By Timothy Hollebeek, Industry Technology Strategist, DigiCert
The rise of post-quantum cryptography (PQC) is shedding light on the pervasive nature of cryptography in our digital world. Virtually every digital connection relies on cryptographic techniques and public key infrastructures (PKIs) to establish trust. However, the emergence of cryptographically relevant quantum computers (CRQCs) poses a threat to traditional asymmetric algorithms such as RSA and ECC. The solution lies in post-quantum cryptography, which encompasses cryptographic algorithms designed to be resistant to quantum computer attacks.
While CRQCs need to be more powerful and larger than currently available quantum computers, their development is progressing, and organizations must prepare for the eventual transition to post-quantum algorithms. This transition poses a significant challenge, necessitating a complex upgrade of the vast digital infrastructure built over the past few decades. Although organizations have some time to adapt, they need to initiate the process of understanding the implications of this transition.
In the United States, federal agencies have been instructed by the Office of the National Cyber Director (ONCD) to inventory their cryptographic systems in preparation for the shift to quantum-resistant cryptography. The guidelines, outlined in the White House’s National Security Memorandum 10, required agencies to submit their prioritized inventories of cryptographic systems by May 4, 2023. However, meeting this deadline has proven to be challenging for some agencies. The complexity of identifying cryptographic systems is not limited to federal agencies alone; it applies to organizations across all sectors. Cryptography’s ubiquitous presence makes it difficult to track assets that organizations may not even be aware of.
Although not subject to the May deadline, Enterprises must also identify and proactively manage their cryptographic assets. It is crucial for all organizations to follow a structured approach for transitioning to a post-quantum world. Consider the following steps:
Step 1: Inventory
The first step is to inventory all cryptographic systems, including certificates and algorithms, and prioritize them based on their level of criticality. This process entails understanding the crypto assets within an organization’s environment, including the algorithms certificates used, their issuers, expiration dates, the domains they protect, and even the software signed with specific keys. Additionally, organizations must investigate whether their software packages or devices automatically download updates, connect to backend servers, or operate on websites or portals managed by third parties or cloud providers. Establishing these details requires extensive communication with various providers and backend entities.
While identifying an organization’s digital footprint may seem daunting, it is essential in today’s interconnected world. Understanding crypto assets is the key to protecting them effectively.
Step 2: Prioritize
The next step involves prioritizing the replacement of encryption algorithms that generate signatures requiring long-term trust. This includes securing the roots of trust, firmware for long-lived devices, and other critical components. The urgency arises from the fact that encrypted data can be recorded now and decrypted later by operators of future quantum computers, a practice known as “harvest now, decrypt later.” Therefore, any encryption intended for long-term use should be the first priority for replacement.
Step 3: Test
Furthermore, organizations need to explore and test the incorporation of post-quantum cryptography algorithms. The National Institute of Standards and Technology (NIST) has already selected the final algorithms for PQC standardization, but the development of standards, documentation, and secure implementation methods is still underway. It may take up to two years before these algorithms become widespread. However, implementers of cryptographic libraries and security software should start integrating these algorithms into their products now. Organizations can also begin exploring how to incorporate the selected PQC algorithms, as there will be a certain level of effort required to accommodate them.
While the deadline for federal agencies to submit their inventories of cryptographic systems has passed, the need for all organizations to identify and manage their crypto assets proactively remains. The transition to quantum-resistant cryptography is a significant undertaking, but by understanding and managing their crypto assets, organizations can lay the groundwork for a secure and trustworthy digital future.
It is crucial to start the process now and stay informed about the developments in post-quantum cryptography to ensure a smooth transition when the time comes.
About the Author
Timothy Hollebeek is the Industry Technology Strategist at DigiCert. He has more than 20 years of computer security experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He remains heavily involved as DigiCert’s primary representative in multiple industry standards bodies, including the CA/Browser Forum, striving for improved information security practices that work with real-world implementations. A mathematician by trade, Hollebeek spends a lot of time considering security approaches to quantum computing.
Tim can be reached online at (tim.hollebeek@digicert.com) and at our company website http://www.digicert.com/