As technology advances, the question of digital security rises in prominence too, with businesses of all sizes increasing their budget spending on data encryption against fraudulent activity.
We spoke to Nils Gerhardt, Chief Technology Officer at Utimaco, as he discussed how tech is evolving security and bringing a new layer to verification methods through digital signatures.
How has the role of digital signatures evolved?
Nils Gerhardt: Long gone are the days when the internet was a loose collection of non-interactive web pages and message boards. Today you can administer your whole life from your phone, but this convenience can come at the cost of security.
In a pre-digital world, everything from the letters you sent to employment contracts or a loan agreement would be secured and authenticated with a handwritten signature. While there are still circumstances that will require you to sign a paper document, they are becoming rarer as time goes on.
Can you tell us about some of the potential risks and fraud threats involved in digital signatures?
Although falsifying a handwritten signature is difficult, it can be achieved, so most major countries now consider a digital signature to be just as valid as a written one. That’s because digital signatures make forgery almost impossible, secured by mathematical operations that would take trillions of years for even the fastest computers to solve.
However, as new generations of quantum computers are being built, this makes it possible to crack the powerful encryption that forms the root of trust in digital life.
How can quantum computers compromise the safety of digital documents?
Today, whether you are sending an email or signing a digital contract, you will almost always be working with public key infrastructure (PKI). One party will sign a piece of information, such as an email, with a large and mathematically complex ‘private key’ that only they have access to – the recipient can then verify the signature with a public key that can be shared with anyone.
However, if a bad actor had a public key, trying to derive a private key from it would be almost impossible. A key with 128 bits would have an astronomical amount of possible combinations, taking an estimated one billion years to forcibly unlock the AES encryption (a symmetrical form of encryption), assuming each bit is either a zero or a one.
Quantum computers, however, are not constrained by rules in which a maximum of four sequential tries (or four synchronised systems each trying once) would be needed to guess a two-bit code. Because of quantum superpositioning, a quantum bit, or qubit, can be in more states than one and able to verify different combinations.
With greater numbers of qubits, symmetric and asymmetric cryptography becomes much easier to break. Currently, China’s Zuchongchi 2.1 holds the record with 66 qubits, but a successor is already being trialled that will almost double that. Therefore, a bad actor with access to a quantum computer could break the asymmetric encryption or digital signatures securing important information at speed.
What role can blockchain technology play in the process of tightening security around digital documents?
As distributed digital ledgers, blockchains have a strong application in preventing digital documents from being retroactively altered. Blockchains store the digital ‘fingerpints’ of a document and its history – when it was created, if it has been edited etc. If a bad actor was to alter a document, the digital fingerprint of the new and old documents wouldn’t match, so at the very minimum it would be extremely easy to see if a document had been altered.
Blockchains are not a silver bullet for all document security problems though. It is possible to alter blockchains, though it requires an incredible amount of computing power, and the cryptographic methods that create the ‘digital fingerprints’ in blockchain technology need to stay secure. This means that there is still the need for hardware security modules, and quantum-agility in blockchains as we move forward.
Do you believe the regulatory framework can change to better safeguard against digital signature fraud?
Determining which pieces of data need to be secured and how to go about re-securing them is clearly going to be a huge task and will involve governments and technology providers, as well as businesses themselves. Regulatory and legal changes will have to be made as we get closer to the point at which quantum computing could be used for criminal activity. For example, this could include a requirement for documents to be quantum-secure before being considered legally valid.
Is re-encrypting every single quantum unsafe digital signature sustainable and cost-effective for businesses?
Given the colossal amount of data that will need to be secured, companies should look at their own inventory of data and assess how it is currently protected. The majority of outdated documents may have no value to cybercriminals. Therefore, they will not need to be secured in the same way that other data will.
Many companies will soon need to introduce crypto agility in their organisations, so it is key to start getting under the skin of what this will mean for their business and what steps they can take now.