The rise of quantum computing has brought about a new and significant concern in the field of cybersecurity: Harvest Now, Decrypt Later (HNDL) attacks. According to a survey by Deloitte, more than half of the professionals in the industry are deeply worried about the potential impact of these retrospective decryption attacks. In this blog post, we’ll delve into what these quantum-related threats entail and discuss how you can future-proof your enterprise against them.
A Harvest Now, Decrypt Later attack is a two-part cyber-attack where malicious actors collect sensitive, encrypted information today, with the intent to decrypt it in the future. This strategy relies on the assumption that quantum computing, once fully developed, will have the power to break modern encryption schemes that are currently considered secure. This approach is also known as 'store now, decrypt later' or 'catch now, break later.'
In simple terms, bad actors are gathering and storing encrypted data, anticipating the day when quantum computers could render today's encryption methods obsolete. Instead of investing time and resources into cracking cryptographic algorithms now, they’re banking on future quantum capabilities to do the heavy lifting for them.
Quantum computers utilize the principles of quantum mechanics, particularly the concept of superposition, which allows them to process vast amounts of data simultaneously. This capability poses a potential threat to current encryption methods. As a result, there is a pressing need to develop quantum-resistant cryptosystems that can withstand the computational power of quantum computers.
Current cryptographic algorithms, such as those based on the factorization of large numbers, are particularly vulnerable. Quantum computers are expected to break these encryption schemes with ease, putting any data secured by these methods at risk. This threat is universal, affecting organizations of all sizes, from small businesses to large enterprises. To mitigate this risk, the industry is moving towards post-quantum encryption and key exchange algorithms designed to resist quantum-based attacks.
In the meantime, a crypto-agile approach using hybrid algorithms offers a way to mitigate the risks posed by quantum computing. Hybrid public key encryption (HPKE) algorithms are designed to provide security against both current and future threats. For example, the X25519Kyber768Draft00 algorithm, which combines traditional elliptic curve cryptography (ECC) with a post-quantum cryptographic method, is already being used by major platforms like Google Chrome and Cloudflare.
These hybrid solutions provide a necessary bridge, allowing organizations to defend against both modern attacks and the future quantum threat. The use of lattice-based algorithms, which are particularly difficult to solve, further enhances the security of these systems, making them a strong candidate for post-quantum cryptography.
Unlike typical cyber-attacks that provide immediate rewards to the attacker, Harvest Now, Decrypt Later attacks require patience. Attackers set up eavesdropping tools to collect a large volume of encrypted data, which they then store for years, waiting for quantum computing to mature.
This type of attack is especially concerning for data that has long-term value, such as social security numbers, bank account details, government secrets, and intellectual property. These types of evergreen data do not change frequently and can remain valuable for extended periods, making them prime targets for HNDL attacks.
In contrast, data like credit card information, which changes more frequently, is less attractive to HNDL attackers because its value diminishes over time.
The advent of quantum computing could render current encryption methods obsolete, posing a significant threat to organizations of all sizes. The risk is not just hypothetical—nation-state actors and well-resourced cybercriminals are already believed to be stockpiling encrypted data in anticipation of future quantum capabilities.
Begin planning for the transition to post-quantum cryptography (PQC). Quantum-resistant algorithms are essential for future-proofing your organization’s data security. Start by assessing your current cryptographic methods, identifying vulnerabilities, and developing a roadmap for integrating PQC. Ensure your IT and cybersecurity teams are trained and prepared for this transition.
Implement hybrid cryptographic algorithms that combine traditional encryption with quantum-resistant techniques. These algorithms, like X25519Kyber768Draft00, offer protection against both current and future threats. Ensure thorough testing and stay updated on developments in hybrid cryptography.
Enhance your private PKI by incorporating post-quantum cryptography. Start by inventorying your digital certificates and gradually transition to quantum-resistant algorithms, focusing first on critical certificates.
Prioritize transitioning long-term encryption keys to quantum-resistant algorithms. Generate new keys using quantum-safe methods and implement robust key management practices to minimize risks during the transition.
While quantum-resistant SSL/TLS certificates are still in development, start preparing by monitoring industry progress and collaborating with your vendors. Plan for seamless integration of these certificates into your existing infrastructure.
Continuously educate your cybersecurity teams on quantum computing and PQC developments. Regularly reassess your organization’s exposure to quantum threats and be adaptable in your strategies as new information and technologies emerge.
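One way to turn the assessment and prioritisation steps above into a first-pass triage, as an added example that is not from the original post: it ranks inventory entries by how far their confidentiality lifetime plus migration time overshoots the expected arrival of a capable quantum computer (Mosca's inequality). The inventory, asset names, and both year estimates are assumptions.

```python
from dataclasses import dataclass

# Key-establishment algorithms breakable by Shor's algorithm on a quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "X25519"}
# Hybrid or post-quantum schemes; only the one named in the text is listed.
QUANTUM_RESISTANT = {"X25519Kyber768Draft00"}


@dataclass
class Asset:
    name: str
    key_exchange: str    # algorithm that protects the data's encryption keys
    secrecy_years: int   # how long the data must remain confidential


def triage(assets, migration_years, quantum_years):
    """Split an inventory into (migrate_first, needs_review).

    An asset is exposed to harvest-now-decrypt-later when
    secrecy_years + migration_years > quantum_years (Mosca's inequality).
    migrate_first is ordered by how far the asset overshoots that bound.
    """
    exposed, review = [], []
    for a in assets:
        if a.key_exchange in QUANTUM_RESISTANT:
            continue
        if a.key_exchange not in QUANTUM_VULNERABLE:
            review.append(a.name)          # unknown algorithm: never assume safe
            continue
        overshoot = a.secrecy_years + migration_years - quantum_years
        if overshoot > 0:
            exposed.append((overshoot, a.name))
    exposed.sort(reverse=True)
    return [name for _, name in exposed], review


# Constructed inventory; names, lifetimes and year estimates are assumptions.
INVENTORY = [
    Asset("payments-api", "ECDH", 3),                   # card data, rotates often
    Asset("design-vault", "X25519", 15),                # intellectual property
    Asset("hr-archive", "RSA", 30),                     # social security numbers
    Asset("edge-proxy", "X25519Kyber768Draft00", 30),   # already hybrid
    Asset("legacy-vpn", "vendor-proprietary", 10),      # algorithm not identified
]

if __name__ == "__main__":
    print(triage(INVENTORY, migration_years=3, quantum_years=10))
```

Short-lived card data drops out of the migrate-first list under these estimates, while the long-lived records lead it, matching the distinction drawn earlier between evergreen and fast-changing data.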