Introducing quantum-resistant encryption to OneSpan Authentication Suite Server SDK

Frederik Mennes

Quantum computers have the potential to break the cryptographic algorithms that protect our digital world today, leaving sensitive data vulnerable. While the risk is only theoretical at present and there is no way of knowing for certain if quantum computers capable of breaking cryptographic algorithms will ever actually exist, it is good security practice to be prepared.

That is why we are drawing your attention to OneSpan’s Authentication Suite Server SDK, our core authentication engine. OneSpan Authentication Suite Server SDK provides functionality to validate one-time passwords and transaction authentication codes generated by authenticators, either in hardware or software, according to the Digipass, Cronto, and OATH authentication algorithms.

Authentication Suite Server SDK receives the cryptographic keys used to validate these one-time passwords and transaction authentication codes in files adhering to the DPX-file format and stores them inside data structures called BLOBs. The content of both DPX-files and BLOBs is encrypted using symmetric cryptography to protect the confidentiality of the cryptographic keys.

The encryption mechanism used for the DPX files and BLOBs must be secure. This is particularly important in light of the new attacks that advances in quantum computing technology may make possible. At OneSpan, we have been working to ensure the encryption mechanism is based on post-quantum mechanisms and is therefore quantum resistant.

This article provides an overview of the risk posed by quantum technology to symmetric data encryption and explores the solution implemented in our newest release of Authentication Suite Server SDK.

Exhaustive search with classical, non-quantum computers

A possible approach to decrypting data encrypted with an unknown symmetric cryptographic key is to try all possible keys until the correct key is found. This is generally called an exhaustive key search or a brute-force attack.

As an analogy, suppose Bob has a vault that is locked with a key and a box containing 100 keys. Bob knows the key to unlock the vault is in the box, but he does not know which one it is. In order to find the key to unlock the vault, Bob can try all keys one by one. Bob might be lucky and pick the correct key on his first try. He might also be very unlucky and pick the correct key upon the 100th try. On average, Bob will need to try 50 keys from the box before he finds the correct one. More generally, if the box contains N keys, Bob will need to try on average N/2 times and in the worst case, N times.

In real-world cases, N should be so large that an exhaustive key search is infeasible. A large value of N ensures that finding the correct key would take too much time and effort. Bob might give up if he has to try thousands or millions of keys, depending on his perseverance and the value of the vault's contents.

In the world of data encryption using classical, non-quantum computers, a value of N equal to 2^112 is often considered the minimum. This is provided by the algorithm 3DES-112, for example. Many applications use larger values though, such as 2^128 and 2^256, as provided by AES-128 and AES-256 respectively.

Harvest now, decrypt later attacks

No one knows if large-scale, robust quantum computers capable of attacking cryptographic algorithms or cryptographic systems – sometimes called Cryptographically Relevant Quantum Computers (CRQCs) – will ever be built.

Nevertheless, well-resourced adversaries can already prepare for the possibility of their arrival by taking advantage of the steep decrease in modern data storage costs. The premise is simple: Adversaries can collect large amounts of today’s encrypted data and file it all away for future reference. Even though they cannot decrypt any of this data today, they can retain it until they acquire a quantum computer that can decrypt it in the future.

This attack is referred to as harvest now, decrypt later, as the adversary gathers the data today and decrypts it once a sufficiently powerful quantum computer is available.

Speeding up exhaustive search with quantum computers

The reason why harvest now, decrypt later attacks might work is that quantum computers may be capable of performing exhaustive searches of the encryption key, as described above, faster than classical, non-quantum computers do.

In 1996 Lov Grover, an Indian-American computer scientist, published an algorithm intended for database searches that can also be used for exhaustive searches. Using Grover’s algorithm, the exhaustive key search process can be sped up to √N, or the square root of N, attempts. This is a much smaller value than N/2 attempts with classical computers.

Back to our vault example. For a box of 100 keys, using Grover’s algorithm, Bob would need to try only √100 or 10 keys in order to find the correct key! That’s much less than the 50 or 100 attempts required with a traditional search.

There’s a caveat though. The practical implementation of Grover’s algorithm on quantum computers might not be as efficient as can be expected in theory. This is caused by the necessity to perform error corrections on quantum computers, and the fact that Grover’s algorithm is difficult to implement in parallel. Various organizations, such as the U.S. National Institute of Standards and Technology (NIST) and the U.K. National Cyber Security Centre (NCSC), state that Grover’s algorithm will likely not result in the exhaustive search speed-up in practice that might be expected in theory.

Introducing quantum-resistant data storage in OneSpan Authentication Suite Server SDK

If a sufficiently powerful quantum computer existed, Grover’s algorithm would still require √(2^256), or 2^128, attempts to recover the encryption key of a DPX-file or BLOB using brute force. This number is well beyond what is considered feasible today and even in the foreseeable future.
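The work-factor arithmetic from the exhaustive-search and Grover sections above, carried through for the three algorithms the article names, as an added example that is not part of the original article or of the OneSpan SDK. The 112-bit target used to judge quantum resistance is an assumption taken from the article's stated classical minimum, and the Grover figures are the theoretical √N bound, not the smaller real-world speed-up NIST and NCSC expect.

```python
import math

# Key sizes of the algorithms named in the article (bits an attacker must guess;
# 3DES-112 is two-key triple DES with 112 effective key bits).
ALGORITHMS = {"3DES-112": 112, "AES-128": 128, "AES-256": 256}


def log2_attempts(key_bits: int, model: str) -> float:
    """log2 of the key trials needed for a key space of N = 2**key_bits.

    Models from the article: a classical search needs N/2 attempts on average
    and N in the worst case; Grover's algorithm needs about sqrt(N) (theory).
    """
    if model == "classical_average":
        return key_bits - 1          # N/2 = 2**(key_bits - 1)
    if model == "classical_worst":
        return key_bits              # N   = 2**key_bits
    if model == "grover":
        return key_bits / 2          # sqrt(N) = 2**(key_bits / 2)
    raise ValueError(f"unknown attack model: {model}")


def vault_attempts(n_keys: int, model: str) -> float:
    """The same formulas for the article's box-of-keys analogy (any N)."""
    return {
        "classical_average": n_keys / 2,
        "classical_worst": float(n_keys),
        "grover": math.sqrt(n_keys),
    }[model]


def assess(target_bits: int = 112) -> dict:
    """Report each algorithm's security level under Grover's bound and whether
    it still meets target_bits (assumed: the article's 112-bit classical minimum)."""
    report = {}
    for name, bits in ALGORITHMS.items():
        grover_bits = log2_attempts(bits, "grover")
        report[name] = {
            "classical_average_bits": log2_attempts(bits, "classical_average"),
            "grover_bits": grover_bits,
            "quantum_resistant": grover_bits >= target_bits,
        }
    return report


if __name__ == "__main__":
    for name, r in assess().items():
        print(f"{name}: Grover ~2^{r['grover_bits']:.0f} attempts, "
              f"meets 112-bit target: {r['quantum_resistant']}")
```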

To protect data that needs to remain confidential and secure against novel attacks, both now and well into the future, today’s data should already be encrypted with quantum-resistant cryptographic algorithms. The latest release of Authentication Suite Server SDK provides the possibility to encrypt DPX-files and BLOBs with the AES-256 algorithm using 256-bit keys.

Migrating to Authentication Suite Server SDK 4.0.1 gives you peace of mind that your sensitive data will be protected against harvest now, decrypt later attacks. Therefore, we recommend customers use our latest release of Authentication Suite Server SDK.


Frederik Mennes is Director of Product Management & Business Strategy at OneSpan. In this role, he is responsible for defining and implementing OneSpan’s business strategy for specific industry verticals, and to determine how OneSpan responds to security and regulatory market trends. Previously, Frederik led OneSpan's Security Competence Center, where he was responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity