The Quantum Fraudster: The German Edition

The French and Germans like each other more than they did in past centuries, but they still compete.

A month ago I wrote about the French company Thales and its efforts to develop a quantum-resistant smartcard called the MultiApp 5.2 Premium PQC. (PQC stands for post-quantum cryptography.)

But the Germans are getting into the act.

“In recent months, Bundesdruckerei GmbH and G+D [Giesecke+Devrient] have established a unique technical foundation for this transformation [of the German identity card]. The federal technology company and the international SecurityTech leader jointly initiated the development of a demonstrator together with the German Federal Office for Information Security (BSI), implemented on specialized chips produced by semiconductor manufacturer Infineon.

“Germany’s transition to quantum-secure ID cards will occur in two stages. First, personal data will be protected from forgery using a quantum-resistant digital signature scheme. The second phase will involve a full transition to quantum-secure technology.”

Also see Biometric Update’s coverage.

The Quantum Fraudster: Why RSA-4096 and Your Strongest Passwords Will Soon Be Trivial to Break

Are your fraud protections obsolete before the quantum era even begins? I previously wrote about algorithms that purport to protect against quantum-powered fraud. See my October post “Is the Quantum Security Threat Solved Before It Arrives? Probably Not.”

Let’s take a step back from Module-Lattice-Based Digital Signature Standards (NIST FIPS 204) and see what quantum-infused fraudsters can do to bypass your security protections. Your “practically unbreakable” security system today may be wide open in 10 years…or 5 years.

Shor’s Algorithm

To understand how fraud can occur, you need to understand (Peter) Shor’s Factoring Algorithm.

Peter Shor speaking after receiving the 2017 Dirac Medal from the ICTP. By International Centre for Theoretical Physics, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=75565986.

According to Classiq, Shor’s Factoring Algorithm can find the prime factors of any number, including very large numbers.

“Factoring numbers with Shor’s algorithm begins with selecting a random integer smaller than the number to be factored. The classically-calculated greatest common divisor (GCD) of these two numbers, the random number and the target number, is then used to determine whether the target number has already been factored accidentally. For smaller numbers, that’s a possibility. For larger numbers, a supercomputer could be needed. And for numbers that are believed to be cryptographically secure, a quantum computer will be needed.”

So what? I appreciate that people like the late Richard Crandall were into finding prime numbers with 20th century technology, but how does that relate to whether a fraudster can drain my bank account?

Breaking RSA encryption

It definitely relates, according to the MIT Technology Review. This article was written back in 2019.

“[C]omputer scientists consider it practically impossible for a classical computer to factor numbers that are longer than 2048 bits, which is the basis of the most commonly used form of RSA encryption.

“Shor showed that a sufficiently powerful quantum computer could do this with ease, a result that sent shock waves through the security industry.  

“And since then, quantum computers have been increasing in power. In 2012, physicists used a four-qubit quantum computer to factor 143. Then in 2014 they used a similar device to factor 56,153.”

The largest recent record number that I found was 261,980,999,226,229, as described in this paper. It should be noted that many of these numbers were factored by a variety of methods: using a pure Shor’s Factoring Algorithm, the maximum number factored so far is 21.
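The following Python walk-through is an added example, not code from the original post or from any source it quotes. It follows the steps in the Classiq description (random integer, classical GCD check, then order finding) on the small numbers mentioned above, and shows why a factored modulus means a recovered RSA private key. The function names, the toy key (n = 56153, e = 17) and the brute-force `find_order` loop, which stands in for the quantum period-finding step, are assumptions made for illustration.

```python
import math
import random


def find_order(a, n):
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1).

    This loop is the part a quantum computer replaces with period finding.
    Done classically it takes time exponential in the bit length of n,
    which is why it only works here on toy-sized numbers.
    """
    r, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        r += 1
    return r


def shor_factor(n, rng):
    """Factor an odd composite n (not a prime power) into two non-trivial factors."""
    while True:
        a = rng.randrange(2, n)      # random integer smaller than n
        g = math.gcd(a, n)           # classical GCD check
        if g > 1:
            return g, n // g         # n was "factored accidentally"
        r = find_order(a, n)
        if r % 2 == 1:
            continue                 # odd order is unusable, pick another a
        x = pow(a, r // 2, n)
        if x == n - 1:
            continue                 # trivial square root of 1, pick another a
        # x*x % n == 1 with x not in {1, n-1}, so gcd(x - 1, n) splits n.
        p = math.gcd(x - 1, n)
        return p, n // p


def recover_private_exponent(n, e, rng):
    """Derive the RSA private exponent d from the public key (n, e) alone."""
    p, q = shor_factor(n, rng)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)           # modular inverse, Python 3.8+


if __name__ == "__main__":
    rng = random.Random()
    for n in (21, 143, 56153):       # numbers mentioned in the text above
        print(n, "=", " x ".join(map(str, sorted(shor_factor(n, rng)))))

    # Constructed toy RSA public key; real keys use 2048-bit or larger moduli.
    n, e = 56153, 17
    ciphertext = pow(4242, e, n)     # anyone can encrypt with the public key
    d = recover_private_exponent(n, e, rng)
    print("recovered d:", d, "decrypted:", pow(ciphertext, d, n))
```

Everything except `find_order` runs in polynomial time, so the security of an RSA key rests entirely on that one step staying infeasible.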

What does this mean?

So what does this mean for 2048-bit encryption? 2048 bits is equivalent to hundreds of decimal digits. I’ve found different numbers of decimal digits, but for all practical purposes I can’t calculate them anyway. Heck, I can’t calculate trillions in my head. And there’s RSA-4096 encryption, but…well, we’ll get to that.

But when quantum calculating abilities can crack algorithms, then it’s trivial to compute the number of combinations to crack an encryption…or guess a password…or generate a face.

From Microchip:

“Brute force attacks function by calculating every possible combination of passwords. As the password’s strength increases, the amount of time to crack it increases exponentially. So, in theory, if hackers tried to brute force their way into a key with AES-128 encryption, it would take approximately 1 billion years to crack with the best hardware available today [2023].

“But what if we lived in a post-quantum computing world? How long would a brute-force attack on popular cypher technologies take?…[We’re] likely still a decade or two away from Quantum computers that can easily break many of the cypher technologies in use today….

“[I]n a recently published report from Global Risk Institute (GRI), the time to break RSA-4096, which is practically impossible to break with classical computing technology, is under three days with a theoretical 1 megaqubit computer. While we are still a long way from a 1 megaqubit computer, the resources and time required are reducing rapidly at the same time we see advancements in Quantum computing which are in development.”

Yes, even RSA-4096 is vulnerable.

Now many claim that AES encryption such as AES-256 is quantum resistant, but even AES may have been breached, if you believe the claims of Chinese researchers. (But that’s a big if.)

I have no idea how much lattice-based access control mitigates these threats, but if you go around saying that strong encryption will never be broken, you are a fool.

What is the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard?

In this edition of The Repurposeful Life, I’m revisiting a prior post (“Is the Quantum Security Threat Solved Before It Arrives? Probably Not.”) and extracting just the part that deals with the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 204.

Thales used the NIST “FIPS 204 standard to define a digital signature algorithm for a new quantum-resistant smartcard: MultiApp 5.2 Premium PQC.”

The NIST FIPS 204 standard, “Module-Lattice-Based Digital Signature Standard,” can be found here. This is the abstract:

“Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. ML-DSA is believed to be secure, even against adversaries in possession of a large-scale quantum computer.”

ML-DSA stands for “Module-Lattice-Based Digital Signature Algorithm.”

Now I’ll admit I don’t know a lattice from a vertical fence post, especially when it comes to quantum computing, so I’ll have to take NIST’s word for it that modules and lattice are super-good security.

But wait, there’s more!

Since I wrote my original post in October, I’ve read NordVPN’s definition of a lattice on its lattice-based access control (LBAC) page.

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

You can see how this fits into an access control mechanism, whether you’re talking about a multi-tenant cloud (NordVPN’s example) or a smartcard (Thales’ example).

Because there are some things that Tom Sawyer can access, but Injun Joe must not access.

Is the Quantum Security Threat Solved Before It Arrives? Probably Not.

I’ll confess: there is a cybersecurity threat so…um…threatening that I didn’t even want to think about it.

You know the drill. The bad people use technology to come up with some security threat, and then the good people use technology to thwart it.

That’s what happens with antivirus. That’s what happens with deepfakes.

But I kept on hearing rumblings about a threat that would make all this obsolete.

The quantum threat and the possible 2029 “Q Day”

Today’s Q word is “quantum.”

But with great power comes great irresponsibility. Gartner said it:

“By 2029, ‘advances in quantum computing will make conventional asymmetric cryptography unsafe to use,’ Gartner said in a study.”

Frankly, this frightened me. Think of the possibilities that come from calculation superpowers. Brute force generation of passcodes, passwords, fingerprints, faces, ID cards, or whatever is necessary to hack into a security system. A billion different combinations? No problem.

So much for your unbreakable security system.

Thales implementation of NIST FIPS 204

Unless Thales has started to solve the problem. This is what Thales said:

“The good news is that technology companies, governments and standards agencies are well aware of the deadline. They are working on defensive strategies to meet the challenge — inventing cryptographic algorithms that run not just on quantum computers but on today’s conventional components.

“This technology has a name: post-quantum cryptography.

“There have already been notable breakthroughs. In the last few days, Thales launched a quantum-resistant smartcard: MultiApp 5.2 Premium PQC. It is the first smartcard to be certified by ANSSI, France’s national cybersecurity agency.

“The product uses new generation cryptographic signatures to protect electronic ID cards, health cards, driving licences and more from attacks by quantum computers.”

So what’s so special about the technology in the MultiApp 5.2 Premium PQC?

Thales used the NIST “FIPS 204 standard to define a digital signature algorithm for a new quantum-resistant smartcard: MultiApp 5.2 Premium PQC.”

The NIST FIPS 204 standard, “Module-Lattice-Based Digital Signature Standard,” can be found here. This is the abstract:

“Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. ML-DSA is believed to be secure, even against adversaries in possession of a large-scale quantum computer.”

ML-DSA stands for “Module-Lattice-Based Digital Signature Algorithm.”

Now I’ll admit I don’t know a lattice from a vertical fence post, especially when it comes to quantum computing, so I’ll have to take NIST’s word for it that modules and lattice are super-good security.

Certification, schmertification

The Thales technology was then tested by researchers to determine its Evaluation Assurance Level (EAL). The result? “Thales’ product won EAL6+ certification (the highest is EAL7).” (TechTarget explains the 7 evaluation assurance levels here.)

France’s national cybersecurity agency (ANSSI) then certified it.

However…

…remember that certifications mean squat.

For all we know, the fraudsters have already broken the protections in the FIPS 204 standard.

And the merry-go-round between fraudsters and fraud fighters continues.

If you need help spreading the word about YOUR anti-fraud solution, quantum or otherwise, schedule a free meeting with Bredemarket.

Not Unbreakable: Oracle’s Chief Security Officer Mary Ann Davidson Steps Down

According to the Economic Times, Oracle’s Chief Security Officer Mary Ann Davidson is no longer with the company.

This may mean nothing. On the one hand, Davidson had been with the company a long time, having joined Oracle in 1988 AFTER a career in the US Navy as a civil engineer. So perhaps she just retired.

Then again, Larry Ellison is 81 years old, so people don’t HAVE to retire.

And it appears that Davidson’s departure wasn’t announced in a press release, but was buried in a June filing.

The one word associated with Davidson is the word “unbreakable.”

“[D]uring a 2002 interview with Businessweek, she described the challenges of making sure the firm’s products lived up to a marketing campaign envisioned by Ellison that touted the company’s products as ‘unbreakable’….She explained at that time, saying, ‘‘Unbreakable’ gives us something to live up to,’ adding, ‘It really does concentrate the mind wonderfully. The general thought is don’t embarrass the company. Nobody wants to be the group that makes us violate it.’”

(And yes, the red glow in the unbreakable oracle in the picture is intentional. If you have ever attended a San Francisco Oracle OpenWorld with hundreds of red and white banners, you’ll understand…)

So Sophos Rebranded

CMO Justine Lewis explained the thought behind the rebranding.

The new element:

“The new Sophos logo nods to our history, but it’s reimagined with a shield that represents our defense against cyberattacks. Inside that shield lives the dual strength of Sophos: AI-native technology and world-class human expertise. Together, they create unmatched defense that adapts as fast as threats evolve.”

Oh, and the consultation:

“Our partners are core to our success, and their feedback on the rebrand has been energizing…”

My bet is that Sophos will not have to withdraw this logo, like another logo change that was recently reversed.

An IMEI Number Is NOT Unique to Each Mobile Phone

Have you ever used the phrase “sort of unique”? Something is either unique or it isn’t. And International Mobile Equipment Identity (IMEI) numbers fail the uniqueness test.

Claims that International Mobile Equipment Identity (IMEI) numbers are unique

Here’s what a few companies say about the IMEI number on each mobile phone. Emphasis mine.

  • Thales: “The IMEI (International Mobile Equipment Identity) number is a unique 15-digit serial number for identifying a device; every mobile phone in the world has one.”
  • Verizon: “An IMEI stands for International Mobile Equipment Identity. Think of it as your phone’s fingerprint — it’s a 15-digit number unique to each device.”
  • Blue Goat Cyber: “In today’s interconnected world, where our smartphones have become an indispensable part of our lives, it is essential to understand the concept of IMEI – the International Mobile Equipment Identity. This unique identifier plays a crucial role in various aspects of our mobile devices, from security to tracking and repairs.”

These and other descriptions of the IMEI prominently use the word “unique.” Not “sort of unique,” but “unique.”

Which means (for non-person entities, just like persons) that if someone can find a SINGLE reliable instance of more than one mobile phone having the same IMEI number, then the claim of uniqueness falls apart completely.

Examples of non-uniqueness of IMEI numbers on mobile phones

People who claim IMEI uniqueness obviously didn’t read my Bredemarket blog post of April 1, in which I WASN’T fooling.

  • I talked about an incident in India in which a cyber fraud operation “specialised in IMEI cloning.”
  • And an incident in Canada in which someone was scammed out of C$1,000, even though the phone had a valid IMEI.

IMEICheck.net even tells you (at a high level) how to clone an IMEI. It’s not easy, but it’s not impossible.

“In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.

“The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning.”

So don’t claim an IMEI is unique when there is evidence to the contrary. As I said in my April post:

“NOTHING provides 100.00000% security. Not even an IMEI number.”
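The check below is an added example, not code from the original post or from the companies quoted. It shows the defender's side of the point: a 15-digit IMEI that passes its Luhn check digit is only well formed, and the same IMEI can still appear on more than one device. The record layout (timestamp in seconds, IMEI, IMSI), the function names and the 600-second window are assumptions for illustration, and all sample values are constructed.

```python
from collections import defaultdict


def luhn_valid(imei):
    """True if imei is 15 ASCII digits ending in a correct Luhn check digit."""
    if len(imei) != 15 or not (imei.isascii() and imei.isdigit()):
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:             # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_shared_imeis(records, window_s=600):
    """Return {imei: [imsi, ...]} for IMEIs seen with different subscribers
    (IMSIs) within window_s seconds of each other.

    A SIM swap also puts a new IMSI on an existing IMEI, so the time window
    is a heuristic (assumption) for telling that apart from two handsets
    presenting the same IMEI at nearly the same time.
    """
    by_imei = defaultdict(list)
    for ts, imei, imsi in records:
        by_imei[imei].append((ts, imsi))
    flagged = defaultdict(set)
    for imei, seen in by_imei.items():
        seen.sort()
        for (t1, s1), (t2, s2) in zip(seen, seen[1:]):
            if s1 != s2 and t2 - t1 <= window_s:
                flagged[imei].update((s1, s2))
    return {imei: sorted(imsis) for imei, imsis in flagged.items()}


# Constructed sample registrations: (unix seconds, IMEI, IMSI).
SAMPLE_RECORDS = [
    (1000, "490154203237518", "001010000000001"),
    (1200, "490154203237518", "001010000000002"),   # same IMEI, 200 s later
    (1100, "356938035643809", "001010000000003"),
    (90000, "356938035643809", "001010000000004"),  # a day later: likely SIM swap
]

if __name__ == "__main__":
    for _, imei, _ in SAMPLE_RECORDS:
        print(imei, "well formed:", luhn_valid(imei))
    print("shared IMEIs:", find_shared_imeis(SAMPLE_RECORDS))
```

Every IMEI in the sample passes the format check, including the one that is flagged as shared.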

What does this mean for your identity product?

If you offer an identity product, educate your prospects and avoid unsupportable claims. While a few prospects may be swayed by “100%” claims, the smarter ones will appreciate more supportable statements, such as “Our facial recognition algorithm demonstrated a 0.0022 false non-match rate in the mugshot:mugshot NIST FRTE 1:1 laboratory testing.”

When you are truthful in educating your prospects, they will (apologies in advance for using this overused word) trust you and become more inclined to buy from you.

If you need help in creating content (blog posts, case studies, white papers, proposals, and many more), work with Bredemarket to create the customer-focused content you need. Book a free meeting with me.

Is “Autonomous SOC” Real?

On the long-standing debate on the mix between automation and manual operations, here’s what the Cyber Security Hub says:

100+ AI security startups claim they can replace Tier 1 and Tier 2 SOC analysts with 24/7 LLMs. They promise AI can triage, detect, and respond—no humans needed.

But here’s the reality:

  • AI tools hallucinate and miss context
  • Custom attacks slip by without human insight
  • Escalations stall when no one’s validating alerts…

…This isn’t about rejecting AI. It’s about using it wisely—and never cutting people out of the loop.

More here: https://www.linkedin.com/pulse/ai-cant-run-your-soc-heres-guide-proves-the-cyber-security-hub-awa9e

Is the Cyber Security Hub correct? 

Are there truly over 100 firms who promise a completely automated cybersecurity solution?

More importantly, can 100% “autonomous SOC” be circumvented by a determined opponent?

Do Your Technology Prospects Know the Critical Importance of “Continuous” Access Evaluation?

Today’s word is continuous. A word that your technology solution prospects need to understand.

The problem

The Identity Jedi just shared the dirty little secret that we all know but aren’t willing to admit.

“[A]ccess reviews aren’t inherently about security — they’re about satisfying auditors.”

The Jedi’s assumption is that the access review is a periodic one, completely satisfied by manually checking boxes.

That’s because it’s easier to evaluate whether a box is checked than to evaluate whether the system is truly secure and whether people who no longer deserve access have actually lost it.

The solution

But companies move beyond check boxes anyway, because they realize the other point that the Identity Jedi made.

“Instead of waiting for quarterly reviews, implement continuous access evaluation that flags high-risk or out-of-policy access the moment it happens — not months later.”

Many cybersecurity and TPRM vendors have implemented continuous access evaluation. Has yours?

For the continuous access evaluation vendors

And if you are a vendor of a continuous access evaluation solution, do your prospects know why it’s critically important, and the benefits that such a solution provides?

If you haven’t told your prospects about the benefits of continuous access evaluation, it’s time.

And I can help.

A Jewelry-related Third-Party Breach: What Could Go Wrong?

Check this article from cyberdaily.au regarding a reported third-party breach. This one is from Danish jewelry brand Pandora.

“The company said that impacted data includes names, birthdates and email addresses, but that financial information, government identifiers and passwords were not accessed by the threat actors.”

So who was the third party? BleepingComputer has that part of the story:

“While Pandora has not shared the name of the third-party platform, BleepingComputer has learned that the data was stolen from the company’s Salesforce database.”

Not that it’s necessarily Salesforce’s fault. Access could have been granted by a Pandora employee as part of a social engineering attack.

All Salesforce users should read “Protect Your Salesforce Environment from Social Engineering Threats.”

It’s not just a technical issue, but also a business process issue.

Or a user education issue.

Bredemarket can help firms educate their users. Talk to me.