
Why do we still use RSA 2048 when we know that quantum computers can crack RSA as fast as classical computers can create the key?

Providers, governments, APTs, etc. can sniff all the traffic and as soon as the day comes when quantum computers are mass-capable, all the traffic in the world, including past traffic, is public and the world burns.

Are there any security measures to prevent this and what are they?

nobody
  • "the traffic, including past traffic, is public" - That's where the idea of "Forward Secrecy" comes into play. –  Dec 23 '21 at 16:09
  • 3
    @MechMK1: Diffie Hellman as the key exchange for forward secrecy is also affected by quantum computing. – Steffen Ullrich Dec 23 '21 at 17:14
  • There are plenty of people still using DES, despite the fact it can be cracked relatively cheaply with commodity hardware. It takes a *long* time for everyone to migrate to newer crypto. – Gh0stFish Dec 23 '21 at 17:48
  • 1
    *...Are there any security measures to prevent this...* None whatsoever. *...and the world burns...* it's always burning. – President James K. Polk Dec 23 '21 at 18:30

2 Answers

3

There are several factors in play here:

  • We don't have a quantum computer yet that is capable enough to break RSA 2048. It will still take several years to get these capabilities, if we get them at all.
  • While there are several candidates for new algorithms that are safe against quantum computing, these are mostly fairly new and have several drawbacks regarding key size, performance, ... So there is no good alternative yet that is both proven and efficient.
  • The majority of the information protected today is not interesting anymore once the current encryption is broken. So the risks are low.
  • While it is possible to sniff information today, the cost of storing such a huge amount of data is high. Even governments don't have unlimited resources, so they need to select what they want to preserve.
  • Much relevant information can already be retrieved today by analyzing metadata like communication patterns, compromising devices, adding backdoors to software, bribing, ... If the information is really relevant, it is likely that such methods are used to get the information today instead of sniffing today and getting this information only in 10 or 20 years.
Steffen Ullrich
  • Relevant information for me would be: what's your bank account password, which p*rn sites you visit, who's your 2nd secret girlfriend. Metadata is nice but doesn't give a full picture. And compromising, backdoors are just another problem but not an excuse. – NikolaTesla Dec 23 '21 at 17:28
  • 1
    @NikolaTesla Bank account credentials not an issue if you use 2FA, your visits to adult sites are already public to anyone in an MITM position because TLS does not generally encrypt the domain name, relationships can be inferred through metadata. Quantum computing does not really change anything in your scenarios, and it's a looong way to go until this is a practical threat for individuals. – amon Dec 23 '21 at 17:33
  • @NikolaTesla: *"And compromising, backdoors are just another problem but not an excuse."* - Again, there is currently no proven and efficient algorithm, so that one has to use what is available. And again, there are other problems apart from encryption and it makes no sense to focus on protecting against breaking encryption for high costs in the future if one can simply get to the information much cheaper today. – Steffen Ullrich Dec 23 '21 at 17:33
  • @amon Yes, true, but you get my point. Every day critical information is shared. It's a long way, but there is a way. I'm not an expert but I think I have enough knowledge to understand the issue. Imagine what could happen once all traffic can be reversed. – NikolaTesla Dec 23 '21 at 17:37
  • @NikolaTesla: Once all traffic can be reversed, most of the information which could have been collected is irrelevant anyway. Don't overestimate the value of your data compared to the costs needed to decrypt it. Anyway, it is not that everyone blindly trusts the existing algorithms. Active research and standardization have been under way for post-quantum cryptography for several years. – Steffen Ullrich Dec 23 '21 at 18:49
  • @NikolaTesla The human race is, as history shows, reacting to threats rather than proactively trying to prevent them. We had a lot of lethal car accidents before we invented seatbelts. It's the same with crypto: only when quantum crypto becomes a genuine, immediate threat will we act. –  Dec 23 '21 at 19:56
2

First, it's not like we have much of a choice: public-key cryptosystems are standardized and widely available, and change in this field is slow. We definitely need PK cryptography to secure the internet. The standardized PK protocols we have are unfortunately vulnerable to quantum computers.

Second, because the threats of quantum computers are still distant. Right now, RSA and elliptic curves are probably still secure. Recent years have shown advances in connecting more qubits, but we're still very far off from a general-purpose quantum computer that could be used to accelerate an attack on PK cryptography.

Third, because of forward secrecy, but this is a weak defense in the quantum context. In an interactive context such as TLS, RSA isn't used as an encryption algorithm but rather for authentication. The actual communication is instead encrypted using a symmetric cipher, and the ephemeral symmetric key is negotiated via a key exchange protocol. Symmetric ciphers like AES are not threatened by quantum computers. Unfortunately, common key exchange protocols like Diffie-Hellman or ECDH are a kind of PK crypto and are also vulnerable to quantum computing.

Fourth, because post-quantum cryptosystems are fairly young and have seen less analysis. For RSA and elliptic curves, we have a pretty good idea of the advantages and problems. For protecting communications right now, they are the best bet. In particular, current methods are perfectly suitable for ensuring the integrity and medium-term confidentiality of messages. But when a threat model has a horizon of decades, using one of the proposed post-quantum cryptography techniques could be more appropriate. Such long-term choices are a bet about what happens first: do attackers first obtain practical quantum computers, or do they first learn about an exploitable flaw in one of the proposed post-quantum algorithms?

amon
  • I do know that it's just for the authentication, but by decrypting the auth you get the symmetric keys. "RSA and elliptic curves are probably still secure" You also made a point here which is my concern: it's STILL secure. And what happens today which might be safe can be decrypted tomorrow. For me it sounds like there is no solution and all traffic till now can be decrypted in the future. – NikolaTesla Dec 23 '21 at 17:28
  • 1
    @NikolaTesla It is not practical to record *everything*, especially as it could still be over a decade until the NSA gets some quantum computing toys. Even then, I think they'll be busy for a while decrypting diplomatic cables before they turn their attention to normal citizens. Again: consider the actual horizon of your threat model. With regards to forward secrecy, the issue isn't that RSA could be broken (this alone would still preserve forward secrecy), but that a recorded Diffie-Hellman key exchange can be broken as well which would then disclose the symmetric key. – amon Dec 23 '21 at 17:37
  • A decade sounds a lot at first, but it's not a lot if you think of the power one gains who has access to "everything" - even if you have to wait 50 years. – NikolaTesla Dec 23 '21 at 17:39
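The handshake structure amon's answer describes (long-term RSA key used only for authentication, ephemeral Diffie-Hellman for the session key, a symmetric cipher for the data) and the point in the follow-up comment about which break actually costs forward secrecy, as an added example that is not part of the original answer or of any real TLS implementation. It is a standard-library-only Python model with toy parameters constructed for this page: a 127-bit Mersenne-prime DH group with generator 3, textbook RSA on two fixed Mersenne primes, and a SHA-256 keystream plus HMAC standing in for AES-GCM. None of these parameters are suitable for real use. The two "oracle" functions at the end model what a future quantum computer would hand an attacker who holds a recorded transcript: the RSA private key alone yields nothing about past sessions (only the ability to impersonate the server in new ones), whereas recovering the server's ephemeral DH exponent recovers the session key and the plaintext.

```python
import hashlib
import hmac
import secrets

# Toy DH group (constructed): p = 2^127 - 1 is prime, g = 3. Demonstration only.
P = (1 << 127) - 1
G = 3

# Toy long-term RSA key (constructed from fixed Mersenne primes, so it has no
# secrecy at all). 65537 is coprime to phi for these primes.
RSA_P, RSA_Q, RSA_E = (1 << 89) - 1, (1 << 107) - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def dh_keypair():
    """Fresh ephemeral exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)

def _digest_int(msg):
    # 128-bit digest keeps the signed value below the ~196-bit toy modulus
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

def rsa_sign(msg, d=RSA_D):
    return pow(_digest_int(msg), d, RSA_N)

def rsa_verify(msg, sig):
    return pow(sig, RSA_E, RSA_N) == _digest_int(msg)

def derive_key(shared, transcript):
    """HKDF-extract-like step: bind the session key to the whole transcript."""
    salt = hashlib.sha256(transcript).digest()
    return hmac.new(salt, shared.to_bytes(16, "big"), hashlib.sha256).digest()

def seal(key, plaintext):
    """Stand-in AEAD: SHA-256 keystream XOR, then an HMAC tag over the ciphertext."""
    blocks = len(plaintext) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Plaintext, or None if the tag does not verify under this key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return seal(key, ct)[:-32]  # the XOR keystream is its own inverse

def handshake():
    """One TLS-style handshake. Returns the session key, the server's ephemeral
    exponent (kept only so the DH oracle below can be simulated) and exactly
    what a passive sniffer records from the wire."""
    s_priv, s_pub = dh_keypair()
    c_priv, c_pub = dh_keypair()
    transcript = s_pub.to_bytes(16, "big") + c_pub.to_bytes(16, "big")
    sig = rsa_sign(transcript)              # the long-term key only signs
    if not rsa_verify(transcript, sig):     # client authenticates the server
        raise ValueError("authentication failed")
    key = derive_key(dh_shared(c_priv, s_pub), transcript)
    recorded = {"s_pub": s_pub, "c_pub": c_pub, "sig": sig, "transcript": transcript}
    return key, s_priv, recorded

def oracle_break_rsa(recorded, blob):
    """Attacker obtains RSA_D. The recording holds a signature, never an
    RSA-encrypted secret, so d gives no route to the session key; it only lets
    the attacker sign a future handshake of their own (impersonation)."""
    own_value = b"attacker's own ephemeral value"
    can_impersonate = rsa_verify(own_value, rsa_sign(own_value, RSA_D))
    past_plaintext = None   # nothing computable from (recorded, RSA_D) opens blob
    return can_impersonate, past_plaintext

def oracle_break_dh(recorded, blob, s_priv):
    """Attacker solves the discrete log of recorded['s_pub'] (what Shor's
    algorithm would do to this exchange); here the exponent is handed over."""
    key = derive_key(dh_shared(s_priv, recorded["c_pub"]), recorded["transcript"])
    return unseal(key, blob)

def demo(message=b"account balance: 42"):
    key, s_priv, recorded = handshake()
    blob = seal(key, message)               # the sniffer also records this
    impersonate, past = oracle_break_rsa(recorded, blob)
    recovered = oracle_break_dh(recorded, blob, s_priv)
    return impersonate, past, recovered

if __name__ == "__main__":
    print(demo())  # (True, None, b'account balance: 42')
```

The model makes the asymmetry visible: a broken signature key is a problem for the future (anyone can now pose as the server), a broken key exchange is a problem for the past (every recorded session opens). That is why the "harvest now, decrypt later" concern targets the key-exchange step, and why the post-quantum work the answers mention concentrates first on replacing or hybridizing the key exchange.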