While the potential opportunities quantum brings are impressive, the seismic risk it poses to current encryption methods cannot be ignored. Do you know the steps your organisation should be taking now to reduce your quantum cyber risk?

Last week Rob Sumroy, head of Slaughter and Mays Tech practice, spoke at ITech laws European conference on this very subject. He was joined by Dr Ali El Kaafarani (a visiting professor at Oxford University and founder of PQShield) and Professor Yasser Omar (Professor at IST University of Lisbon and President of the Portuguese Quantum Institute).

The problem quantum will break commonly used PKC

Put simply, we know that our data and systems need to be kept secure, and encryption methods like RSA (a type of public-key cryptography or PKC) help us do this. However, a cryptographically relevant quantum computer will, in the future, be able to solve the mathematical problems on which these encryption methods are based exponentially faster than a classical computer can. This means that an encryption algorithm that would have taken thousands of years to break (making it unbreakable in practice) could be cracked in a day or so by a quantum computer, creating both a current, and future, risk:

The solution

Thankfully, a number of solutions to the encryption problem exist, and there are steps organisations can take now to prepare.

The international community has been developing quantum-proof encryption based on both classical computing (quantum-safe cryptography) and quantum mechanics (quantum key distribution).

What can organisations do?

Organisations should consider the quantum risk now, and build transitioning to quantum-safe products and services into their future plans. Preparations include:

For more information on quantum, please see our quantum computing podcasts series, which includes a podcast on Cyber security in the era of quantum with Dr Ali El Kaafarani and Robert Hannigan (Chairman of BlueVoyant International and ex Director of Government Communications Headquarters (GCHQ)).

See the original post:
Will you be ready when quantum breaks encryption? Steps to take now to prepare - Lexology

Photo: Alberto Garcia Guillen (Shutterstock)

With over two billion active users, WhatsApp is one of the most popular messaging apps globallyand its also one of the few apps that offer end-to-end encryption by default. This means that no one other than you the other party can read your conversations. Even WhatsApp cant read your conversations because it doesnt have the key to un-encrypt your chats.

This was all true, except for one scenario: WhatsApp chats backed up to iCloud were all unencrypted, so if anyone got their hands on your iCloud backup, they could read all your messages pretty easily. But now, WhatsApp has an optional feature to protect your WhatsApp backups with the same two-factor authentication using a password or a secure key.

Before we begin, you should know that WhatsApp end-to-end encryption depends on a password or a 64-digit secure key. If you lose your password, you wont be able to restore your chats, so make sure you use a secure yet recognizable password. If you use something complicated, make sure to save it on your password manager (it can be iCloud Keychain or a third-party service like Bitwarden).

To get started, first update your WhatsApp application to the latest version. WhatsApp is slowly rolling this feature out to its two billion users, so if you dont see it yet, try again in a couple of days.

Open WhatsApp, and from the Settings tab, go to Chats. Here, select Chat Backups and tap the End-to-End Encrypted Backup button. Tap the Turn on button and from the next screen, choose the Create Password option.

G/O Media may get a commission

Screenshot: Khamosh Pathak

Here, create a password that includes at least six characters, and one letter. Then, tap the Next button.

Once everything is set up, tap the Create button to switch to the end-to-end encrypted backup. Give WhatsApp some time to transition to encrypted backups.

Screenshot: Khamosh Pathak

If you want to disable this feature, come back to Settings > Chats > Chat Backup > End-to-end Encrypted Backup > Turn off.

While WhatsApp has switched over to encrypted backups, your iPhone is still backing up the entire iPhone data to iCloud, in the same un-encrypted format. For the sake of security, we would suggest you disable iCloud backups altogether. To do this, open the Settings app and tap your Profile banner from the top. Then go to iCloud and disable the iCloud Backup option.

Go here to see the original:
Why You Should Encrypt Your WhatsApp Backups in iCloud - Lifehacker

Image Analyzer wins UK Government grant to develop CSAM-detection technology for end-to-end encrypted services

- Safety Tech Challenge Fund awarded to AI-powered visual content moderation pioneer, working in partnership with Galaxkey and Yoti -

Gloucestershire, UK, November 17th 2021, visual content moderation software company, Image Analyzer, has been selected to receive a share of the UK Governments Safety Tech Challenge Fund to find new ways to detect Child Sexual Abuse Material (CSAM) sent via encrypted channels, without compromising citizens privacy. Image Analyzer will work in partnership with content encryption technology provider, Galaxkey, and digital identity and age verification technology company, Yoti, to develop AI-powered visual content analysis technology that works within messaging services that employ end-to-end encryption.

Cris Pikes, CEO and founder of Image Analyzer commented, Image Analyzer is delighted to be collaborating with Galaxkey and Yoti to deliver this exciting, first-of-a-kind technology pilot that recognises the importance of protecting users data and privacy whilst addressing the inherent risks to children associated with end-to-end encryption. As a ground-breaking technology collaboration, the Galaxkey, Yoti and Image Analyzer solution will enable users to access all of the benefits related to encryption whilst enabling clean data streams and offering reassurance within specific use case scenarios such as educational sharing.

End-to-end encryption (E2EE) is already included within the WhatsApp and Signal apps. In April, the Home Secretary and NSPCC decried Facebooks plans to implement E2EE within Instagram and Messenger, citing the increased risks to children if law enforcement agencies cannot compile evidence of illegal images, videos and messages sent by child abusers. The government and child safety organisations warned that E2EE drastically reduces technology companies abilities to detect and prevent proliferation of CSAM on their platforms and prevents law enforcement agencies from arresting offenders and safeguarding victims. The NSPCC has estimated that up to 70% of digital evidence will be hidden if Facebook goes ahead with plans to introduce E2EE in Instagram and Messenger.

Child protection experts warn that encrypted messages could shroud evidence of grooming and coercion of children and the sharing of indecent and illegal images and extremist material.

The NSPCC also observed that encryption could create a technical loophole for technology companies to avoid their duty of care to remove harmful material when the Online Safety Bill becomes law, by allowing them to engineer away their responsibility to monitor and remove harmful content.

In response to these heightened risks, the Safety Tech Challenge Fund was announced by the UK Government in September. The UK Government has awarded five organisations up to 85,000 each to prototype and evaluate new ways of detecting and addressing CSAM shared within E2EE environments, such as online messaging platforms, without compromising the privacy of legitimate users. The Safety Tech Challenge Fund provides a mechanism for government, the technology industry, non-profit organisations and academics to discover solutions and share best practice. Fund recipients have until March 2022 to deliver their proofs of concept.

Image Analyzer holds European and U.S. patents for its automated, artificial intelligence-based content moderation technology for image, video and streaming media, including live-streamed footage uploaded by users. Its technology helps organizations minimize their corporate legal risk exposure caused by people abusing their digital platform access to share harmful visual material. Image Analyzers technology has been designed to identify visual risks in milliseconds, including illegal content, and images and videos that are deemed harmful to users, particularly children and vulnerable adults, with near zero false positives.

Pikes continues, Law enforcement agencies depend on evidence to bring child abuse cases to court. There is a delicate balance between protecting privacy in communications and drawing a technical veil over illegal activity which jeopardises children. Hidden doesnt mean its not happening. The UK Online Safety Bill will bring messaging apps into scope for the swift removal of harmful text and images. However, where content is encrypted end-to-end, this will significantly reduce Ofcoms ability to prevent the most serious online harms. Working in partnership with encryption specialists at Galaxkey and identity verification experts at Yoti, well help organisations to address online harms, while protecting the privacy of their law-abiding users.

##

About Image Analyzer

Image Analyzer provides artificial intelligence-based content moderation technology for image, video and streaming media, including live-streamed footage uploaded by users. Its technology helps organizations minimize their corporate legal risk exposure caused by employees or users abusing their digital platform access to share harmful visual material. Image Analyzers technology has been designed to identify visual risks in milliseconds, including illegal content, and images and videos that are deemed harmful to users, especially children and vulnerable adults. The company is a member of the Online Safety Tech Industry Association (OSTIA).

Image Analyzer holds various patents across multiple countries under the Patent Co-operation Treaty. Its worldwide customers typically include large technology and cybersecurity vendors, digital platform providers, digital forensic solution vendors, online community operators, and education technology providers which integrate its AI technology into their own solutions.

For further information please visit: https://www.image-analyzer.com

References:

Gov.UK, press release, 17th November 2021: Government funds new tech in fight against online child abuse, https://www.gov.uk/government/news/government-funds-new-tech...

Safety Tech Network, 8th September 2021, Government launches Safety Tech Challenge Fund to tackle online child abuse in end-to-end encrypted services https://www.safetytechnetwork.org.uk/articles/government-lau...

Safety Tech Network, Safety Tech Challenge Fund, https://www.safetytechnetwork.org.uk/innovation-challenges/s...

Computing AI and Machine Learning Awards Winners 2021: AI & Machine Learning Awards 2021 (ceros.com)

Gov.UK, Draft Online Safety Bill, 12th May 2021 https://www.gov.uk/government/publications/draft-online-safe...

The Daily Telegraph, Priti Patel accuses Facebook of putting profit before childrens safety, 19th April 2021 https://www.telegraph.co.uk/news/2021/04/18/priti-patel-accu...

The Guardian, Priti Patel says tech companies have moral duty to safeguard children, 18th April 2021, https://www.theguardian.com/society/2021/apr/19/priti-patel-...

Wired, The Home Office is preparing another attack on encryption, 1st April 2021: https://www.wired.co.uk/article/uk-encryption-facebook-home-...

PA Consulting - The Daily Telegraph, Keeping Children Safe Online,11th December 2019,https://www.paconsulting.com/newsroom/expert-quotes/the-dail...

Media Contact:Josie HerbertPhiness PR07776 203307josie@phinesspr.co.uk

See more here:
UK Government awards 555k to help fund new ways to protect children within end-to-end encrypted environments - ResponseSource

Thales High Speed Encryptors Combined with Phio TX Offers Immediate Quantum-Resistant Network Security for Protecting Data in Motion with No Limitations

BETHESDA, Md., Nov. 15, 2021 /PRNewswire/ -- Quantum Xchange, delivering the future of encryption with its leading-edge key distribution platform has collaborated with Thales to offer immediate quantum-safe and crypto-agile key delivery capabilities. The resulting quantum-resistant network solution enables end-users to future-proof the security of their data and communications networks; overcome the vulnerabilities of present-day encryption techniques, e.g., keys and data traveling together; and protect against man-in-the-middle, harvesting, and future quantum attacks.

Quantum (PRNewsfoto/Quantum Xchange)

Quantum Xchange's groundbreaking out-of-band symmetric key delivery system, Phio Trusted Xchange (TX), is a simple architecture overlay that works in tandem with conventional encryption systems, in this instance Thales High Speed Encryptors (HSEs), and any TCP/IP connection (wireless, copper, satellite, fiber) to decouple key generation and delivery from data transmissions. With Phio TX a second, quantum-enhanced encryption key is sent down a separate quantum-protected tunnel and mesh network to multiple transmission points. This presents an attacker with the enormous challenge of having to defeat the combined security of Key Encrypting Key (KEK) where a second key is in play and sent independently of the data path. Continuous key rotation takes place on every transfer, further heightening the system's security today and in the quantum future.

Phio TX embraces crypto agility, supporting quantum keys generated from any source, i.e., Quantum Key Distribution (QKD), Quantum Random Number Generator (QRNG), or a combination, and all Post-Quantum Cryptographic (PQC) candidate algorithms being evaluated by the National Institute of Standards and Technology (NIST) scheduled for standardization by 2022. The FIPS-validated network security appliance also meets the European Telecommunication Standards Institute (ETSI) protocol for QKD. With Phio TX, users can start with PQC, then easily scale to QKD protection levels with no interruptions to their underlying infrastructure and no network downtime.

Story continues

"Phio TX used in combination with Thales High Speed Encryptors (HSEs) arm customers with a powerful, enterprise security solution capable of making native encryption keys immediately quantum resistant," said Eddy Zervigon, CEO of Quantum Xchange. "The standards-based solution can easily meet the risk mitigation needs of a business at any time and delivers an infinitely stronger cybersecurity posture to any network environment."

"Quantum computing will be one of the biggest technological achievements in recent memory, but it comes with a lot of security risks," said Todd Moore, Vice President Encryption Products at Thales. "While there is no such thing as a silver bullet when it comes to cybersecurity, deploying crypto-agile systems, or those with the ability to update cryptographic algorithms, keys and certificates quickly in response to advances in cyber-attacks is the next frontier in protection against the emerging threats. Today Thales is enabling businesses to deploy security algorithms in a flexible way that include quantum-resistant algorithms that provide mitigation techniques to the current and future security risks presented by the evolution of quantum computing. NIST is currently selecting finalists amongst the quantum-safe encryption algorithms being developed. In anticipation of this, Thales already supports the current finalists including Thales' Falcon algorithm."

To learn more about the key advantages and features of Thales network encryption solutions with Phio TX, download the solutions brief here.

About Quantum XchangeQuantum Xchange gives commercial enterprises and government agencies the ultimate solution for protecting data in motion today and in the quantum future. Its award-winning out-of-band symmetric key distribution system, Phio Trusted Xchange (TX), is uniquely capable of making existing encryption environments quantum safe and supports both post-quantum crypto (PQC) and Quantum Key Distribution (QKD). Only by decoupling key generation and delivery from data transmissions can organizations achieve true crypto agility and quantum readiness with no interruptions to underlying infrastructure or business operations. To learn more about future-proofing your data from whatever threat awaits, visit QuantumXC.com or follow us on Twitter @Quantum_Xchange #BeQuantumSafe.

Cision

View original content to download multimedia:https://www.prnewswire.com/news-releases/quantum-xchange-collaborates-with-thales-to-enable-quantum-safe-key-delivery-across-any-distance-over-any-network-media-301424239.html

SOURCE Quantum Xchange

Read the original here:
Quantum Xchange Collaborates with Thales to Enable Quantum-Safe Key Delivery Across Any Distance, Over Any Network Media - Yahoo Finance

Quantum computers will rapidly solve complex mathematical problems. This includes the ability to break both RSA and ECC encryption in seconds. In response, NIST has been leading an effort to define new cryptographic algorithms that will withstand attacks from quantum computers.

NIST started this process in 2015. Beginning with almost 70 candidate algorithms, NIST narrowed the field down to a set of finalists over 3 selection rounds. We now have a well-defined set of algorithms that are potential replacements to the currently used algorithms. Implementations of each finalist are available. NIST is expected to announce the initial set of algorithms to be standardized within just a few months.

With implementations of the finalist algorithms available and standards forthcoming, companies will begin in earnest to migrate from classical crypto solutions to the new post-quantum crypto (PQC) algorithms. As companies begin this process, some of the questions they must answer are: where are hardware implementations required, and where are software implementations sufficient?

Migration to PQC algorithms is a major undertaking. Digital certificates using RSA or ECC encryption are used to provide identities and enable secure communication for everything from websites, DevOps processes, credit cards, and cloud services to connected vehicles, IoT devices, electronic passports, document signing, and secure email. Use of ECC and RSA encryption is pervasive; all systems using RSA and ECC encryption will need to be updated to use the new PQC algorithms.

Many large enterprises are already planning for this migration. Some have created a Crypto Center of Excellence or similarly named group to lead this effort. Due to the number of systems requiring updates, and the interdependencies of these systems, this will be a large, multi-year project for most enterprises.

For most enterprises the first step is cataloguing their systems using encryption. Next, companies must determine the risk associated with each system. They can then begin developing a roadmap for migration to PQC.

As part of this process, companies need to identify the details of crypto implementations, including:

Once this information is available, a roadmap to update crypto components can be developed. RSA and ECC encryption are frequently used for secure communication, so companies must take into consideration dependencies between systems and devices. If one device is updated, but the systems it communicates with are not, the devices will either fail to communicate or will revert to using classical crypto until all devices are updated.

With a full inventory of systems using cryptography in hand including details on algorithms, crypto libraries and hardware accelerators used they can begin planning to migrate to PQC. Planning must take into consideration where systems are sourced and what systems are internally controlled vs. externally controlled. Many enterprise systems include hardware and software components developed by third-party vendors. The process of upgrading will require coordination across the entire supply chain.

Crypto implementations may be built into many different layers of the technology stack. Hardware platforms often include crypto acceleration and hardware-based secure key storage. The operating system may utilize the hardware crypto primitives but may also include a crypto library. Furthermore, applications may include their own crypto libraries.

On systems with multiple applications, several crypto implementations may be present and each needs to be updated. Furthermore, these systems rely on digital certificates issued by a PKI system or certificate authority that must also be updated. Migration to PQC algorithms requires all these systems to be updated in a coordinated fashion.

In addition to supply chain considerations, organizations need to address interoperability with partners, customers, and third-party service providers. These systems will also require updating, and these updates must be coordinated to ensure ongoing compatibility.

It should be clear by now that migration of existing systems to PQC algorithms requires significant coordination between internal software development groups, vendors, partners, and customers. For each system, both internal and external, it is important to determine where the crypto algorithms should be implemented. Should software-based crypto libraries be used? Or is there a need for hardware-based crypto primitives?

It will be no surprise, there is no one-size-fits-all answer to this question.

For many systems, initial migration to PQC will require use of software libraries with PQC algorithms implemented in software. This is the fastest upgrade path. It will allow independent upgrades to software applications, without dependency on new hardware or operating systems. Given the complex set of dependencies, this is a necessary step.

Starting with software-based PQC reduces dependencies on long hardware design lifecycles and hardware update schedules. New hardware designs generally take 12-24 months. Even if companies are starting now, platforms will not support PQC algorithms in hardware for at least a year or two. Once new hardware designs are available, companies will need to plan the rollout of new hardware. Generally, companies cannot afford to replace all hardware systems at once.

Once hardware support for PQC becomes available, companies can begin migrating to hardware-based PQC, but it will take years to replace all platforms with new systems providing PQC in hardware. Software-based PQC solutions provide a critical migration path.

The flip side of this argument, however, is that hardware-based support for crypto implementations provides a greater level of security than software-based systems. Current security best practices rely on using a crypto co-processor such as a TPM chip, Secure Element, or HSM to perform security critical operations. This allows isolation of cryptographic keys in hardware that cannot be accessed by application code; protecting them, even if the device is compromised by a cyberattack. These crypto processors also provide countermeasures to side-channel attacks.

The use of hardware-based security for PQC implementations is particularly important when you consider the threat landscape for PQC. PQC is needed to protect systems from attacks using quantum computers to break encryption. Quantum computing technology is rapidly advancing but is still in the early stages of development.

For the foreseeable future, quantum computing will remain the province of very large corporations and nation-states. This will change over time, but early adopters of PQC are companies and systems that include nation-state actors in their threat model.

Nation-state actors have extremely deep pockets and sophisticated capabilities to carry out cyberattacks. They often have access to zero-day vulnerabilities allowing them to defeat software-based security solutions and penetrating security perimeters. As a result, they can often install malware on target adversaries computing devices. With malware on a target computer, nation-states can monitor any operations performed in software, including crypto operations.

In this manner, they can discover crypto keys even on systems using PQC. While they have not defeated the PQC algorithms, they would be able to defeat the overall security solution. This is akin to a robber getting hired by a bank as a trusted employee and then stealing the vault codes. The robber may not have cracked the safe, but is still able to gain access to its contents.

RSA and ECC-based encryption systems started with software-based implementations. Over time, hardware security co-processors, security elements, and TPM chips have become increasingly cost effective and widely available, allowing a migration to hardware-based crypto. Security critical systems were early adopters of these hardware-based security solutions.

PQC algorithms will follow a similar path. Companies are beginning to invest in hardware-based crypto for securing critical systems. Over time, hardware-based solutions will become cost effective and be widely adopted for PQC. For security-critical applications, companies can begin implementing hardware-based PQC now.

See original here:
When it comes to securing systems against quantum computers, there is no one-size-fits-all solution - Help Net Security