Wednesday, March 3, 2021

Defending against quantum-computer hacking using biometrics

In 1978, BBC radio ran a satirical exposé about a group of hyper-intelligent pan-dimensional beings who were trying to get inside the brain of a human named Arthur Dent, who was a fugitive from the planet Earth. The radio show was so popular that it went on to become a book, a TV series, a movie and recently has been re-released on CD for future generations in its original audio format. 

The story, called The Hitchhiker's Guide to the Galaxy, was told from the perspective of Arthur, who had no idea of the importance of his former home, Earth, which had been destroyed shortly after he escaped. Nor did Arthur understand the tremendous significance of his own brain. The pan-dimensional beings, which appeared to him as mice, were actually the administrators of a massive planet-sized computer. They regarded Arthur as just a circuit in the computer that they managed. The mice had been conducting experiments on humans from inside Skinner boxes in the laboratories of human psychologists for many years. (Meanwhile, the psychologists believed it was they who were experimenting on the mice!)

Deep Thought, on the future computer, Earth
The Earth had been planned by another, more primitive computer, called Deep Thought, which argued that life forms would be the circuits of this great future computer that could come up with the great question of "life, the universe and everything." Humans would therefore wander its surface, staring at Brownian motion in their tea cups, pondering the existential question for the benefit of all sentient beings in the galaxy, who eagerly awaited the outcome. Deep Thought had already revealed that the ultimate answer was 42. But determining the ultimate question would require millennia of pondering. The story alleges that finally a woman in a cafe in London had come up with the ultimate question while staring at her tea. This made the unfortunate destruction of the Earth very frustrating to the mice who'd been working on the surface of the planet for millennia prior. The mystery of the ultimate question was to remain hidden until the Earth could be replaced.

Martin Freeman as Arthur, facing interrogation by mice
However, the mice had reason to believe Arthur might have remnants of the great question inside his mind, as he was the last vestige of the original Earth program. From their perspective this secret question was much more valuable to the galaxy than his brain was to Arthur. Yet Arthur was reluctant to yield his brain. He was ultimately able to avoid being diced up by the mice. But he did end up marooned on the surface of Earth Mark II, a rebuilt computer based on the original Earth blueprints, after the mice decided to start again from scratch. (To find out what happened to Arthur on Earth Mark II, listen from Episode 6 of the BBC radio show to hear of his adventures thereafter.)

Rising up from the perspective of the radio series, we may assume that we humans are actually on the second coming of Earth. In our own narrative, humans have just built their own hyper-intelligent computers, which we call quantum computers. These crafty computers have circuits that can think three thoughts instead of just two, as with their predecessors, binary computers. A great deal can be achieved by allowing a circuit to go from thinking yes/no (0 or 1 in a logic gate) to thinking yes/no/maybe! Just two years ago in Nature magazine we read pronouncements that a group of scientists had used a quantum array of circuits to demonstrate “Quantum Supremacy” for their particular computer in terms of a high speed of calculation. While this is great news for anyone with a quantum computer, it was suddenly bad news for everyone else's non-quantum computers, as it implied that the rest of us would have to go back to the drawing board to try to figure out how to secure our binary-logic computers and computer networks that were suddenly deemed less supreme.

There may be no hyper-intelligent pan-dimensional beings trying to hack our skulls. But there are a bunch of ordinary folk who plan to use these computers, like those pesky mice, to peer into our networks and steal our secret questions, as they've been doing with binary computers and phishing exploits for decades. Our legacy means of encrypting networks have been based on introducing complex hashes of data. Introducing hashes with mathematical complexity, referred to as "introducing entropy" or "cryptographic salts," makes the decryption of such data without access to keys too complex for a binary computer. As we saw with the Sycamore quantum array, a process that could take 10,000 years for a binary super-computer takes a mere 200 seconds for a quantum array. (This was followed by the Jiuzhang computer, which claimed to be even faster.) Theoretically such a fast computation process could be used to apply Shor's algorithm to factor RSA-level crypto-keys while the keys were still in use. This implies that we need to introduce greater algorithmic complexity to eliminate this vulnerability should such computers be used for decryption in the future.

PQ Solutions has been working on this challenge of protecting legacy networks and software from threats emerging in the post-quantum era with a means that is both backward compatible with RSA networks and future-proof against decryption attacks regardless of computer speed. While we're currently standardizing this cryptographic approach with the US Department of Commerce NIST working group, we are also introducing products in the market today to allow other companies to have the cryptographic agility to layer in this new standard once the NIST process is complete. (Final post-quantum cryptographic standards will be announced next year and required for all government service providers thereafter.)

Our identity validation platform, Nomidio, allows companies to ensure that they only authenticate users for access to their secure/private networks after they've been biometrically proven to be who they say they are. You may wonder why we think biometrics are the key to quantum-safe encryption. We will be presenting on this topic at the upcoming conference Quantum Business Europe. Please join us if you're available to hear about our products and our philosophy of networks protected against such threats. But for those who can't join the conference demos, I'll elaborate on our approach.

Computers will get better over time at factoring the large numbers which we use in defense against binary computers for RSA encryption. So we need to change the game with something that computers can't factor or decrypt. We can borrow a concept from Deep Thought, that humans are the answer for the challenge. Computer-stored passwords are a vulnerability we all know because they are static in time and typically stored partially in the clear through a process called public-key cryptography. We are among a broad consensus of security companies that advocate for transitioning to passwordless network protection. Just as with the increasing incidence of car theft by capturing radio signals from the key fobs, we now have to ensure our keys are not left in a place where their signals can be captured.

PQ Solutions' approach to securing network end-points is to introduce live performance of biometric proofs into the encryption process. Quantum computers can be used to simulate incredibly complex mathematical equations and physical systems. But a quantum computer wouldn't be able to simulate a human. By sampling behavioral elements of a live authentication flow we can ensure machine-based intrusions are not able to access a network or breach static encrypted files signed with the biometric hash. Unlike car keys and their RFID signals, your identity can't be stolen from you.

The benefit of using an "Identity as a Service" (IDaaS) platform is that companies don't themselves have to hold any biometric data on their servers. Remember the European privacy regulation GDPR, which tightly regulates data collection and protection? That's why a company's chief technical officer does not want to build an in-house biometric database of their users. Nomidio IDaaS provides a zero-knowledge cloud-based solution for identity validation so CTOs can delegate access for proven individuals internally, while outsourcing identity proofing in their access management technology stack. Our goal with Nomidio is to give companies vault-like biometric authenticity checks without causing a large data footprint for our relying parties and partners.

A secure network is like the hull of a submarine. Deep underwater the hull of a submarine is hardened against leaks. If you wanted to put a window in a submarine, you'd have to ensure that it was as pressure-tight as the hull of the submarine itself. Nomidio does just that. As a user is granted access into a network they have to provide a multi-factor proof that they are who they say they are. Their biometrics are then woven into the encrypted session access key used to grant visibility while certifying that their access token cannot be duplicated, captured or recreated by any person who is not them. This is beyond just proving they have the phone or the RSA key-fob of the formerly-approved employee, as is the case with 2-factor apps or SMS-based systems. With Nomidio, a user must match the live facial likeness of an authenticating user, along with an authenticity check of their biometric voiceprint as they log in. Both of these, as separate factors in the multi-factor authentication, cannot be attached to each other and cannot pass based on past recordings or images of the same person.

If you're interested in learning more, attend our free-pass demonstrations at Quantum Business Europe, or visit nomidio.com to learn how to integrate using the open protocols OpenID or SAML. We provide a one-month free-access demo account in Amazon Web Services and Azure Marketplace.

Please enjoy our videos from the Post Quantum Europe conference. (n.b. PQ Solutions is a platinum sponsor of this conference.)

  • Christopher's speech on leveraging biometrics in network defense: Link to YouTube
  • Andersen Cheng's summary of the timing of the quantum hacking threat: Link to YouTube
  • CJ Tjhai's presentation on hybrid encryption with post-quantum cryptography: Link to YouTube


For more information on The Hitchhiker's Guide to the Galaxy visit:

  • 2005 Cinema version: https://www.imdb.com/title/tt0371724/
  • BBC TV version: https://www.justwatch.com/us/tv-show/the-hitchhikers-guide-to-the-galaxy
  • BBC HHGTTG Legacy Link: https://www.bbc.co.uk/programmes/b03v379k/episodes/guide
  • Recently re-published CD collections: https://www.amazon.com/Hitchhikers-Guide-Galaxy-Primary-Phase/dp/1787533204