Avesta Hojjati, VP of Engineering and Head of R&D, DigiCert, on proactive steps to get out in front of coming post-quantum challenges.
We all know that digital trust is fundamental to today’s interactions and processes.
For the past few decades, we’ve depended on cryptographic solutions based on classical encryption algorithms to ensure that trust.
But new advances in quantum computing are putting these cryptographic solutions at risk. The pressure is on for organizations to prepare for a post-quantum future.
What’s behind the post-quantum threat?
We’ve all heard about the tremendous potential of quantum computers, and their ability to solve complex problems in fields like pharmaceuticals, chemical production, manufacturing and finance.
However, the downside is that they could also provide bad actors with a powerful new tool for breaking classical encryption algorithms.
What makes current algorithms susceptible to attack by quantum computers? Today’s algorithms are mostly based on what we call factorization problems.
As a simple example, RSA is essentially based on identifying two randomly generated large prime numbers and multiplying those large prime numbers to create a much larger prime number.
For today’s existing computers, it might take many years to figure out the roots of this single large prime number and crack the encryption.
But for a quantum computer utilizing principles such as entanglement and superposition, solving this factorization problem wouldn’t take years – it could take a few days, minutes or even seconds.
Facing that kind of computing power and speed, cryptographic mainstays like RSA, ECC and AES could suddenly become vulnerable – and all the trusted digital interactions they support are put at risk.
New solutions are on the way
It’s clear that the post-quantum computing threat is real, and it’s coming up fast. According to estimates from the Cloud Security Alliance, quantum technology could be able to break cybersecurity infrastructure in just six years.
The good news is that government and industry groups are hard at work helping organizations strengthen their cryptography, so they can be prepared for attacks that may lie on the horizon.
The National Institute of Standards and Technology (NIST) has announced three algorithms to be standardized for post-quantum digital signatures. The new encryption schemes, Dilithium, Falcon and SPHINCS+, are set to be finalized this year.
These new algorithms will be key to ensuring post-quantum digital trust, but it’s still up to organizations to put them in place. Since cryptographic solutions are deeply integrated into most enterprises, elevating security presents some challenges of its own.
From a software perspective, the actual task of implementing upgrades to post-quantum algorithms is similar to the software update processes that organizations are already utilizing.
However, upgrading hardware and IoT devices can introduce issues. For example, some hardware may lack the memory required to store keys that are significantly larger than those required for classical algorithms.
Other devices may lack the computing power required to support the new algorithms. As they plan their initiative, organizations need to apply a ‘security by design’ strategy in which their post-quantum crypto algorithms are pushed to the hardware that is capable of supporting them.
Crypto agility is essential
Regardless of which algorithms organizations choose, they will want to make sure that they have an agile framework and process in place at any given time.
Crypto agility empowers organizations to automatically move from an algorithm that potentially could be broken to an algorithm which is safe and secure – at scale.
Crypto agility is based on three key pillars: discovery, automation and visibility.
- Gaining visibility with discovery
A discovery process is critical to gain full visibility into cryptographic processes that are deployed across the organization – or will be in development. Organizations should conduct a thorough inventory to gain visibility into all their cryptographic libraries.
Most IT professionals are familiar with a software bill of materials (SBOM), but they’re probably not familiar with a crypto bill of materials or CBOM.
Most organizations would probably be unable to present a list of all the cryptographic libraries across all of their organizations – or identify which algorithms are being used and where they reside.
That’s why the discovery step is so important, because you cannot automate or manage what you can’t discover.
- Scaling up with automation
Automation is the second key pillar of crypto agility.
After completing discovery, and in order to set up asset management across the entire organization, organizations should be able to automate the process of replacing cryptographic libraries in devices and endpoints such as load balancers and web servers, as well as clients such as web browsers.
- Optimizing with management
The combination of discovery and automation leads to the third pillar of crypto agility: management.
With thorough visibility and efficient automation, organizations can then create policies and automatic deployments to identify outdated or broken crypto libraries, and automatically replace them.
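The discovery and management pillars above, as an added Python example that is not from the article or from DigiCert: it takes a constructed crypto inventory, flags RSA and ECC entries, and picks a post-quantum signature scheme that fits each device. The `Asset` fields, the byte-budget model and the preference order are assumptions; the key and signature sizes are the published figures for each scheme's smallest parameter set.

```python
from dataclasses import dataclass

# Public-key families treated as quantum-vulnerable here (RSA and ECC are named in the article).
QUANTUM_VULNERABLE = {"RSA", "ECC", "ECDSA"}

# (public key bytes, signature bytes) for the smallest parameter set of each
# signature scheme the article names; verify against the final standards.
PQ_SIGNATURES = {
    "Dilithium2": (1312, 2420),
    "Falcon-512": (897, 666),
    "SPHINCS+-128s": (32, 7856),
}

# Assumed policy: order in which replacements are tried.
PREFERENCE = ["Dilithium2", "Falcon-512", "SPHINCS+-128s"]


@dataclass
class Asset:  # hypothetical inventory (CBOM-style) record
    name: str        # where the algorithm was discovered
    algorithm: str   # label recorded during discovery, e.g. "RSA-2048"
    budget: int      # assumed bytes available for one public key plus one signature


def plan_migration(inventory):
    """Map each asset name to 'keep', a replacement, or a hardware finding."""
    plan = {}
    for asset in inventory:
        family = asset.algorithm.split("-")[0].upper()
        if family not in QUANTUM_VULNERABLE:
            plan[asset.name] = "keep"
            continue
        fits = [s for s in PREFERENCE if sum(PQ_SIGNATURES[s]) <= asset.budget]
        plan[asset.name] = f"replace with {fits[0]}" if fits else "hardware upgrade needed"
    return plan


# Constructed sample inventory, not real data.
INVENTORY = [
    Asset("web-server-tls", "RSA-2048", 65536),
    Asset("load-balancer", "ECC-P256", 2048),
    Asset("iot-sensor", "RSA-2048", 1024),
    Asset("firmware-signing", "Dilithium2", 65536),
]

if __name__ == "__main__":
    for name, action in plan_migration(INVENTORY).items():
        print(f"{name}: {action}")
```

The sensor's 1024-byte budget cannot hold any of the three schemes, which is the hardware constraint the article raises for IoT devices.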
Crypto agility can provide a strategic advantage for organizations that want to mitigate the post-quantum risk, but for many organizations, building awareness is the most essential first step.
With good communication, the right strategy and robust technology solutions, organizations can take proactive steps to get out in front of coming post-quantum challenges.