Hacking Network Security Quantum Computing Cybersecurity Use Cases Postquantum Security Innovation

A New Metric for Cybersecurity: The QWERX Security Index

John Ellingson
John Ellingson
wormhole

How do you measure the level of protection a machine identity system is providing in an environment rife with data breaches and compromised digital credentials?

The only current measure is the strength of the key in bits, but if the attack vector is the theft of the credential, the number of bits in the key becomes almost irrelevant. Certainly, the key has to be strong enough that it can’t be easily broken, but breaking the key is not the tactic commonly used to break into secured networks. It takes time to break keys. Even very modest keys take considerable time to break. All keys can be stolen in an instant; for example, as long as it takes to conduct a social engineering attack.

The QWERX Security Index (QSI)

QWERX has devised a security index. The QSI that combines the strength of a key and the time it would take to break or steal the key into a numerical value we call the QWERX Security Index, or QSI. The higher the number, the stronger the security.

Here is how it works. Take the number of bits in the key and divide it by the number of seconds the key in the credential has to exist. The concept that a 256-bit key is stronger than a 64-bit key is well known, even though a 64-bit key can produce 18,446,744,073,709,551,616 distinct values.

Conventional thinking measures strength by contemplating how long it would take a fast computer to break a strong key. The number is usually returned in years and that is considered to be good enough. There are two basic problems with this approach:

  1. Computers are getting faster, and quantum computers will be astonishingly fast when they are fully realized.
  2. It only takes a fraction of a second to steal a key, regardless of how strong it might be.

For example: A very strong key, like a 2048-bit key refreshed every 30 days, which is the best of best practices, would have a QSI value of 2048 (bits) divided by 2,592,000 (the number of seconds in 30 days). This is a QSI of 0.00079012345679.

A 64-bit key refreshed every tenth of a second in a QWERX-protected device would be treated as a value of 64 (bits) divided by 0.1. This results in a QSI value of 640 -- 810,000 times stronger than the 2048-bit key refreshed every 30 days in actual application for securing device authentication.

Rotation Frequencies

As described above, today’s best practice QSI is 0.00079012345679.

  • For a High Security Environment, we recommend key rotation 10 times per second. This degree of security would challenge even nation state attackers. A 64-bit key rotated 10 times a second is the example shown above with a QSI of 640, or 810,000 times stronger than today’s best practice recommendation.
  • For a Commercial-Grade Environment, we recommend one rotation per second. This degree of security defeats every known approach to either stealing or breaking keys known today and has a QSI of 64, or 81,000 times stronger than today’s best practice recommendation.
  • For a Base Installation, we recommend key rotation every 10 seconds. This also uses a 64-bit key, producing a QSI of 6.4, or 8,100 times stronger than today’s best practice recommendation.

Use Case: A Lying in Wait Attack

Assume a QWERX-protected device is secured with a 64-bit key. An attacker choses to lay in wait using just one 64-bit value, continuing to try it every time the key is rotated until the connection eventually occurs.

There are 18,446,744,073,709,551,616 different 64-bit values, so it could be a long wait, or the attacker could just get lucky. Even with keys rotating 10 times per second, we are looking at millions of years for all of the 64-bit values to be used. On top of that, QWERX won’t be using just a single 64-bit value, but strings of them, interspersed with padding and keys of other values.

Sooner or later, someone does win the lottery. But, even if the attacker is incredibly lucky, they get thrown out on the next key rotation a fraction of a second later.

Defense moving faster than offense is a new cybersecurity reality with QWERX.
John Ellingson

John Ellingson

Follow me on LinkedIn Follow me on LinkedIn

John Ellingson is the Chief Technology Officer at QWERX. John started his digital career with the Boeing Company working on the 747 aircraft in the late 1960s. He became a computer-literate attorney performing what is today known as forensic accounting. As the founding chairman of the ABA/YLD Subcommittee on Tax Treatment in Bankruptcy, John worked with the Congressional Joint Tax Committee to create the Internal Revenue Code Provision enabling the tax-free merger and acquisition of debtor corporations. This law became part of the Bankruptcy Tax Act of 1980. John had a national M&A practice in this area and obtained the first IRS Private Letter Ruling on this Code section. As a result of this practice, he observed a frequent element of white-collar crime in many bankruptcy cases, and he subsequently developed and patented a method to detect identity fraud. The product derived from that patent is still deployed at most retail banks throughout the U.S. today. This success started John on a path of protecting digital systems and identity management. He continued in this role with American Operations Corporation and ASM Research before founding infOsci LLC and later QWERX, Inc. John holds numerous method patents in digital system security. John was appointed to the United States Air Force Academy and medically separated before graduation. He holds a Bachelor of Science degree from the University of Wisconsin and a Juris Doctor degree from Seattle University. For 20 years John served as a liaison officer with the United States Naval Academy and the United States Military Academy. He also served on the Service Academy Selection Boards for two U.S. Senators.

Leave a Comment