September 2023 Update: Marking a nearly seven-year process and the final steps towards the world’s first post-quantum cryptography standards, the U.S. National Institute of Standards and Technology (NIST) released draft standards for quantum-safe algorithms on Aug. 24.
The transition to quantum-safe cryptography will hinge on two steps: inventorying all cryptographic assets and achieving crypto-agility through automation and centralized management. DigiCert’s customers investing in crypto-agility have deployed DigiCert® Trust Lifecycle Manager, which provides a comprehensive solution to discover, manage and automate digital trust across their organization.
For additional guidance on preparing for the transition to quantum cryptography, please refer to this blog.
Quantum computers will change the way many industries operate, and the impacts of quantum computing will affect all aspects of society. Quantum computers could be used to solve complex problems faster and more accurately than traditional computers, leading to new discoveries and breakthroughs in various sectors (read our predictions about quantum’s impact by sector here). However, quantum computers could break many of the encryption algorithms currently used to secure digital trust. Thus, we’re exploring how quantum computing will impact security of various interactions that businesses and individuals rely on in everyday life in a series of blog posts.
First up, email security. With the increasing amount of sensitive information being exchanged through email, it is crucial that this information is protected from unauthorized access. Attacks on email are on the rise; at the end of 2022, phishing was at the highest level on record, according to the Anti-Phishing Working Group. Additionally, phishing has cost American businesses alone about $43 billion in the last five years, according to the FBI. However, with the advent of quantum computing, the traditional methods of email security may no longer be sufficient. In this blog post, we will explore the potential impact of quantum computing on email security and what can be done to prepare for this new era of computing.
But first it is important to understand the fundamental differences between classical and quantum computing. While classical computers use bits to store and process information, quantum computers use qubits. Qubits can exist in multiple states at once, which allows quantum computers to perform certain calculations much faster than classical computers. This has the potential to greatly impact the field of cryptography, which is the science of secure communication.
For securing email, the key is authenticity and encryption, i.e., is the email really from who it says it is, and have the contents remained private in transit? The latter is dependent on the former, because if I can lie about who I am, I might have opened your mail, resealed it and resent it (to use a real-world analogy). Thus, there needs to be a way to ensure that an email is from who it says it is so that it can be trusted.
The way trust is established in email is with a protocol known as Secure/Multipurpose Internet Mail Extensions (S/MIME), which dictates how to send digitally signed and encrypted email messages. S/MIME is widely used and has just adopted the first industry-wide standards for improving email security, expected to be enforced in September. The S/MIME protocol typically uses one of the most widely used encryption algorithms, RSA. RSA relies on the fact that it is currently infeasible for a classical computer to factor the product of two large prime numbers. However, a quantum computer could potentially factor these numbers much faster, rendering RSA encryption ineffective. This would leave the sensitive information exchanged through email vulnerable to unauthorized access, and it means the authentication process that proves the identity of email senders will need to be upgraded.
Furthermore, emails are often stored for long periods of time. For legal and other reasons, it's often important to be able to validate the digital signature on an email that was sent previously, perhaps even years or a decade ago. Signatures on stored email are going to slowly lose strength, as it becomes easier and easier to forge them over time with quantum computers and other advances. It may be desired or necessary in some use cases to re-sign emails or documents with a stronger signature and an assertion that the previous signature was valid so it can continue to be trusted, but doing so has its own set of complexities and challenges. Thus, post-quantum cryptography (PQC) standards groups are currently working on ways to secure stored, signed data. Expect more information on this to come in the future.
So what can be done to prepare for the era of quantum computing? The first step is to remain crypto-agile — to know where crypto is being used in your organization and have the tools to identify issues and fix them quickly. Crypto-agility is a security best practice regardless, but with quantum computers on the horizon, it will be even more important so that organizations can quickly swap out their crypto for quantum-resistant encryption methods.
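As a concrete form of the inventory step described above, the following added example (not DigiCert's code or part of the original post) walks DER-encoded key material, extracts every algorithm OID and reports which assets rely on public-key algorithms that Shor's algorithm breaks. It goes beyond the RSA case in the text to cover elliptic-curve keys as well; the asset names and the sample byte strings are constructed for illustration.

```python
# Added example: find quantum-vulnerable public-key algorithms in DER data.
# Standard library only; the sample blobs below are constructed, not real keys.

# Public-key algorithm OIDs whose security rests on factoring or discrete logs.
QUANTUM_VULNERABLE = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC (ECDSA/ECDH)",
    "1.2.840.10040.4.1": "DSA",
    "1.3.101.112": "Ed25519",
}

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]                  # first two arcs share one encoded value
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def walk_oids(der):
    """Yield every OID in a DER blob, descending into SEQUENCE and SET."""
    pos = 0
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:            # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        body = der[pos:pos + length]
        pos += length
        if tag == 0x06:
            yield decode_oid(body)
        elif tag in (0x30, 0x31):    # constructed SEQUENCE / SET
            yield from walk_oids(body)

def inventory(assets):
    """Map asset name -> sorted quantum-vulnerable algorithms found in it."""
    return {name: sorted({QUANTUM_VULNERABLE[o] for o in walk_oids(der)
                          if o in QUANTUM_VULNERABLE})
            for name, der in assets.items()}

# Constructed SubjectPublicKeyInfo fragments (the key bits are dummy bytes).
SAMPLES = {
    "alice-rsa": bytes.fromhex("3013300d06092a864886f70d0101010500030200ff"),
    "bob-p256": bytes.fromhex("3019301306072a8648ce3d020106082a8648ce3d030107030200ff"),
    "carol-mldsa44": bytes.fromhex("3011300b0609608648016503040311030200ff"),
}
print(inventory(SAMPLES))
```

An asset with an empty list here carries none of the listed OIDs; it still needs review, since the table covers only the common classical public-key algorithms.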
DigiCert’s customers investing in crypto-agility have deployed DigiCert Trust Lifecycle Manager, which provides a comprehensive solution to discover, manage and automate digital trust across their organization. DigiCert Trust Lifecycle Manager is redefining the meaning of certificate management by integrating CA-agnostic certificate management across public and private trust to deliver centralized visibility and control, prevent business disruption and secure identity and access.
Also, read three additional ways to secure email and instill digital trust in the inbox.