Making Encryption Harder, Better, Faster and Stronger
In response, the industry is advancing encryption on several fronts. Some efforts are focused on increasing key sizes to protect against brute-force decryption. Other efforts are looking at new cryptographic algorithms. For example, the National Institute of Standards and Technology is evaluating a next-generation public key algorithm intended to be quantum safe.
The trouble is that most quantum-safe algorithms aren’t efficient in classical computer architectures. To address this problem, the industry is focused on developing accelerators to speed up algorithms on x86 platforms.
A third area of research is homomorphic encryption, an amazing concept that allows users to perform calculations on encrypted data without first decrypting it. So, an analyst who needs to can query a database containing classified information without having to ask an analyst with higher clearance to access the data or request that the data be declassified.
A big advantage of homomorphic encryption is that it protects data in all its states — at rest (stored on a hard drive), in motion (transmitted across a network) or in use (while in computer memory). Another boon is that it’s quantum safe, because it’s based on some of the same math as quantum computing.
A downside is that homomorphic encryption performs very poorly on traditional computers, because it’s not designed to work with them. The industry is collaborating to develop x86-style instructions to make these new cryptosystems operate at cloud speeds. Practical applications are still a few years away, but we’re confident we’ll get there.
Encryption Innovations Agencies Can Use Today
In the interim, a new encryption capability has emerged that organizations can take advantage of right now: confidential computing. Confidential computing safeguards data while it’s being acted upon in computer memory; for example, while a user is conducting analytics on a database.
Confidential computing works by having the CPU reserve a section of memory as a secure enclave, encrypting the memory in the enclave with a key unique to the CPU. Data and application code placed in the enclave can be decrypted only within that enclave, on that CPU. Even if attackers gained root access to the system, they wouldn’t be able to read the data.
With the latest generation of computer processors, a two-CPU server can create a 1 terabyte enclave. That enables organizations to place an entire database or transaction server inside the enclave.
The functionality is now being extended with the ability to encrypt all of a computer’s memory with minimal impact on performance. Total memory encryption uses a platform-specific encryption key that’s randomly derived each time the system is booted up. When the computer is turned off, the key goes away. So even if cybercriminals stole the CPU, they wouldn’t be able to access the memory.
Confidential computing transforms the way organizations approach security in the cloud, because they no longer have to implicitly trust the cloud provider. Instead, they can protect their data while it’s in use, even though it’s being hosted by a third party.
One major cloud provider already offers a confidential computing service to the federal government, and more will surely follow. Agencies can now build enclave-based applications to protect data in use in a dedicated cloud that meets government security and compliance requirements.
The need for strong data encryption won’t go away, and the encryption challenges will only increase as quantum computing emerges over the next several years. In the meantime, innovative new encryption capabilities are delivering tighter cybersecurity to agencies today, and the industry is investing in the next generation of cryptosystems to protect government information for the next 25 years.