Quantum Computers Are Coming. Beware
June 17, 2022
Story
We’ve known for a long time that quantum computers are under development. Such computers may solve fundamental problems in the simulation of chemical reactions at the atomic and molecular levels, targeted design of medications, or innovative materials. But we’ve also known for a long time that such computers have the potential to crack many of the security techniques, especially of conventional cryptography, that are in use today.
In fact, the situation is so critical that there have been a series of Presidential declarations, executive orders, and national security memorandum to take care that we are prepared when the time comes. These directives specifically pertain to IoT security and migration to quantum resistant cryptography. When those advanced quantum computers capable of breaking cryptographic schemes will appear is still somewhat of a guess, with experts predicting that it’s most likely about ten years out.
The U.S. government and many private sector individuals and organizations, including the Department of Homeland Security and Infineon Technologies, have been working diligently to develop what’s called post-quantum cryptography (PQC). Such PQC algorithms should replace or augment some of the existing schemes like RSA and elliptic curve cryptography (ECC). An official program that focuses on standardization of such schemes is being sponsored by NIST with the goal to gather inputs from academia, industry, and governmental participants.
The plans developed by the government agencies will include the critical infrastructure industry, because if attacks should occur, the negative possibilities could be catastrophic. Industries that could be impacted include but are not limited to finance, healthcare, agriculture, logistics and transportation, chemical plants, and oil and gas. The embedded systems security that’s being developed provides the mechanisms to protect a system from all types of malicious behavior—but only when that technology is implemented properly.
Hardware Versus Software Security
Embedded security generally falls into two categories: hardware and software. Password managers, firewalls, and data encryption are all examples of software security that operate at the front end. Software-based security has proven to be effective, to a point. It can be breached by a sophisticated attacker who can find and exploit a vulnerability in the software, firmware, or hardware. A key upside to software security is that upgrades generally happen regularly and seamlessly, continually keeping the platform up to date.
Hardware-based security features built in at the silicon level can protect the stack, providing a trusted foundation. It’s implemented with dedicated security ICs, specially designed to provide cryptographic functions and protect against attacks. It provides immunity from inherent vulnerabilities and a variety of security holes that may exist in the software. Hardware security employs a specialized device, usually an MCU, to help protect files through encryption and decryption.
While hardware-based security tends to be more expensive upfront than software security tools, it is a safer option that makes breaking the security features more difficult. It is also a very hands-off solution as it typically doesn’t require any interaction with the user or the host system’s processes, thereby streamlining the encryption/decryption process.
A trusted platform module, or TPM, is based on a common hardware security strategy. The TPM helps prove a user's identity and also stores the encrypted information (passwords, certificates, encryption keys, etc.) that’s used to authenticate the system stack.
A standardized TPM was developed by the Trusted Computing Group (TCG), and is used in many industrial and embedded applications. In general, the TPM generates, stores, and limits the use of cryptographic keys; provides platform integrity by using metrics that can detect changes to past configurations; and allows platform device authentication with TPM's RSA key.
The obvious goal of PQC is to develop cryptographic systems that are appropriately secure against all types of attacks, including those using quantum computers, while operating with existing communications protocols and networks. While the latest in TPM technology will not make a system completely impenetrable, it does provide a great start.
The OPTIGA TPM SLB 9672 hardware-software solution meets the international Common Criteria standard (ISO/IEC 15408), is compliant with the TCG 2.0 specification, and meets the latest NIST standard. The OPTIGA TPM SLB 9672, which includes a PQC-protected firmware update mechanism, is compatible with popular CPUs, including x86 and ARM, covering just about any embedded platform (Note: this product is being shown at embedded world in the Infineon booth, Hall 4A, Booth 138).
The new device, part of an existing family, adds stronger cryptographic algorithms such as RSA 3k and 4k, SHA-384, and ECC 384. An important feature of the OPTIGA TPM SLB 9672 is its firmware update mechanism that employs XMSS signatures, making the firmware update quantum resistant. The Infineon update authority can handle stateful XMSS keys, keeping firmware updates appropriately secure and allowing for continuity for future implementations of PQC.
Using Infineon’s GUI-based OPTIGA TPM 2.0 Explorer tool, which is available on the company’s GitHub repository, designers can initialize a TPM 2.0, display all properties, and perform a complete reset when necessary. The GUI provides immediate visual feedback, allowing commands run and responses received to be reviewed very quickly.
The bottom line that you needn’t (and shouldn’t) wait to protect your valuable assets. And now you don’t have to.
Guillaume Raimbault is a Senior Manager of Product Marketing and Management for IoT Security in the Connected Secure Systems division at Infineon Technologies. He is in charge of the TPMs aimed at consumer/IoT and industrial applications. Guillaume holds an engineering diploma in electronics from INP - Phelma in Grenoble, France, and a master’s degree in marketing from the Grenoble Business School, France.