Harvest Now, Decrypt Later (HNDL): A Look at This Current & Future Threat

HNDL retrospective decryption attacks are a major concern for more than half of the professionals surveyed by Deloitte. We’ll explore what these quantum-related future threats are and how you can future-proof your enterprise against them.

Bad guys, right now, might be loading up your most sensitive data like it’s clearance day at their favorite warehouse store.

Your data is encrypted? They don’t care. Threat actors are putting your data “on ice,” storing it until quantum computing capabilities come along that can break modern encryption schemes. (And Q-Day might be here sooner than you think!)

This activity is known as a “harvest now, decrypt later” attack. We’ll explore what HNDL attacks are and how you can harden your cyber defenses and data against these threats now and in the future.

Let’s hash it out.

What Is a Harvest Now, Decrypt Later (HNDL) Attack?

Harvest now, decrypt later is a surreptitious two-part cyber attack in which threat actors collect sensitive information now for use at a later date. It’s about collecting a wealth of encrypted data now that can be capitalized upon “tomorrow” (i.e., whenever quantum computers become available outside a laboratory setting). For this reason, these attacks are also called “store now, decrypt later” and “catch now, break later” attacks.

Bad guys are biding their time until quantum computers are readily available, simply collecting and storing the information in the meantime. After all, why should they invest all of the time, effort, and resources required to break cryptographic algorithms that future quantum computers will be able to break within a matter of minutes, hours, or days?

Why Quantum Computing Is the Key to HNDL Attacks

Quantum computers harness the power of the quantum mechanics superposition principle (i.e., the ability for elements to exist in multiple states simultaneously). This computational power is central to concerns about harvest now, decrypt later attacks. This is why quantum-safe (or, more accurately, quantum-resistant) cryptosystems must withstand the processing power of quantum computers. As such, data must be cryptographically secured using quantum-resistant algorithms (i.e., post-quantum cryptography).  

Cryptographically relevant quantum computers are expected to break the factorization problem that’s at the heart of modern public key encryption schemes. Basically, any data secured by modern public key encryption schemes alone would be at risk of compromise once the quantum tools are available. It doesn’t matter whether you’re a small business or one of the world’s biggest enterprises; we’ll all require the same post-quantum encryption and key exchange algorithms that are specifically designed to combat quantum computer-based attacks.

Shor’s Algorithm is poised to break the public key cryptography schemes we rely on today that are based on the discrete logarithm (ECDH) and prime factorization (RSA) problems. Wondering how it all works? Rather than me trying to explain it, you can hear it straight from the horse’s mouth and get the low-down from mathematician Peter Shor himself:

Hybrid Algorithms Help You Bridge the Gap in the Meantime

The crypto-agile approach of using hybrid algorithms aims to nip in the bud the security issues posed by Shor’s Algorithm. This is why the Internet Engineering Task Force (IETF) recommends using hybrid public key encryption (HPKE) algorithms to fend off modern attacks and protect data against future cryptographic attacks (like HNDL).

An example of an HPKE algorithm is X25519Kyber768Draft00. This hybrid algorithm (the combination of the traditional elliptic curve cryptography [ECC] key exchange algorithm X25519 and the Kyber-768 Module Lattice Key Encapsulation Mechanism [ML-KEM]) has been used by Google Chrome and Cloudflare as of 2023. Zoom announced in May 2024 that it deployed Kyber-768 to enable end-to-end encryption (E2EE) for its Zoom Meetings, with plans to employ it for Zoom Phone and Rooms products next.

Lattice-based algorithms rely on problems that are mathematically difficult to solve, as doing so requires figuring out the shortest and closest vectors. (Lattices are typically multi-dimensional charts. The more dimensions that are taken into account when calculating the lattice points [bases], the more challenging the lattice is to solve.) Putting it simply, these algebraic problems are nightmares for mathematically challenged individuals but great for PQC digital security.

Here’s a quick primer on how lattice-based cryptography works, if you want to learn more:

How a Harvest Now, Decrypt Later Attack Works

Unlike many other modern cyber attacks that give attackers instant gratification, harvest now, decrypt later attacks require patient attackers who are willing to wait for more reliable quantum capabilities. HNDL attackers can set up eavesdropping tools to collect a plethora of encrypted data that they can then sit on for the next 3-10 years.

Image caption: A basic illustration showing what an HNDL attack is and how it’s dangerous for users and businesses.

Of course, there’s no rush or time limit to decrypt certain types of information. For example, an HNDL attack is ideally suited for evergreen data such as social security numbers, bank account information, government secrets, and other sensitive data that aren’t prone to change much (if at all) and/or have perpetual value.

For example, secret plans for a nuclear weapon or your company’s most secret intellectual property aren’t likely to lose their value within the next few years.

This differs from, say, credit cards, which change more frequently due to the owners’ name changes, card expiration dates, and reported fraud issues. This isn’t evergreen data and cybercriminals know it can lose its intrinsic value if it’s not used quickly.   

Attackers Are Getting Smarter About What They Choose to Save

Let’s face it: there’s a ridiculous amount of data in the world, and the overwhelming amount of data businesses generate and store is growing at an inordinate rate. And attackers want to get their hands on your most valuable secret data.

Effective HNDL attacks aren’t about harvesting every scrap of data attackers can get their hands on. It behooves attackers to make more educated guesses about which data payloads to steal to achieve the highest value, as data storage costs can certainly add up over time, particularly when someone is storing massive quantities for years.

So, how do HNDL threat actors figure out which encrypted data to store or dump? On the surface, they can’t. All encrypted data just looks like a bunch of gibberish without the necessary decryption key. But there are contextual clues that cybercriminals can analyze to figure out which data might hold the most value:

  • Transmission source and destination IP addresses (i.e., to whom or where it is being sent or received from)
  • Transaction frequencies  
  • Application connection behaviors and patterns
  • Data transmission sizes

Who’s Thought to Be Responsible for HNDL Attacks?

Technically, anyone can be a harvest now, decrypt later attacker. If you have a way to get your hands on organizations’ encrypted sensitive data payloads, then you have the potential to carry out “store now, decrypt later” attacks in the future with the help of quantum computing technologies.

However, when people within the industry discuss these types of attacks, they typically refer to the threats posed by nation-state threat actors and other large groups of bad actors. Basically, the biggest threats are the groups of individuals or government-sponsored entities that have more resources and data storage at their disposal rather than necessarily the individual attackers (though they still pose threats as well).  

Knowing all of this, what steps can you take to help protect your data now against these retrospective decryption attacks in the future?

How to Protect Your Organization Against HNDL Attacks

1. Start Planning Your PQC Strategy Now (If You Haven’t Already Done So)

Back in November 2023, we shared our top takeaways from the second annual PKI Consortium’s Post-Quantum Cryptography Conference. One of the key insights shared by many of the experts is that it’s a mistake for organizations to wait to start figuring out a game plan.

Adopting PQC isn’t simply a matter of swapping out classical PKI digital certificates for shiny new PQC certs; there’s a lot more to it. It also boils down to implementing a wealth of new policies, processes, procedures, and technologies.

For example, here are a few of the ways you can start preparing your organization for an inevitable quantum future:

  • Inventory your cryptographic assets so you know what you need to secure.
  • Closely manage your PKI lifecycle to address any vulnerabilities that pop up quickly.
  • Integrate quantum-based threats and considerations into your ongoing risk analyses.

NIST and Other Global Experts Are Finalizing a Standardized Approach

The National Institute of Standards and Technology (NIST) has been working hard with other industry experts over the past several years to finalize new PQC standards. The NIST PQC Team has been holding a series of seminars and their goal is to publish finalized standards this year that organizations can implement in the near future.

For example, they’ve published four draft algorithms (one key encapsulation algorithm and three digital signature algorithms) that are nearing final standardization:

  1. CRYSTALS-KYBER (a module lattice-based key encapsulation algorithm that’s used for key establishment and encryption)
  2. CRYSTALS-DILITHIUM (a module lattice-based general-purpose digital signing algorithm)
  3. SPHINCS+ (another digital signature algorithm featuring stateless hash-based security properties)
  4. FALCON (a third digital signature algorithm, but one that’s NTRU lattice-based and will be applicable for more specific use cases)

The first three PQC algorithms are expected to be released sometime this summer (2024). However, the fourth (FALCON) likely won’t be released until later in the year.

2. Enable the Kyber Hybrid Key Exchange Algorithm in Chrome

If you haven’t done so already, enable the X25519Kyber768Draft00 algorithm in your organization’s Google Chrome web clients. Also, ensure your employees are keeping their endpoint devices’ browsers up to date so they have the latest protections and updates.

Of course, once NIST finalizes the PQC standards for its chosen algorithms, be sure to adopt support for the latest version and remove support for X25519Kyber768Draft00 at that time.

3. Upgrade Your Private PKI Certificates to PQC

For enterprises that want to secure their internal IT server infrastructure, software apps, users, and endpoint devices, you don’t have to wait to use hybrid cryptographic algorithms. DigiCert Trust Lifecycle Manager offers several certificate templates that support PQC Module Lattice Digital Signature Algorithm (ML-DSA) keys.

Implementing a hybrid approach means that bad guys will have to break not one, but two cryptosystems in order to gain access to your plaintext data.

4. Swap Out Your Long-Term Keys for Ones Generated Using PQC Algorithms

Some digital certificate uses and applications within your organization may entail using certificates with longer device and cryptographic key lifespans than others. For example, IoT devices have lifespans ranging upwards of 20 years!

There are plenty of legitimate reasons why companies may not actively change out their IoT device keys, with reasons ranging from physical logistics to some devices not being capable of over-the-air (OTA) updates. But regardless of the reason why, it means that if those devices rely on classical cryptosystems, they’re at risk of store now, decrypt later attacks.

As you can imagine, swapping out the keys for these devices whenever possible is critical, particularly if you’re expecting them to remain active on your network or within your IT ecosystem for years to come.

5. Look Out for Publicly Trusted SSL/TLS Certificates in the Future

Unfortunately, PQC SSL/TLS certificates from publicly trusted certificate authorities (CAs) aren’t available yet. (Creating an entirely new set of cryptographic algorithms isn’t exactly a walk in the park; these things take time, after all!) But once they are available, you’ll want to implement these algorithms across your networks and IT infrastructure as soon as possible.

Final Thoughts on Harvest Now, Decrypt Later Attacks

Harvest now, decrypt later attacks are real-world threats that will affect your organization and customers now and more acutely in the future. As you’ve learned, you can take steps to fight back against these dual-pronged attacks.

CRQCs are coming; few dispute that. But even knowing this, there’s no reason to panic. Use the time now to prepare for the worst so that your organization is as prepared as possible. This approach puts you in the best position possible to deal with any curveballs that may come your way.

By implementing hybrid PQC algorithms now within your ecosystem, you’re taking steps to prevent bad guys from decrypting and using your sensitive data against you (and your customers) later.    


Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.