Root Causes 256: What Is Harvest and Decrypt?

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

November 16, 2022

As we prepare for the reality of quantum computers breaking RSA and ECC, a keenly important concept to understand is "Harvest and Decrypt." The practical impact of Harvest and Decrypt is that for secrets with a reasonable lifespan, the quantum computer threat is much closer than you might think, including as early as today. In this episode we explain why that's the case and how this attack is likely to roll out.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanWe’ve been talking a lot over the last few years about post-quantum cryptography, what we used to call quantum safe cryptography before the industry settled on a term and, some of these concepts of quantum computers are gonna progress over time and, there will be various stages along the line where they are more powerful and ultimately, this concept, Mosca’s concept of a concept of a z date. And an important thing that figures into this whole conversation is the concept of harvest and decrypt. And I know that you and I have certainly touched this in the past. I’m not sure if we’ve used that phrase but, we thought that would be a worthwhile thing to just kind of talk through today and make sure everybody is thinking in these terms.

So, in the world of post-quantum cryptography, there’s an idea called harvest and decrypt. Why don’t you get us started? So, what’s the basic idea here, Jason?

Jason SorokoTim, when you visit a website and there is https up in your address bar, most of the browsers now take that information away unfortunately, but for the most part, when you are on an encrypted site there is of course an SSL certificate at the web server that is encrypting, working with the browser and basically encrypting traffic between your browser and the web server. And you might think, well, that’s great. Thank you very much. I’m just happy to know that my banking session is encrypted between the two points. Anybody listening in the middle is not really gonna see anything useful and furthermore, anybody who might even be recording the packets going between the browser and the web server over the network – I’m thinking of tools like Wireshark, Tim. That’s a very common tool to capture packets and record packets off of a network. Those sets of packets and the session itself of communication can be recorded. It won’t be useful to the attacker at that point in time because of the fact that it is encrypted but, on the other hand, as we know, the whole basis of the quantum apocalypse is that encryption which is being performed by a legacy cryptographic algorithm such as RSA or ECC, the issue of course is that in a quantum apocalypse scenario whenever a quantum computer along with probably Shor’s algorithm is powerful enough to factorize, find the equivalent of the private key and essentially unravel that encryption and turn that encrypted session into clear text then a lot of information obviously can then be derived. Now, of course, I use, Tim, the example of browser and web server session but it can be anything that’s ever been encrypted. This is the point. Anything that is intercepted, recorded will have the same issue whenever quantum computers and Shor’s algorithm have that ability to factorize and break the legacy of cryptographic algorithms.

Tim CallanAnd one of the things that we may have talked about is obviously the number of stable qbits you have available to use could increase over time, which means that the amount of time that it takes to break these algorithms will go down over time. So you can imagine that there is a date in the nearer future where maybe you’d have to compute something for four months before you broke it and then there’d be a date further down the line where maybe you’d have to do that same thing for four days. And so, if it’s gonna take four months, most secrets probably aren’t worth it but maybe a few are. The really good secrets. And then when it gets down to the point where it’s four days you are still not gonna be able to use that to do anything in real time. It’s not like you can sit and spoof somebody in the middle but if you have this data that you’ve captured, you are still gonna be able to open it. So, part of what you are talking about is I think there’s a difference between being able to act on something instantly and being able to capture something that you can act on at another time.

Jason SorokoReal-time decryption. I think that’s for the movies, Tim. Unfortunately, I think that’s what people think when we talk about the quantum apocalypse, that that’s possibly what it means is a real-time decryption of an SSL stream, for example.

Tim CallanAnd a long enough time horizon with enough computing power that would be a possibility but that’s not the imminent threat?

Jason SorokoNo and I think we’ve talked about this before on this podcast but quantum apocalypse, if you really want to put a definition to it is what happens if an attacker could record an important session, a known important session – encrypted session. And then decrypt that within three months.

That’s probably something you could consider quantum apocalypse. If it’s down to a month, if it’s down to a day, well, you are talking about an incredibly high speed of decryption and factorization. I’m thinking though that if we get it under a year - -

Probably depending on how important the communication is - -

Tim CallanDepending on what it is. If these are the keys to the kingdom, if you are a global bank that is routing billions of dollars around and, it might be worth crunching something for a year if it gives you the access you can use to then go in and siphon off a heart stoppingly large amount of money, for instance.

Jason SorokoSure. Military communications, police investigation communications, legal communications. There’s a lot of things that would be of interest to nation states and others that would be worth for the bad guy to record and take a full year, take six months to decrypt and, probably the every day fraud that we often think about when we think about these bad guys and the lack of encryption, that’s probably gonna be later on in the cycle of factorization as quantum computers become more powerful.

Tim CallanThat script kiddie in Vietnam isn’t going to be an early adopter of this. It’s going to be that state-sponsored advanced persistent threat. And that’s gonna be the Day 0, Year 0 kind of threat and then later on, the democratization of this just like with other attacks. It will work its way downward over time.

Jason SorokoThat’s exactly right, Tim. So, therefore, we’ve talked before about various nation states having their own big quantum computing engineering investments and that’s part of the reason why. They want in.

First of all, they want to be able to counter any kind of attacks but I think this is a very offensive first world, Tim, and that’s the crazy thing about this is it’s an offensive first world which is I want to get to the state of being able to decrypt RSA and ECC first so that I have an advantage. And I think every nation state is looking at that right now.

Tim CallanWe referenced this in our recent podcast on about whether or not China is out-investing the West in terms of this and, certainly that’s one of the reasons why what we talked about, is how it’s an advantage. But, again, to bring this back to the point here, it specifically in near term will be an advantage in this harvest and decrypt scenario. So just, not to point too fine a point on it, the idea is that somehow someone gets access to your encrypted data. Maybe they get into your network and they can just plain grab files or maybe they can sit in the middle and they can record everything that’s going over the wire, like you said. And these binary lab objects, these blobs, they just take them and store them. I don’t know what’s in them or maybe I do think I know what’s in them but not the point where I can read them but what I can do is I can store them. It’s cheap and it’s easy and then I wait. Catalog them well, make sure the stored versions don’t get lost, do good backups and wait. And then one day when I have enough quantum computing power available, I will begin allocating that; probably in a prioritized order based on how likely they are to have the stuff I want and how much I want the stuff they have against these blobs. And like you said, it’s gotta run for a year. If it’s a good enough secret and you’ll have a quantum computer five years from now that’ll do the job, that means six years from now you’ll have the secret. And so, um, that’s the harvest and decrypt scenario and one of the important things to think about with the harvest and decrypt scenario is the harvest part, from a computer science perspective, the harvest part is already there. The harvest part is trivial. If I can get into your network or if I can get in the middle and I can just store it. The harvest part is well understood and most people who think about this think it’s probably happening routinely now.

Jason SorokoIt’s been happening for a while. You are right.

Tim CallanFor a while. And the decrypt part is inevitable. It’s only a matter of time and none of us knows exactly how long but I don’t think there are a lot of serious thinkers in this space who think that it won’t happen. And so that means that arguably to a degree, the damage is already being done right now. We are just not gonna feel the effects for some years.

Jason SorokoExactly, Tim. I’m trying to think of what the future might look like. Probably the things that will first be decrypted, that have already been recorded, Tim, are such important secrets that you’ll probably never hear about it. That will be in the cloak and dagger world and it’ll probably never hit the news but it’ll send reverberations into governments. And I think that those folks who have those level of secrets already know what they are risk at. This is some smart people. Because they do risk mitigation for a living. That’s what they do. I want to add to this for those of you who are taking your action items from a podcast like this saying, hey, what’s my homework? What should I do here? I’d like to expand the list so, of course, what are ECC and RSA used for right now? We are talking about things that are encrypted. Especially things that are encrypted and sent in transit and then stored by somebody who is malicious who is capable of listening to your network. I also want to add in the idea of signing. Because it’s not just encryption. There’s also signing. And so, do you have signed documents out there that you are presuming cannot be altered? Or if those documents were altered or if the signing mechanism were altered, would you be at some kind of risk? I’m imagining the answer is yes to a lot of organizations because even though those documents might not be a secret, the presumption that the signed document cannot be altered is an important aspect that lives over time and sometimes over long periods of time.

Tim CallanWell, sure. And if nothing else, that could enable other attacks because if I can sign my malware and have it look like the legitimate code modules that are supposed to be operating in my network now, I can put in a backdoor. So, absolutely.

Jason SorokoThis is really, really important stuff to consider when you are adding to your list. I would say the worries about authentication are probably less because obviously authentication is a form of signing if you will. Signing a challenge document. But because of the nature of authentication that’s more real time. So, it’s really mostly about encryption and signing and for those of you who might be asking the question, well, what about AES encryption, which is different? Well, I think we’ve talked about this on this podcast before. That’s probably a little bit less to worry about. Maybe even a lot less because of the quantum resistant nature of AES encryption. We are talking very specifically here about anything that’s encrypted on the fly such as using RSA and ECC.

Tim CallanI don’t know. It might be kind of a little bit of dire end to this one in particular because I think I know the answer but what do we do? Like when it’s already too late, what do we do?

Jason SorokoIt is already probably too late and what do we do? I think, Tim, the lesson here is whenever you are hearing about the content delivery networks that are using draft forms of post-quantum algorithms right now, that’s part of the impetus for why to do that. In other words, it might be time to start using hybrid certificates sooner than later especially when you are dealing with higher levels of secrets.

So, what to do is this. I think like the guys and girls out there who are doing really, really big secrets. Important secrets. Military and nation state, super-duper big high finance. They are already taking inventory of secrets that they know would be of value to the bad guys.

And I think in any risk mitigation scenario, just assume all of your communication has been recorded and therefore, take inventory of what are the most important secrets you are transmitting within your enterprise that whether it’s intellectual properties, some kind of trade secrets that you would never-ever over the next five to ten years want to get into somebody’s hands. That’s a smaller list than just your average every day, everything you are doing cryptographically. So, take inventory of signed documents. Take inventory of anything that’s encrypted outside of AES. Like very, very, very specifically using AES and RSA especially in terms of things that are communicated between systems. I’m not talking about just the average chatter between IoT devices or browser sessions of human beings to say your CRM. I’m talking about what are the big secrets you have that are transmitted in that way. Take that inventory and at least you know where your crown jewels are. Everybody should have that list. Don’t assume that those secrets are going to be in safe hands in the next five to ten years.

Tim CallanAnd then, of course, obviously, there may be a lot of stuff that hasn’t been harvested and to the degree that you can successfully remain vigilant and prevent it from being harvested, you get around this problem. But part of the assumption on this concept is that despite all of our best efforts, it doesn’t always succeed. People do get in and this happens. There are zero days. There are errors. There are social engineering attacks, you and I cover this all the time. That you have to have a security profile that assumes that you may be compromised and what are you gonna do when you are?

And then, I guess the other thing is we’ve talked in the past in previous episodes about how it’s going to take your industry and your vendors and things are gonna take some time to get there but don’t be a laggard on this one. As soon as you can start putting that post quantum crypto in place, you, at least for those secrets and communications, once it’s in place, you are knocking out that scenario and so when the time comes you don’t want to be the last kid on the block to move over to these new algorithms. That’s something you are gonna want to move on pretty quickly.

Jason SorokoYes. You are absolutely right, Tim. I would say that, at risk of becoming a real broken record, the time to get your hands dirty with this is now.

And if after part of your inventory work you determine that you have secrets that you have encrypted with those particular algorithms that are going to live or be dangerous to get in other people’s hands within the next five to ten years, then perhaps it is time to start looking at using hybrid certificates with post-quantum algorithms against those high-level secrets sooner than later. Don’t wait until everything is absolutely in place and all the answers are answered. If you have secrets that are that important, the time to start acting is right now.

Tim CallanI agree. So, anyway, there you go. Harvest and decrypt. It is a phrase we may have used in the past. It is a phrase we absolutely will use in the future and it’s something that’s kind of emerging into the dialogue about post-quantum crypto in a greater way and so, that’s your definition. Thank you very much. Thank you, Jay.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!