Information security and network data encryption: the future of encryption, security and cybersecurity

By Frank Ohlhorst

Originally published on Sept. 2, 2020, on Hewlett Packard Enterprise’s Enterprise.nxt, publishing insights about the future of technology.

The next generation of computing — think quantum and beyond — could soon threaten current asymmetric encryption technologies, including PKI. Here’s what you need to know.

Threats to current encryption techniques are on the horizon. The National Institute of Standards and Technology (NIST) predicts that within the next few years, the most credible of these technologies, sufficiently capable quantum computers, will become a viable threat. The concern is that these systems will be built to break essentially all asymmetric encryption schemes in use, effectively rendering public key infrastructure (PKI) encryption useless.

While fully functional quantum computers may still be several years away, recent technological strides potentially have accelerated the timeline. Advances include the claim that researchers have achieved quantum supremacy, where a quantum computer can perform a calculation beyond the capability of even the currently most powerful classical supercomputers.

Quantum computing algorithms that are a threat to public key encryption, or asymmetric encryption algorithms, have been developed. One bright spot is that symmetric encryption algorithms, such as Advanced Encryption Standard (AES), are thought to be more resistant to quantum computing algorithms, and an efficient quantum computing algorithm is not yet known to break these encryption technologies.

This means that protocols that use asymmetric algorithms at any point are vulnerable. It is why a state actor could capture all Transport Layer Security (TLS) traffic in the hope of one day being able to decrypt the data. This would likely be too expensive for cybercriminals — currently, the costs outweigh the benefits.

If the scientific world is that much closer to building a fully functional quantum computer, cybersecurity specialists may need to start rethinking how encryption will work in a post-quantum computing world. This is the goal of the process NIST has initiated to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.

Post-quantum cryptography: The coming standards

Preparing for the worst-case scenario, even with the unlikelihood of it becoming an issue in the near term, NIST recognizes the importance of post-quantum cryptography (PQC), stating, “Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.”

To that end, NIST has been requesting submissions for PQC standards and working with industry leaders to come up with a methodology to address the future threats posed by quantum computing-powered attacks. That process has recently entered round three, where proposed PQC algorithms will be further evaluated for their resiliency against quantum computers. The third-round finalists may very well set the stage for what will become a set of standards for PQC and redefine how PKI, digital signatures, and other encryption techniques are deployed.

Keep security current by looking ahead

Although new NIST standards are being worked out, businesses can still ready themselves for when the need for these standards becomes a reality. Potentially, the threats are imminent, and cybercriminals may already be hoarding encrypted data in the hope of using quantum computers to break into that data. Experts from numerous digital security firms, such as DigiCert, Gemalto, Utimaco, and several others, are offering intelligence and advice on how to prepare for a post-quantum world. While most point to their own services or products, all agree on several basic ideas in the quest to ready businesses for a post-quantum world:

  • Improve crypto-agility: Crypto-agility, as the name implies, is the process of identifying and managing cryptographic algorithms. Pretty much any connected organization uses some type of crypto, and if it is using a secure environment, there is some type of cryptography involved. Organizations must identify every element — such as servers, protocols, libraries, algorithms, and certificates that utilize encryption — and then be able to manage those. The key here is to be able to manage the lifecycle of crypto technologies. Organizations can turn to a certificate management platform to achieve much of that. It is also critical to create a plan about how to identify and resolve encryption issues, such as expired certificates or weak algorithms. Once all crypto resources are identified, organizations will need to work with their third-party vendors to determine how those vendors plan to protect against quantum threats.

  • Catalog all hardware security modules (HSMs): Many organizations use HSMs to safeguard and manage digital keys. HSMs also perform encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. Most important, HSMs are often found in card payment systems or smart card access systems and are becoming ubiquitous in many organizations. It is critical to identify all HSMs, understand how they are being used, and determine if the HSMs can be upgraded to support the next set of threats to encryption. That will require contacting the HSM vendors and verifying if there is an upgrade or replacement path.

  • Maintain best practices for TLS deployments: These are the most vulnerable points of attack in the post-quantum encryption world. Best practices will keep you on the leading edge of security and encryption updates. When somebody builds a viable quantum computer, we’ll all need to upgrade our TLS libraries.

  • Have a plan and test it: Identifying the parts and pieces that are subject to a quantum threat is only the beginning of a plan. Organizations will also need to define what to do if a potential threat is encountered, which is already a best practice in the realm of cybersecurity. The key here is to identify critical elements and build a plan that addresses those elements. The plan should also be frequently tested. For example, if an organization is notified of a certificate compromise, it may want to be immediately ready to deploy a replacement certificate, and the only way to be fully ready is to have tested such a scenario in the first place. Many organizations create sandboxes or build non-production test systems for the purpose of validating changes before applying those changes to a production network.
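The inventory and triage steps in the list above can be sketched in code. This is an added example, not part of the original article: the record fields, policy thresholds and host names are assumptions, and the sample inventory is constructed. It flags present-day issues (expired or soon-to-expire certificates, weak algorithms), marks every asymmetric key as quantum-vulnerable, and notes HSMs with no confirmed vendor upgrade path.

```python
from datetime import date

# Asymmetric algorithms (exposed to quantum attack); AES is symmetric.
ASYMMETRIC = {"RSA", "DSA", "DH", "ECDSA", "ECDH"}
WEAK_HASHES = {"MD5", "SHA1"}   # assumption: local policy
MIN_RSA_BITS = 2048             # assumption: local policy
RENEW_WINDOW_DAYS = 30          # assumption: local policy

def triage(asset, today):
    """Return the list of findings for one inventory record."""
    findings = []
    days_left = (asset["not_after"] - today).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= RENEW_WINDOW_DAYS:
        findings.append("expiring")
    if asset["sig_hash"] in WEAK_HASHES:
        findings.append("weak-hash")
    if asset["key_alg"] == "RSA" and asset["key_bits"] < MIN_RSA_BITS:
        findings.append("weak-key")
    if asset["key_alg"] in ASYMMETRIC:
        findings.append("quantum-vulnerable")
    if asset.get("hsm") and not asset.get("vendor_pqc_path"):
        findings.append("hsm-no-upgrade-path")
    return findings

def report(inventory, today):
    """Rank assets: most present-day issues first, then findings, then name."""
    def sort_key(row):
        urgent = sum(f != "quantum-vulnerable" for f in row[1])
        return (-urgent, -len(row[1]), row[0])
    return sorted(((a["name"], triage(a, today)) for a in inventory), key=sort_key)

# Constructed sample inventory; every name and value is hypothetical.
TODAY = date(2020, 9, 2)
INVENTORY = [
    {"name": "www.example.test", "key_alg": "ECDSA", "key_bits": 256,
     "sig_hash": "SHA256", "not_after": date(2020, 9, 20)},
    {"name": "backup-store", "key_alg": "AES", "key_bits": 256,
     "sig_hash": "", "not_after": date(2021, 6, 1)},  # rotation due date
    {"name": "vpn.example.test", "key_alg": "RSA", "key_bits": 1024,
     "sig_hash": "SHA1", "not_after": date(2020, 8, 1)},
    {"name": "pay-hsm-01", "key_alg": "RSA", "key_bits": 4096, "hsm": True,
     "vendor_pqc_path": False, "sig_hash": "SHA256", "not_after": date(2022, 1, 1)},
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY, TODAY):
        print(f"{name:18} {', '.join(findings) or 'ok'}")
```

In practice the records would come from a certificate management platform export rather than a hand-written list.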

Next-generation computing technologies and quantum computing present threats to the current encryption technologies in place. However, the most ominous threat may not materialize for some time, with some experts suggesting that a fully functioning quantum computer could still be decades away while others claim that quantum computing will become viable in just a few short years. Either way, there is no harm in preparing for the next generation of hardware threats now instead of later. After all, improving one’s crypto-agility offers real-world benefits today and helps to mitigate current cybersecurity attack vectors while helping organizations to be more prepared for other threats as well.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.

Translated from: https://medium.com/enterprise-nxt/future-encryption-security-cybersecurity-95fe3233fb0
