Episode 14 - Harvest Now, Decrypt Later: The Shift to Post-Quantum Cryptography
Welcome to Corelight Defenders. I'm Richard Bejtlich, strategist and author in residence at Corelight. In each episode, we explore insights from the front lines of NDR, network detection and response.
Today, I'm speaking with Vince Stoffer, Field CTO at Corelight. Welcome back, Vince.

Hi, great to be with you again, Richard.

The topic for today is post-quantum cryptography. Can you give us some context for this technology? What is it, and how does it relate to our network detection and response focus?

So the idea of post-quantum cryptography, or PQC as it's often known, is really the idea that there are new, quantum-resistant algorithms that can be used in place of what are called classical algorithms now to protect our most sensitive data, to provide the algorithms that underpin our encryption technologies.

And so the piece that is changing is really under the hood, right? Many of the protocols that we're using now, TLS, which is used most often in HTTPS, and a bunch of other protocols, don't look much different to the average person. They go to their Gmail, they go to their web browsing, and it all looks the same. But under the hood, these algorithms are changing, and they're changing because there is this potential risk in the future of these classical algorithms being cracked by quantum computers. Quantum computing is using an entirely different approach to how to solve problems.

And one of the ways that it is capable of solving problems is by challenging some of the very ways that this current, traditional or classical computing type of encryption is protecting the data.

There's an algorithm called Shor's algorithm that quantum computing at some point will be able to unlock and do these crazy calculations that will essentially unlock the current encryption technologies and allow people to eavesdrop on that communication. So the question is still, well, why does that matter now if we're not actually doing it? Which we're not, right? Quantum computers and the ability for them to crack current encryption algorithms are not there yet. But the prospect is that this could happen in some indeterminate period of time: one year, two years, five years, ten years, twenty years. No one really can predict when the capability of quantum computing is going to be able to breach this current encryption.

But what we do know is that there's still a risk that attackers, especially sophisticated nation states and financial actors, can capture traffic now, hold it for some period of time, and then decrypt it in the future.

So that's actually the potential problem we're fighting against now. It's called the harvest now, decrypt later type of attack. This is where networking and NDR come into play: being able to identify what types of encryption algorithms are being used on the network, with your various services and applications and computers and hosts, and also watching for changes in the way that attacks might be happening in the future. One of the first things we're seeing is that there's a massive need for people to understand what type of cryptographic assets they have in their environment. That involves the types of cryptographic algorithms that are being used, how those are tied to various services and applications within their environment, and how to just get a good handle on, or a list of, everything that shows up in your environment right now.

Wow. So that is something I've never considered. I've always sort of been a set-it-and-forget-it type person when it comes to cryptography.
But the idea that not only do you need asset management or service management, but that you'll need cryptographic management, is pretty interesting.

Yeah, it's interesting, and it's a complicated topic. When I describe this to people, I always like to say, you know, we're just playing one piece of the puzzle here, right? To really do a cryptographic inventory involves a whole bunch of different systems, a whole bunch of different technologies, that span across your entire enterprise, especially when we're talking about something like a federal agency or a big multinational corporation.

So you're going to have a component that exists in your certificate and key management infrastructure. You're going to have a component that exists in your CI/CD infrastructure, where people are checking in code.

You're going to have the individual applications and the system owners who really understand and know what cryptographic algorithms are being used, how they're being used, how they tie to the different aspects of usage of those applications. Is it for authentication, or for long-term storage on disk, et cetera? Some of those are more or less affected by the post-quantum computing conundrum that we have.

But the networking view, as always, has this amazing capability to have a broad and complete picture of what's happening on the network. For all of those network communications, if someone is communicating from an internal application in your enterprise to the internet, to a client or some sort of user out on the internet, you're going to see that on the network, and you're going to be able to understand and identify a number of the different components of the encryption, of the protocols that are being used, of the cipher suites that are being used, et cetera. That's where it really comes in: having an ability to see and have that broad view, as well as using a bunch of these other tools to build that complete crypto inventory.

So this sounds like kind of a specialized capability then. If you think about traditional alerting, you might see some aspect of traffic that you can write a rule for, and then you'll get an alert. I imagine that you can do a certain amount of that for cryptographic suites, but it sounds like it's probably a little bit more complicated than that. Is that true?

So there's certainly some alerts that you can generate, and some of this is a tried and true set of features that network detection and response has helped with before, right? Think of outdated encryption algorithms. Still classical encryption, not threatened by quantum computing, but still a problem if you're running TLS 1.1, which has been vulnerable for years and is able to be cracked by attackers in a number of different ways. So we've already used NDR and that network visibility lens to find potentially vulnerable algorithms and cipher suites in the past. Really, it's just extending that into the future: how are these cipher suites being used? How are they being rolled out as we make the transition from essentially classical encryption into post-quantum computing and post-quantum encryption?

And that journey definitely involves this kind of hybrid stage, which we're in now, right? Where you still have to support the old style of classical encryption, and you want to have post-quantum encryption available wherever it can be used. So that's part of this story as well: making sure that you can identify what's being used on the wire, as well as what the capabilities of those clients and servers actually are.

Yeah, that capabilities part is interesting, because there may be a set of capabilities that are used on the wire, but others that are not used, although they still exist. So I imagine you'd have to have some kind of host-based, or remote, querying where you try a bunch of different crypto offerings and see which ones are used, and then you can have your network system watching that as well. But it sounds like this will have to be part of a bigger approach.

Yeah, that's a really interesting point to dig in on a little, right? There's obviously a couple of different approaches, even on the network side. We have the active approach, which is you could go out and start scanning some of your applications, or perhaps you're already using a set of tools, vulnerability management or asset management tools, that are doing some of that active scanning. If that's the case, then NDR could just see that on the wire. We of course are a completely passive tool, so all we're doing is just observing what we see in terms of those exchanges that we see on the network. But because of our ability to really deeply analyze SSL and
TLS traffic, we can see those capabilities exchanges, at least with certain types of the TLS protocol. So you can see that a server has offered a set of PQC-capable ciphers, and then the client has said, "Look, I don't have any of those. I can't negotiate that. We're going to have to roll back to a classical type of encryption." So you can see when a client or a server might have the capability to move to PQC, but the other side isn't able to. And that's definitely important for that inventory piece, because you can say, "Not only do I have information about where I have PQC enabled and where it might be working, but I also have hotspots of trouble." Maybe my set of administrative offices is using an older browser that's not able to communicate with the kind of PQC that we have running our application, et cetera. So you get to tell the full story as you're creating that inventory.

Okay, so that's interesting. I hadn't considered that simply by seeing the negotiation, you could see what each side is offering. I kind of thought, well, you have to go through with whatever the connection is in order to see what's used. But if you see the offers from each side, that'll tell you the story that you need, I guess.

Yeah, and like I said, it definitely does depend on protocol. TLS 1.3 and future versions of this can change the game a little bit. But you also have to remember PQC cipher suites are used in a variety of different protocols and applications. For instance, SSH and RDP are two other common uses, above and beyond TLS, where you might see PQC being used. You might be able to record it and report on it.

Well, I'm glad you mentioned that, because it reminds me of some of the concerns I had when DNS over HTTPS was first introduced. It seemed to me that we were just shifting all of the exposure of our browsing habits, or other habits using DNS, to the provider of that DoH server. For a lot of people, I won't name who they are, but there are a couple of providers who already know everything about web browsing because they host the largest CDNs, and then you're just handing over your DNS data to them as well. So I've personally avoided that and stuck with either local DoH or just regular resolution handled by my ISP, because I don't like the idea of just giving those few large DoH providers even more data about people's browsing habits.

Yeah, I agree. I think a number of enterprises that I've talked to feel the same way, and they have kept those capabilities in-house. I found the language a little thin. These big providers are saying, "Well, the reason you need to use DoH or DoT is to protect these communications and make sure no one can eavesdrop on them," and yet they're the ones handling all of those communications and collecting all that information and using it, in some cases, for probably marketing purposes or at least product improvement purposes. So it seems a little thin.

Is there anything our listeners could do to learn more about this, or possibly even to experiment with it? Every once in a while I see that some of these algorithms are being added to SSH or whatever, but is there anything like that that we could take a look at sort of hands-on?
Perhaps a surprising fact is that this is already being widely used, right? PQC-capable algorithms are being used by default by Chrome, by Firefox now, I believe, by Safari. So these algorithms, at least in hybrid mode, are being used widely.

And so I think the thing is just we're seeing a lot of interest, especially driven by federal government regulations, to do this cryptographic inventory piece, and that's also trickling down into the financial sector and others who have really high risk or really high concern about this potential for harvest now, decrypt later attacks.

I think once it trickles down to the average person, they're definitely less concerned about the type of data that might be harvested on their behalf, but their financial institutions, et cetera, should be concerned about that, and our governments. So I think we're seeing the focus at the right point now.

I see. So you're saying that if you're using probably some type of modern browser and you're surfing to different websites, these algorithms are already being used with HTTPS?

Yep, exactly.

Organizations that are doing break and inspect, in other words, they're terminating an encrypted connection, and then they're monitoring at that break point, and then they're establishing a new connection to the ultimate destination. Is there anything different with these new algorithms? Are they resistant to that, or are we just going to see people who do break and inspect continue to do that?

I don't think there's a big difference. If you have the keys, you're still able to do break and inspect, right? Whether the keys are a classical encryption algorithm or a hybrid or PQC, that hasn't changed. The mechanism of how to do it and the technologies that do it may have changed a little bit, but the idea is still the same.

What will change in the future is more around those encryption algorithms, as we talked about. As TLS 1.3 and whatever comes next continues to hide more and more away that can be understood and seen by network tools such as NDR, that makes the situation harder for anyone who's not doing break and inspect. So I think there are still plenty of technological ways to instrument decryption in a way that gives an enterprise visibility, but the visibility for the broader world who is not doing that targeted decryption is kind of slowly slipping away.

Well, one of the takeaways I have, or probably the number one takeaway for me, is this idea that it makes sense to start thinking of some type of inventory of the encryption that's used in your environments, so that you can't take steps... Well, I suppose some people do take steps without being aware, but it's better to take steps after you're aware of what the scope of the problem is, and this is definitely an area where if you've got a properly robust NDR, you could do that sort of inventory.

So one of the acronyms you may see related to this is ACDI, Automated Cryptography Discovery and Inventory. That's something that the federal government has been using in terms of its focus to drive this process forward. And indeed, at some of the federal agencies we talked to, they have entire teams dedicated to creating this inventory, understanding where cryptographic assets are in the environment, and then ultimately, of course, influencing and helping guide the plan to move those from classical encryption to post-quantum-capable encryption algorithms in the future.

There's always a new acronym out there, and so we have a new one today. Well, Vince, thank you so much. This is very enlightening. This is a topic I had not thought about at any real depth, and now I realize that there are plenty of things to be done. So thank you for being back on the podcast.

Thanks for having me, Richard.

Thank you for joining us on the Network Defenders podcast, sponsored by Corelight. We will see you on the network. You've been listening to Corelight Defenders.

To stay informed with expert intelligence on today's cybersecurity challenges, please subscribe to ensure you never miss an episode. We'll see you on the network.
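As an added illustration of the negotiation-watching point discussed in the episode (this is editor-supplied example code, not Corelight's or the podcast's), the following Python parses TLS ClientHello and ServerHello records, reads the supported_groups and key_share extensions, and classifies each handshake the way a cryptographic inventory would record it: PQC hybrid negotiated, PQC offered by the client but not selected by the server (the "hotspot" case), or purely classical. In TLS 1.3 the client lists the groups it supports and the server picks one, so the classifier reads the client's offer and the server's selection. The sample handshakes are constructed inside the code with placeholder key-share payloads; the named-group code points are assumed from the IANA TLS Supported Groups registry and the ML-KEM hybrid draft and should be checked against them before use in real detection.

```python
import struct

# TLS named-group code points. Assumption: values copied from the IANA
# registry and draft-ietf-tls-ecdhe-mlkem; verify before relying on them.
# X25519MLKEM768 is the standards-track hybrid browsers ship today;
# X25519Kyber768Draft00 is the earlier draft hybrid still seen on the wire.
NAMED_GROUPS = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519", 0x001E: "x448",
    0x0100: "ffdhe2048", 0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024", 0x6399: "X25519Kyber768Draft00",
}
PQC_GROUPS = {0x11EB, 0x11EC, 0x11ED, 0x6399}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 0x000A, 0x0033


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_hello(record):
    """Parse one TLS record carrying a ClientHello (type 1) or ServerHello (type 2).

    Returns the groups a client says it supports and the key_share group(s):
    every share a client sent, or the single group a server selected.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    hs_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                      # legacy_version + random
    off += 1 + body[off]              # legacy_session_id
    if hs_type == 1:                  # ClientHello: cipher_suites + compression list
        off += 2 + _u16(body, off)
        off += 1 + body[off]
    elif hs_type == 2:                # ServerHello: one suite + one method
        off += 3
    else:
        raise ValueError("not a ClientHello/ServerHello")
    end = off + 2 + _u16(body, off)
    off += 2
    exts = {}
    while off + 4 <= end:             # extension = type(2) len(2) data
        etype, elen = struct.unpack_from("!HH", body, off)
        exts[etype] = body[off + 4:off + 4 + elen]
        off += 4 + elen
    supported, shares = [], []
    if EXT_SUPPORTED_GROUPS in exts:
        d = exts[EXT_SUPPORTED_GROUPS]
        supported = [_u16(d, 2 + i) for i in range(0, _u16(d, 0), 2)]
    if EXT_KEY_SHARE in exts:
        d = exts[EXT_KEY_SHARE]
        if hs_type == 1:              # client_shares: list of (group, len, key_exchange)
            pos = 2
            while pos < 2 + _u16(d, 0):
                shares.append(_u16(d, pos))
                pos += 4 + _u16(d, pos + 2)
        else:                         # server picked exactly one group
            shares = [_u16(d, 0)]
    return {"type": hs_type, "supported_groups": supported, "key_share_groups": shares}


def classify(client_hello, server_hello):
    """Summarise one handshake as an inventory row: what was offered, what was chosen."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    selected = sh["key_share_groups"][0] if sh["key_share_groups"] else None
    if selected in PQC_GROUPS:
        status = "pqc-hybrid"
    elif any(g in PQC_GROUPS for g in ch["supported_groups"]):
        status = "client-capable-server-fallback"   # one side can do PQC, the other cannot
    else:
        status = "classical"
    return {"status": status,
            "client_offered": [NAMED_GROUPS.get(g, hex(g)) for g in ch["supported_groups"]],
            "selected": NAMED_GROUPS.get(selected)}


# --- constructed sample traffic (not captured data) --------------------------
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_client_hello(groups, share_groups):
    # key_exchange payloads are 32 placeholder bytes; a real X25519MLKEM768
    # client share is 1216 bytes, and the parser skips it by length either way
    sg = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ks_list = b"".join(struct.pack("!HH", g, 32) + bytes(32) for g in share_groups)
    ks = struct.pack("!H", len(ks_list)) + ks_list
    exts = (struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(sg)) + sg
            + struct.pack("!HH", EXT_KEY_SHARE, len(ks)) + ks)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # TLS_AES_128_GCM_SHA256, null compression
            + struct.pack("!H", len(exts)) + exts)
    return _record(1, body)


def build_server_hello(selected_group):
    ks = struct.pack("!HH", selected_group, 32) + bytes(32)
    exts = struct.pack("!HH", EXT_KEY_SHARE, len(ks)) + ks
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return _record(2, body)


MODERN_CLIENT = build_client_hello([0x11EC, 0x001D, 0x0017], [0x11EC, 0x001D])
LEGACY_CLIENT = build_client_hello([0x001D, 0x0017], [0x001D])


def inventory():
    """Three constructed handshakes: PQC negotiated, PQC offered but refused, classical."""
    return [classify(MODERN_CLIENT, build_server_hello(0x11EC)),
            classify(MODERN_CLIENT, build_server_hello(0x001D)),
            classify(LEGACY_CLIENT, build_server_hello(0x001D))]


if __name__ == "__main__":
    for row in inventory():
        print(row)
```

Run stand-alone it prints the three inventory rows. The fallback row is the one the episode calls a hotspot: a client that offered a hybrid group but ended up on x25519 tells you the server (or a middlebox in front of it) is the side that still needs work. To run this over real traffic, feed it the first handshake record of each direction of a TLS 1.3 flow; note that with encrypted ClientHello the supported_groups list can live in the inner ClientHello and would not be visible this way.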