I was reading this article yesterday about how hackers keep harvesting data so that they can decrypt it in 10 years when quantum computers may be available to do just that.

Me being a Msc student of software engineering I decided to give a shot at a potential solution, so here is my idea on how to tackle the problem.

I believe that there is no possible strong protection against a computer that can perform an insane amount of calculations in a short period of time, so the next best thing that can be done is obfuscation.

Assuming that the storage capacity of cloud services keeps growing and that most sensitive data is not in a media format (like videos or pictures), and assuming perhaps too that in the future there may be such thing as “quantum hard drives” that would allow to store larger amounts of data than it’s possible today in the same physical space, it might be feasible to design a system that stores useless information that would generate such noise that the actual information could be hidden effectively among it.

The concrete steps of the system would be as it follows:

1. Let there be a user X that requires the storage of an input X’ as an attribute associated with X, whenever a new user is created, an arbitrary large number of randomly generated entries (X1′, X2’… Xn’) gets created and associated to the user X
2. Let there be an attribute XKp associated with X’ as a primary key meant to ease finding X’, and let there be an n number of keys also associated to each individual Xn’ known as XKn
3. When a user X inputs X’ for the first time, she could either create XKp as a second password or be given a randomly generated XKp.
4. When the user needs to read X’ she will need to input XKp to retrieve X’.
5. Let’s also assume that in order to input XKp, user X need to authenticate with a good old fashioned system that requests username and password, that his associated information is encrypted and that all of Xn’ are associated to his user account.
6. When a computer decrypts and finds all the information associated with X, X’ should be undistinguishable from any Xn’ and thus X’ is effectively obfuscated and harder to use.
7. For every attribute Z that X wants to input into the database, there should be Zn’ and ZKn where ZKp = XKp

And that’s it, simple.

This method may not always be useful or practical but it may work for things like a credit card number.

How this should look from the point of view of the user?

The user creates an account with a password that is used to encrypt all the data (including XKn, and all ZKn generated), then the user either inputs a second password or receives this second password that will be used to locate her information and after that it’s business as usual.

How would this look from the point of view of a hacker with a quantum computer that has penetrated and decrypted the data?

There is a user X with 100k entries that could be her credit card, the hacker knows that the real number is there but doesn’t know which one is it. If there was a database with 10 users, there there would be 1.000.000 entries that contain 10 real passwords but there is no way to know which one is the real one.

This system has 1 great vulnerability and it is the fact that it also assumes that there is no man in the middle attack performed by a quantum computer that can decrypt information as it is being transmitted.

Ah well, I gave it a shot, a humble student can dream, can’t he?

This site uses Akismet to reduce spam. Learn how your comment data is processed.