BLOG - Incorporating Quantum Cryptography In Cybersecurity Education

Cryptography has been a central element of cybersecurity since even before the Internet was created. We have used encryption technologies to secure the most sensitive information, not just in recent history, but even as far back as the times of the Roman Empire. The ancient methods were rudimentary and could easily be broken by even the weakest of computers today. And now, the strongest algorithms of today are potentially at risk if the dreams of quantum computing ever become reality. To that end, anyone working in the cybersecurity field should be looking for cryptographic methods that can withstand attacks from quantum computers. This also necessitates professors teaching their students about how to prepare for a potential increase in computing power before that capability is realized. 

What is Quantum Computing? 

The dream of quantum computing is to create computers that use the rules of quantum physics to solve problems exponentially faster than what is currently available today. It is not a completely theoretical field of science. Small-scale quantum computers have already been created, but scaling them to something necessary to truly make a difference in the computing world has not yet occurred. These are topics professors need to address in the classroom. Every computer science major needs to be aware of what the future may hold in this field, and in cybersecurity specifically, they need to understand the security implications of such a potentially powerful technology. 

Within cryptography, quantum computing has the potential to factor large numbers very quickly, which could lead to the breaking of modern encryption and the spilling of a lot of secrets. Students do not need a course in quantum physics to sort this out, but professors should provide, at least at a high level, the primary weak points of currently used algorithms when applied to a quantum computing scenario. Cybersecurity students need to understand that two of these weak points are key length and using algorithms that have mathematical computational infeasibility. In one method, the longer the key, the less likely a computer is to break the encryption. In the other method, the more difficult the algorithm, the less likely a computer is to break the encryption. This is oversimplified, but both are destroyed by much more powerful computing capabilities. 

Preparing for the Future 

Cybersecurity professors should prepare their students for this potential future by training them to use more advanced algorithms now. If someone were to store encrypted information using today’s technology and hold onto it until the day quantum computing becomes a full reality, they would be able to run that old data through a quantum computer and quickly decrypt the information. But if we start using stronger algorithms now, they will still be secure from these types of attacks in the future. Students need to be prepared for current technology and future technology; otherwise, they will be trying to catch up and leave a lot of data insecure. 

One of the reasons for this being a big challenge today is that cryptography is no longer used strictly for sensitive information. The internet necessitated the use of encryption for more data, primarily due to privacy implications. Cybersecurity students are already aware of the encryption being used to secure communications between computers and web servers, within some mobile chat applications, and to encrypt data in some cloud storage services, but they may not be aware that all of these capabilities are at risk. This is where professors need to fill in the gaps and make their students aware of the algorithms that currently exist and are considered to be quantum-proof. 

Using Symmetric Encryption 

In symmetric encryption, which is useful in securing stored data on hard drives, in databases, and in encrypted containers, the Advanced Encryption Standard (AES) has been the go-to cipher since 2001. Students should understand that the power of AES lies in the length of its keys. AES-128, which uses a 128-bit key, is good for today, but AES-256 is necessary to stay safe in the future. Professors should instruct their students to start using the 256-bit key now.  

In public-key encryption, which has many applications, such as email communication, secure text messaging, virtual private networks, and web security, the Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC) methods are used to secure communications. These have existed since 1977 and 1985, respectively, and have been updated over time to stay ahead of computational increases. In this category, professors should explain that the strength of RSA and ECC is in maintaining computational infeasibility, which they will not be able to do in a quantum computing environment. A newer algorithm, Kyber, is a perfect replacement that can be used now in many applications. The table below shows replacement algorithms for other capabilities, and each one of these should be included in classroom instruction.    

One of the bedrock principles of cybersecurity is to maintain a level of security that keeps unauthorized users out of computers, sensitive data out of their hands, and sensitive communications out of their ears. Cryptography is used in all of these cases. Cybersecurity programs already include some form of cryptography course, but those courses should be updated to include capabilities that will continue to protect computers and information into the future. As with many other things in this field, professors cannot be complacent. We need to be aware of where technology is headed and get our students ahead of that path now so they will be fully prepared for a long-term career.