The impending arrival of post-quantum cryptography (PQC) is exposing what experts in cryptography already knew: crypto is in everything today. Pretty much everything that connects digitally relies on cryptography and public key infrastructures (PKIs) to deliver digital trust.
Cryptographically relevant quantum computers (CRQCs) are quantum computers powerful enough to threaten traditional asymmetric algorithms like RSA and ECC. The solution is post-quantum cryptography: cryptographic algorithms based on math problems that are carefully chosen to be difficult for even quantum computers to solve. CRQCs need to be much larger and more powerful than the early quantum computers that exist today, but they are coming, and the time has come to prepare to transition to the new algorithms.
The move towards PQC means that all the connected infrastructure we have built over the past few decades is in need of a complicated upgrade. The good news is that we have time, but organizations need to start the process of figuring out what this transition means for them. It’s the breadth and scale of this transition that make it such a struggle to deal with.
That process is in the works, and the United States is also pushing federal agencies along. Last fall, the Office of the National Cyber Director (ONCD) released specific instructions to federal agencies on inventorying their cryptographic systems as they prepare to transition to the era of quantum-resistant cryptography, per the White House’s National Security Memorandum 10. The guidelines instructed agencies on how to inventory their most critical cryptographic systems, with a deadline of May 4, 2023, to submit their list of prioritized inventories of cryptographic systems.
But some agencies may have struggled to meet the deadline. It’s understandable that identifying their cryptographic systems can be a challenging and complex process, and we see this across any type of organization. It goes back to cryptography covering everything today — it poses a real challenge to track things your organization may not even be aware of.
But what about enterprises? While they didn’t have a May 4 deadline, it's equally important for them to identify their crypto assets and manage them proactively. So, for enterprises, federal agencies, and any other organization that deals with cryptographic assets, here is where to start making the PQC transition.
To start, organizations need to inventory all their cryptographic systems, including certificates and algorithms, and prioritize them based on their level of criticality. From there, they can determine what needs to be upgraded or replaced to ensure the security of their systems in the era of quantum-resistant cryptography.
Understanding what crypto assets are within your environment, what algorithms your certificates are using, who issued them, when they expire, the domains they’re protecting, and even what software is being signed with what key: these are just a few of the complexities that need to be addressed. Does your software package or device automatically download updates? Connect to a backend server? Is it associated with a website or portal? Is that website or portal operated by a third party or cloud provider? Since the answer to all those questions is basically yes for pretty much everything these days, you then need to contact all those providers and find out who they rely on. What software packages do they use? What services do they rely on? What backend providers are involved? Repeat ad nauseam.
Identifying your organization's digital footprint can be daunting, but it's essential in today's world of interconnectedness. The answer to how to protect your organization's crypto assets lies in understanding them.
The place to start swapping out encryption algorithms is with the crypto that produces signatures that need to be trusted for a long time: think roots of trust, firmware for long-lived devices and so on. And yes, that means producing inventories of software and devices and where their crypto comes from. As the U.S. National Security Memorandum 10 emphasizes, encrypted data can be recorded now and later decrypted by operators of a future quantum computer, a practice called “harvest now, decrypt later.” Thus, any encryption that will be used long-term is the first priority.
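One way to turn the inventory fields and the prioritization described above into a ranked migration list, as an added example that is not DigiCert's code or tooling. The record layout, the role names, the scoring weights and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Public-key families a CRQC would break; symmetric ciphers and hashes are not ranked here.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH"}
# Assumed weights for long-lived signing roles (illustrative, not from any standard).
ROLE_WEIGHT = {"root-of-trust": 3, "firmware-signing": 3}

@dataclass
class CryptoAsset:
    name: str
    algorithm: str     # e.g. "RSA-4096", "ECDH-P256", "AES-256"
    usage: str         # "signature" or "encryption"
    role: str          # e.g. "root-of-trust", "firmware-signing", "tls-server"
    issuer: str
    trust_until: date  # last day signatures must verify or data must stay secret

def is_quantum_vulnerable(asset: CryptoAsset) -> bool:
    return asset.algorithm.split("-")[0].upper() in QUANTUM_VULNERABLE

def priority(asset: CryptoAsset, today: date) -> int:
    """Higher score = migrate sooner; 0 = not a public-key migration item."""
    if not is_quantum_vulnerable(asset):
        return 0
    years = max(0, (asset.trust_until - today).days // 365)
    score = 1 + min(years, 10) + ROLE_WEIGHT.get(asset.role, 0)
    if asset.usage == "encryption" and years >= 1:
        score += 2  # data recorded today is still sensitive later (harvest now, decrypt later)
    return score

def migration_plan(assets, today):
    scored = [(a.name, priority(a, today)) for a in assets]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)

# Constructed sample inventory; names, issuers and dates are made up for illustration.
SAMPLE = [
    CryptoAsset("www-tls-leaf", "RSA-2048", "signature", "tls-server", "Example Public CA", date(2024, 6, 1)),
    CryptoAsset("firmware-signing-key", "ECDSA-P256", "signature", "firmware-signing", "Example Internal CA", date(2031, 6, 1)),
    CryptoAsset("records-archive-vpn", "ECDH-P256", "encryption", "vpn", "Example Internal CA", date(2033, 6, 1)),
    CryptoAsset("device-root-ca", "RSA-4096", "signature", "root-of-trust", "self-signed", date(2043, 6, 1)),
    CryptoAsset("backup-disk-encryption", "AES-256", "encryption", "storage", "n/a", date(2040, 1, 1)),
]

if __name__ == "__main__":
    for name, score in migration_plan(SAMPLE, date(2023, 6, 1)):
        print(f"{score:>2}  {name}")
```

In practice the records would come from certificate discovery, code-signing logs and vendor questionnaires rather than a hand-written list, and the weights would be tuned to the organization's own criticality ratings.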
NIST selected their final algorithms for PQC standardization last year. But NIST is still working to develop standards and documentation on how to implement, test and deploy these algorithms securely. It could still be two years before these algorithms become commonplace. However, implementors of cryptographic libraries and security software need to start integrating these algorithms into their products now. Additionally, organizations can start exploring how to incorporate the selected PQC algorithms, as there will be some effort required to accommodate them.
If you need help identifying and managing your cryptographic assets, consider working with a trusted provider like DigiCert. For instance, we offer a test hybrid RSA/PQC certificate in our PQC Tool Kit. Contact DigiCert sales to access the tool kit.
In conclusion, while the deadline for federal agencies to submit their inventories of cryptographic systems may have passed, the need for all organizations to identify and manage their crypto assets proactively remains. The transition to quantum-resistant cryptography is a significant undertaking, but by identifying and managing their crypto assets, organizations can lay the foundation for a secure and trusted digital future.