Public key infrastructure (PKI) is a term that pretty much means ‘the encryption used on nearly all web pages’ – if you’ve visited a website today, you’ve probably been protected by PKI. Many organisations also use it to secure internal communications – it’s the most popular encryption and key delivery tool used today.
What is PKI?
Invented in the 1960s by the British intelligence bods at GCHQ, it was then honed further by the US government, who scaled it and introduced it to the public a decade later. It hasn’t changed materially since then – mathematics is used to encrypt data before it’s sent and a key is needed before the receiver (be that machine or human) can decrypt and read it.
As Josh Fruhlinger of CSO magazine explains: “PKI gets its name because each participant in a secured communications channel has two keys. There’s a public key, which you can tell to anyone who asks and is used to encode a message sent to you, and a private key, which you keep secret and use to decrypt the message when you receive it. The two keys are related by a complex mathematical formula.”
The PKI system also allows for authentication, providing a certificate so that you know the people sending and receiving the data (and the key) are who they say they are. This is done by a certificate authority, of which there are hundreds.
Most websites use SSL or TLS to make sure that you’re really connecting to the website you want, and to prevent anyone hijacking that connection.
For communications to be secure, we need certificates to authenticate the entities doing the communication – and to encrypt the communications to protect passwords and data from hackers.
All in all, PKI’s digital signature technology has worked really well for the past 50 or so years. Yes, it’s old, but old isn’t necessarily bad, and, as the saying goes, if it ain’t broke, don’t fix it.
But, are we so sure it’s not broken?
Where PKI lets us down
There are a few ways that PKI isn’t secure – after all, if it was perfect, there wouldn’t have already been a record number of hacks this year.
The main weaknesses of PKI come at certain junctures: the fact that the certificate authority itself can be dodgy, the fact that one key is public and can be viewed by anyone, the fact that PKI doesn’t actually solve most of the vulnerable areas that malicious actors exploit – and the fact that, one day, it will stop working completely.
Wait, what?
That’s right, you heard me: technology will one day exist that means that the complex mathematics used to create the keys for PKI encryption and decryption will be solvable just like that *finger snap*.
So, how soon is “one day”? Actually, it’s incredibly soon. Quantum computing is already drinking milk and taking names and, it would seem, the race to create a scalable, commercially viable quantum computer is at the top of the tech wishlist for most governments and corporations.
In fact, China’s government and IBM both think they’ll have the prototype for a self-correcting quantum computer within the next five years.
But how does this affect the internet and how we use it?
The answer is devastatingly simple: PKI only works thanks to the math involved at the point of key generation, and quantum computers can solve complex mathematical problems in a matter of seconds.
As security adviser Roger Grimes puts it: “One of the biggest promises of Quantum computing, whenever it finally gets perfected, is that it will be able to immediately break open PKI-protected secrets. Sometime in the near- to mid-term future, useful Quantum computers will become a reality. When they do, most public crypto will fall.”
“Anyone with a Quantum computer will be able to break anyone else’s secret.”
That means PKI will be instantly obsolete and, without exaggeration, those who don’t have quantum security/cryptography in place could be left completely in the dark. As that may be most of the world, this could be the real Y2K – and not just a hypothetical issue that never comes to fruition, this time.
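To make "two keys related by a complex mathematical formula" and "PKI only works thanks to the math" concrete, here is an added example (not from the original article) using textbook RSA as a representative public-key scheme. The primes, message and function names are constructed for illustration and deliberately tiny; it shows that the private key falls out of the public key as soon as the modulus can be factored.

```python
# Added illustration: textbook RSA with tiny, constructed primes.
# Real deployments use moduli of 2048+ bits plus padding; this is not usable crypto.
from math import gcd

def make_keypair(p, q, e=17):
    """Derive a public key (n, e) and a private exponent d from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse: the formula linking the two keys
    return (n, e), d

def encrypt(m, public):
    """Anyone holding the public key can do this."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(c, d, n):
    """Only the holder of d is supposed to be able to do this."""
    return pow(c, d, n)

def factor(n):
    """Trial division: instant for a toy modulus, infeasible classically at real
    key sizes. Shor's algorithm on a large quantum computer removes that barrier."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no non-trivial factors")

def recover_private_exponent(public):
    """Rebuild d from the public key alone, given the ability to factor n."""
    n, e = public
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    public, d = make_keypair(1009, 2003)      # constructed sample primes
    c = encrypt(42424, public)                # constructed sample message
    stolen_d = recover_private_exponent(public)
    print("ciphertext:", c)
    print("owner decrypts:", decrypt(c, d, public[0]))
    print("factoring party decrypts:", decrypt(c, stolen_d, public[0]))
```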
The solution, of course, to the massive worldwide upgrades needed to get rid of PKI’s tired legacy is to get quantum security!
Thankfully, there are a few movers and shakers out there who have anticipated this issue and have already come up with the fix – a much better scenario than waiting around like a sitting duck.
Fan favourite for those in the know is Arqit, a company backed by the British government and staffed by some of those clever heads from GCHQ mentioned above – and they have the founder of SSL on the board. Not too shabby! You can read about their elegant, but simple quantum security fix here.