Quantum Computing Is Transforming Cybersecurity
Interview with Héctor Plaza, REALSEC’s R&D Manager
- Recently, we published a REALSEC article on the importance of HSMs in authentication and validation processes in the use of methods of payment, known as PSD2. What are the technological strengths offered by REALSEC for the financial sector?
Banking, due to the nature of the data it handles and the inherent risks associated with its activity, is one of the sectors where some security devices, such as HSMs, have been more widely used for years, and it is one of the sectors where REALSEC is most present.
From this point of view, the entry into force of the PSD2 Directive will not entail the introduction of security devices previously unknown in the financial sector, although possibly the generalisation of their use.
On the other hand, this new directive opens a door to the incorporation of new players into the financial sector, due to the accessibility of banks' services to third parties at the request of users (such as Fintechs or, possibly, technology companies that already have payment services, such as Amazon Pay or Google Pay, among others). As a result, these new players will have to incorporate security into their processes, as they will deal with sensitive user information. Therefore, they will have to implement robust and reliable security devices, such as HSMs.
In addition, users will notice a change in the way they authenticate to perform certain banking operations as a result of this new strong customer authentication system (Strong Customer Authentication), which involves the use of at least two different authentication factors. In the same way that, when making a card payment physically in a commercial establishment, the card is necessary as well as entering the PIN (unless they are smaller transactions), in online transactions it will no longer be enough just to hold the card and enter the number, expiration date and CVV, as sometimes happens. It will be imperative that our bank authenticates us in a more secure way, if it has not done so already, as in the case where it sends us an SMS with a PIN code that will only be used for a particular transaction.
- In recent times we have heard the term quantum computing a lot. How does this technology relate to cybersecurity?
The arrival of quantum computing is going to mean a very large transformation of the technology on which much of today’s cybersecurity is based. Cybersecurity is technically supported by the use of cryptography, among other things, to provide confidentiality and integrity to the data, as well as to provide security services such as authentication.
Well, some of the cryptography currently used will be rather with the emergence of quantum computers that are powerful enough. The security of the cryptography we use now is based on the need for many years of calculations (with current computers) to break a key, making it safe in practice; whereas with quantum computers, this time will be reduced in such a way that it will be feasible to access all the information encrypted with the current algorithms.
This is nothing new; in fact, it has been known for decades. What is recent are the advances that have been made in the field of quantum computing, with the participation of tech giants such as Google, IBM or Microsoft, who are working with their first prototypes. It is true that prototypes are still far away from having the ability to pose a risk to the security that we currently employ, but it is the first time that this threat does not simply remain in the theoretical field. So much so that NIST, already in 2017, made a call to start the selection process of what will be the cryptographic algorithms that we will have to use in the future, the so-called post-quantum cryptography, which in the coming years will become standard.
- Why are REALSEC hardware security modules (HSMs) a key element for securing projects developed with Blockchain technology?
Blockchain is a distributed data record that has the special feature that anyone can verify its content at all times, and it is also the basis for different cryptocurrencies, whose best known example is Bitcoin.
To protect these cryptocurrencies and to be able to trade them, it is necessary to make use of private keys, which, as the name suggests, must be kept in an appropriate and secure manner.
In this key protection, the use of a hardware device plays a major role, as it makes it difficult for third parties to access these keys, as well as to copy and distribute them.
On a private level, the most cautious cryptocurrency users already have the option of acquiring hardware wallets, which are small physical devices (similar to a pendrive) where the keys are stored. Also, when a user, for convenience, prefers to use an online service that protects the keys, the user should ensure that the service keeps the keys in custody on a secure hardware device, such as an HSM.
Another advantage of using such devices is that the security of their systems is based to some extent on the generation of random numbers, and on HSMs these are generated with specific certified hardware, avoiding possible security failures related to these numbers, as has happened in the past, for example, with wallets on Android devices.
- What technology would you bet on for the protection of the Internet of Things (IoT)?
The technology to be used for the protection of the Internet of Things (IoT) can be as diverse as the number of devices that are being interconnected. First, it must depend on the type of device you want to protect, as well as the risk of a compromise of the security of that device. The same technology will not be applied to secure a home automation system that raises or lowers the blinds of a home as to protect a device that processes information related to a person’s health.
For all this, the use of technologies such as digital certificates issued by a reliable public key infrastructure (PKI) may not be applicable to all scenarios for reasons of cost or device capacity, but they would be desirable in cases where the risk is higher. An example could be the case of a car equipped with a SIM card to have Internet connectivity, in which the SIM card itself has the cryptographic capabilities to store the keys of an electronic certificate, even more so if more modern algorithms such as elliptic curves are used, which require less computational power for the same security level.
In this world of IoT, it would be important for system security to be taken into account from the design standpoint, and not to be patched in later, which usually turns out to be more expensive and inefficient. It is also essential to consider the variety of security knowledge that different IoT device manufacturers from different industries may have, as some will have had to provide information security for their systems beforehand, whereas for others it will be their first time incorporating security into their designs.
R&D Manager, REALSEC