Securing Your Network Today for a Post-Quantum Future: Why and How

Yaron Sheffer
Published in Intuit Engineering
5 min read · Jun 27, 2022

Learn how we’re hardening our inter-service network at Intuit to protect against future quantum threats.

This blog post is co-authored by Intuit’s Laëtitia Kahn, Software Engineer, and Anil Attuluri, Principal Software Engineer, with Yaron Sheffer, Fellow Engineer.

Nobody knows when quantum computers will become a reality. Many people believe this can happen by the end of this decade, but others are more skeptical. What we do know is that if full-scale quantum computers become a reality, their existence promises to revolutionize cryptography. The algorithms we currently use to secure all our network traffic would become easily breakable by attackers with enough resources.

This post recounts the steps that Intuit’s infrastructure teams have taken to protect the company’s network traffic — and our customers’ data — from this potential threat, by deploying quantum-resistant encryption methods to protect communication between our backend services.

For decades we’ve known that the RSA (Rivest, Shamir, Adleman) asymmetric encryption algorithm and the ECDH (Elliptic Curve Diffie-Hellman) key-sharing algorithm, two of the main building blocks of the modern TLS (Transport Layer Security) protocol, can be efficiently broken by a quantum computer. TLS, also known as SSL (Secure Sockets Layer), is the protocol that underlies all HTTPS traffic.

Imagine a world where you can no longer secure your social interactions or financial transactions. Now, think of the chilling effect it would have on the Internet as we know it.

Cryptographers identified this problem several years ago, and the community is working hard to address it. The solution is known as Post-Quantum Cryptography (PQC), otherwise referred to as Quantum-Resistant Cryptography. These are cryptographic systems that ideally serve as replacements for the at-risk algorithms, and are resistant to attacks by both quantum and classical computers.

Post-Quantum Cryptography should not be confused with the ongoing work using physical quantum effects to achieve secure networking. This is known as quantum cryptography, and the best-known example is quantum key distribution (QKD). This technology is completely unrelated to post-quantum cryptography. Moreover, since QKD requires custom hardware, there is widespread skepticism about it ever gaining industry traction.

For many years the security community has strongly favored standardized cryptographic algorithms. The standards review process adds a great deal of assurance that the algorithm is truly secure and, in fact, all widely known cryptographic algorithms and protocols, such as RSA, ECDSA, AES, and SHA-256, are specified in standards documents.

Post-quantum algorithms are no exception, and it is everybody’s preference that they go through a rigorous standardization process. The process of PQC algorithm standardization has been driven in the last few years by the U.S. National Institute of Standards and Technology (NIST) post-quantum cryptography competition. Once NIST has picked one or several winning algorithms, other standards organizations such as the Internet Engineering Task Force (IETF), the World Wide Web Consortium (W3C), etc. are expected to follow with protocols based on these algorithms.

The majority of industry players are waiting for the multi-year NIST process to conclude and for the selected algorithms to be widely implemented in cryptographic libraries, such as OpenSSL, in browsers, in web servers, and so forth. Then, people will be able to “turn on” quantum-resistant cryptography in their applications, much as they can now configure the algorithms used in TLS implementations.

But there may be good reasons to implement PQC even before the standards are finalized. Some enterprises are concerned about the long-term security of their network traffic. This is security against powerful, possibly nation-state, attackers who could record encrypted network packets today and decrypt them in the future, when the quantum-based technology to do so has matured.

Intuit is a trusted steward of our customers’ data. This includes more than 100M consumers and small businesses who use products and services, such as QuickBooks, TurboTax and Mint. We’re fully committed to ensuring the security of their data, even under the far-reaching threat model we just laid out. That’s why we have spent the last year ensuring that our service infrastructure is quantum resistant.

Put technically, we configured our network to use a hybrid PQC handshake for TLS traffic between our backend services. The notion of a “hybrid” algorithm in this context is worth going into: it refers to a cryptographic algorithm that combines the properties of PQC and classic cryptographic algorithms in a special way. The hybrid approach guarantees that even if the PQC algorithm turns out to be weaker than expected (given that most PQC algorithms have undergone a limited amount of scrutiny, so far), the combined algorithm will be just as secure as the classic algorithm, namely today’s ubiquitous RSA and ECDH. And of course, if the PQC algorithm is in fact as secure as it has been designed to be, we also get quantum resistance on top of all the classic security properties of TLS.

Intuit’s Service Mesh, a modern run-time environment for thousands of backend services that underlie our applications, is built using the Istio open-source service mesh. To implement our hardened network, we extended the Istio provisioning subsystem to allow more flexible TLS configuration, including granular control of the TLS version and the elliptic curve groups used in the key exchange. We then were able to deploy the CECPQ2 hybrid key exchange using Google’s BoringSSL library. Before and during our large-scale deployment, we measured the performance effects using a standard performance benchmark. The results were encouraging, with barely any noticeable slowdown compared to the default use of TLS 1.3 with ECDH.

[Figure: Service Mesh Architecture. A typical service mesh architecture: TLS happens in the sidecars (Source: Red Hat: What’s a Service Mesh?)]

While it might take longer for the broader PQC ecosystem to mature, we hope that this blog post motivates you to join us as we forge ahead in creating a secure future for our customers with quantum-resistant encryption. Intuit’s Security R&D and Developer Experience Core Systems teams are proud of our contributions to date, and committed to being well-prepared for the post-quantum era.

Lastly, we would like to thank Intuit’s Boaz Sapir, Principal Software Engineer, and Jason Webb, Distinguished Software Engineer. It takes a strong team to develop code for a leading open source project, and to have it accepted into the code base. This feat would not have been possible without your support!

PS: It’s been just over a week since we published this blog post, and big things have happened. The US National Institute of Standards and Technology (NIST) published its round 3 selection of post-quantum algorithms. For key exchange, NIST picked Kyber rather than NTRU, the algorithm that underlies CECPQ2. This was mainly on performance grounds, and NIST noted that it is “confident in the security” that NTRU provides (page 18 of the full NIST report). Following the NIST announcement, Google published a blog post revealing that, similarly to our strategy, it is moving to protect its internal network with post-quantum cryptography and a hybrid key exchange.

Yaron Sheffer
Intuit Engineering

I am a Fellow Engineer at Intuit Security R&D, focused on encryption and data security. I am also active on the IETF and have published numerous RFCs.