Cloudflare aims for post-quantum security by 2029


Cloudflare has set out its post-quantum roadmap, aiming to be fully post-quantum (PQ) secure, including, crucially, post-quantum authentication, by 2029.

This comes as Google last month accelerated its post-quantum migration timeline, also to 2029. In addition, Google has prioritized quantum-secure authentication over mitigating harvest-now/decrypt-later attacks.

Cryptographically relevant quantum computers (CRQCs) don’t exist yet, but many labs across the world are pursuing different approaches to building one. It’s also likely that future progress will not be in the public eye.

Up to now, the focus has tended to be on post-quantum cryptography (PQC) to stop harvest-now/decrypt-later (HNDL) attacks. Broken authentication is potentially much more catastrophic, though. Any overlooked quantum-vulnerable remote-login key is an access point for an attacker to do as they wish, whether that’s to extort, take down, or snoop on your system. Protecting login keys against quantum attack therefore needs to be a priority.

This means not only disabling quantum-vulnerable cryptography, but also ensuring that all secrets, such as passwords and access tokens, previously exposed in the quantum-vulnerable system are rotated.

Cloudflare’s principal research engineer, Bas Westerbaan, writes on the company’s blog, “For businesses, we recommend making post-quantum support a requirement for any procurement. Common best practices, like keeping software updated and automating certificate issuance, are meaningful and will get you pretty far. We recommend assessing critical vendors early for what their failure to take action would mean for your business.”

You can find out more about Cloudflare’s roadmap and see further recommendations on the company’s blog.
