CyberSecurity SEE

Steps to Prepare for a Quantum-Resistant Cryptographic Future


The rise of post-quantum cryptography (PQC) is bringing attention to the widespread use of cryptography in our digital world. Virtually every digital connection relies on cryptographic techniques and public key infrastructures (PKIs) to establish trust. However, the emergence of cryptographically relevant quantum computers (CRQCs) poses a threat to traditional asymmetric algorithms such as RSA and ECC. To address this challenge, researchers have been developing post-quantum cryptography, which encompasses cryptographic algorithms designed to be resistant to quantum computer attacks.

A CRQC would have to be larger and more powerful than any quantum computer currently available, but development is progressing. Organizations must therefore prepare for the eventual transition to post-quantum algorithms. This transition is a significant challenge: it requires a complex upgrade of the vast digital infrastructure built over the past few decades. Although organizations have some time to adapt, they need to start working out what the transition means for them.

In the United States, federal agencies have received instructions from the Office of the National Cyber Director (ONCD) to inventory their cryptographic systems in preparation for the shift to quantum-resistant cryptography. These guidelines, outlined in the White House’s National Security Memorandum 10, required agencies to submit their prioritized inventories of cryptographic systems by May 4, 2023. However, meeting this deadline has proven to be challenging for some agencies. The complexity of identifying cryptographic systems extends beyond federal agencies and applies to organizations across all sectors. Cryptography’s ubiquitous presence makes it difficult to track assets that organizations may not even be aware of.

While enterprises are not subject to the May deadline, they must also identify and proactively manage their cryptographic assets. It is crucial for all organizations to follow a structured approach for transitioning to a post-quantum world. This approach includes the following steps:

Step 1: Inventory

The first step is to inventory all cryptographic systems, including certificates and algorithms, and prioritize them based on their level of criticality. This process requires understanding the crypto assets within an organization’s environment, including the algorithms its certificates use, their issuers, expiration dates, the domains they protect, and even the software signed with specific keys. Additionally, organizations must investigate whether their software packages or devices automatically download updates, connect to backend servers, or operate on websites or portals managed by third parties or cloud providers. Establishing these details requires extensive communication with various providers and backend entities. While identifying an organization’s digital footprint may seem daunting, it is essential in today’s interconnected world. Understanding crypto assets is the key to protecting them effectively.

Step 2: Prioritize

The next step is to prioritize the replacement of cryptographic algorithms that generate signatures requiring long-term trust. This includes securing the roots of trust, firmware for long-lived devices, and other critical components. The urgency arises from the fact that encrypted data can be recorded now and decrypted later by operators of future quantum computers, a practice known as “harvest now, decrypt later.” Therefore, any encryption intended for long-term use should be the first priority for replacement.

Step 3: Test

Furthermore, organizations need to explore and test the incorporation of post-quantum cryptography algorithms. The National Institute of Standards and Technology (NIST) has already selected the final algorithms for PQC standardization, but the development of standards, documentation, and secure implementation methods is still underway. It may take up to two years before these algorithms become widespread. However, implementers of cryptographic libraries and security software should start integrating these algorithms into their products now. Organizations can also begin exploring how to incorporate the selected PQC algorithms, as there will be a certain level of effort required to accommodate them.
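The inventory and prioritization steps above can be expressed as a tiering pass over an inventory export. The following is an added example, not code from the original article; the CSV columns, the usage labels and the 10-year secrecy cut-off are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample inventory (not real assets); column names are assumptions.
INVENTORY_CSV = """\
asset,usage,algorithm,not_after,secrecy_years
www.example.com,tls-server,RSA-2048,2025-03-01,0
backup-vault,data-at-rest,AES-256,2030-12-31,20
vpn.example.com,key-exchange,ECDH-P256,2026-09-30,15
fw-signer-01,firmware-signing,ECDSA-P256,2035-01-15,0
Corp Root CA,root-ca,RSA-4096,2041-06-01,0
"""

# Public-key families a CRQC threatens: RSA and ECC (named in the article),
# plus finite-field DH and DSA, which fall to the same quantum attack.
QUANTUM_VULNERABLE = ("RSA", "EC", "ED25519", "X25519", "DH", "DSA")
LONG_TERM_TRUST = {"root-ca", "firmware-signing", "code-signing"}  # assumed labels
LONG_SECRECY_YEARS = 10  # assumed cut-off for "long-term" confidentiality


def tier(row):
    """1 = replace first, 2 = replace at normal renewal, 3 = not a public-key risk."""
    if not row["algorithm"].upper().startswith(QUANTUM_VULNERABLE):
        return 3
    if row["usage"] in LONG_TERM_TRUST:
        return 1  # signatures that must stay trusted for years
    if int(row["secrecy_years"]) >= LONG_SECRECY_YEARS:
        return 1  # exposed to "harvest now, decrypt later"
    return 2


def prioritize(csv_text):
    """Return (tier, asset, algorithm) tuples, most urgent first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Within a tier, list the longest-lived credential first (ISO dates sort as text).
    rows.sort(key=lambda r: r["not_after"], reverse=True)
    rows.sort(key=tier)  # stable sort keeps the date order inside each tier
    return [(tier(r), r["asset"], r["algorithm"]) for r in rows]


if __name__ == "__main__":
    for t, asset, alg in prioritize(INVENTORY_CSV):
        print(f"tier {t}  {asset:<18} {alg}")
```

Tier 1 holds the root of trust, the firmware signer and the key exchange protecting long-lived secrets; the short-lived TLS certificate can wait for its normal renewal.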

While the deadline for federal agencies to submit their inventories of cryptographic systems has passed, the need for all organizations to identify and manage their crypto assets proactively remains. The transition to quantum-resistant cryptography is a significant undertaking, but by understanding and managing their crypto assets, organizations can lay the groundwork for a secure and trustworthy digital future.

It is crucial to start the process now and stay informed about the developments in post-quantum cryptography to ensure a smooth transition when the time comes.
