Why Crypto-Agility Is Crucial for Navigating Quantum Computing

Today, global data is secured with technology that, in some ways, acts like a passport. Like passports, this technology – a public key infrastructure (PKI) digital certificate – contains identity information linked to the holder. In the digital world, digital certificates act as a “passport” for humans and the machines (such as software, code, bots, IoT/OT, laptops and devices) they use.

Although the average person may not be aware of it, this technology underpins everything in digital life, ultimately ensuring that businesses can transact securely within their own networks and beyond. It is the fundamental cryptographic technology acting as a digital trust buffer to verify and authenticate the massive amounts of human and machine identities accessing sensitive data every second of the day.

Quantum computing threatens this cryptographic foundation and the organizational ability to establish digital trust. Quantum computers use quantum physics to solve complex problems much faster than traditional computers can today. Quantum computers can perform many processes simultaneously, with the consequence that it will become considerably easier to crack encrypted files and communications secured by digital certificates. Therefore, the world must adopt new families of quantum-resistant PKI cryptography to keep its digital operations secure.

Often, security industry insiders use the phrase “crypto-agility” or “cryptographic agility” when talking about digital certificates. It refers to the ability of a company’s ecosystem to ensure that its fundamental cryptographic primitives are up-to-date, reliable, and robust, and that it uses the cryptography best suited for a given circumstance. Being cryptographically agile is the ability to react to change, and in the modern enterprise the pace of change is rapid.

Crypto-agility will always be a moving target for businesses. As IT managers see their total certificate volumes increase and the average lifespan of digital certificates decrease to a year or less, and as the world moves closer to the reality of quantum computing, cryptographic agility has never been so vital.

Quantum computing and the need for cryptographic agility

To understand the cryptographic changes needed to protect against future quantum threats, it is first crucial to understand what is happening today.

Devices such as phones, laptops, and servers are all validated and trusted using certificates. Credit cards, e-passports, and other things that most people don’t think of as “digital,” like a key card that grants access to a building, rely on PKI technology. They are cyber-physical systems, and they use PKI to ensure that the sensitive information they host remains confidential, tamper-proof, and authentic. It’s hard to guess how many times the average employee interacts with PKI in a single day, but the answer is “a lot”. PKI is present in almost every aspect of professional (and personal) life across all industries.

Current production PKI systems rely on two cryptographic algorithms, Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC). Unfortunately, because quantum computers operate differently from traditional 1/0-gate computer architecture, these algorithms are trivially easy for quantum computers to break. Today’s average computer would need about 300 trillion years to crack a message using today’s standard strength encryption, while a quantum computer would only need about one week. The potential effects are so severe that it is sometimes referred to as a quantum apocalypse.

After a six-year search, the US National Institute of Standards and Technology (NIST) has announced a new set of cryptographic “primitives” that have been deemed secure against hacking by quantum computers: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.

Now, businesses must begin the important work of implementing new cryptography in all aspects of their IT systems. Standardization of new quantum-resistant algorithms is expected by 2024, and estimates indicate that quantum computing will break RSA and ECC as early as 2026. Therefore, preparation must begin now to ensure cryptographic agility today and in the years to come.

Next Generation PKI

What does crypto-agility look like in preparation for the quantum era? Enterprise IT managers should implement hybrid X.509 certificates that use quantum-safe encryption algorithms. Hybrid certificates accommodate both traditional and quantum-safe keys and signatures. These cross-signed certificates provide a migration path for systems with multiple components that cannot all be upgraded or replaced at the same time. This allows for an easier transition from traditional PKI cryptography to post-quantum cryptography (when new algorithms are standardized) in a more manageable way.

Think of using hybrid certificates like a two-door house where each door has its own key. If someone installs a new front door lock, only people with the new key can open that door. People with the old key can still enter the house, but only through the unchanged back door. Over time, keys can be exchanged between users, giving them access through the new door lock. Once everyone’s key is exchanged, the rear door lock can be safely changed without loss of access for anyone. These hybrid certificates will be the most important bridges between crypto today and in a few years.

Remember that these new cryptographic algorithms cannot just be deployed and forgotten. They must also be managed, which is no longer possible to do manually given the scale. The next generation of PKI is to have a single Certificate Lifecycle Management (CLM) platform to discover, issue, renew, govern, manage and automate the lifecycles of any digital certificate, including hybrid certificates. The automated CLM maintains a secure PKI and reduces the risk of outages and breaches due to expired certificates.
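The hybrid migration path and the lifecycle checks described above can be sketched as a small inventory triage. This is an added example, not Sectigo's code or any CLM product's API; the `Cert` record, the relying-system capability map, the action labels and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Algorithm families as named in the article. CRYSTALS-Kyber is left out
# because it is a key-establishment scheme, not a signature scheme.
VULNERABLE = {"RSA", "ECC"}
RESISTANT = {"CRYSTALS-Dilithium", "FALCON", "SPHINCS+"}

@dataclass
class Cert:  # hypothetical inventory record, not an X.509 parser
    subject: str
    sig_algs: frozenset  # traditional only, or traditional + quantum-safe (hybrid)
    not_after: date

def classify(cert):
    if not cert.sig_algs or cert.sig_algs - VULNERABLE - RESISTANT:
        return "unknown"  # unrecognised algorithm: needs manual review
    if cert.sig_algs <= RESISTANT:
        return "quantum-safe"
    return "hybrid" if cert.sig_algs & RESISTANT else "quantum-vulnerable"

def blocked_clients(cert, clients):
    """Relying systems that cannot validate the quantum-safe signature."""
    return sorted(n for n, algs in clients.items() if not algs & cert.sig_algs & RESISTANT)

def triage(certs, clients, today, renew_days=30):
    findings = []
    for cert in sorted(certs, key=lambda c: c.not_after):  # soonest expiry first
        kind = classify(cert)
        days_left = (cert.not_after - today).days
        blocked = blocked_clients(cert, clients) if kind == "hybrid" else []
        if days_left < 0:
            action = "expired: replace now"
        elif kind == "unknown":
            action = "review algorithm"
        elif kind == "quantum-vulnerable":
            action = "reissue as hybrid"
        elif kind == "hybrid" and not blocked:
            action = "ready to drop traditional signature"
        else:
            action = "renew" if days_left <= renew_days else "ok"
        findings.append((cert.subject, kind, days_left, action, blocked))
    return findings

# Constructed sample data: three certificates and two relying systems.
CERTS = [Cert("vpn.example.test", frozenset({"RSA"}), date(2025, 3, 1)),
         Cert("api.example.test", frozenset({"ECC", "CRYSTALS-Dilithium"}), date(2025, 1, 20)),
         Cert("hsm.example.test", frozenset({"ECC", "FALCON"}), date(2025, 6, 1))]
CLIENTS = {"legacy-badge-reader": {"RSA", "ECC"}, "new-gateway": {"ECC", "CRYSTALS-Dilithium", "FALCON"}}
```

A hybrid certificate is reported as ready to drop its traditional signature only once every relying system in the map supports its quantum-safe algorithm, which is the point in the two-door analogy where the back door lock can be changed.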

The trend will be towards faster and faster replacements over time of cryptographic primitives, as well as the continuous shortening of the lifespan of certificates. To react quickly to these changes is to be cryptographically agile.

Learn more about quantum cryptography and download a toolkit in Sectigo’s Quantum Labs at https://sectigo.com/quantum-labs.

*** This is a syndicated blog from Sectigo’s Security Bloggers Network written by Tim Callan. Read the original post at: https://sectigo.com/resource-library/why-crypto-agility-is-crucial-to-navigating-quantum-computing

Sherry J. Basler