For nearly 50 years, public key infrastructure (PKI) has provided a secure cryptographic foundation for the world’s data. But in the next few years, quantum computers are destined to render the current cryptographic algorithms that secure devices and the people who use them obsolete.
PKI relies primarily on two standardized algorithms, Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC), which act as the “digital trust stamps” to verify the massive amounts of human and machine identities accessing data every second. However, these algorithms will soon be easily broken by quantum computers. If today’s computers tried to break a message using standard encryption, it would take about 300 trillion years. A quantum computer will have the computer power to be able to break it in a week. The potential impact of quantum computing is so serious that it’s sometimes known as The Quantum Apocalypse.
Preparation for The Quantum Apocalypse is well underway. For the past six years, the US National Institute of Standards and Technology (NIST) has been conducting a competitive search for post-quantum encryption algorithms. In a milestone July announcement, NIST released its winning selections: CRYSTALS-Kyber for general encryption and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.
There is still much work left to be done to standardize these algorithms, which are not expected to be complete until 2024. Additionally, a quantum computer capable of breaking today’s encryption hasn’t been created yet. However, enterprises – government and private industry alike – need to start planning now for fast, efficient, and error-free deployment to new quantum-resistant cryptographic standards. In fact, the Cybersecurity and Infrastructure Security Agency recently released a bulletin recommending key actions for IT teams to begin working on right away.
Here are five things IT teams can do today to protect their enterprises from quantum-based threats:
1. Take Inventory
The place to start is by taking inventory of all encrypted systems and preparing a strategy for deployment of the new cryptography. From the ground up, understand where the most important systems are, what the risks are, what the use cases are, who is involved in this transition, and what systems will likely be affected by quantum computing. The unknown becomes a vulnerability for hackers and cyber attacks.
2. Test the New Post-Quantum Cryptographic Algorithms
It’s not possible to issue a public certificate with these new algorithms yet because they’re not standardized, and because current software won’t support them. Vendors, software, OS, and service providers are now starting to gear up to support these primitives, and until that happens, enterprises can’t use them in production.
However, it is possible to start testing the algorithms in lab environments. Computer science and IT professionals should test the new cryptography in controlled environments, while the standards work is being done. Everyone must understand how to use new certificate types like hybrid certificates and what private Certificate Authority (CA) software capable of using post-quantum algorithms looks like. Sectigo Quantum Labs offers a free hybrid certificate toolkit for security professionals to evaluate their post-quantum options.
3. Create a Plan for Transitioning Systems
Every use case for post-quantum cryptography will likely involve a host of interdependent technologies. Enterprises must understand the intricate systems and critical infrastructure in place and have a plan for transitioning them to post-quantum cryptography.
Some systems won’t be able to consume the new types of quantum-safe certificates, which begs the important question: How much risk is associated with that old system? If the answer is “too much,” then IT leaders must decide if it can be decommissioned. The only other option is to leave the systems running while vulnerable to attacks from quantum computers. Depending on the nature and sensitivity of the data and operations involved, leaders will have to make pragmatic choices about the best paths forward.
4. Work With Vendors
It’s time to work hand-in-hand with the vendor community. For almost all enterprises in the world, the vast majority of the post-quantum cryptography implementation must be done by vendors. Hardware, software, and service providers will deliver products to enterprises. Then it’s the IT leader’s job to implement these new post-quantum-technology solutions and integrate them intelligently. Today, IT leaders should already be finding out how their technology vendors plan on supporting the new post-quantum cryptographic algorithms.
5. Educate Your Workforce
The average sysadmin, rightfully so, is not currently thinking about a post-quantum world in a meaningful way. After all, he or she is consumed with keeping the lights on today. Two years may seem like a long time away, but technology teams are well advised to begin today in taking inventory and understanding the impact of this computing progress.
In addition to testing post-quantum encryption algorithms in sandboxes, speaking with vendors, and determining what their post-quantum ecosystem should look like, they can take inventory of those within their organizations who will be affected and provide training on how to interact with those new systems.
Enterprises can’t wait. Be proactive and start preparing now, because it’s going to take time to switch to quantum-safe cryptography. Download the number one resource for quantum PKI solutions at www.sectigo.com/quantum-labs.