Mary Quantum of Scots

[Music]

hey there thanks for joining me my name is peter scheffler um i'm a security solutions architect with f5 um my um you know and thanks for joining me today to talk a little bit about mary quantum of scots you're probably interested to know what this convoluted title is but a little context myself i'm a security solutions architect with f5 i sort of work on security solutions my background software development for a very long time security probably now for a little over 20 years um and um sort of a meld of a bunch of things and i'm maybe a nerd as well um so i've i stumbled onto this quantum thing a couple years ago and i've been sort of interested in

crypt analytics you know breaking encryption and encryption and all that kind of stuff over the last last while and this sort of all came together as an interesting um merge of my my passions i guess and that's actually fairly relevant recently i had a conversation with a customer where they just conducted a security audit and as security audits are want to do they uh they came up with some findings and some things that needed to be needs to be addressed with that organization so they're a very large finserve company and they one of the things that one of the findings that was uncovered was that their private keys weren't properly being being protected there are many ways you can protect your

private keys and protecting your private keys is very important because if someone were to get those keys then they could decrypt your your whatever you've encrypted with those those keys there's a private and a public key right so the private key can be stored on a say a hardware security module so in hsm there's you know there's a bunch of tools you can buy that would encrypt this it's not something that company had you could store it on a file system and ensure that people aren't able to access that that's kind of a hope and pray kind of security model necessarily the best and that's actually what the security finding found you can also use openssl to

encrypt these files as a file so normally those files just exist on a on a disk and they're readable you can open them with a text editor or you know just cap the file if you wanted and see what the contents are and that's the key itself so whether that's the private or the public key and so the findings said they needed to encrypt these so we we we use the open ssl technology to to actually add past passphrases to them so that's that's that's a that's a good thing and hopefully i still have your attention because maybe you're now thinking okay what's my how my key is stored right and this is a this is a this is a real

common problem i think that a lot of people have and and and i think maybe you're you know the the next question you're thinking is well what's the worst that can happen if someone were to get my keys well if we um we sort of look at the uh the the the the very worst case that can happen that would certainly be as happens here um you lose your head um or your life um because someone has got your keys um and this literally um you know this is this is the story of of of queen mary or quantum mary as we're going to as we're going to call it today um because this really happened

um if we sort of go back to the story um it's it's the you know october 1586 um queen mary she is a queen um you know she enters the courtroom or the the the the throne room she sees the throne across the room all the eyes are on her she's walking with her head held high she feels confident that um you know that you know that everything is good in her world um but she's she's turned and ushered unceremoniously over to the um the defense chair where she sits all alone all by herself she's not even allowed to have any lawyers or courtiers or anybody to help her she's literally on defense on her on uh by herself

and the throne sits empty the queen queen elizabeth doesn't even deign to come to this to to to the court um mary's co-construction conspirators in this in this this whole case um well they they this is a picture of what happened to them um they were drawn quartered sliced diced um sent through probably you know a blender of some sort and their bodies burned they were disposed of horribly um one of the worst cases that's you know in history but mary feels that she's used encryption in such a way that she's gonna be protected there's nothing that could possibly happen her private keys are secure um so she's not gonna end this is not gonna be a this is not gonna be uh

her fate um a little bit about queen mary so we're going to talk a little bit about queen mary and queen elizabeth so we've got two queens we need to keep straight straighten our heads but queen mary um she's she's born in the in the early 1500s so 1533 she's born um she's she's born as a as a as a as uh to the to the king of the scotland um and uh fairly you know her mother's family is very powerful as well but at six days old her father dies um and she becomes queen so she's a six day old queen um and her mother becomes her regent and and and she actually lives a very blessed life in

her early years um and enjoys the the beauty of being a part of uh you know the the the court she gets you know great schooling um all the things that would be afforded to a to a queen or a princess is all for her she even moves to paris and um is betrothed to you know the the the heir to the throne in france the dolphin of france everything is fantastic her life is blooming this is fantastic right um she's never going to end with with her head in the chopping block well things don't don't go so well um with with things in france um unfortunately uh the dauphin of france does not live very long they don't get married

she doesn't become the queen of france they don't become the you know the the marriage of of of uh convenience that everybody had hoped that france and england would be you know joined in in in a big union um there's a lot of turmoil in england and so she gets sent back to scotland um and even there things don't go go well for her so mary's life starts very nicely doesn't end all that nicely queen elizabeth is very different queen elizabeth born to henry viii yes that henry viii henry eighth i am um and and she is actually the very the one of the reasons why the church of england gets created her mother is the very first uh queen of

england that is after uh henry viii creates the the church of england um and this is a big problem because a lot of people think that you know that it's a bestowed thing from god that that creates this whole lineage and this is a lot of turmoil um and um and and queen elizabeth gets carted off king henry viii very well known for going through lots of lots of queens um so elizabeth's mother gets uh um beheaded and and uh you know a lot of a lot of blood and guts in this in this talk and she's she's sent off she's not even part of the court or anything like that she never sees her

father um and and it's it's a long time before uh before she can even return she doesn't have any money she has no uh no schooling she literally lives a very hard life and she's compared all the time to queen mary who is seen as a catholic um which is in the time is very you know very controversial um that she you know queen mary probably should be the queen and this goes back and forth and back and forth but queen mary when she comes back to scotland has all kinds of problems or some scandal there's an affair with murder and intrigue and you know we could probably spend hours just talking about that story unto

itself but when queen elizabeth finally gets to the throne um she says enough enough is enough i can't have this you know this this battle between me and queen elizabeth uh queen mary and queen elizabeth back and forth um and she actually um has queen mary abdicate her throne for her one-year-old son well come on she took she became queen when she was six days old a kid at one year is gonna be you know more than ready for it right so here's a picture of uh of of queen mary abdicating your throne she's she's kicked out of scotland she has she she comes back to she comes to england um and queen elizabeth puts her right into

uh in into into a castle um or a bunch of castles and she's she's literally a prisoner um in many castles she is a queen right so you gotta understand what what that means probably a little different than a prisoner today but over the course of 18 years she is constantly trying to become queen she is badgering queen elizabeth um her suitors the people that come see her all kinds of things go back and forth and there's constant battles going on and there's lots of people people like just like like everyday people and uh you know commoners and the the royals that there's a big battle a big uh constant battle between queen elizabeth and queen mary um

i i know this is about cryptography we're going to get there and we're getting there right now so i know people are like scratching that okay where are we talking about security and encryption and this is where it starts and it starts with a man named anthony babington so anthony babington um was uh was a was a a gentleman in england in london and he strongly he's one of those people that strongly believed that queen mary should be the queen of england that that you know being a catholic was the reason that she could be the queen over queen elizabeth and um as many things happen uh you know like all of us he hatches a plan in in in a

pub in london um uh to to to get her you know get queen mary to the throne um he's gonna overtake uh queen elizabeth and this is gonna be it well this is nearly you know the the 17 18 year time frame with that queen queen mary's been been uh in in her castles and and she no longer even has the ability to go from castle to castle um she can't alt she can't uh send letters out anymore queen elizabeth has completely shut her off um you know she's the queen mary would talk to her her people in in france and and and and her followers in london all of this has stopped there's no way

for her to communicate and so babington is lost he's like how am i gonna be able to get in touch with queen uh queen mary how how am i gonna be able to help her overthrow queen elizabeth well here's an answer there's a gentleman named gilbert gifford who comes to babington and says hey i i i i am a i'm a spy extraordinaire i'm a i'm a ordained minister but i'm a spy extraordinaire and i i am on your side as a side note he's such a good spy there's literally not a picture of of gifford on the internet i searched i could not find it so we're going to call him mr x in these

pictures but he comes to to to gilbert gifford says hey or so to anthony babington and says hey i have the the means to to uh to smuggle stuff i'm a smuggler extraordinaire i'm a spy extraordinaire i can make this happen so badminton says this is fantastic this is great so so now he has a means to communicate with queen mary or queen queen mary and with her trapped into her in her inner castle babington um uses it sends a letter using gilbert gifford um and it's actually in the bottom of a of of a beer keg of course it has to be somehow related to beer um in in and out of the castle and and

gifford is is a fantastic smuggler he gets this in and he gets us out he gets the message back and forth and they actually now build build a plot to to overthrow queen elizabeth this is fantastic so now so now babington says okay i've got this this is great um now i said we're coming to the the the encryption side of things right and say i don't normally share information but when i do it's always secured right so if i'm on the internet i'm making sure that i'm you know we got some private keys um that the the data is encrypted well you know what queen queen mary was actually a very savvy uh courtier and she understood the need of

of using um you know security um and and and uh and encrypting your traffic um so she actually used this cipher this is actually the cipher that that queen mary used it's actually pretty complex it's it's pretty high tech for uh you know uh for a of of uh a 14th century um uh encryption mechanism right um they have several different things that they've added in here right so they they use uh uh coded you know they don't use the letters right so the letters are are mixed around with different symbols and and and different values so it's hard to hard to be able to interpret it um they use something called nulls so so they actually just randomly

throw things into this into there so whenever you see that double f symbol it literally doesn't mean anything it just so when you're decrypting it you ignore it so you could sprinkle those through so things where you would use um you know uh uh looking for repeated letters like obviously in today's english language e is the most common letter right so you look for e and you look for s and you look for t right um and so you can do substitution but when you throw these nulls in there you can just randomly throw them in there and and increase and decrease values so it makes it very hard for people to to figure these out

and then they also use uh code word so they don't necessarily use the different words they throw these different codes in here so in this case with width they wouldn't use the word width they would put the symbol 4 in there so again it gets very complex and it looks hard to to break and this is this was you know state of the air in in the 14th century and this is a fantastic way to communicate so this is how they were sending their their their stuff back they're using a smuggler right so so they're they're they were they were using a a a tunnel they were encrypting the data inside the tunnel they're doing all the things we

would normally do with a secure uh mechanism right everything that we would want to do with our uh of their ssl transactions today when we're doing banking transactions we're going to want to have a tunnel we're going to want you know so that's our that's our our our beer jug right our beer keg and we're sending that traffic back and forth um and we're encrypting it it's all it's we're doing everything we possibly can do except one thing um the one thing they didn't worry about is repudiation um so remediation is knowing exactly um that the messages is sent properly and and received properly right so that we we get the traffic through this um and

and there's something called a man in the middle attack so a man of the middle attack is is when you know you've got alice and bob they're sending data back and forth between them um and um you know we got evil eaves in the middle um listening and and if evil eve can't decrypt that traffic um well they can't do anything with it right it's it's just it's just gerbildy goop right so that the traffic can can be passed um in in necessarily in you know in open in in the open world but they can't read it well if we think about the traffic that's going through in this case we have gilbert gifford sending our traffic back

and forth the problem was gilbert gifford um was the man in the middle um he was a really good smuggler he was a really good spy actually he's twice the good spy he was actually a double double agent he was actually put in contact with babington by people on queen elizabeth's uh payroll so her literally uh her her leader uh of of uh uh put the two of them together um actually rewrote messages um completely broke this down this this gentleman um had uh you know uh some some of the best cryptographers um and some of the best means to break this that break this traffic um and this is a real problem right so

so um and we're kind of at that point today because when i said she used the best 14th century technology um well she was actually in the 16th century um right unfortunately her technology was a little outdated and people were able to break those kind of ciphers that she was using at that time um and we're today kind of at that point where where crypt uh quantum computing is actually one of those things that we that we need to think about when we we talk encryption now when we talk about quantum computers quantum computers aren't going to necessarily be uh you know something where we're going to have a cryogenically cooled uh phone in our pocket to be able to uh

shop on amazon that's that's not necessarily where we're going to see uh quantum technology when it comes about we're going to see this you know in in in certain areas we're going to see it with with state actors we're going to see it with with very large organizations um you know organized crimes syndicates those kind of things we'll we'll see that and we'll probably see that in the next few years it's not here today and and to understand what quantum cryptography is um and quantum cryptanalytics is really what we're going to talk about now and that's actually using it to break uh break the code um which could send i'm going to just level the playing field so everybody

understands what today's encryption is we have two dominant cryptography technologies right we saw the rsa algorithm um it was invented in 1977 by the rsa team you could argue that it was gchq in the early 20th and early early 1970s but they have a patent so we'll give them we'll give them the the prize but essentially it's two very large prime numbers multiplied till we get to together to create what's called a semi-prime really that means that that number can only be created by by two prime numbers there's no factoring it out or anything like that um and and we look at those numbers as very very large numbers so that the the the math to re to

reverse engineer to factor those out it's called being intractable it's not impossible it's just really really really really really hard um and it makes it almost impossible for someone to be able to reverse that so again when we look at those private keys the private keys have our um our factors in them right so they have our numbers that we're going to use in that and those numbers um we want to protect them so in the case of this customer where where they needed to um add the security on it if anybody had access to those files before they were encrypted they could just read those files and get the get their their their their factors and get

their private key um we want to be able to lock those down we want to protect those and and we also have uh ecc that's the other main technology today um so elliptical curve cryptography um so that was discovered in 1985. actually kind of interesting that that that we say discovered for ecc and invented for rsa but i think that's the the maybe just because this has always been around it because no one knew it yet but essentially these are curves um and so the private key is some points on the curve that that allow you to define this and this actually becomes much even more intractable because we've been able to break the rsa

code up to certain a number of bits and so we've seen over the last few years cases where we've got you know numbers in the you know 700 600 bit range these are very large numbers understand that these are these are you know um several hundred digits long these these numbers they aren't they aren't they aren't uh trivial um and it takes a long time for a classical computer to to to factor this out even even a super computer would take you know years of of grinding to be able to calculate this out um when when they did the the initial ones um back in the in the uh in in the early 90s mid 90s

um you know it would be the equivalent of 2 000 years of uh amd opteron uh computer to be able to calculate it so that's that that gives you the idea of the amount of compute that needs to happen on these so it it makes it very hard and and we can make it even harder by using something called perfect forward security or sometimes perfect security depending on how you want to want to refer to it but essentially we derive a session key from our private key um and and then use that to communicate back and forth but we only use that session for a very short time we're constantly changing those keys um and that again that just increases

that intractability so that that that the math just becomes harder and harder and harder to to to get to um and this is how classical computers work so they work on on a linear algorithm basically it's going to be it's you know is three times five the number is you know seven times three the number like it's really just a matter of figuring out you know okay i'm gonna i'm gonna go through and multiply two prime numbers until i get that number and understand when we're looking at numbers that are hundreds of digits long this is a really really really big time in a long long time to get to get these numbers so that's why it takes us thousands of

compute hours or compute years to calculate this out so now with the advent of of quantum computers so quantum computing um isn't here today um but maybe a basis on what quantum computing is um it's it it's where computing is is going to go so we it was it's based on the mechanics of quantum mechanics which was discovered in the um you know in the 1930s um and quantum computing was sort of invented in the in the 1960s as a concept a conceptual idea and quantum computers of a couple uh you know a very small amount have have been created but they don't last very long so there's some real challenges because we're we're dealing with the the world of the

very very small and and i i understand we're you know we're going to get into little math and uh hopefully not gonna panic anybody too much but we don't necessarily need to be sheldons to understand this but it sort of gives us an idea of of where we're going um and and what quantum computers is based on is is something though there's a there's there's a there's a couple uh main concepts right so so we have subatomic particles um um and then we we create those we have those subatomic particles um give us something called quantum bits or qubits right so so they're they're bits that are um that are entangled right um and those bits can not

necessarily be one or zero like a traditional electronic computer or classical computer we call that so they can actually be anything between one and zero all the same time um to to explain this a little more in depth um we end up with something called um the the shorting your the shorter years cat experiment right so schrodinger proposed this thought experiment um that um if we if we have um a cat um and we put that cat in a box and we seal the box up and along with that cat we put a little tray of cyanide and a a tube of cyanide sorry and a and a hammer that's held back by um something that

generates something truly random it's a essentially an atomic level uh randomness um when it's going to drop and break the the cyanide gas the and which will kill the cat kind of a dark thing again you know but it it it's you don't know if the cat is alive or dead um until you open the box so one of the things with these these qubits is they exist in in a in a one through zero state all the time throw and it's not just one or zero it's it's literally every state in between it um and so we have the same concept as as the schrodinger's cat with these qubits so that we can have a a essentially a

qubit that is that is all these values should i go back to sheldon's picture again did we do we need to take a little breath yeah i know it's it's a little crazy and and and a little uh a little little confusing but essentially that's the concept behind quantum computing and one of the things that makes quantum computing um so fast is is the ability for it to calculate things um in in a quadratic uh level was supposed to post a linear where where classical computer goes and and tests things individually um we we get the ability to do logarithmic math or and and and essentially do things at a much higher uh higher speed um and and

where we are with this um quantum computers today um we have essentially um test computers today we have some uh quantum computers that are uh short-lived because we really need to make things very very cold um so the picture here is is what um intel's quantum computer looks like and if we sort of look at the bottom of this uh thing and to me it looks like the an upside down uh you know a robot from uh you know sort of just kind of if we look at the bottom part of there each level as we go down becomes colder and colder and colder and colder because we need to bring things down to almost um absolute zero almost to 273

degrees below zero or zero degrees kelvin um and and and have that things essentially not moving like at the at the atomic level and allows us to have that um and be able to to work at the at the sub-atomic particle level to be able to do this math um but we're we're not we're not there yet right so um we're just at that at the initial phases um if we look at sort of the quantum timeline this is sort of what intel sort of puts the the timeline as you know we had the the initial sort of look at the world in the in the early you know the 1950s to 1990s um that was really just the cons the

concept phase really people were envisioning what a quantum computer would look like um we had the experimental phase where people were actually experimenting and being able to cool things down so we had super super cooling happening in the in the 1990s um even into the mid and early 20 you know 20 to 2010 um there really wasn't that much created um what had been created really was more conceptual and um sort of an envision of what it would be and using classical computers like really traditional computing to simulate you know a one or a two bit maybe a four bit uh or four qubit uh computer so it isn't really there yet um and now we're at the point where

people are actually creating larger computers so they're so ibm d-wave google intel um alibaba these companies are actually at the point where they're starting to create quantum computers that can actually maintain their life for you know several seconds in in some cases um and and what we're seeing is sort of the world is gonna be in the in the next five to ten years where we're actually going to have uh quantum computers that are that are tangible um and that's that's important like we need to understand this again because if we go back to the analogy of of of mary quantum of scots right she was using technology that she thought was secure that couldn't be broken nobody knew that that

you could go and really use some some some uh some fancy math on on the on on the ciphers to be able to figure out um you know what the what possible letter e was right and and so the frequency analysis that they had they had come up with in the 1500s was very new and so we're at that point now where this is this is where we need to st we need to start thinking and so what's happening today is ibm is making the computing uh you know quantum computers available in a classical back end essentially using a supercomputer to be able to do some calculations and so with these simulations we're able to start to figure things out

and so um when we started with with quantum computers um we we you know we started to think okay what's going to happen with factoring large numbers or figuring out the the points on a curve of you know of complex numbers where which is really one of the things that we do with our our with today's encryption um and and the feeling is that we're gonna get these answers not in years or millennia but in minutes and seconds yeah exactly because because of the way that the system can factor factor math or factor big large numbers it's entirely different than than what um than what a classical computer can do and in the 90s uh there's a a gentleman

named peter shore obviously a very smart man because his name's peter but he he came up with with schwarz algorithm which actually has been used um to factor some prime numbers um we've successfully factored 15 5 times 3 i don't need a 15 digit number or a 2 to the 15. i literally mean the number 15. um and and and a couple other numbers we've done 21 7 times 3 again these are prime numbers multiplied by uh you know into another number um and and so so we've we've come up with some some some case cases where this works now it doesn't go much larger the the shores algorithm today doesn't go much more than that there's there's a

couple other algorithms that are that are that are in use today um that's allowed us to factor some some significantly large numbers um in in the order of you know five and seven and maybe ten digits long remember we're talking hundreds of digits long for rsa uh keys this is really really really really large numbers right um so we've we've come that far in and and just maybe a dozen years of being able to to work this through and we don't have real qubit computers yet like we have computers that have three four you know maybe you know as intel said they got a 49 cubic computer it's really not going to be able to do the

the math that we need to be able to factor these these you know 2 to the 248 or 40 40 40 48 numbers or 4096 you know um rsa numbers um that that's not going to be possible with just 49 qubits we're probably gonna need something in the order of two and three or maybe 500 qubits and and we see that as as something that that is tangible probably in the next five to 10 years maybe outside maybe we're looking at the next 15 years um and that moves us into what we call the post post post-quantum cryptography area these are things now that we need to think about and understand what this means for for

us and there's a couple things that we need to think about while we're while we're making these decisions and and two it is is we need to we we need a long-term plan and we need a short-term plan right so we need something strategic um and so nist is working on the long-term plan so so they're working on actual cryptography that's going to be hard for a uh quantum computer to to to to factor that doesn't mean that this is not going to be possible it might be that if you know 50 years someone comes up with some fancy math um but right now we're looking at something you know lattice-based cryptography is is is one of the things that is thought

of that could be hard for a quantum computer to to reverse engineer so this is using matrix math so you can see we have an a b c or a b and e here coming up with a value of b where the e is actually errors that get introduced so there are random errors that get introduced to make it hard for somebody to be able to refactor those numbers out so you need to know those values um to be able to reverse compute it um so you'll be able to to use these and so nist is actively working on uh calculating or creating um standards for uh quantum encryption or quantum safe encryption this so this is done

still on a classic computer so the so be on the on your on your phone on your pc or whatever but this is a means for a different technology than just using rsa or using ecc this would be using these technologies and so your private key would be a combination of of probably the s and the e here and and the a would be the input you know the the the plain text that gets inputted into the into the equation so these become things that are are much harder for a quantum computer to to to uh to factor out um and become even more intractable for a classical computer to be able to do but still be able to have a classical

computer encrypt it so that it's still usable and and decrypt it if it knows those factors so that that's that's something that we're actively working on today um and you know and but how do we avoid our head on the chopping block today how do you stop um you know somebody from reverse engineering your to your the data that you're encrypting today so there's again there's a few factors that we need to think about when we when we when we put this in mind um so first of all how long do you need to secure something is it seconds is it minutes is it days right so um are you securing um a transaction that's ephemeral

on you know for a banking transaction that's going to happen and it's going to be gone um and if somebody were to decrypt that in 10 years it has no has no transient value it's not something that they could reuse on you um but maybe you're encrypting something that lasts for years maybe you're encrypting email data today that needs to live for you know some um discovery uh time frame maybe it needs to live for seven years well seven years gets you already into the beginning of that post-quantum world where we might have quantum computers so you need to understand what the impact of that is or maybe you have something that needs to exist for 60 years maybe it's medical

records so you have to have the for the life of the person but it still needs to be privately and and and locked down and secure so now you have to you're well into the post quantum world so so you have to figure out what that means for you as well and then if we look at um how long will it take you to migrate and and mitigate that threat right so um is there it can even do today you might say well i'm just going to use uh nist's latest technology well are there implementations that work for you you know are are there things that you know will a browser be able to to

to do the handshake and be able to decrypt that how do you generate a key so all those things you need to think about how long is it going to take you to to adopt that um so maybe it just means you're going to increase your secure uh you know we know that even a quantum computer is going to have you know time to to to decrypt um and hack a a large number so maybe you know a large rsa number so maybe you say for things i need to store for a long time i'm going to use 8-bit key you know or 8k keys or i'm going to use 16k keys or something crazy

like that um and and maybe your government is even saying things that says how you could encrypt or decrypt traffic data so those are all things that you need to think about as you as you know what where that falls in the in the time in the time frame and then finally when will that collapse happen so they literally are calling the term the collapse when when when we have post quantum computers and we're now in the post quantum world um and and it's not a matter of if it's a matter of when um and depending on who you think right now that we think that that it's going to be another 15 years before we see a broken

rsa 20 you know 2k key um you know maybe 12 15 year time frame um we're you know um we we have some experts saying that we're gonna see things in the uh the 2030 range for for uh for for for quantum computers that's a 50 chance that it happens before then right so so quite likely it's going to happen around 2030 um and and this is putting in the 20 20 35 range when we're gonna have this so so again we need to think about what we can do to protect ourselves so we might want to adopt um larger uh larger ciphers we might want to have uh you know you use sha-256 um

use uh larger rsa keys or larger ecc uh keys right so we're we're saying right now probably want to use you know 2k keys for for rsa you want to use 384 bit keys for for ecc um we want to really increase that protections that so that we're giving you the ability to get farther and farther into that post quantum world and you could also look at your website too so i'm a big fan of of the ssl labs capability so being able to run a report and find out what your your cipher strength is there and it'll look at what keys you're using what keys you you might have what what you know what

shaw level you might have you know are you using cbc or um you know there's a whole bunch of things that that it can bring to the table to say how secure your website is and it's something you shouldn't do once and never come back to it should be something that you do as a standard audit of your website so again going back to the customer that had that security uh audit this should be something that you put in your standard you know if not annual maybe semi-annual kind of thing where you're you're pulling this in once or twice a year um and and having a look at all your all your different your different

keys and also validate that your keys are properly and securely stored again um do you you know do you have an hsm do you have a means to store them somewhere do you have a means to store them securely even if they're being stored securely then add you know if they're if they're rsa keys or ecc keys um you can add the a cipher on a passphrase onto them and then cipher those files so that again adds another level of protection and so again just just sort of recap protect your data right so if you're if you've got hash functions you want to use shot 2 or sha 256 if you can um and and use the

longest wherever possible and again that's a balance of how quickly do you need to and sign it and and and have that signature read when you're using symmetric keys you want to use aes um or triple des hopefully you're not using des anywhere or anything else anything low like that um but you want to make sure that you're you're using the best possible crypto that that's out there if you have uh export cipher somewhere please remove them i hope you don't have them anywhere anymore um but if you do those are things where you can get a really quick win and be able to remove them if you if you have the opportunity to turn on perfect forward security

um it's a mandate for tls 1.3 to use uh pfs um so turn on perfect perfect security if you're using tls 1.3 um you can turn that on and again that's the ability to have uh various uh uh short session uh cipher uh session keys uh generated so again that just increases the interactability that makes it harder for someone to break that because they're not just breaking one key they're breaking multiple keys so they might be able to break one part of your message but the next part of your message with a different key is garbage to them again so it's another two thousand years for them to figure that out um and your rsa as i said earlier

keys should be should be rsa 2048 or larger um again if you're doing regular uh you know banking website stuff 2k keys is probably good um it gets expensive on a phone from a battery perspective to go much higher than that but there's cases where you might need to go to a 4k key or or or an 8k key for for data storage there's a lot of a lot of opportunities for there and then for ecc you want to use the 224 bits sorry i think i said 384 earlier but that's that's again something where you can use you get the same level of security with a 224 bit ecc that you would within with an rsa2048

again because the the computational requirements are less um to figure those points in the curve um it's it's it's much it's a much better way of doing it um and and so you can use a smaller key which again lessens the impact on your clients your phones typically they're talking to your website and and you know reduce the battery consumption on those devices but interestingly enough ecc is is intractable and more intractable than rsa for a classical computer but it's been not proven yet but it the indication is that ecc will actually be easier to factor with a quantum computer than rsa keys are so if you're looking at something that's going to be a very long term again back to those

healthcare records that might be decades long you might want to be better off staying with an rsa key to protect those so i again what i'm hoping that we we can do to do here is is sort of bring the world back to um hope removing your head off that chopping block um mary relied on technology that she thought was secure she probably needed to do a security on it she probably should have talked to uh different people to find out who this uh this this this gilbert gifford guy was um before she relied on her uh relied on him to to to transport uh her her messages so i hope you do the same

that you take the time to to audit your secure security um adopt some of the the suggestions i have here on on this slide um and hopefully you'll you'll be better prepared when the collapse happens in seven to 20 years who knows um but um we all want to be secure so thanks very much um and um um i think i'll be available uh on the discord uh hopefully for questions if anybody wants to come by um we're also uh gonna be giving away a um a nice bottle of scotch to go along with the mary quantum of scots uh idea here so um i would hope um i hope to see you over in the discord channel

and um um i'd love to hear what you have to think uh of of the talk um and also what you uh what you do to to increase your own security thank you very much and thanks for the b-sides group for uh for allowing me to

talk

you