<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DigiCert</title>
	<atom:link href="/feed/" rel="self" type="application/rss+xml" />
	<link>/</link>
	<description>SSL Digital Certificate Authority - Encryption &#38; Authentication</description>
	<lastBuildDate>
	Fri, 15 Nov 2019 18:40:24 +0000	</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2017/02/cropped-logo-32x32.png</url>
	<title>DigiCert</title>
	<link>/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Swimming and Healthcare Security—Both Start with Good Mechanics</title>
		<link>/swimming-and-healthcare-security-both-start-with-good-mechanics/</link>
				<pubDate>Fri, 25 Oct 2019 20:49:29 +0000</pubDate>
		<dc:creator><![CDATA[Mike Nelson]]></dc:creator>
				<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">/?p=34677</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/05/healthcare-information-security-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />Swimming Mechanics In the 2016 Rio Olympics, 35-year-old Anthony Ervin captured a gold medal in the 50-meter freestyle, becoming the oldest individual swimming gold medalist. As a swimmer myself, watching Anthony perform so well motivated me to become better at a sport I’ve enjoyed for over 20 years now. So shortly after that, I hired [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/05/healthcare-information-security-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><h3><strong>Swimming Mechanics</strong></h3>
<p>In the 2016 Rio Olympics, 35-year-old Anthony Ervin captured a gold medal in the 50-meter freestyle, becoming the oldest individual swimming gold medalist. As a swimmer myself, watching Anthony perform so well motivated me to become better at a sport I’ve enjoyed for over 20 years now. </p>
<p>So shortly after that, I hired a coach. During our first training session together, I told him I was hoping to become an even better swimmer, despite the experience I already had. He told me to jump in the pool and swim a few laps. </p>
<p>According to my coach, my form was less than ideal and I had a lot of work to do before I was ready for gold. I was a little shocked, considering I’d been doing this for so long, but I listened to his advice and continued training with him. Over the course of a few months, we worked on, among other things, extending my arm further in front of me, bringing my elbow out of the water more and shortening my kicks. The process was slow and challenging, but over time, I started to see improvements.</p>
<p>I learned two things from this experience: first, I’m not cut out to become an Olympic athlete. Second, I realized that having a good mechanical foundation was imperative to my success as a swimmer.</p>
<h3><strong>Security in Healthcare</strong></h3>
<p>Let’s compare this idea to the healthcare industry. Hospitals and clinics around the world use and store patient information, including images such as X-rays, MRIs, and CT scans. This data is created and stored through picture archiving and communication systems (PACS).</p>
<p>Medical device manufacturers that engineer PACS systems are good at building devices, but in recent years we’ve identified a flaw in their mechanics: the devices don’t account for security risks. What makes this so dangerous is the devices are now connected to the internet, causing a significant emerging cyber threat. If these devices are compromised, patient health information could be lost and images and data manipulated, with such devastating consequences as misdiagnosis of symptoms.</p>
<p>Having been swimming for 20 years, I had a set way of doing it. Likewise, many of these device manufacturers have been building devices for decades and have very established processes for doing so—with nonexistent cybersecurity measures in place.  And just as my swimming mechanics needed some work, these processes also need improvement to prevent patient data from being stolen and exposed.</p>
<h3><strong>Securing Picture Archiving and Communication Systems</strong></h3>
<p>Changing the way things are done is hard. However, to ensure that patient data is being protected within healthcare, it is vital that the industry take steps to increase cybersecurity defenses.</p>
<p>Luckily, the National Institute of Standards and Technology (NIST), in partnership with DigiCert and companies including Cisco, Philips, Hyland and Clearwater, has been working to reduce threats within PACS ecosystems. </p>
<p>NIST recently issued a guide made specifically for healthcare delivery organizations to help them implement better cybersecurity practices within PACS ecosystems. DigiCert has been involved in authenticating connections and making sure all actors within PACS ecosystems are trusted. We are proud to be a part of this initiative and ask that organizations review and implement the guide to make our healthcare ecosystem more secure.</p>
<p>When I was training to become a better swimmer, it took months of a concerted effort for me to see significant progress. Likewise, strengthening healthcare cybersecurity will take focused effort, repetition, and practice, working with security professionals. The NIST guide is meant to provide organizations with assistance in this process to make security easier to implement. And though the process might be a little painful, the outcome will be worth it as valuable data and identities will be protected from attacks around the world.</p>
<p>Click <a href="https://www.nccoe.nist.gov/projects/use-cases/health-it/pacs/" target="_blank" rel="noopener noreferrer">here</a> to view the NIST guide.</p>
</span>]]></content:encoded>
										</item>
		<item>
		<title>New IDC Study Shows Growing Use of PKI for Enterprise Security</title>
		<link>/new-idc-study-shows-growing-use-of-pki-for-enterprise-security/</link>
				<pubDate>Fri, 20 Sep 2019 17:21:55 +0000</pubDate>
		<dc:creator><![CDATA[Brian Trzupek]]></dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[PKI]]></category>

		<guid isPermaLink="false">/?p=31383</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/07/shutterstock_636973009-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />DigiCert-sponsored study finds PKI investments improve security and modernize business processes We’ve released new research by IDC showing that the number of businesses using PKI as part of their broader security programs, beyond TLS for websites, has more than doubled in the last decade, to 65% in 2018. The IDC Data Services for Hybrid Cloud [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/07/shutterstock_636973009-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p><i>DigiCert-sponsored study finds PKI investments improve security and modernize business processes</i></p>
<p>We’ve released new research by IDC showing that the number of businesses using <a href="https://www.digicert.com/digicert-pki-platform/" target="_blank" rel="noopener noreferrer"> PKI </a> as part of their broader security programs, beyond <a href="https://www.digicert.com/secure-site-pro-ssl/" target="_blank" rel="noopener noreferrer">TLS for websites, </a> has more than doubled in the last decade, to 65% in 2018. The IDC Data Services for Hybrid Cloud Survey, which includes interviews with more than 400 chief information security officers (CISOs), security architects, IT security and data management specialists in Europe and North America, shows that PKI is increasingly viewed by security leaders as essential in securing digital transformation initiatives across a variety of business use cases. As PKI deployments grow, proper management of digital certificates is critical. IDC research found that the average cost of downtime industrywide is $250,000 per hour, and one unmanaged digital certificate that expires can hurt the bottom line.</p>
<p>“PKI, if properly deployed and managed, is one of the most powerful tools organizations can use to avoid costly and reputation-damaging data breaches,” states Rob Westervelt, Research Director, Security Products at IDC. “Our research found a growing number of organizations are revisiting their encryption and key management strategy to gain situational awareness, and in turn bolster their security postures.”</p>
<p>According to the study, today’s business processes can be supported by PKI to increase automation, reduce friction, and streamline the processing of digital information and electronic transactions. Security teams use PKI as an essential element in addressing new data privacy and data security regulations. PKI serves as an enabler of new business projects designed to improve customer satisfaction by allowing customers to securely conduct sensitive transactions from the comfort of their homes.</p>
<p>The growing use of cloud services is increasing attack surfaces and allowing hackers to seize on weaknesses associated with IT infrastructure complexity and configuration issues. In addition to reputation damage, direct costs and regulatory sanctions, cyberattacks can result in unplanned downtime, loss of competitive trade secrets and permanent data loss. Among those surveyed, 37% called the complexity of security solutions one of the top three greatest threats their organization is facing in the next two years. CISOs agree, however, that streamlined PKI implementations minimize complexity and that managed PKI services can reduce overhead and costs, freeing up security teams to work on other pressing matters.</p>
<p>Here at DigiCert, we understand the importance of PKI for scalable security within enterprises and are continually working to simplify certificate management for our customers through automation and other features that eliminate the pain points and potential for error.</p>
<h3><strong>Organizations count on PKI for reliable operations and to protect sensitive data</strong></h3>
<p>PKI is the backbone for many organizations that value cybersecurity resiliency, enabling them to automate the process of enforcing data security policies and procedures using digital certificates and public-key encryption. PKI establishes validated and trusted connections between systems while providing unhindered user access to sensitive resources. DigiCert has built a robust PKI platform to help organizations secure all of their connection points and data traversing their networks with scalable digital certificate deployment and management.</p>
<p>Organizations reported using digital certificates and PKI to support a variety of functions, including:</p>
<ul style="list-style-type: disc;">
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;"><a href="https://www.digicert.com/device-security-solutions/" target="_blank" rel="noopener noreferrer"> Secure BYOD: </a>Supporting unmanaged BYOD initiatives and maintaining secure access to enterprise resources, without sacrificing the mobile user experience
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Secure Authentication: Strongly authenticating individuals to applications containing sensitive information
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Secure Remote Access: Strongly authenticating employees and partners to a wireless network or VPN for secure access to CertCentral.
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;"><a href="https://www.digicert.com/email-security-solutions/" target="_blank" rel="noopener noreferrer"> Secure Email: </a>Enabling end-users and partners to send encrypted and digitally-signed emails across all corporate devices
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;"><a href="https://www.digicert.com/document-security-solutions/" target="_blank" rel="noopener noreferrer"> Document Signing Integrity: </a>Validating the integrity and authenticity of digital signatures on critical documents
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;"><a href="https://www.digicert.com/document-security-solutions/" target="_blank" rel="noopener noreferrer"> Secure IoT Devices: </a>Providing device identity and establishing root-of-trust, and maintaining the integrity of software and firmware on sensitive IoT devices
</ul>
<h3><strong>CISO interviews reveal what’s driving increasing PKI investments</strong></h3>
<p><strong>A manufacturer’s email</strong> and file transfer systems were particularly vulnerable, which resulted in a ransomware attack. In response, the company implemented two-factor authentication and client certificates to eliminate weak passwords and validate the identity of their email accounts.</p>
<p><strong>A regional bank </strong> relied on PKI to support mobile users for smart card authentication. Facing challenges associated with fragmentation, the bank outsourced its PKI and now has a streamlined certificate lifecycle management for its 40 branches.</p>
<p><strong>A technology manufacturer</strong> looking to lock down access to critical resources chose PKI to support its device identity, VPN access and zero-trust environment.</p>
<p><strong>A payment processor</strong> in Europe secures tens of thousands of point-of-sale system devices using a managed PKI service that enables trusted, third-party, mutual authentication of devices to networks. They also leverage PKI to securely rotate certificates.</p>
<p>For more on these use cases and additional findings from the IDC White Paper, sponsored by DigiCert Inc., PKI Investments Help Organizations Improve Security and Modernize Business Processes, Study Finds, August 2019, <a href="https://updates.digicert.com/pki-idc-study?toc=7010z000000ydtZAAQ/" target="_blank" rel="noopener noreferrer"> click here.</a></p>
</span>]]></content:encoded>
										</item>
		<item>
		<title>DigiCert on Quantum 4: NIST Second PQC Standardization Conference</title>
		<link>/blog-digicert-on-quantum-4-nist-second-pqc-conference/</link>
				<pubDate>Fri, 20 Sep 2019 14:43:15 +0000</pubDate>
		<dc:creator><![CDATA[Timothy Hollebeek]]></dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[PKI]]></category>

		<guid isPermaLink="false">/?p=31384</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/07/shutterstock_636973009-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />DigiCert on Quantum 4: NIST Second PQC Standardization Conference In the last article, we discussed how to figure out when to start switching to post-quantum algorithms. In the next few articles, we will discuss the available post-quantum techniques and how to transition to them. The first step is discussing cryptographic primitives. These are the low-level [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/07/shutterstock_636973009-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><h3>DigiCert on Quantum 4: NIST Second PQC Standardization Conference</h3>
<p>In the last article, we discussed how to figure out when to start switching to <a href="https://docs.digicert.com/certificate-tools/post-quantum-cryptography/" target="_blank" rel="noopener noreferrer">post-quantum algorithms.</a> In the next few articles, we will discuss the available post-quantum techniques and how to transition to them. The first step is discussing cryptographic primitives. These are the low-level building blocks that form the basis for secure algorithms and protocols. Traditional cryptography uses <a href="https://www.digicert.com/ssl-cryptography.htm" target="_blank" rel="noopener noreferrer">asymmetric algorithms</a> like RSA and <a href="https://www.digicert.com/ecc.htm" target="_blank" rel="noopener noreferrer">ECC</a> as the basis for key agreement, digital signatures, and authentication. As we&#8217;ve discussed, these cryptographic primitives are vulnerable to compromise by future quantum computers.</p>
<p>The process for selecting new quantum-safe cryptographic primitives is being led by the United States National Institute of Standards and Technology (NIST). Cryptographers from all over the world have collaborated in teams and have contributed various candidate algorithms for consideration. The process has been underway for about two years now and is expected to take about three more years to complete. As part of this effort, NIST recently hosted their Second PQC Standardization Conference in Santa Barbara, Calif., with over 250 cryptography experts in attendance.</p>
<p>The process started with 69 candidate algorithms, and 26 algorithms still remain in the competition. Some algorithms were withdrawn due to security concerns and findings, while others were determined to be inferior to other similar algorithms that remain in the competition. Some teams even chose to merge and submit new candidates that had the best aspects of their original independent submissions. NIST is still open to future mergers and intends to select multiple algorithms at the end of the process, instead of a single winner. This is because none of the candidates are drop-in replacements for RSA and ECC. The algorithms contain various trade-offs between key generation time, key sizes, signing speed, and signature sizes, and it is unlikely that one single algorithm is best for all possible use cases. </p>
<p>The selection process is divided up into multiple rounds. During Round I, the primary focus was whether the algorithms delivered the security properties that they claimed to deliver. That is still important in Round II, but in this round, the performance of each algorithm plays a larger role. Round II will last 12-18 months, possibly followed by a third round. The results of Round I were published in NIST IR 8240.</p>
<p>The Round II candidates are distributed as follows:</p>
<table class="wp-table">
<tr>
<th>Category</th>
<th>Signatures</th>
<th> Key Exchange / Encryption</th>
</tr>
<tr>
<td>Lattice-based</td>
<td>3</td>
<td>9</td>
</tr>
<tr>
<td>Code-based</td>
<td>0</td>
<td>7</td>
</tr>
<tr>
<td>Multi-variate</td>
<td>4</td>
<td>0</td>
</tr>
<tr>
<td>Symmetric-based</td>
<td>2</td>
<td>0</td>
</tr>
<tr>
<td>Other</td>
<td>0</td>
<td>1</td>
</tr>
</table>
<h3>Distribution of NIST Round II Candidates</h3>
<p>&#8220;Signatures&#8221; and &#8220;Key Exchange / Encryption&#8221; are the two main use cases for asymmetric quantum-safe algorithms. The primitives are based on different hard mathematical problems than traditional cryptography. These hard problems are carefully selected to be hard both for quantum computers and traditional computers. If the attacker cannot solve the problem, they cannot break the cryptosystem.</p>
<p>Here is a very brief summary of each category:</p>
<p><b>Lattice-based cryptography:</b> A lattice is a mathematical term for an infinite, n-dimensional grid formed from integral linear combinations of vectors of different lengths and directions. The hard problem is typically finding the shortest non-zero vector in a given lattice. This is difficult to do without trying all possible combinations of the basis vectors.</p>
<p><b>Code-based cryptography:</b> These algorithms are based on error-correcting codes. An efficient error-correcting code is then hidden within a significantly larger code, which is made public. The hard problem is that it is difficult to find the small code within the larger code.</p>
<p><b>Multi-variate cryptography:</b> The algorithms are based on solving systems of simultaneous nonlinear polynomial equations over finite fields. These are basically large versions of the same problems that are studied in introductory algebra. Solving this hard problem, in general, is known to be NP-hard.</p>
<p><b>Symmetric-based cryptography:</b> These are based on ideas like zero-knowledge proofs based on traditional symmetric cryptographic algorithms, which are quantum-safe with large enough keys. There are security proofs that show that if the underlying symmetric algorithm is secure, then the asymmetric algorithm based on it is secure. Decrypting classical symmetric algorithms is known to be a hard problem even for quantum computers.</p>
<p><b>Other:</b> One candidate is based on supersingular isogenies, which is a very new asymmetric cryptographic technique based on abstract mathematical structures related to elliptic curves.</p>
<p>There is one additional category called hash-based signatures, which are not part of the competition because they are being standardized separately. Their security rests on classical hash algorithms, which are also known to still be secure against quantum computers. They have some advantages and disadvantages which we will cover in a future article &#8211; the main advantage being that they are well understood and can be deployed now. NIST is planning to publish a standard for their use by the end of 2019.</p>
<p>The meeting also included an industry panel that expressed widespread support for hybrid cryptography, both now and in the future. That or a similar technique is required to support the transition between algorithms and avoids having a single point of failure that could potentially endanger cryptography again in the future. We&#8217;ll discuss hybrid cryptography in the next article in the series.</p>
<p>Still navigating post-quantum cryptography and wanting to learn more or try it for yourself? <a href="https://www.digicert.com/secure-site-pro-ssl/#PQC-Toolkit" target="_blank" rel="noopener noreferrer"> Visit here to learn more.</a></p>
</span>]]></content:encoded>
										</item>
		<item>
		<title>DigiCert Announces Post-Quantum Computing Test Kit</title>
		<link>/digicert-announces-post-quantum-computing-test-kit/</link>
				<pubDate>Thu, 05 Sep 2019 14:59:26 +0000</pubDate>
		<dc:creator><![CDATA[Timothy Hollebeek]]></dc:creator>
				<category><![CDATA[Post-Quantum Cryptography]]></category>

		<guid isPermaLink="false">/?p=30431</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/10/shutterstock_311454602-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />Throughout the year, we have been blogging about the quantum computing revolution that is just over the horizon, and its implications for security and cryptography. It’s too early to predict when it will be possible to build a scalable quantum computer, but the latest research from the National Academy of Sciences makes it clear that [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/10/shutterstock_311454602-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>Throughout the year, we have been blogging about the <a href="https://www.digicert.com/blog/digicert-on-quantum-national-academy-of-sciences-report/" target="_blank" rel="noopener noreferrer">quantum computing revolution</a> that is just over the horizon, and its implications for security and cryptography. It’s too early to predict when it will be possible to build a scalable quantum computer, but the <a href="https://www.nap.edu/login.php?record_id=25196" target="_blank" rel="noopener noreferrer">latest research</a> from the National Academy of Sciences makes it clear that the time to start transitioning to a quantum-safe future is now. Although RSA and ECC algorithms remain safe for the moment, the National Academy states that a powerful quantum computer could break even a sophisticated 2048-bit RSA key in just a few months. One thing is certain: it will take substantial time to develop, standardize and deploy post-quantum cryptographic techniques.</p>
<h3>Test kit provides a head start on a post-quantum world</h3>
<p>Fortunately, industry standards groups are actively preparing for a post-quantum future. DigiCert is playing a major part in several initiatives, including the NIST post-quantum cryptography project. To help organizations take advantage of our R&#038;D efforts, DigiCert has introduced a kit designed to allow customers to start testing a PQC algorithm in their network today.<br />
This PQC test kit is designed for technical users who want to try out the process of installing the hybrid RSA/PQC certificate (TLS or IoT). We believe the kit will be useful for PKI architects and technical solution designers across a variety of industries and use cases, including financial services; government agencies; manufacturers; utilities providers, such as smart meters; and anyone making strategic security or design decisions.  </p>
<p>The test kit was built for experimentation and hands-on research to help customers test and learn more about the technology. It includes a link to documentation that describes how users can set up a Linux box and run all the appropriate commands to generate post-quantum certificates. These hybrid certificates contain the backwards-compatible RSA/ECC keys, as well as future compatible post-quantum keys using the CRYSTALS-Dilithium algorithm. </p>
<p>The certificates are also compliant with today’s cryptography and have within them the ability to support tomorrow’s cryptography as well. Although final standards have not yet been adopted, experimenting with hybrid post-quantum certificates can enable organizations to take a first step toward understanding the security challenges of a post-quantum world, as they begin building a bridge to the future. DigiCert firmly believes that user feedback is key to developing the next generation of cryptographic tools, and we are encouraging users to share feedback about what they have learned, what’s most interesting to them and what challenges remain. </p>
<h3>The time to act is now</h3>
<p>When should an organization start transitioning to quantum-safe algorithms? As we discussed in our <a href="https://www.digicert.com/blog/digicert-on-quantum-3-when-to-transition-to-quantum-safe-algorithms/" target="_blank" rel="noopener noreferrer">last article</a> in this series, the answer will be different for every organization, and even for every system that uses encryption. Utilizing tools such as the Mosca equation, organizations can gain insight into the best time to begin developing a transition plan for their organization. Whether you’re planning to explore quantum-safe algorithms right away or as a future initiative, DigiCert can provide the expertise and support you need to meet your specific business needs.</p>
<p>If you’d like to learn more about how to acquire the PQC test kit, contact <a href="https://www.digicert.com/secure-site-pro-ssl/#PQC-Toolkit" target="_blank" rel="noopener noreferrer">DigiCert sales</a>, as the kit will be available as a zip file download from <a href="https://resources.digicert.com/certcentral" target="_blank" rel="noopener noreferrer">CertCentral</a>. The test kits will include instructions on how to correctly build a Post Quantum capable version of OpenSSL (popular SSL/TLS library) and Apache (web server) on a Linux server or workstation and use those programs to run various tests.</p>
</span>]]></content:encoded>
										</item>
		<item>
		<title>APWG Phishing Report: SaaS and Webmail Phishing Surpasses Financial Services</title>
		<link>/apwg-report-reveals-saas-webmail-phishing-surpasses-financial-services/</link>
				<pubDate>Thu, 22 Aug 2019 12:00:15 +0000</pubDate>
		<dc:creator><![CDATA[Dean Coclin]]></dc:creator>
				<category><![CDATA[PKI]]></category>

		<guid isPermaLink="false">/?p=29930</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2015/02/shutterstock_664639321-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />The Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, 1st Quarter 2019, shows that, for the first time, phishing of Software-as-a-Service (SaaS) and webmail has surpassed phishing of payment services. SaaS and webmail were the most-targeted sector for phishing in Q1 2019, suffering 36 percent of phishing attacks (compared to 27 percent for payment services). [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2015/02/shutterstock_664639321-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>The Anti-Phishing Working Group’s (APWG) <a href="https://docs.apwg.org/reports/apwg_trends_report_q1_2019.pdf" target="_blank" rel="noopener noreferrer">Phishing Activity Trends Report, 1st Quarter 2019</a>, shows that, for the first time, phishing of Software-as-a-Service (SaaS) and webmail has surpassed phishing of payment services. SaaS and webmail were the most-targeted sector for phishing in Q1 2019, suffering 36 percent of phishing attacks (compared to 27 percent for payment services). </p>
<p>Phishing is a common cybersecurity attack method for stealing user credentials and corporate data through deception-based emails sent by hackers. Cybercriminals use emails to impersonate legitimate businesses and lure users to counterfeit websites. </p>
<p>Phishing attacks make it clear that usernames and passwords alone are not protecting companies. What are needed are stronger authentication methods.</p>
<h3>Cybercriminals always take the path of least resistance</h3>
<p>Hackers, by their very nature, are opportunistic. They target the businesses that are the easiest to breach. Financial institutions have become more security-savvy and have invested in safeguarding their systems. Therefore, as shown by the APWG report, hackers are moving on to the greener pastures of SaaS and webmail services. </p>
<p>The weak links in the chain of security between cloud services and users are the enterprises that use their services. There are two primary reasons for this. First, <a href="https://www.techrepublic.com/article/corporate-users-challenged-to-identify-phishing-attacks-and-other-security-threats/" target="_blank" rel="noopener noreferrer">corporate users are often unaware of the signs of a phishing attack</a>. Second, logging in to online services with only a username and password makes users an easy target. Companies that use strong, two-factor authentication methods, such as certificate-based tokens or chip cards, can better protect their users and confidential corporate information.</p>
<h3>Best practices are key to protecting against cyberattacks</h3>
<p>As a preventative measure, SaaS and webmail service providers should provide strong certificate-based authentication and encryption. If an SaaS provider does not offer such measures, companies can integrate a <a href="/digicert-pki-platform/" target="_blank" rel="noopener noreferrer">PKI platform</a>, certificate-based chip card technology or time-based tokens into the online application service. </p>
<p>To validate user identity and secure communications, companies should enforce authentication and end-to-end encryption throughout their networks and reinforce all their connection points with certificates. This can be done by implementing a PKI platform to issue and manage <a href="/secure-site-pro-ssl/" target="_blank" rel="noopener noreferrer">digital certificates</a>. Depending on the platform, the entire process of creating, managing, distributing, using, storing and revoking digital certificates, as well as managing public-key encryption, can be completely automated. </p>
<p>In addition to providing certificate-based authentication, companies and users must become more knowledgeable about identifying phishing attempts and trustworthy websites.  When receiving new e-mails with links, users should hover over the link and look at the destination URL to make sure it’s what they expect. If they click on the link without first checking, they could be subjected to malware dished out by the website. When there, users should check for the lock icon in the browser address bar, which indicates an encrypted connection. Users can <a href="/blog/tls-ssl-certificates-and-website-identity-n/" target="_blank" rel="noopener noreferrer">quickly determine the authenticity of the website</a> by clicking on the lock icon to identify the issuing Certificate Authority (CA) and the company to which the certificate was issued. </p>
<p>Another practice gaining popularity is <a href="https://www.prnewswire.com/news-releases/google-joins-authindicators-working-group-and-commits-to-bimi-pilot-300890074.html" target="_blank" rel="noopener noreferrer">Brand Indicators for Message Identification (BIMI)</a>.  This industry-wide standard uses brand logos as indicators to help people avoid fraudulent email. Many email technology companies, such as Google, have announced intentions to pilot the use of BIMI to enable email inboxes like Gmail to display logos beside authenticated email.</p>
<h3>Deploying certificate-based authentication</h3>
<p>Strong authentication can address many common security risks. Secure authentication includes user authentication for the device, access to the SaaS portal, and access to the SaaS web link. A scalable and easy-to-use digital certificate management platform eases certificate management and helps companies strengthen authentication for web-connected systems at scale. Proper investments in user education and scalable technology that reduces user interaction in authentication will help businesses combat the effects of phishing attacks.</p>
</span>]]></content:encoded>
										</item>
		<item>
		<title>Controlling IoT Authentication Opportunities in the Automotive Industry</title>
		<link>/controlling-iot-authentication-opportunities-in-the-automotive-industry/</link>
				<pubDate>Thu, 15 Aug 2019 19:12:33 +0000</pubDate>
		<dc:creator><![CDATA[Mike Ahmadi]]></dc:creator>
				<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">/?p=29850</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/11/shutterstock_357431555-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />I was recently made aware of an article where some security researchers attempted to attack and exploit security vulnerabilities in vehicles through the use of tools and applications designed to access and utilize information on the vehicle network. What struck me as interesting about this article is that there seems to be no end to [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/11/shutterstock_357431555-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>I was recently made aware of an article where some security researchers attempted to attack and exploit security vulnerabilities in vehicles through the use of tools and applications designed to access and utilize information on the vehicle network. What struck me as interesting about this article is that there seems to be no end to the level of creativity someone will apply to misusing a system. Moreover, it was also apparent that controlling access to the vehicle network makes it more difficult to exploit. </p>
<p>This is really no surprise to the security world. Access control and authentication are indeed solid pillars of any good security implementation. Failures in access control and authentication arguably account for the vast majority of security failures globally. I would go so far as to say, from my personal observation, that we can probably manage at least 80% of security issues through such measures. </p>
<p>So why is this potentially problematic in the automotive industry? Simply put, it is because of legacy technologies combined with challenges in cooperative collaboration. </p>
<p>Vehicle networks have evolved over the last several decades from simple communications within a vehicle using a technology known as CAN Bus (Controller Area Network). This is an effective and robust technology that has been battle tested for years and allows for rapid and reliable communication between devices found in a vehicle. The problem with CAN Bus, however, is that it was not designed with secure communications in mind, and attempts to add secure certificate-based authentication to CAN Bus devices have not been very successful. </p>
<p>This has not deterred the technology industry, where manufacturers of microcontrollers used in vehicles have risen to the challenge and created various secure and robust solutions that can augment or entirely replace the traditional CAN Bus. Where the challenge manifests itself is in getting the entire automotive industry to agree on an interoperable and ubiquitous solution. CAN Bus just works, and everyone who makes parts that communicate in a vehicle network knows how it works and how to keep making it work. We as consumers of vehicles demand reliability, so automotive manufacturers are loath to mess with their winning formula. </p>
<p>Yet we are talking about being inside the vehicle network. What has happened in the last decade or so is connecting the vehicle internal network with the outside world. This has allowed a world of digital diseases to work their way into the vehicle, and as vehicles continue to connect to the outside world, it will only become more challenging to keep things secure. This is, however, where we can easily apply tried and true secure certificate-based authentication methods, based on PKI, and limit access to vehicle networks. </p>
<p>The challenge here, however, is that unlike the well-established methods that are deployed in enterprise and global networks, there are currently no consistent and standardized methods the automotive industry has agreed upon for how such systems are to be implemented and managed. This means that if an automotive manufacturer implements trusted authentication in their global vehicle network, there is a high likelihood that anything outside of the control of the vehicle manufacturer will be unable to communicate with their vehicles. </p>
<p>This becomes a major issue for car repair facilities, who rely on diagnostic equipment that must communicate with the vehicle to facilitate proper repairs. In essence it means that every repair facility would need diagnostic equipment specific to each manufacturer, and that is only if the manufacturer is cooperative. While the automotive community has engaged with the diagnostic community in forging some secure certificate-based authentication standards, there is still no finalized and global agreement about how this will be implemented or managed. </p>
<p>DigiCert is fully committed to working with the automotive industry to help standardize and implement trusted authentication. While changing the way such a large industry does things is always challenging, the effort to build a secure digital world is a commitment worth pursuing. </p>
</span>]]></content:encoded>
										</item>
		<item>
		<title>New CA/B Forum Proposal to Shorten Certificate Lifetimes: Will It Improve Security?</title>
		<link>/how-reduced-tls-ssl-certificate-lifetimes-to-one-year-would-affect-you/</link>
				<pubDate>Mon, 12 Aug 2019 17:24:59 +0000</pubDate>
		<dc:creator><![CDATA[Timothy Hollebeek]]></dc:creator>
				<category><![CDATA[CA/Browser Forum]]></category>
		<category><![CDATA[HTTPS]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">/?p=29802</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2018/07/shutterstock_213748822-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />A new CA/Browser Forum proposal being discussed now would shorten maximum certificate lifetimes to 13 months. This comes after lifetimes were reduced from 39 to 27 months, effective March 2018. If passed, these changes would go into effect in March 2020. This blog analyzes the merits of this proposal and how the proposed security benefit [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2018/07/shutterstock_213748822-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>A new CA/Browser Forum proposal being discussed now would shorten maximum certificate lifetimes to 13 months. This comes after lifetimes were reduced from 39 to 27 months, effective March 2018. If passed, these changes would go into effect in March 2020. This blog analyzes the merits of this proposal and how the proposed security benefit compares with the impact on certificate users. </p>
<h3>Are One-Year Certificates More Secure?</h3>
<p>For many years, certificates that protected websites had a maximum lifetime of three years. These certificates were only issued after carefully vetting all the information that was contained in the certificate and could be revoked if the information was no longer valid.</p>
<p>There was a previous attempt to reduce certificate lifetimes to one year, back in early 2017, which was rejected by the CA/B Forum. Now, the same proposal is being made again. What is behind these proposals, and do they do anything to increase the security of digital certificates?</p>
<h3>Protecting Internet Traffic</h3>
<p>On the modern internet, digital certificates are essential for protecting traffic to and from websites, including the highest value ones. These communications may include all sorts of sensitive information, including payment information, passwords, protected health information, trade secrets and other work-related confidential information. These websites must protect the three pillars of information security: confidentiality, integrity and availability. All communications need to be encrypted, with no possibility to modify them, and no downtime.</p>
<p>To guarantee this, the maintainers of such websites have strict controls about when and how their servers can be modified, and what software can run on their servers. In many cases, especially in the financial and healthcare industries, there are strict audit and compliance requirements that govern these change management procedures.</p>
<p>Moving to shorter certificate lifetimes, especially below one year, as has been suggested might be coming in the near future, has significant costs. Each change must be carefully tested to make sure it has been made correctly and does not negatively impact the security of the system. Making such changes in an automated way is attractive, but significantly increases the complexity of such systems, and increases the attack surface by introducing new software agents on critical systems. Even worse, those software agents connect to the internet and download certificates directly onto highly trusted systems. Significant care needs to be taken to make sure this does not adversely impact the security of the system.</p>
<p>We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation, to test their systems and to prepare for these changes. The primary point is that any benefit of reducing certificate lifetimes is theoretical, while the risks and costs to make the changes, especially in a short period of time, are real.</p>
<h3>Proposed Security Benefits</h3>
<p>So what is the proposed security benefit that justifies this cost?  It is far from clear that there is any at all. This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates.</p>
<p>Another benefit that is sometimes suggested is that shorter lifetime certificates allow quicker transitions when the compliance rules change. Two-year certificate lifetimes mean that certificates that are issued today will still be around two years from now. But isn’t it the responsibility of those managing the certificate ecosystem to come up with compliance rules that can endure for at least that long?  Constantly changing the rules for certificate issuance with little lead time does not give those who deploy or rely upon certificates adequate time to become aware of the changes, analyze them and determine the impact on their systems, and make adequate preparations to update their systems responsibly, including complying with all the other regulatory requirements.</p>
<p>It is also important to note that this change applies to all companies, regardless of their situation, on a relatively short timeline. These sorts of short-term mandates run the risk of diverting resources from other, more critical security improvements that are underway at many companies.</p>
<h3>The Bottom Line</h3>
<p>Rapidly reducing certificate lifetimes to one year, or even less, has significant costs to many companies which rely on digital certificates to protect their systems. These costs are not offset by any significant security improvement, and these changes have no impact on bad actors who are engaged in illegal activity or impersonating legitimate companies. These changes make it significantly more difficult for many companies to protect their internet traffic and customers, with no benefit, and therefore DigiCert has no choice but to oppose these changes.</p>
</span>]]></content:encoded>
										</item>
		<item>
		<title>How to Improve your Organization&#8217;s Crypto-Agility</title>
		<link>/how-to-improve-your-crypto-agility/</link>
				<pubDate>Mon, 29 Jul 2019 12:00:56 +0000</pubDate>
		<dc:creator><![CDATA[Timothy Hollebeek]]></dc:creator>
				<category><![CDATA[Crypto-Agility]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">/?p=29240</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2015/10/shutterstock_363989888-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />As the sheer number of connected devices continues to rise and technology continues to develop toward a future full of quantum computers, securing devices/applications and becoming “crypto agile” is fundamental to an organization’s effort to become and stay secure, today and in the future. Read on to discover how to improve your organization’s crypto-agility. A [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2015/10/shutterstock_363989888-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><h3>As the sheer number of connected devices continues to rise and technology continues to develop toward a future full of quantum computers, securing devices/applications and becoming “crypto agile” is fundamental to an organization’s effort to become and stay secure, today and in the future. Read on to discover how to improve your organization’s crypto-agility.</h3>
<p>A common enterprise goal is to improve business agility. The ability to quickly adapt to market changes gives an organization a competitive advantage and can also prevent unnecessary losses. Information is an organization’s lifeblood, and the information security department is responsible for establishing and maintaining secure connections between IT systems and all external devices. As a best practice, encryption should always be used between diverse systems that have to interoperate. Your organization should require encrypted links to protect the information in transit, whether it is destined for internal or external systems. As the number of connected devices grows, becoming “crypto agile” is a key component of an organization’s business agility.</p>
<p><strong>Poor visibility limits agility</strong></p>
<p>A common issue most security professionals face is not having a full understanding of where crypto is being used throughout the IT infrastructure. Maintaining a software inventory is something security professionals are familiar with, and they need to develop the same insight into all connected devices. </p>
<p>Among the most common crypto in use today are TLS/SSL certificates, which are used to establish secure connections between browsers, servers and an ever-expanding number of devices and applications.  </p>
<p>TLS uses both asymmetric and symmetric encryption via a Public Key Infrastructure (PKI), which is the set of hardware, software, people, policies and procedures that are needed to create, manage, distribute, use, store and revoke digital certificates. PKI is also what binds keys with user identities by means of a Certificate Authority (CA). PKI benefits from using both types of encryption. For example, in TLS communications, the server’s TLS certificate contains an asymmetric public and private key pair. The session key that the server and the browser create during the TLS handshake is symmetric.</p>
<p><strong>What crypto-agility is and is not</strong></p>
<p>Crypto-agility involves knowing everywhere that crypto is being used in your organization (e.g. protocols, libraries, algorithms, certificates, etc.), knowing how it is being used and having the ability to quickly identify issues and remediate them. True crypto-agility allows you to seamlessly replace outdated crypto as necessary via automation.</p>
<p>Crypto-agility is not just the ability to use different algorithms for critical functions (e.g., hashing, signing, encrypting, etc.), nor is it the ability to choose which algorithm (e.g. SHA-1 or SHA-256) to use for a particular function.</p>
<p>SHA-2, the successor to SHA-1, contains the same cryptographic weakness (although its increased length offers better protection against breaking). Still, SHA-3 is the recommended replacement for SHA-1 and SHA-2, but the problem is that almost no hardware or software products support it yet.<br />
Simply trying to get the supported algorithms into place everywhere they need to be can be a tall order, and that makes striving to achieve crypto-agility more difficult. Most crypto transitions happen at internet scale, and transitioning off of one crypto algorithm to a new one requires working with all of your vendors.</p>
<p>Crypto-agility best practices include the following:</p>
<ul style="list-style-type: disc;">
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Establish and communicate clear policies</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Inventory all crypto assets</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Identify crypto vulnerabilities (internal to your org and with vendors)</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Have the ability to test new cryptographic algorithms</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Have the ability to replace vulnerable keys and certs quickly</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Maintain ownership information</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Automate management</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Automate replacement tracking</li>
</ul>
<p>The first step in establishing crypto-agility within your organization is to create and clearly communicate policies around TLS best practices (for information on TLS best practices reach out to your DigiCert rep). After policies are established, the next step is the inventorying of all crypto assets, which can be accomplished through the use of a modern certificate management platform with a comprehensive discovery feature (see CertCentral for more information on certificate discovery).  Once the inventory is complete and you have visibility and control of all your organization&#8217;s crypto assets, you will have the flexibility to start testing new algorithms as they become available and/or replace vulnerable keys, without the concern of leaving your organization unsecured or breaking critical processes. </p>
<p>As you achieve visibility and control and can freely swap crypto at your choosing, your next focus point is on maintaining crypto-agility. You will want to make sure the correct people or departments retain ownership of their respective crypto-assets and that automation of crypto-assets like TLS certificates is being used whenever possible to make sure replacement and tracking are being completed even when everyone is away. </p>
<p>Achieving crypto-agility requires that all your hardware vendors also can update their devices in a timely manner. How security conscious a hardware vendor is can play a role in helping organizations retain crypto-agility. If you have a vendor with a history of being slow to roll out security updates, that creates a risk. If you work with vendors that provide regular updates, disclose what crypto they’re using and support the latest algorithms, you minimize risk and improve your crypto-agility level. That will enable your organization to more quickly respond to a large crypto threat and mitigate any potential damage. </p>
<p>Your vendors (example: IT hardware/software providers), business partners and third-party service providers need to be able to provide you with information on how they will support your plan. Make it your policy to work with vendors who use the best current cryptography and add support for modern standards and improved algorithms within a reasonable timeframe. Software and firmware need to be upgradable in a reasonable timeframe, and with a reasonable amount of effort. This will enable you to quickly replace anything from previous crypto eras that leaves your organization open to security vulnerabilities. This policy should also be taken with remote software updates, but if you have taken steps to maintain visibility and control and to automate your crypto-assets, you should not be negatively affected.</p>
<p>Finally, you need to start at least thinking about the transformation of your IT infrastructure that quantum computing will drive in the not-too-distant future. Quantum computing will enable computers and IoT devices to run calculations much faster than what is possible today. It promises to fundamentally change the way we approach everything, from researching cures for cancer to alleviating traffic in urban centers. But realizing those visions requires overcoming the new IoT security challenges quantum computing will create.</p>
<p>Today, connected devices rely on RSA or ECC cryptography to protect the confidentiality, integrity and authenticity of electronic communications. Web browsers also use RSA and ECC signature verification to establish a secure connection over the internet or validate digital signatures. However, NIST and other security industry watchdogs predict that within a decade, large-scale quantum computing will break RSA public-key cryptography.</p>
<p>The benefits and risks quantum computing presents will affect virtually every industry, including financial services, healthcare, energy and manufacturing. The realization of quantum computing-driven IT systems may still be at least five to 10 years down the road, but it’s something to consider now as you work to improve your crypto-agility levels today and tomorrow.</p>
<p>Closing thoughts to consider: </p>
<ul style="list-style-type: disc;">
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Cryptography that can protect remote software update (hash-based signatures) exists today and should be deployed.</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">This will allow software to be updated to NIST-approved post-quantum algorithms when they are available.</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">The technologies that are available today not only provide the ability to upgrade to post-quantum algorithms in the future, but also increase your organization’s ability to respond to whatever cryptographic challenges arise in the future.</li>
</ul>
</span>]]></content:encoded>
										</item>
		<item>
		<title>DigiCert on Quantum 3: When it is necessary to start transitioning to quantum-safe algorithms</title>
		<link>/digicert-on-quantum-3-when-to-transition-to-quantum-safe-algorithms/</link>
				<pubDate>Wed, 24 Jul 2019 17:01:53 +0000</pubDate>
		<dc:creator><![CDATA[Timothy Hollebeek]]></dc:creator>
				<category><![CDATA[Post-Quantum Cryptography]]></category>

		<guid isPermaLink="false">/?p=29005</guid>
				<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/07/shutterstock_636973009-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />In previous articles in this series, we have discussed the threat quantum computing poses to classical cryptography and the difficulty of predicting when a cryptographically relevant quantum computer will arrive. In this article, we will discuss how to determine when it is necessary to start transitioning to quantum-safe algorithms. The answer will be different for [&#8230;]]]></description>
								<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/07/shutterstock_636973009-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>In previous articles in this series, we have discussed the <a href="https://www.digicert.com/blog/digicert-on-quantum-national-academy-of-sciences-report/" target="_blank" rel="noopener noreferrer">threat quantum computing poses to classical cryptography</a> and the difficulty of predicting when a <a href="https://www.digicert.com/blog/digicert-on-quantum-2-when-will-cryptographically-relevant-quantum-computers-arrive/" target="_blank" rel="noopener noreferrer">cryptographically relevant quantum computer will arrive</a>. In this article, we will discuss how to determine when it is necessary to start transitioning to quantum-safe algorithms. The answer will be different for every organization, and indeed for every system that uses encryption, so we will discuss how to come up with an appropriate transition plan for your organization. For many organizations, the time to start working on transitioning to quantum-safe algorithms is now, for the reasons outlined below.</p>
<p>The best-known equation for helping determine when to start transitioning to quantum-safe algorithms is the Mosca equation. Introduced by Michele Mosca, it describes how long before a cryptographically relevant quantum computer arrives the transition must start in order for data to remain protected. The Mosca equation is:</p>
<p style="text-align:center;"><i>D &plus; T &ge; Q<sub>c</sub></i></p>
<p>The variables are as follows:</p>
<ul style="list-style-type: none;">
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;"><strong>D</strong> is the amount of time the data needs to remain secret,</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;"><strong>T</strong> is the amount of time required to transition all systems to quantum-safe techniques, and</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;"><strong>Q<sub>c</sub></strong> is the amount of time before a cryptographically relevant quantum computer arrives.</li>
</ul>
<p style="margin-top:20px;">When the inequality is true, the data is vulnerable to being decrypted by a quantum computer before its protection lifetime expires.</p>
<p>Determining the values of these variables for a particular organization or system can be tricky. As discussed in the second article in this series, it is very difficult right now to predict when a cryptographically relevant quantum computer will arrive. Over the next few years, more information will become available, leading to more accurate forecasts, but for now, it is necessary to make an informed guess. Also, to guarantee that information remains safe, it is necessary for the guess to be conservative; otherwise, information will be at risk if the guess proves to be too optimistic. Right now, the consensus is that it is possible that such a computer may be around in as little as seven to 10 years, if progress continues to be made at a steady rate.</p>
<p>If we use this value for Q<sub>c</sub>, there is an obvious problem: the data protection lifetime (D) for many critical systems already exceeds that value. For those systems, the data that is being encrypted today is already at risk of being decrypted in the future. It is important to identify and prioritize these systems to address the potential threat. In the next article, we will discuss techniques that are available today to protect these systems.</p>
<p>To determine the appropriate data protection lifetime, it is important to understand where all the data your organization relies upon resides, how it is being protected, and the consequences of unauthorized disclosure. Such a data inventory is an important part of data protection practices even in the absence of a threat from quantum computing, so it is a useful exercise to undergo. Some data is relatively transient and unimportant and may only need to remain secret for a year or two. Other data may have a desired protection lifetime that exceeds a century. For example, if a child is born with a sensitive health condition, it is desirable for HIPAA and other privacy reasons that that information be kept secret by healthcare providers for the child’s entire lifetime. Determining the sensitivity of all the information your organization handles helps security teams make intelligent decisions about the protection profile for the data, including the timeline for protecting it from the threat from quantum computing.</p>
<p>The amount of time required to transition systems to post-quantum cryptography (T) is also often longer than people expect. For example, SHA-1 has been obsolete for 15 years but is still used today. The original Data Encryption Standard (DES) was published in 1975 and only uses 56-bit keys but is still being used in a few locations within financial systems. Large, complex systems with high availability requirements are simply very hard to upgrade, especially when the software being upgraded is buried deep in essential systems, or hard-wired into hardware, as cryptographic functions generally are.</p>
<p>Remember that the time T includes all activities related to the transition. This includes any time spent planning and organizing the transition, getting the necessary approvals and budget, testing the transition plan to determine whether it will work, conducting pilot projects and deploying all the updates globally. And this has to be repeated for each usage of cryptography within the organization. Getting started with the planning and discovery phase now is essential to determine the overall impact of the coming transition.</p>
<p>Another key point is the importance of cryptographic agility, or reducing the time necessary to replace cryptographic algorithms within critical systems. Cryptographic agility reduces the value of T, providing additional breathing room to plan and execute the transition. Systems that cannot easily be upgraded need to be enhanced to allow for cryptographic transitions. It is especially important to pay close attention to the transition phase, where systems that have already been upgraded will need to interoperate with systems that haven’t.</p>
<p>Plugging reasonable values into the Mosca equation shows that for many organizations and systems, the time to begin working on the transition to quantum-safe algorithms is now. Recommended first steps are:</p>
<ol>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Perform an inventory of all systems that use cryptography and the data being protected, and determine an appropriate data protection lifetime.</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Start developing a transition plan for how systems will be upgraded, and work to increase your organization’s cryptographic agility to reduce the time the transition will take.</li>
<li style="margin-left: 20px; margin-top: 20px; text-indent: -3px; font-size: 18px !important;">Talk to your third-party vendors about their plans to support your transition to quantum-safe algorithms for the cryptography they include in their products.</li>
</ol>
<p>Waiting until the last minute to start planning the transition to quantum-safe algorithms unnecessarily puts your organization’s data at risk. Taking these steps will help get your organization ready for the coming transition. In the next article, we will discuss technical measures organizations can take today to protect their data from quantum computers, and the tools DigiCert will be making available to allow organizations to experiment with and test post-quantum cryptography, including incorporating it into their software systems.</p>
</span>]]></content:encoded>
										</item>
	</channel>
</rss>
