Let’s get ready for Post-Quantum Cryptography in Dashlane
A key component of Dashlane's “North Star” mission statement is to make security simple. To best protect the data of our customers, we have to stay tuned to emerging innovations. As a result, I have spent the last three months investigating Post-Quantum Cryptography and its future integration in Dashlane. Here are some takeaways.
What is Post-Quantum Cryptography? Why it is important?
Post-Quantum Cryptography is cryptography that runs on classical computers, like yours and mine, but which we believe is resistant to quantum computers: computers using quantum physics properties.
Wait! Classical cryptography is not enough?
You may have heard of classical asymmetric ciphers such as RSA, Diffie-Hellman, and ECDH. The algorithms' security in these examples rely on a mathematical problem known as the discrete logarithm problem. However, security specialists already know this problem is not secured anymore with quantum computers.
Quantum computers that are currently built do not seem powerful enough to crack real-world cryptographic keys, but the domain is evolving quickly and many big tech-firms such as Google, Microsoft, Amazon, Intel and IBM are involved in this race. So much so that the White House released a National Security Memorandum in January that gave the NSA (National Security Agency) 90 days to “revise and make available to Chief Information Officers [...] quantum resistant protocols, and planning for use of quantum resistant cryptography where necessary.” Furthermore, this memorandum gives agencies 180 days to “identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms [or the other NSA-approved algorithms]”.
New standards for asymmetric cryptography
The goal is to use new algorithms whose security relies on other problems rather than discrete logarithm that we believe are resistant to quantum computers.
Many new algorithm schemes have been released in previous decades, and in 2016, NIST (the National Institute of Standards and Technology) started a competition to designate Post-Quantum algorithms standards. This kind of competition is not uncommon. Both AES and SHA-3 have been standardized in this manner and they help unite researchers from around the world to build the best cryptographic algorithms.
Though this competition is ongoing, four winners have been identified as July 5, 2022 that will be standardized. There will be one encryption algorithm: CRYSTALS-Kyber, and three signature algorithms: CRYSTALS-Dilithium, Falcon and SPHINCS+.
The next step will be the release of the standards and the associated implementations.
Impact on Dashlane and what we are building
Symmetric cryptography, which is currently used to encrypt your personal passwords, is considered safe against quantum computers.
However, Dashlane is currently using asymmetric cryptography when passwords or notes are shared between users. We plan to use the new Post-Quantum standards as soon as possible once they are standardized. As a result, we have conceived of a Proof-of-Concept to study how they can be integrated into our existing software.
But how can we trust those algorithms that are still new?
We currently operate using a hybrid mode, and will likely continue doing so.This mode consists of both Pre-Quantum (like RSA) and Post-Quantum (like CRYSTALS-Kyber) algorithms and ensure that we still have the security of the previous algorithms if a new algorithm is broken. Furthermore, if Quantum Computers become powerful enough to crack Pre-Quantum ciphers, we have the security offered by the Post-Quantum ones.
We get the best of both worlds.
You can also test your ability to integrate it into your environment
Until the standards are released, you can also test and benchmark the different bindings on this playground we have designed: https://dashlane.github.io/pqc.js/.
Let's all get ready for a world in which quantum computers exist! Want to take an even deeper dive into our security? Read our white paper.