QuantumLock Overview
Introduction
Secret Server's quantumlock is a feature that provides an additional security layer by protecting secret data using asymmetric encryption (a public/private key pair) where the private key is a human-generated password. This feature is independent of regular permissions, Secret Server login access, or physical access to the machine running Secret Server.
A shortcut way of thinking about quantumlocks is as an extra password for secrets that is held by a set group of users. In addition, both the password and the group of users are reusable for other secrets. In addition, quatumlocks future-proof our digital security infrastructure against the advancing capabilities of quantum computing.
Quantumlock is an upgrade of the earlier doublelock feature. Besides the name change, the difference is quantumlock offers the option to use a quantum-safe algorithm for encapsulation to protect the private key, specifically CRYSTALS Kyber-1024, which is designed to counter the potential threat from quantum computers to current encryption methods. That threat is closer than you might think—"harvest now, decrypt later" attacks steal encrypted data now for later decryption by quantum computers.
Today's asymmetric-key encapsulation methods, such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography), rely on the difficulty of solving mathematical problems, such as factoring large numbers or solving discrete logarithms, with classical computers. However, quantum computers, which operate on principles of quantum mechanics, could solve these problems much faster, rendering these encapsulation methods vulnerable.
Quantum-safe or post-quantum (PQ) algorithms are cryptographic methods that are believed to be secure against quantum computer attacks. They are based on mathematical problems that are considered difficult for both classical and quantum computers to solve, ensuring the security of encapsulated keys, even in the era of quantum computing. PQ algorithm types include lattice-based cryptography, hash-based cryptography, code-based cryptography, and multivariate polynomial cryptography, among others.
The PQ cryptographic algorithm Kyber-1024 is specifically designed for key-encapsulation mechanisms (KEM), a process where a key is encapsulated (encrypted ) with a public key, sent over an insecure channel, and then decrypted with a private key. Typically a symmetric key algorithm, such as AES-256 (Advanced Encryption Standard) , is used for encrypting the message content itself because symmetric-key algorithms are faster and more efficient for large amounts of data than asymmetric-key algorithms. Algorithms like AES are examples of symmetric cryptography.
Comparing RSA-2048 to Kyber-1024
QuantumLock without the quantumlock feature enabled is essentially the same as its predecessor, doublelock, and relies on RSA-2048 for key encapsulation.
Comparing the encryption, decryption, and key-generation speeds of RSA-2048 and Kyber-1024 involves understanding the efficiency of these algorithms under practical implementations. The specific speeds can vary based on the software and hardware used for the implementation, but here is a general overview based on their cryptographic principles and typical use cases.
RSA-2048
-
Key Generation: RSA-2048 key generation is relatively slow because it involves finding two large prime numbers and calculating their product along with other related mathematical operations. This process is computationally intensive.
-
Encapsulation: RSA-2048 encryption is faster than its key generation. However, compared to Kyber-1024, RSA-2048 encryption is usually slower because it involves modular exponentiation, which is a heavy operation especially for large key sizes like 2048 bits.
-
Decapsulation: RSA-2048 decryption is also computationally intensive, similar to encryption, because it requires modular exponentiation. RSA decryption is generally slower than encryption due to the nature of the private key operations.
Kyber-1024
-
Key Generation: Kyber-1024 generally has faster key generation than RSA-2048. This efficiency comes from its use of lattice-based cryptography, which involves operations on vectors and matrices that are more efficient than the prime number operations in RSA.
-
Encapsulation: Kyber-1024 is designed for fast encryption operations. It uses simple arithmetic operations on small integers, making it very efficient and faster than RSA-2048 encryption.
-
Decapsulation: Like its encryption, Kyber-1024 decryption is also fast and efficient. The algorithm benefits from the same lattice-based operations, optimized for quick decryption times.
Summary
-
RSA-2048 is generally slower across all three operations compared to Kyber-1024. The difference in speed is primarily due to RSA's reliance on large prime numbers and modular arithmetic, which are computationally heavier, especially as key sizes increase to improve security.
-
Kyber-1024, being a post-quantum algorithm designed with efficiency in mind, uses lattice-based cryptography that allows for quicker key generation, encryption, and decryption operations. This makes it particularly suitable for environments where speed and efficiency are critical.
When to Use QuantumLock
Both Kyber-1024 and RSA-2048 QuantumLocks
Enabling quantumlock (or the earlier doublelock) on any secret only grants users access if they have access to the quantumlock and enter their quantumlock password. Enabling quantumlock disables the RPC features for the secret. It also prevents heartbeat. Thus, quantumlock should not be used for secrets that require a password rotation or heartbeat check.
QuantumLock use cases include:
-
Global admin passwords
-
Root account passwords
-
Bank account passwords
-
PINs, Social Security numbers, or other personal information.
When users protect secrets with quantumlock, only that user has access to the secret. If multiple users are in a group, members have access to the secret, but each will have their own unique quantumlock.
Kyber-1024 QuantumLocks
Enabling the PQ feature of quantumlock depends on your circumstances. NIST believes quantum computers could break current public key encryption as early as 2025 or as late as 2030. It might be wise to apply it sooner rather than later for long-term data and devices. However, Kyber-1024 is not yet an industry standard, and RSA-2048 is currently uncrackable.