Google's Post-Quantum Upgrade Doesn't Mean We're All Protected Yet

Google's announcement was the product of a long chain of events, triggered by NIST choosing Kyber as the candidate for general encryption last year.
As a result, Google has announced that it has added Kyber, beginning with version 116 of its Chrome browser.
This was done through a bespoke implementation by Google within TLS, a widely used standard across Internet communications.
Further, Google's implementation of Kyber is hybrid, which means that traditional elliptic curve cryptography has also been left in place alongside Kyber, which helps mitigate risk and provide continued tried-and-tested protection from attacks that use today's classical computers.
Why You're Not Safe Yet Google's action is significant in many respects: The world's largest Internet browser, used globally by online users everywhere, kick-started its migration to post-quantum cryptographic protection.
First, Google appears to have upgraded the Chrome browser only on the client side.
For any link to be quantum-safe, the server(s) in question also needs to be upgraded to Kyber, but Google doesn't appear to have done this for its own apps yet.
Adding to this is that the surface area we need to protect goes beyond just securing connections - we need to consider the apps beyond the Google environment.
Every cloud application provider will also need to work on the server side to ensure that Chrome users can establish a secure connection with them using Kyber, which isn't going to happen anytime soon.
This all gets more complex when we consider that the TLS protocol, within which Google has added Kyber on a bespoke basis, is managed by the Internet Engineering Task Force.
IETF hasn't yet ratified a standard way for companies to add post-quantum algorithms as part of TLS, which also needs to happen for any widespread adoption to take place.
The final caveat is that there is also the question of how communication links deeper behind the scenes, such as how data center to data center links are protected.
For many, the above shopping list of caveats will not exactly be good news, and even more so for those needing to keep highly sensitive data secure for a long time.
You can't wait until the new post-quantum algorithms are integrated into shared, public infrastructure, because you'll likely be waiting over a decade.
As a result, the Google news emphasizes the urgency for organizations to chart their own migration journey, rather than waiting to be pushed by others.
Rather than waiting for public infrastructure to be upgraded, set your sights on, for example, creating bespoke end-to-end infrastructure that's quantum-safe by design, where everything from your business processes to day-to-day internal communications are protected.
You can have the protection you need for the next 50 years, today.
The First Mile/Last Mile Problem Is Still There Google's update doesn't relieve the pressure for a lot of people, but it's definitely a milestone if we look at it through the lens of a wider, public infrastructure upgrade.
For organizations that need the most urgent protection from the quantum threat, a bespoke approach is needed.
A hybridized approach, where multiple post-quantum and traditional encryption algorithms are combined, offers truly interoperable public-key cryptography that is resistant to quantum and traditional threats.


This Cyber News was published on www.darkreading.com. Publication date: Wed, 13 Mar 2024 01:50:09 +0000


Cyber News related to Google's Post-Quantum Upgrade Doesn't Mean We're All Protected Yet