Quantum Untangled: Are Harvest Now, Decrypt Later attacks actually happening?
Follow us down a cryptographic rabbit hole.
By now, readers of this newsletter will be familiar with the rationale behind post-quantum encryption. In about a decade’s time — or sooner, if you’re more optimistic — scientists will manage to build a quantum computer capable of harnessing hundreds of logical qubits. From there, it will be possible to build more powerful machines capable of running Shor’s Algorithm and cracking open any messages protected by RSA encryption standards. At that moment, any country or company with a sufficiently powerful quantum computer could run riot across the internet and purloin national security secrets and sensitive corporate data at their leisure.
The more pressing concern is that this purloining may have already started. In so-called "harvest now, decrypt later” (HNDL) attacks, experts have theorised that rogue nation-states and cybercriminals could hoover up masses of encrypted data with the express intention of waiting until the moment when it can be decoded with great ceremony by a quantum computer. Some have implied that this is happening already. Earlier this month, for example, Deloitte’s quantum readiness leader Colin Soutar was quoted in Information Week as saying that “[a]dversaries are targeting organizations via Harvest Now-Decrypt Later attacks.”
It’s a prospect that Western governments and companies are taking seriously. Since 2015, the US National Institute for Standards and Technology (NIST) has been working assiduously with cryptographers around the world on a set of post-quantum encryption standards capable of resisting the blunt force of tomorrow’s quantum machines, standards that have been adopted by firms including Signal, Google, Thales and IBM, among others. In December, meanwhile, President Biden signed the Quantum Computing Cybersecurity Preparedness Act into law, which forced all federal agencies to develop plans to transition their systems to post-quantum encryption standards capable of surviving the arrival of ‘Q-Day.’ The UK government has issued its own gloomy advisories. Although a cryptographically relevant quantum computer (CRQC) does not yet exist, the National Cyber Security Centre wrote back in 2020, “the possibility of one is a relevant threat now to organisations that need to provide long-term cryptographic protection of data.”
But how relevant? More specifically, are attackers actually now, right this minute, scooping up vast amounts of encrypted data to sit on until Q-Day?
While many cybersecurity analysts and cryptographers are happy to attest to the threat of HNDL attacks, few are willing to openly claim that they’re actually happening. For his part, Soutar wasn’t willing to join the latter camp when Tech Monitor asked him to clarify his earlier comments to Information Week. “At Deloitte, we encourage clients to move away from guesswork about when a CRQC becomes available or from attempting to gauge the possibility of HNDL attacks,” Soutar said, via email. “Instead, we recommend that organizations focus their efforts on understanding what their exposure might be and planning a migration to quantum-readiness and crypto-agility in an orderly manner.”
In a similar vein, security vendor BlueVoyant’s chairman Robert Hannigan warned the Slaughter and May podcast in 2021 that HNDL attacks were a “current problem,” insofar that many companies are holding onto sensitive data — medical records, perhaps, or the specs for critical national infrastructure — that hostile actors would absolutely want to acquire and sit on in the hope that one day they can use a machine to read it properly. The ex-GCHQ director wasn’t willing to go much further when Tech Monitor followed up with him last week.
“Data that is stolen is not going to be labelled ‘for decryption later when quantum computers arrive’,” said Hannigan, given that most of it is usually swiped in the name of short-term financial gain. “But it would be prudent to assume that hostile actors may be scooping up large amounts of encrypted data and may be storing it away for future decryption. That is at least a sensible working assumption.”
Andersen Cheng is less circumspect. “You’re speaking to the person who coined the phrase ‘harvest now, decrypt later,’” says the founder of Post-Quantum, a cybersecurity start-up focused on quantum-safe encryption. “I started saying it back in 2015, and most people thought I was a lunatic.”
No longer, says Cheng, who claims in our interview and elsewhere that the heads of multiple Western intelligence agencies have warned that HNDL attacks are happening “right in front of our eyes,” so much so that the acronym has evolved into an initialism among US intelligence analysts (“They call it the ‘handle.’”)
Diverting internet traffic through a border gateway protocol (BGP) hijack would be one way to do it, he says. This type of attack, explains Cheng, is the equivalent of tricking someone into driving to, say, Basingstoke along a series of B-roads where their car can be covertly photographed. They may get to their destination, and the photos may not even prove useful today, but someday, somehow, they will be — and the driver won’t be any the wiser.
BGP rerouting failures are not uncommon, with traffic being diverted along zany routes thanks to various accidental ISP outages. Several cases, however, seemingly fit the profile of an HNDL attack. In 2016, for example, internet traffic heading to South Korea from Canada was mysteriously and repeatedly ending up in China. Four years later, data from over 200 networks belonging to the likes of Google, Facebook and Amazon was siphoned through Russia (a summary of these incidents can be found in this fantastic piece on post-quantum encryption by Rob Hastings.)
Are these the HNDL attacks we were warned about? Yuval Shavitt has co-written several papers over the years about these mysterious diversions, which the Tel Aviv University professor refers to as “deflection attacks.” “Some of them are quite large-scale, which makes you wonder what is done with these large volumes of data,” Shavitt tells Tech Monitor. Even so, he adds, “the purpose of any special deflection is beyond our ability to investigate.”
Cheng himself concedes that he cannot definitively label any such incident as a HNDL attack, or recall any specific statement from Western intelligence agencies doing the same thing. “In fact, they would never do that,” he says. “They will never pinpoint a specific incident, because then they would be giving away how they had detected it.”
HNDL attacks are certainly plausible, explains Ross Anderson, a professor of security engineering at Cambridge University. Just look at the Venona project, says Anderson, when the NSA spent decades decrypting thousands of Soviet messages it captured during the height of the Second World War. As far as modern-day surveillance is concerned, however, the cryptography expert is convinced that Western, Russian and Chinese agencies are much more interested in exploiting existing vulnerabilities in telecoms networks than they are acquiring masses of internet traffic and waiting until a CRQC comes along to decrypt it.
“In addition to that, as 5G beds in, there will no doubt be various bugs and protocol misconfiguration and feature interactions and so on,” says Anderson. “The guys at KAIST keep on finding these, but it’s a hard job to do, because of the sheer complexity of the 5G specifications… it’s just too complicated for one person to understand it all.”
Perhaps unsurprisingly, Anderson is very much the quantum sceptic. “When it comes to civilian uses of cryptography, I think that the risks from quantum computers have been vastly overhyped,” he says. Skip Sanzeri takes the opposite view. The founder of QuSecure, Sanzeri earnestly believes that global cryptography needs the kind of makeover that only NIST-approved post-quantum algorithms can provide. But like Anderson, he doesn’t necessarily believe that we have to wait until the arrival of a CRQC before intelligence agencies based in Washington or Beijing can crack stolen encrypted data.
“A group called Memcomputing down in San Diego was tasked by the [US] Air Force under an SBIR to see if they could hack RSA 2048 with an ASIC chip,” says Sanzeri. On paper, at least, they claimed to have proved such decryption was possible. “This is no longer a quantum problem. Public key encryption? It’s done.”
Anderson seems less enthused. “People have been using ASICs [for decryption] for a generation,” he writes, referring to the use of the EFF DES Cracker chip (incongruously nicknamed “Deep Crack”) to brute-force a 56-bit key standard back in 1998.
It is, nevertheless, a timely reminder that some encryption standards are more vulnerable than others — though whether or not they are now prey to HNDL attacks remains, for now, impossible to confirm.
Partner Content
The security challenges of digitalising the energy grid - Tech Monitor
How do we restore trust in the public sector? - The New Statesman
Brands must seek digital fashion solutions - Tech Monitor
The new to direct capital deployment to decarbonise household electrification - Capital Monitor