1. Introduction
Critical infrastructure (CI), including areas such as finance, transportation, and utilities, depends largely on well-protected yet easily accessible services. Maintaining the appropriate balance between ease of access and restriction of access is a critical objective. Furthermore, the recent emergence of advanced cyber threats has introduced challenges that are prompting significant research investment in authentication technologies. However, for CI, it is important to not only secure but also simplify. Zero-Trust Architectures (ZTAs), where users, services, and networks are compartmentalized and permissions-on-demand are as close as possible to the operational groups and data they restrict, align with the network segmentation necessary to maintain secure traffic between network zones in CI.
The requirement for authentication at the core of these architectures presents opportunities for simplification and the exploitation of quantum-resistant cryptographic techniques. The challenge that the growing contribution to quantum-resistant technologies of complex proactive key management is magnified in network traffic security-centric ZTAs. Collaboration is a ubiquitous concept of authentication, for example, with technologies that range from cryptography to biometrics to proof of work, while we show opportunities for hashing to be used to anonymize collaboration. This concept could be used to simplify ZTA design, especially for CI sectors where identifiers could be blurred in applications where users do not have unique identifiers. We find that quantum computing has the potential to revolutionize authentication systems, aiding in the search for effective demonstration mechanisms to allow anonymous transactions with trustworthy clients and encouraging genuine participants to adopt the principles of defense-in-depth guidance.
1.1. Background and Rationale
Cybersecurity vulnerability is becoming an ever-increasing issue as industry and personal interests merge in cyberspace, and traditional perimeter security ideals fail to secure the gigantic explosion of users and untrusted devices accessing territorial enterprise systems. State and non-state actors are targeting national critical infrastructure systems, establishing a security state of zero trust, effectively removing inherited assumptions about data, systems, and entities: no party” either on the network or back office” should be given inherently trusted access rights. Zero trust implies shifts in authentication and authorization, breaking identity and access management and shifting these to policy-driven, strictly enforced rights, not just codes. With ultra-high-security capabilities not enjoyed by classical computers, quantum computing will not break the zero trust ideal of currently underpinned classical cryptographic solutions but will potentially change the way in which cryptographic keying security should be approached within existing enterprise domains. A careful game-theoretic assessment of the impact and timing of quantum computer use on threat and access policies is needed to inform risk management, notwithstanding the challenges of modifying systems and processes to accommodate the deployment of quantum-resistant and quantum-assured algorithms. The ideal quantum-ready state has not been reached; neither has such intervention a priority in the psychologies of all stakeholders who control critical infrastructure ecosystems with their varied and diverse concerns. This text picks up and examines a cluster of issues pertinent to zero trust and quantum cryptography applied to critical infrastructure environment access control from a value assessment perspective” the enterprise security players’ jigsaw puzzle as reflected in the mix and interplays” joined up with the available futures of quantum computing. We provide some food for thought on a potential security extensibility roadmap.
Firstly, we explore the quantum threat to current critical infrastructure cybersecurity key control.
Subsequently, we present a composite zero trust architecture with quantum-resistant components. Thirdly, we overlay the famous diamond model known as the open community triple helix in intersecting national security clusters to conduct some cross-examination of enterprise stakeholder motivation for quantum readiness. Finally, by way of a number of illustrators to some typical critical infrastructure stakeholders, we present final results and comment hereon with some suggested ways forward to our readers.
2.Fundamentals of Quantum Computing
While the classical computer uses bits, which always exist in one of two states (0 or 1), a quantum system uses qubits, which are in a state of quantum superposition. The number of superposed states of qubits combinatorilly increases: the more qubits, the greater the potential power of quantum computing. Moreover, as defined by the laws of quantum mechanics, two entangled particles may share one common wave function. Thus, the net result is that any prospective system built using quantum properties is able to exploit parallel and entangled processing. Therefore, computation with quantum algorithms is expected to have a significant impact on the ability to solve a wide variety of complex computational problems.
Administration can be further enhanced by using superpositions and entanglements of qubits, as the strong potential benefit of quantum processes is the resilience of the technology that is used to build stronger methods of encryption and to quickly break contemporary encryption globally by using quantum computing.
In a quantum computer, as it is today with traditional computers, the information is accessed via a power demeanor defined in quantum mechanical form. Unlike traditional bits, quantum computers store their information in logical units, which are a very different type of quantum bit. The adversity of the quantum technique derives from the inability to accurately investigate or control these quantum bits, and computational errors will persist, showing that the use of qubits allows for the incorrectness of a simple state. The encapsulated quantum state can be tremendously fragile, creating the processing of any ‘classical’ error correlation. Qubits are expected to demonstrate recursive error feedback to the pieces that have lost this continuity. Furthermore, the efficient algorithms that illustrate quantum parallelism only solve problems at a polynomial speed in n for information n. Such a polynomial offers a lucrative way to solve complex problems whose results cannot be obtained through the use of classical computing.
2.1. Basic Principles
Quantum computing, as an innovative advancement in computational concepts, takes advantage of previously unconsidered behaviors to carry out operations that are dissolved and rejected by classical computers. A quantum computer is one that operates in a fashion in perfect accordance with the general laws governing quantum mechanics. Ideas implemented to represent data and direction of control in a classical computer are replaced by qubits and quantum gates, in a concept that demands a complete and new global perspective that is coherently non-linear and probabilistically robust. Generally speaking, a quantum computer can theoretically handle an intricate web of 3 qubits with the degree of complexity raised to the power of 2n, where n represents the number of qubits.
All indications argue that some prevalent cryptographic standards are expected to be vitally negated by a powerful quantum computer, and so the technology seems to be inherently insecure based on the rules of today’s cybersecurity. Accordingly, the cryptography business must inevitably and immediately complete a flawless quantum-indifferent cryptographic standard to ensure the security of data transmitted over the internet in the quantum era, even for comparatively old data. Codable features or quantum security products can coax demand and justify the expensive trade-offs, as attractive solutions are becoming apparent that are not necessarily bereft of technology deficiency and general weaknesses. Even while a quantum computer is still a distant project, within 10–50 years the technology is assumed to be applicable and widely deployed, so creating a general state of denial by acting as if a dangerous event would be unlikely.
3.Authentication Systems in the Era of Quantum Computing
The paper embarks on traversing the impact quantum computing brings to mission-critical use cases in the authentication domain from a zero-trust perspective, notably critical infrastructure. The realm of authentication systems is analyzed in terms of cryptographic methods that are vulnerable to quantum attacks and the emerging quantum-resistant solutions. Quantum computing has existed so far as somewhat obscure, especially in the area of cryptography. At the time of this writing, quantum computers have only demonstrated capability at a limited scale of qubits to run computations. But that is the chronicle of classical computing from 80 years ago. The strides in quantum computing demonstrate the potential of surpassing the statistical mechanical limitations of binary state machines. This has already set off an accelerated development in building functioning quantum machines. In fact, the era when a large enough quantum computer can break most contemporary public-key cryptographic algorithms is not too remote. While secure, unclonable cryptographic techniques will be responses to part of that predicament, they will have limitations. The practical way of coping with the imminent threat has been to start developing and implementing quantum-resistant cryptographic solutions.
3.1.Current Challenges
Authentication challenges to be addressed in this paper are derived from the specific context and requirements of a critical infrastructure component that requires high-assurance access control to sensitive system resources. As such, the component must be operated in a zero-trust mode, where intense authentication and real-time access control are essential to protect critical assets and ensure service continuity. After a general mapping of the particular challenges in the area, specific zero-trust security models were analyzed, with the purpose of recognizing and extracting the capabilities and characteristics necessary for any modern authentication/authorization process designed to fit zero-trust architectures. Such analysis led to the gathering of a list of potential quantum-resistant algorithms and mechanisms, which were also cross-referenced with the accessibility to cryptographic standardization guidelines and large-scale commercial public acceptance, in order to allow such solutions to be tested against a representative quantum adversary.
In general, the majority of security systems currently in place operate on the premise of an initial trust environment, where systems and services may trust each other and are not expected to realize that they are potentially compromised, making it very difficult to detect a phishing attack. This adds an advantage to the adversary given the time element for updates to catch up with new vulnerabilities and, at times, to the users who do not correctly install updates and updated configurations, and selectively interfere with predefined updates during runtime. Modern cryptographic solutions are based on hard mathematical problems, like the integer factorization problem that RSA is based on, and consequently, turn into weak cryptographic algorithms when faced with attacks from quantum computation. Those solutions comprise a significant part of most developed systems, both in private and government organizations.
4. Zero-Trust Architectures
Zero trust network architectures allow for real-time defense and situational awareness capabilities and facilitate the consolidation of security services. Zero trust implies the need for strict user access control and validation. Besides, it also involves the use of secure communication systems. The goal of generating security solutions that are transparent to users has been progressively sought after, although it has yet to be fully realized in practice. The underlying approach is the opposite of security by obscurity, which states that security should not be based on the secrecy of the algorithm or only on the unknown parameters of the keys. The zero-trust security model states that trust must not be a requirement for user access, for instance, for accessing applications or endpoints inside the corporate network. This model proposes a set of assumptions and rules that state trust cannot be granted and must be verified indistinctly from inside or outside of the corporate network. The technological principle that enables a critical assessment of the trust of endpoints and access opportunities is the synchronized permanent and in-depth evaluation of all secure and nonsecure passages. To implement a security model, it is necessary to define the Operations Centre and Cyber Security Operations Centre organizations and to have a technical infrastructure platform that implements zero-trust protocols in various technologies; otherwise, it is not possible to interact without exposing corporate assets by usurping authorization levels. The pillars of the zero-trust model state with justifiable cause that you must authenticate and certify the identity and integrity of the person, entity, or device, authorizing all or part of access, locales, and information, and have granular visibility and control of every device and user within your company.
4.1. Concepts and Principles
The Zero Trust model operates under three major principles: all network traffic is untrusted and must be inspected for capability; all users should be considered unidentified and unable to browse or even detect all hands-on activities; and security credentials must be available and verifiable for all users, software, and devices trying to connect to the network. Security features already integrated into operating systems, the use of advanced memory protection and access controls, and the convergence of software, telecommunications, and data science are some of the methods already successfully implemented.
Most security threat scenarios rely on six security constraints defined in a study about security models and architecture’s relationship: the four major P’s: privacy, property, privilege, and protection; with identification and authentication as the two primary aspects. In secure communications, a secure channel establishment is needed. During this establishment, a claim about an identifier’s bond with a client must pass minimal validation to prove the client’s identity. A client authenticator is the client knowledge used in this protocol. Privacy should not require constant monitoring or disclosure, which means privacy may seem in opposition to security and integrity. Security in data security refers to confidentiality, which means preventing sensitive information from unauthorized access. Encrypted data, unused logins, and logs are examples.
5. Quantum-Resistant Solutions for Authentication
The need for safe and habitually remote access introduces a requirement for innovative and practical authentication systems, especially when developed for critical infrastructure. The fact that quantum computers are radically changing the paradigms of cryptography validity is acknowledged by experts. However, the possibility of post-quantum threats combined with the lack of knowledge about the impacts of quantum computing on industries carrying out critical activities reinforces the need for research about the potential impact of quantum computing on cyber and security solutions, where authentication stands out in this context. This paper performs a critical review and describes the main research being conducted in this area related to quantum-resistant authentication solutions, to support the development of authentication solutions in zero-trust architectures for critical infrastructure, as well as the guidance and trade-offs for experts who want to develop innovative quantum-resistant authentication solutions.
Quantum-Resistant Solutions for Authentication The main issues of encryption vulnerabilities and safe channels being exploited by quantum computers and their impacts on authentication systems are why researchers have focused on solving them. Shared secrets of quantum key distribution or one-time pad, signature hashes, public-key encryption, post-quantum hash-based cryptosystems, and supersingular isogenies were the possible solutions to consider. As we can observe, it is only necessary to use public quantum-resistant algorithms such as lattice-based and code-based systems. Additionally, post-quantum hybrid key exchange methods can be used to build hybrid authentication systems, making communications more effective in the near future.
5.1.Cryptography Algorithms
RSA Algorithm The RSA algorithm is named due to the initial letters in the last names of these cryptographers who introduced it in 1977, becoming one of the first asymmetric key algorithms and probably one of the most famous to date, as well as the basis for key establishment in integrity mechanisms and confidentiality protocols, which are widely used in communication systems, including not only information technology but also embedded systems and critical infrastructure. Essentially, public key encryption depends on a trapdoor function, a function one could easily perform in one direction, but is very difficult to perform in reverse. The RSA algorithm is based on the difficulty of factoring large numbers that are a result of the multiplication of two prime integers. This makes its classical, in a large and classically confirmable computing environment, asymmetric cryptography vulnerable, which is why 768-bit primes are identified as unread or obsolete, and 1024 bits are certainly not enough, with 2048 keys currently being considered sufficient until 2030.
6. Case Studies and Practical Applications
The European Cyber Infrastructure Protection Cluster has developed a modular and cost-effective approach to zero-trust architecture using a quadruple novation architecture. Named Q-NILM, it provides the quadruple assurances of system operations, data confidentiality, data integrity, and data provenance essential for ZeroTrust Architecture. Q-NILM augments the Isolated Trust Extensibility with an overlay Wireless Sensor Network using incentive capability to deliver both security and monitoring of renewable energy assets. Our simulations demonstrate the efficacy of Q-NILM and the interoperability of its traffic flow in a hyperconnected environment when integrated with legacy installed technologies. The complexity is shown to be for any chosen node. The faster capability is derived from a faster reservation search time, compared to the existing reservation search time.
The innovation and relevance of Q-NILM are the ability to use limited and cheap renewable energy sequestered resources in security assurance for the delivery of renewable energy management information according to the need-to-know basis. The modular components provide flexibility for architectural modularity, especially in the event of a security breach. Q-NILM offers a unique and flexible countermeasure capability that provides current sensing, avoids oversight loops, and generates both data provenance and a ground truth platform to verify the accuracy free from malicious interference. This highly scalable technology has immediate application in the fast shipment and installation of Mobile Energy Solutions Networks. Within it could be used to provide electricity power and air monitoring for remote mini-data centers in the enabling of digital cities.
6.1.Implementation in Critical Infrastructure
Section 6.1. Implementation in Critical Infrastructure
A quantum-resistant solution may be developed using two-factor authentication within a Zero Trust Architecture. To implement two-factor authentication, the ZTA must use a dedicated circuit for authentication data traffic, in conjunction with authenticator software running on trusted authentication hardware. Specifically, for each network session, the authenticator runs proof of authorization checks for each network access point. Zero Trust authenticator checks ensure access point security posture, user account data, and device attestation data. Result verification takes place, and verification results are reported to allow or deny confirmation of the network session. In the case of access, the authenticator notes security posture admission, applies the necessary network trust protocols for the security posture, and dispositions network access. However, in the case of access refusal, the no-access status result could only dictate network disconnect or quarantine network execution.
A simple two-factor virtual private network implementation can be accomplished by configuring transport layer security. The task sequence runs to authenticate remote users. The user must have a valid certificate configured on the client and the enterprise firewall, which allocates the VPN and must also include the client certificate. Upon authenticating both the user and the certificate, the VPN task completes the SSL handshake and enables the client VPN session. However, passwordless secure key routing implementation for two-factor remote-access VPNs is additionally running, and TLS is performed on the network device. The process includes user input; the user must provide the necessary identity information so the network device can perform the necessary user and device security posture integrity and validation functions. Upon successful validation of both the user and machine identity, the device security store runs the network device to authenticate and request identity information from the authenticator. The device security store uses this identity to communicate the network posture to the local device network for proper network execution. Upon successful verification of the device security store of the network device authentication, the user request for access to the network is invoked, and the device security store delivers the network device a secure certificate request token. Finally, successful user, device, and network authentication, as well as a successful certificate token exchange, are all validated. Upon validation, positive network execution instructions are transferred to the key client, establishing secure client-keying and user-session encryption for the client.
7. Challenges and Future Directions
IAM systems with QR features have not been implemented or tested in real zero-trust networks. This section outlines IAM issues in the current quantum computing security discussion and suggests some solution directions. For example, QR solutions secure keys by implementing random operations, such as quantum resistant code-based key validation in asymmetric encryption schemes. Points to address correspond to choosing the right code from the candidate list and knowing when to vet QR solutions. Long-term challenges include designing long-term zero-trust networks. In the zero-trust segmentation model, keynote speakers explained the security and zero-trust deployment challenges and initiatives regarding QR solutions. The list of code-based asymmetric designs was compared in a workshop on quantum-resistant cryptographic solutions. Participants advised using a provably ideal candidate code KEM scheme in the post-quantum cryptography standardization process. The speaker stated their commitment to reverse assumptions of PEKS schemes to round-3 candidates.
QR solutions secure shared secrets in their data plane (authentication/authorization responses/requests). Corresponding security challenges about the KEM scheme, code list, and challenge response effects are repeated. For example, a re-computation mechanism is needed for some schemes, and the diversity result must be evaluated for all QR resources requested by a protocol. Since replacing SHA-256 with a QR/postquantum secure hash algorithm in the scheme has not been done yet, no QR solution has been standardized in the QR token binding process. Concerning session management: whether there may be a use for QR solutions to strengthen repeatability against pattern attacks or to use QR token expiry attributes in some cases. Post-quantum secure instant messaging is in the R&D phase. QKD/R-based networking may be used in a new generation of trusted instant messaging platforms.
7.1. Emerging Threats
Quantum computers threaten the security of much electronic communication and computing infrastructure. Quantum-resistant solutions are being developed, but these solutions are not finished, and half-baked solutions have limitations and high costs. We investigate Quantum Key Distribution, lattice-based cryptography, supersingular isogeny Diffie-Hellman, multivariate quasigroups, code-based cryptography, and hash-based signatures. Quantum Key Distribution was found to mitigate some of the quantum security issues, but it requires longer transmission distances and lossy fibers. It is not suited for non-line-of-sight communication. Lattice-based cryptography is the most robust quantum-resistant option. However, it is computationally intense and slow. Most applications require significant performance improvements. Codebased cryptography is not suited for general digital signature applications. It is only suited for secure systems with specific attributes. Multivariate quasigroups, supersingular isogeny Diffie-Hellman, and Merkle’s scheme have limitations that make them unsuited for general use. Quantum computer technology advances present a real threat to global security. The threat starts when quantum computers are deployed to protect information while classical computers retain the ability to decrypt. The threat will increase over time as the technology evolves until it reaches a level when all encrypted data is readable. The threat from quantum computers is widely documented, but there is little understanding of the impact on specific authentication methods and authorization systems that use those methods. This paper reviews quantum-resistant security methods that are thought to be suitable for providing some level of quantum security for packet authentication in zero-trust systems. The results show that developing quantum-resistant security adds significant complexity and delay. It is also costly to fix security in the future if it is not done properly now. We currently assume that quantum-resistant solutions will be available when required, and it is safe to defer the cost. We recommend that these quantum-resistant solutions be embedded into all current authentication systems now because the cost of waiting is too high, and current systems will become targets for decryption of sensitive information in the not-too-distant future.
8. Conclusion
The general aim of the research is to explore and analyze potential impact in the secure execution of zero trust architecture authentication systems due to classical cryptography’s vulnerability to quantum computing. To discuss the somatic issue linked to difficulty implementing zero-trust authentication within a critical infrastructure environment. This research is concerned with a literature review to explore the development and dissemination of quantum-resistant cryptography. All other aspects of quantum safety including the deployment of quantum-resistant cryptographic components, post-quantum crypto solutions and quantum safety controls, quantum-resistant algorithm testing, and cryptographic agility and quantum safety are still in the nascent stages. This research focused on examining the functionality of zero-trust authentication and how it interacts with critical infrastructure and high reliability systems. The research was interested in the threat of vulnerability of quantum computing might have on zero-trust cryptographic interactions with high reliability systems. The examination in the review was conducted by researching articles within a database. This search provided an analysis of articles focusing on zero trust networks in the sphere of large organizations including government and corporate bodies. The aim of the research was to investigate how zero-trust networks operate as well as explore zero trust implementation within large corporations and government departments and any corresponding weaknesses and threats to the system. The research concentrated on civil infrastructure cyber-security concerns. The need for civil infrastructure resilience needs to be served. This is compounded by society’s growing dependence on information and communication technology systems.
8.1. Key Findings
In this chapter, we reviewed current quantum-resistant solutions for authentication systems in ZTAs for protecting critical infrastructure deployments and identified the technical and non-technical challenges and research gaps in deploying these solutions. The study identified two technical challenges, namely, poor support for modern cryptographic algorithms and the large increase in transmission cost, which are unsolved by the five quantum-resistant authentication solutions in ZTAs under review. Additionally, it identified four non-technical challenges, including the lack of a unified framework and planning to adopt these solutions, the lack of professional infrastructure for the cryptographic protocols, the lack of definitions for key technical terms that would influence the deployment, and the lack of a clear argument to refute the threat of quantum computing. Finally, this chapter identified three research gaps in deploying quantum-resistant solutions, namely, the presence of few vendors, the lack of a verification mechanism, and the lack of public policies to push for these solutions.
In essence, this chapter aimed to provide a critical analysis of authentication approaches that can be integrated into the ZTA quantum-resistant security architecture. The findings were outlined at the early stages to understand the current considerations and to provide a comprehensive breakdown of the key advancements gleaned from the practices and research studies, thus adding to current knowledge.
Accordingly, the main contributions of this study comprised a review of how fundamental factors of quantum computing may impact zero-trust security principles, including the type of authentication system that will be supported by the future ZTAs and its potential challenges and limitations. These points are not emphasized in the existing quantum-resistant research, which instead tends to focus on cryptography.
