Harvest-Now Decrypt-Later

Personally Identifiable Data needs a post-quantum secure Key Management System today

Harvest-now Decrypt-later

In a harvest-now decrypt-later attack, an attacker simply saves encrypted internet traffic with the intent to decrypt it as quantum computers mature in 5-10 years. Data like medical records, photos, and even browser history is still relevant in 10 years, and so is highly vulnerable to these attacks. To keep data secure for the long term, both the sensitive data in a server's database and its Key Management System (KMS) need to be secured with quantum-resistant algorithms. Otherwise an attacker can simply record traffic with the KMS and use it to decrypt traffic with the database.

Locky can be used to load an encryption key for sensitive data onto servers in a way that is secure from future attacks by quantum computers. This key is then used as the encryption and decryption key for data in a database, extending quantum-proof protection to the database. An adversary that records all traffic (or gets hold of a database copy) won't be able to decrypt it later with a quantum computer, because of the algorithms in use by Locky.
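The database side of this arrangement, as an added example that is not Locky's code or API: PII columns are encrypted on the server before they are sent to the database, so recorded database traffic and database copies hold only ciphertext. The choice of AES-256-GCM, the `patients` table, the sample record and the random stand-in for the KMS-delivered key are all assumptions; the page does not name the algorithms Locky uses.

```javascript
const crypto = require('node:crypto');

// Assumption: in production this 256-bit key is delivered to the server by the
// KMS. A random key stands in for it here so the example runs offline.
const dataKey = crypto.randomBytes(32);

// Encrypt one column value. Table, column and row id are bound in as additional
// authenticated data (AAD), so a ciphertext copied into another row or column
// fails authentication on decrypt.
function encryptField(key, table, column, rowId, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(`${table}|${column}|${rowId}`, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored layout: nonce (12 bytes) || tag (16 bytes) || ciphertext
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt one column value; throws if the key, the context or the data is wrong.
function decryptField(key, table, column, rowId, stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) throw new Error('stored value too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${table}|${column}|${rowId}`, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Returns true when decryption is rejected (wrong key, wrong row or column, tampering).
function isRejected(key, table, column, rowId, stored) {
  try { decryptField(key, table, column, rowId, stored); return false; }
  catch { return true; }
}

// Constructed sample record; only the encrypted form is sent to the database.
const patient = { id: 17, name: 'Jane Example', diagnosis: 'constructed sample diagnosis' };
const row = {
  id: patient.id,
  name: encryptField(dataKey, 'patients', 'name', patient.id, patient.name),
  diagnosis: encryptField(dataKey, 'patients', 'diagnosis', patient.id, patient.diagnosis),
};
```

This covers only the data at rest and in transit to the database; how the key reaches the server is the KMS's job and is not shown.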

Types of Data that need protecting

Sensitive data can be roughly divided into two categories: Auth and Personally Identifiable. Auth data is passwords, API credentials, server certificates, etc.: anything used to prove that you are who you say you are, and that you can do what you are trying to do. Personally Identifiable data is names, social security numbers, pictures, documents, medical records, etc. This is information attached to a person that tells something meaningful about their life.

While both are vulnerable to quantum computing attacks, Personally Identifiable data is more important to protect today. Most Auth data can be rotated and replaced with a new credential at any time. Quantum computers are not powerful enough yet to break encryption. A future quantum computer might be able to break old encrypted traffic and see an old credential, but if it has been replaced with a new quantum-safe credential it is no longer useful to an attacker.

On the flip side, people cannot simply 'rotate out' their medical records, pictures, browser history, or documents. Traffic that contains this information is vulnerable to being recorded and decrypted later, as this is information that has value both today and once quantum computers are powerful enough to break encrypted traffic. Personally Identifiable data is important to protect today from quantum computing attacks.
