sense when the prime numbers that you initially took to multiply are very large. Right? So that's where the computational challenge comes in to reverse engineer and figure a factor. Those two original large prime numbers was is and was very difficult for an existing supercomputer or a classical computer. Now you take quantum computer to your point, Ethan. It just becomes certainly a child's play, or at least theoretically, with short-sal告 on them, we can prove that quantum computers can factor those two large prime numbers in the least amount of time. So it's from a theoretical sense, classical or supercomputers could take billions of years, and this is what the academicians say, but apparently a quantum computer, a cryptographically quantum computer can take a couple of days, which is very scary, because a hundred% of today's internet applications support RSA. And maybe a good subset of them also support elliptical curves which are based in discrete logarithms. And that is yet another complex math problem that we know that Shore's algorithm can also reverse engineer. So that is the... You just mentioned Shore's algorithm there. Can you mention that? Because it's kind of a pivotal point in my mind. It kind of separates pre and post quantum cryptography is what happened with Shore's algorithm. That is correct. So asymmetrical encryption is what we are talking about to get a little deeper into this. So RSA, elliptical curve used for asymmetrical encryption, which is what the entire internet digital infrastructure relies on today, be it keeps change or digital signature algorithms and certificates and so on. Peter Schoer in the 90s came up with this algorithm based on quantum mechanics that we knew at that time

that should a quantum computer become viable, his algorithm can be used to reverse engineer these complex mathematical problems. And who knew in the 90s that a quantum computer could become a reality? Nobody knew because that that we built this foundation of trust on the internet using these cryptographic algorithms. We didn't think about replacing them. We didn't think about building automation or agility into switching between algorithms. We trusted them. So that's where we're at today. And knowing that quantum computing has reached an accelerated innovative space that it has seen some viability in pharmaceuticals, for example, Cleveland labs is working on customized antibiotics and so on. Without getting into the depths of how quantum computing

can become a reality and add value to our society, the negatives of that is that you could also build

a strong enough quantum computer purpose built to break RSA using Schorz algorithm. So that's

where we are at today. So is this all at the moment just theoretical and that short algorithm is sort of a potential to happen or has someone actually used a quantum computer and broken current like a prime-based encryption algorithm? There are some good research papers that have come out of the Europe, that have come out of China in the last couple of years to prove that RSE2K keys can be broken, on a sufficiently strong quantum computers. And against the strength of quantum computers defined by the qubits and the stability of the qubits, as well as error correction, all of that has to get to a place where you have sufficient qubits Shor's algorithm supposedly requires a million physical qubits then map to some amount of logical qubits So to your question Drew, this is a Possibility that there is a definite possibility to build a Parallelized qubit based significantly large qubit quantum computer. Now, when is that going to happen? When are we going to achieve that stability and that error correction to run short algorithm? The different answers, right? There's an answer by the academics. There's an answer by the analyst. There's now based on the threat of clear assumption by the different federal governments across the globe who say irrespective of when we need to act now. So to your question, Drew, there's no guaranteed answer that when a computer like this is going to be viable, but there is a very clear path to the viability of a CRQC and today, Schwarz algorithm is what is known to break asymmetric encryption. There's some concerns with symmetric, which is Grovers algorithm is also another one built in the 90s that threatens symmetric encryption, but not in the way that Schwarz does. So Grovers algorithm is more of a brute force method. I'm going to do trial and error to figure out if a certain hash function can be engineered or can be picked out of the many answers that I get using a quantum computer versus a source which is true reverse engineering to the source. We're going to be throwing around a lot of terms. I just you mentioned CR CRQC, that's cryptographically relevant quantum computer. Just in case that comes up again, and I'm sure it will. Okay. Another point about the timeline. We don't, right, we don't have a general agreement in the industry of one that, the timeline of when a cryptographically relevant quantum computer might exist, we have a million qubits. But I've seen speculation anywhere from 2029, just a few years out to decades off, all depending on who's doing the thinking about it. But there seems to be a general consensus that within 10 years is plausible? Is that sound right to you, Richard? Yes, I think the 10-year timeline is also coming from different compliance and mandates put down by federal governments. So if you're following NIST and commercial NSA two-dot-or timelines, they say you need to start adopting the more safer cryptographic algorithms, which we'll talk about, which are the post-quantum cryptographic algorithms PQC as early as 2025 is what CNA says, you need to start migrating to PQC's. In fact, NIST announced that they're going to dedicate RSA and elliptical curves by 2029, even this allow these two algorithms by 2035. Right? So, and then UKS and CSC standard body algorithms by 2035. And then UK's NCSE standard body says by 2035 or as early as 2030s when the migration should have been implemented successfully and should have taken to production. European Commission signaled by 2030 they're going to put together quantum safe communication network. I think these are strong enough indicators to say that threat is real and you cannot wait and that's why different federal agencies are putting down timelines from compliance and an actionable perspective. Now, to truly answer the question, when is the CRQC going to be real, going to be viable? There's Gautner and McKinsey saying as early as 2027, 2029, then there are academicians saying, could be 15 years, 20 years? We don't know, but it's definitely going to happen. So it's that little bell curve. So the ones who are speaking, the loudest about this, are the ones who really fear the threat of data being harvested, which are the nation states, which are the government agencies, of the critical infrastructures, the financial institutions of the world. Then there are maybe the others who may not see the threat as impending, but we'll talk about why you could succumbumb to it even if you don't feel the threat today. So those are different timelines driving this migration right now. And 2030 isn't far away anymore. It seems like that. Oh, that's forever away. Yeah, that's like five years out. So I think you bring up a key point here. Why isn't 2030 so far enough? It's because of the sheer scale of the migration. We are talking about cryptographic migration. As you earlier said, it's in cryptography is everywhere. It's in your browser, it's in your VPN agent, it's in your operating system, on your laptops, it's in your application, it's in your Wi-Fi access point. It's in your little camera, your indoor camera that watches your cat all the way to all the way to infrastructure nodes, data stores, cloud service provider infrastructures, your private cloud infrastructure, your data center infrastructures. It is a fundamental piece to the internet, which is why we trust and rely on it to get to the internet in a safe and secure manner. So the scale of this migration is very vast and that's why 2030 seems like tomorrow. That's why it feels daunting. And the issue here is now that we do have cryptographic algorithms that we can migrate to here in the US, the National Institute of Standards and Technology has approved a suite of them. Can you talk about some of the key ones and what they're used for? Absolutely. I think we're going to talk about the key ones and the keys. There we go. So National Institute of Standards Technology NEST has been working on this project for at least a decade. That is the significance of how much work they've put in as well as the academicians and the researchers have put into submit newer cryptographic algorithms and let's define them. So these are called PQCs, post quantum cryptography algorithms. PQCs are not based in quantum mechanics. The moment quantum plays a word in the name of it, it feels like it's some sort of a quantum algorithm. It isn't. It isn't based on quantum computing or quantum mechanics. It's just based on new set of complex mathematical problems that we believe cannot be broken or reverse engineered or brute-forced by a quantum computer as well as of course a classical computer the ones that we used today. So those are the net-new algorithms based on newer set of complex mathematics. Now, NIST has standardized three. There's a fourth and a fifth in order in the draft stage to get to the standards. The three are in two different categories. One is the key exchange with MLKEM is the final list that's been selected for key exchange. HQC is apparently being put in as a second order standard algorithm there. Also for key exchange. Also for key exchange. Yes, hqc for key exchange as well. So double clicking on key exchange, this is a session that is established between two nodes that don't trust each other, which is your browser talking to a service or an application, which it has never established a session with. That's essentially web application, internet-based PKI, public key infrastructure system. So for that key exchange, you, the MLK more lattice-based key exchange mechanism is what NIST has put forward as a standard. Now alternative to that was the HQC that we were talking about. Though there are these two new recommended standards, what we have to note is adopting PQC is going to be moving away from a set of standards are a theoretical curve that have been wetted for the last 10, 20, 30, 50 years in case of RSA. And we're moving away from that to net new algorithms, net new library implementations, and sort of refreshing ground up from the operating system and these endpoint perspectives. So what the industry has decided from mitigating risk is to be able to approach this from a hybrid key exchange perspective. So we are going to retain a classical key exchange algorithm and concatenate that with a post-quantum key exchange algorithm. In case of MLKM, you will see hybrids being used, which are elliptical curve hybrid along with MLKM. And that's what the browsers have moved forward with. You'll see that being adopted in web applications. Same is true for your firewall providers like ourselves at Palo Alto and so on. So that is a risk mitigation strategy as this migration has been enforced and we will stay in this world for the next 15 years, 10 to 15 years, until there's sufficient wetting of the PQC. There's enough proof that MLKEM has which stood the test of a CRQC and potentially we will switch to a true MLKEM. Now I know I jumped off into talking about hybrid key exchange mechanisms. I also want to shine light on the other standards from NIST, which are for digital signature algorithms, which are MLDSA, as well as the stateless has DS, which used to be called Springs Plus. I still remember it as Springs. So these are two new standards and it's third ones in the works, which is Falcon. I did a little reading on MLCam just to start to get a sense of what's different about this for key exchange versus historically what we've abuse for key exchange? And the key seems to be lattice math. We're doing math with lattices. That seems to be the focus on a lot of the cryptographic algorithm changes that make them quantum resistant, if you will. Is that a valid observation? That is correct. That is correct.

And to your point,

a lot of math is supposed to be extremely complex.

I know earlier in the call we were talking about

how it introduces 100 or maybe a quadratic amount of measurements.

Yeah, before we hit the record button,

yeah, as much as 100 dimensions,

according to some of the watching and reading I was doing.

Yeah.

Yeah.

Okay, so we don't need to understand lattice math

as network engineers.

But I thought it was just an interesting note

that that seems to be what's changing in these algorithms

that is making them cryptographically relevant quantum computer

...