Quantum computers could read all your encrypted data. This ‘quantum-safe’ VPN aims to stop that
To protect our private communications from future attacks by quantum computers, Verizon is trialing the use of next-generation cryptography keys to protect the virtual private networks (VPNs) that are used every day by companies around the world to prevent hacking.
Verizon implemented what it describes as a “quantum-safe” VPN between one of the company’s labs in London in the UK and a US-based center in Ashburn, Virginia, using encryption keys that were generated thanks to post-quantum cryptography methods – meaning that they are robust enough to withstand attacks from a quantum computer.
According to Verizon, the trial successfully demonstrated that it is possible to replace current security processes with protocols that are quantum-proof.
VPNs are a common security tool used to protect connections made over the internet, by creating a private network from a public internet connection. When a user browses the web with a VPN, all of their data is redirected through a specifically configured remote server run by the VPN host, which acts as a filter that encrypts the information.
This means that the user’s IP address and any of their online activities, from sending emails to paying bills, come out as gibberish to potential hackers – even on insecure networks like public WiFi, where eavesdropping is much easier.
Especially in the last few months, which have seen many employees switching to full-time working from home, VPNs have become an increasingly popular tool to ensure privacy and security on the internet.
The technology, however, is based on cryptography protocols that are not un-hackable. To encrypt data, VPN hosts use encryption keys that are generated by well-established algorithms such as RSA (Rivest–Shamir–Adleman). The difficulty of cracking the key, and therefore of reading the data, is directly linked to the algorithm’s ability to create as complicated a key as possible.
In other words, encryption protocols as we know them are essentially a huge math problem for hackers to solve. With existing computers, cracking the equation is extremely difficult, which is why VPNs, for now, are still a secure solution. But quantum computers are expected to bring about huge amounts of extra computing power – and with that, the ability to hack any cryptography key in minutes.
“A lot of secure communications rely on algorithms which have been very successful in offering secure cryptography keys for decades,” Venkata Josyula, the director of technology at Verizon, tells ZDNet. “But there is enough research out there saying that these can be broken when there is a quantum computer available at a certain capacity. When that is available, you want to be protecting your entire VPN infrastructure.”
One approach that researchers are working on consists of developing algorithms that can generate keys that are too difficult to hack, even with a quantum computer. This area of research is known as post-quantum cryptography, and is particularly sought after by governments around the world.
In the US, for example, the National Institute of Standards and Technology (NIST) launched a global research effort in 2016 calling on researchers to submit ideas for algorithms that would be less susceptible to a quantum attack. A few months ago, the organization selected a group of 15 algorithms that showed the most promise.
“NIST is leading a standardization process, but we didn’t want to wait for that to be complete because getting cryptography to change across the globe is a pretty daunting task,” says Josyula. “It could take 10 or even 20 years, so we wanted to get into this early to figure out the implications.”
Verizon has significant amounts of VPN infrastructure and the company sells VPN products, which is why the team started investigating how to start enabling post-quantum cryptography right now and in existing services, Josyula adds.
One of the 15 algorithms identified by NIST, called Saber, was selected for the test. Saber generated quantum-safe cryptography keys that were delivered to the endpoints – in London and Ashburn – of a typical IPsec VPN through an extra layer of infrastructure, which was provided by a third-party vendor.
Whether Saber makes it to the final rounds of NIST’s standardization process, in this case, doesn’t matter, explains Josyula. “We tried Saber here, but we will be trying others. We are able to switch from one algorithm to the other. We want to have that flexibility, to be able to adapt in line with the process of standardization.”
In other words, Verizon’s test has shown that it is possible to implement post-quantum cryptography candidates on infrastructure links now, with the ability to migrate as needed between different candidates for quantum-proof algorithms.
This is important because, although a large-scale quantum computer could be more than a decade away, there is still a chance that the data that is currently encrypted with existing cryptography protocols is at risk.
The threat is known as “harvest now, decrypt later” and refers to the possibility that hackers could collect huge amounts of encrypted data and sit on it while they wait for a quantum computer to come along that could read all the information.
“If it’s your Amazon shopping cart, you may not care if someone gets to see it in ten years,” says Josyula. “But you can extend this to your bank account, personal number, and all the way to government secrets. It’s about how far into the future you see value for the data that you own – and some of these have very long lifetimes.”
For this type of data, it is important to start thinking about long-term security now, which includes the risk posed by quantum computers.
A quantum-safe VPN could be a good start – even though, as Josyula explains, many elements still need to be smoothed out. For example, Verizon still relied on standard mechanisms in its trial to deliver quantum-proof keys to the VPN end-points. This might be a sticking point, if it turns out that this phase of the process is not invulnerable to quantum attack.
The idea, however, is to take proactive steps to prepare, instead of waiting for the worst-case scenario to happen. Connecting London to Ashburn was a first step, and Verizon is now looking at extending its quantum-safe VPN to other locations.