data in transit
Yes, but then it is stored unencrypted on github. Ready to be used as training data by github.com/ Microsoft or whoever. Which isn’t bad per se for i. e. public repositories. Just pointing out, that the weakest link in your chain of security measures is the… weakest link.
If you wanted to secure your code, you could store it on-site, behind a firewall, in its own network segment, with encrypted offsite backups. Elliptic curve cypto would help too in this scenario. And MFA. And access restrictions. Many possible measures.
If you are like me and not sure what “post-quantum SSH security” means, you should read this. TL;DR it’s an algorithm believed to be unbreakable by quantum computers.
Yet
AFAIK quantum computing’s only demonstrations of being able to break encryption using Shore’s algorithm was in a toy problem where they already knew the answer and it was like 5 bits long and satisfied a particularly easy pattern. I’ll be impressed when it can break 192-bit encryption with proper entropy.
The threat model is that all communication is recorded and will be decrypted once the technology becomes available. The question then becomes for how long you want your data to be secure. If its for example 40 years, you need to chose an algorithm today that is still secure in 40 years.
Would you like to know more?: https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later
I believe quantum computers are only going to really threaten asymmetric encryption, like the one used in SSH keys. Things like RSA, DSA, and ECDSA, as well as Diffie-Hellman key exchanges are potentially weak to future quantum computers brute forcing those integers.
Symmetrical encryption should hold up much better against quantum. An algorithm like AES or ChaCha20 should be fine with a bit key length of 256 or higher.
Or just move to the post-quantum algorithms to be safe.
Meh. I think quantum computers are technological hocuspocus that is used as justification for companies like D-Wave to generate billions of dollars for a few financial executives. The science is real. The engineering is real. The technology is a toy and its uses are extraordinarily limited and out-competed by normal computers.
Can it optimally solve the travelling salesman problem? Sure. With many thousands of bits. Can a classical computer with a fancy algorithm get close enough for practical use cases? Yes. With today’s technology and enough power to run an old lightbulb.
You’re right. Only thing is that this is currently being worked on by multiple nation states as well, as these theories do have a military advantage. There will be money and resources pouring into this field for decades.
Even if it takes another 3 or 4 decades, the goal posts are planted, and I think Q-Day will eventually happen. Of course, im just assuming and can’t know the future. For now, it is a toy as you have said.
If you haven’t already switched to more secure algorithms you’ll be impressed and also penniless when it can break 192-bit encryption with proper entropy.
NIST says 2035 should be the target date for organizations to get to something quantum resistant. The talk I saw at DefCon this year laid out a very convincing argument that due to advancements in the implementation of Shorr’s, as well as one other algorithm, that’s not an aggressive enough target and we should really be shooting for 2030. Apparently IBM has never missed a target date, and they’re looking at having enough logical Qubits by 2032 or so.
