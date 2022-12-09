Listen to the audio version of the article

Extension of the already well-known Software Bill of Materials (SBOM) concept of software supply chains – a sort of bill of materials of the software, an inventory that allows to precisely detail all code components, their lineage, libraries and dependencies on which an application is built – the new Cryptography Bill of Materials (CBOM) approach developed by IBM researchers describes cryptographic assets while extending existing software supply chain tools.

Designed and developed to simplify the creation and management of a cryptographic inventory across disparate software, services and infrastructures, the CBOM approach allows complex cryptographic components to be added to established tools and processes for assessing supply chain security and integrity of the software.

Goal, understand how to migrate to secure quantum cryptography (better known as post-quantum cryptography). The cryptographic inventory developed by IBM, in fact, aims to discover the presence and use of cryptography in systems, software or Software as a Service (SaaS), understand its effectiveness and eventually plan the migration to more effective systems , such as those of post-quantum cryptography.

Three steps of the CBOM approach:

1) discover, through a complete scan of IT environments, all the encryption in use, identifying any critical issues;

2) analyze the main causes of any critical issues, identify and verify the possible need for a migration to more secure cryptographic systems;

3) upgrade security by switching to secure quantum cryptography.

For this last step, IBM researchers have developed a simplified system for “drop-in replacements”, ready to update systems and software and move to a quantum-safe, quantum-proof software repository.

Why we need post-quantum cryptography

Quantum computing will help us solve the most complex problems of science and business (especially in the Finance, Energy and Healthcare areas), but there are risks related to data security that cannot be ignored and must be resolved now, before quantum computing reaches its full maturity. Current encryption schemes, even the most advanced ones used for example to protect sensitive data, financial data and information or health data, are completely inadequate in the face of the potential of quantum computing. Quantum secure cryptography is the design and implementation of protocols that are believed to be secure against the additional computational capabilities of quantum computers. In essence, the field of quantum cryptography is concerned with creating public-key cryptography, which can be implemented on standard devices, that can resist quantum attacks. The World Economic Forum recently estimated that more than 20 billion digital devices will need be upgraded or replaced in the next 10-20 years with these new forms of quantum encrypted communication. Because while it is true that the impacts of quantum computing will be seen in the future, the threat is starting to be felt now, in the present. A present made of the speed with which quantum computers scale and continuous improvements in quantum algorithms or the discovery of new algorithms, accompanied by the difficulty of adding mitigating approaches to threatened systems.

The risks of quantum computing

To understand the dimensions of the threat it is useful to examine the impact that an improper use of a large quantum machine could have in the future (for which – it should be remembered – many years of research and development will still be needed): • the confidential data that has been collected (but also stolen or lost) over the years could be decrypted very easily; • resources on blockchain could be transferred fraudulently; • digital signatures used to legally validate transactions could be questioned; legacy systems could be targeted with fraudulent software updates; digital evidence could be manipulated; the list could go on with many more points. The fact is that these are real threats involving all data, systems and technologies that will not be made quantum secure. The new CBOM approach must therefore be seen as a Quantum Safe risk management system, which must consider the “time value of security” of systems and data, i.e. examining and accounting for the value of a vulnerability in the future. Systems where the security impact of a breach is high for years to come will need mitigating actions well in advance of the expected arrival date of large-scale quantum computers.

Fully homomorphic encryption, train AI models with encrypted datasets

A new tool for data privacy also comes out of the IBM research laboratories in Zurich, especially for datasets used to train machine learning systems and other systems based on Artificial Intelligence techniques. Homomorphic encryption allows you to train AI models with encrypted datasets, without making the secret key available in cloud environments. To guarantee levels of security on the data to be used in machine learning systems, now almost all accessible via the cloud, we usually proceed with the anonymization of the data which, however, requires a lot of time and there is the risk of not being able to fully benefit of machine learning models. Fully homomorphic encryption (FHE) from IBM, available and accessible as a cloud service, allows companies to deploy their own machine learning models and use encrypted data to train them.