A New Metric for Cybersecurity: The QWERX Security Index
How do you measure the level of protection a machine identity system is providing in an environment rife with data breaches and compromised digital credentials?
The only current measure is the strength of the key in bits, but if the attack vector is theft of the credential, the number of bits in the key becomes almost irrelevant. Certainly, the key has to be strong enough that it can’t be easily broken, but breaking the key is not the tactic commonly used to break into secured networks. It takes time to break keys; even very modest keys take considerable time to break. Any key, however, can be stolen in an instant, or at most in the time it takes to conduct a social engineering attack.
The QWERX Security Index (QSI)
QWERX has devised a security index that combines the strength of a key and the time available to break or steal it into a single numerical value we call the QWERX Security Index, or QSI. The higher the number, the stronger the security.
Here is how it works. Take the number of bits in the key and divide it by the number of seconds the key exists in the credential before it is rotated. The concept that a 256-bit key is stronger than a 64-bit key is well known, even though a 64-bit key can produce 18,446,744,073,709,551,616 distinct values.
Conventional thinking measures strength by contemplating how long it would take a fast computer to break a strong key. The number is usually returned in years and that is considered to be good enough. There are two basic problems with this approach:
- Computers are getting faster, and quantum computers will be astonishingly fast when they are fully realized.
- It only takes a fraction of a second to steal a key, regardless of how strong it might be.
For example: a very strong key, such as a 2048-bit key refreshed every 30 days, which is the best of best practices, would have a QSI value of 2048 (bits) divided by 2,592,000 (the number of seconds in 30 days). This is a QSI of 0.00079012345679.
A 64-bit key refreshed every tenth of a second in a QWERX-protected device would have a QSI of 64 (bits) divided by 0.1 (seconds). This results in a QSI value of 640, which is 810,000 times stronger than the 2048-bit key refreshed every 30 days in actual application for securing device authentication.
Rotation Frequencies
As described above, today’s best practice QSI is 0.00079012345679.
- For a High Security Environment, we recommend key rotation 10 times per second. This degree of security would challenge even nation-state attackers. A 64-bit key rotated 10 times a second is the example shown above, with a QSI of 640, or 810,000 times stronger than today’s best practice recommendation.
- For a Commercial-Grade Environment, we recommend one rotation per second. This degree of security defeats every approach to stealing or breaking keys known today and has a QSI of 64, or 81,000 times stronger than today’s best practice recommendation.
- For a Base Installation, we recommend key rotation every 10 seconds. This also uses a 64-bit key, producing a QSI of 6.4, or 8,100 times stronger than today’s best practice recommendation.
Use Case: A Lying-in-Wait Attack
Assume a QWERX-protected device is secured with a 64-bit key. An attacker chooses to lie in wait using just one 64-bit value, continuing to try it every time the key is rotated until a connection eventually succeeds.
There are 18,446,744,073,709,551,616 different 64-bit values, so it could be a long wait, or the attacker could just get lucky. Even with keys rotating 10 times per second, we are looking at millions of years for all of the 64-bit values to be used. On top of that, QWERX won’t be using just a single 64-bit value, but strings of them, interspersed with padding and keys of other sizes.
Sooner or later, someone does win the lottery. But even if the attacker is incredibly lucky, they get thrown out on the next key rotation, a fraction of a second later.
Defense moving faster than offense is a new cybersecurity reality with QWERX.