With the rise of post-quantum cryptography (PQC), the importance of encryption in our digital landscape becomes even more apparent. The foundation of trust in our digital connections relies heavily on cryptographic techniques and public key infrastructures (PKIs). However, the rapid development of cryptographically relevant quantum computers (CRQCs) poses a significant threat to traditional asymmetric algorithms like RSA and ECC. To counter this threat, the concept of post-quantum cryptography has emerged, showcasing cryptographic algorithms specifically designed to resist quantum computer attacks.
While CRQCs still require more power and size than the currently available quantum computers, their development is progressing rapidly. Organizations must proactively prepare for the eventual transition to post-quantum algorithms. This transition presents a complex challenge as it involves upgrading the vast digital infrastructure built over the past few decades. Adaptation to this transition requires organizations to initiate the process of comprehending the implications it holds.
Recently, federal agencies in the United States received instructions from the Office of the National Cyber Director (ONCD) to take inventory of their cryptographic systems in preparation for the shift to quantum-resistant cryptography. Explained in the White House’s National Security Memorandum 10, these guidelines mandated agencies to submit prioritized inventories of cryptographic systems by May 4, 2023. However, meeting this deadline has proven to be a challenging task for some agencies. The complexity of identifying cryptographic systems extends beyond federal agencies and applies to organizations across all sectors. The pervasiveness of cryptography makes it difficult to track assets that organizations might not even be aware of.
While not subject to the May deadline, enterprises must also identify and proactively manage their cryptographic assets. It is essential for all organizations to follow a structured approach when transitioning to a post-quantum world. Let’s explore some necessary steps to take:
Step 1: Comprehensive Inventory
The first step involves taking inventory of all cryptographic systems within an organization, including certificates and algorithms. This process requires understanding the crypto assets present in the organization’s environment, including the algorithms used, certificate issuers, expiration dates, protected domains, and software signed with specific keys. Additionally, organizations must investigate whether their software packages or devices automatically download updates, connect to backend servers, or operate on websites managed by third parties or cloud providers. Establishing these details necessitates extensive communication with various providers and backend entities.
Identifying an organization’s digital footprint in today’s interconnected world may appear daunting, but it is crucial to protect crypto assets effectively.
Step 2: Strategic Prioritization
The next step revolves around prioritizing the replacement of encryption algorithms that generate signatures requiring long-term trust. This encompasses securing the roots of trust, firmware for long-lived devices, and other critical components. The urgency arises from the fact that encrypted data can be recorded now and decrypted later by operators of future quantum computers, a practice commonly known as “harvest now, decrypt later.” Therefore, any encryption intended for long-term use should be the first priority for replacement.
Step 3: Incorporate and Test
Furthermore, organizations need to explore and test the incorporation of post-quantum cryptography algorithms. The National Institute of Standards and Technology (NIST) has already selected the final algorithms for PQC standardization, but the development of standards, documentation, and secure implementation methods is still ongoing. It may take up to two years before these algorithms gain widespread adoption. However, implementers of cryptographic libraries and security software are strongly advised to start integrating these algorithms into their products now. Organizations can also begin exploring the incorporation of selected PQC algorithms as there will be a certain level of effort required to accommodate them.
While the deadline for federal agencies to submit their inventories of cryptographic systems has already passed, the responsibility still remains for all organizations to proactively identify and manage their crypto assets. The transition to quantum-resistant cryptography is undoubtedly a formidable task, but by comprehensively understanding and managing crypto assets, organizations can lay the groundwork for a secure and trustworthy digital future.
It is crucial to initiate the transition process now and stay informed about the developments in post-quantum cryptography to ensure a smooth transition when the time comes.
What is post-quantum cryptography?
Post-quantum cryptography refers to cryptographic techniques and algorithms designed to resist attacks from cryptographically relevant quantum computers (CRQCs). These quantum computers pose a significant threat to traditional asymmetric algorithms, necessitating the development of new cryptographic approaches that can withstand quantum computer attacks.
Why is it important to prepare for a quantum-resistant cryptographic future?
Preparing for a quantum-resistant cryptographic future is crucial because the development of cryptographically relevant quantum computers is progressing rapidly. These quantum computers can potentially break traditional asymmetric algorithms, compromising the security of our digital connections and sensitive information. By proactively preparing and transitioning to post-quantum algorithms, organizations can mitigate the risks posed by future quantum computers and ensure the integrity and confidentiality of their digital assets.
What steps can organizations take to prepare for a quantum-resistant cryptographic future?
Organizations can take the following steps to prepare for a quantum-resistant cryptographic future:
1. Inventory all cryptographic systems, including certificates and algorithms, and prioritize them based on their level of criticality.
2. Strategically prioritize the replacement of encryption algorithms requiring long-term trust to protect against “harvest now, decrypt later” attacks.
3. Explore and test the incorporation of post-quantum cryptography algorithms selected by standards bodies like the National Institute of Standards and Technology (NIST).
By following these steps, organizations can lay the groundwork for a smooth transition to a quantum-resistant cryptographic future.