Secrets Management Considerations for a Post-Quantum World

How will quantum computing change secrets management? That seems like a pertinent question to ask, now that Google has claimed to invent a quantum computer, and AWS has rolled out a quantum computing cloud service — signs that cost-efficient, real-world quantum computers may be closer to reality than many people imagined just a few years ago.

With that reality in mind, here’s an (admittedly speculative) overview of what quantum computing might mean for secrets management, and how teams can prepare their secrets management strategies for a post-quantum world.

Quantum computing and secrets

If quantum computing becomes practical to use on an everyday basis, it will totally upend the approach that developers and IT teams have taken to managing secrets for the past fifty years.

The reason is pretty straightforward: Because quantum computers can crunch numbers at a rate that is tremendously faster than conventional computers, they will be able to brute-force passwords, encryption keys, and other secrets with ease. Google claims that its quantum processor (which it calls Sycamore and developed in partnership with NASA) can complete in 200 seconds a computational task that would take a conventional computer 10,000 years.

Thus, even very long and complex passwords and encryption keys stand to be broken quickly simply by letting quantum computers guess random combinations until they hit upon the right one.

Adapting secrets management for the quantum age

Given that everyday quantum computing has yet to become practical, designing a secrets management strategy for the quantum age remains a speculative exercise. Still, here are some pointers that might prove critical for managing secrets effectively if and when quantum computers throw conventional password security and encryption out the window.

Quantum secrets

Probably the most straightforward answer to the threat that quantum computing poses to secrets management is to make the secrets themselves quantum.

What that means is taking advantage of the fact that photons (which are the basis for quantum computing, by the way, though actually explaining how quantum computing works is beyond the scope of this blog post) can exist in multiple states at once to store information in such a way that it cannot be modified without the modification being known. Messages can then be exchanged securely, or at least in a way that prevents eavesdroppers from reading them.

When used effectively, quantum secrets could replace traditional encryption keys to protect data. It’s currently a bit harder to see how they would replace password-based authentication too, although — by secretizing data itself — they may remove the need for passwords in the first place.

More complex secrets

Quantum computers may be able to crunch data much, much faster than conventional computers, but everything’s relative. If you make secrets complex enough, even quantum computers may struggle to break them.

To be sure, this is not an ideal strategy, for two reasons. The first is that secrets would need to become millions of time more complex, which would make them impractical for some use cases. A password that consists of millions of random characters is not one that an end-user can use to log into a workstation. However, when used with secrets management software that authenticates automatically, the length of the secret is less important.

The other downside to more complex secrets is that they are probably only a temporary solution. Quantum computers will likely grow more powerful over time, so you’ll have to keep making secrets even longer (or more complex in other ways) to keep up.

More secrets

In addition to making secrets more complex, it’s possible to envision a future where we simply rely on many more secrets. Today, many applications need only one set of secrets (a username and password, or an API key) to authenticate. If you do two-factor authentication or used RBAC to help regulate access, you’re ahead of the curve.

But in a post-quantum world, it may become necessary to rely on thousands of different secrets to perform a single authentication. That way, not only would many more secrets need to be compromised in order to breach security, but all of the secrets would also have to be shared at the right time and in the right order to allow an authentication to occur. Even with the computing power of quantum processors, it may be difficult for attackers to circumvent these safeguards.

Obviously, having thousands of secrets for a single authentication wouldn’t work if humans are entering secrets by hand. But with automated secrets management software, it’s feasible. When secrets are stored and shared automatically, it doesn’t really matter whether you are working with a handful or ten thousand; your secrets manager does the hard work for you.

Conclusion

If there’s one sure thing we can say about how secrets management will work in a post-quantum world, it’s that it will be a lot more complex. However, the fundamentals of secrets management are likely to remain the same. Whether the development teams of the future are working with secrets that are themselves quantum in nature, or simply with secrets that are much longer or more numerous, they’ll likely be relying on the same automated, centralized secrets management functionality that tools like Conjur provide today.