Today the world’s data is secured with technology that in some ways acts like a passport. Like passports, this technology – a public key infrastructure (PKI) digital certificate – contains identity information related to the holder. In the digital world, digital certificates act as a “passport” for humans and the machines (such as software, code, bots, IoT/OT, laptops, and devices) they use.
Though the average person isn’t aware of it, public key cryptography technology underpins everything in digital life, ultimately ensuring enterprises can securely transact business within their own networks and wider. It is the cryptographic foundational technology acting as a digital trust stamp to verify and authenticate the massive amounts of human and machine identities accessing sensitive data every second of the day.
Quantum computing threatens this cryptographic foundation and organizational ability to establish digital trust. Quantum computers use quantum physics to solve complex problems much more quickly than traditional computers can today. Quantum computers can perform many processes simultaneously, one consequence of which is it will become drastically easier to break encrypted files and communications secured by digital certificates. Therefore, the world must adopt new families of quantum-resistant cryptographic standards to retain its secure digital operations.
Often, security industry insiders use the phrase "crypto agility" when discussing digital certificates but it’s important to know exactly what this means and how it relates to the future threats of quantum computing.
What is Crypto Agility?
Crypto agility is short for cryptographic agility, which refers to the ability of an enterprise’s ecosystem to ensure its fundamental cryptographic primitives are current, reliable, and robust, and that it’s using cryptography that is best for a given circumstance. Being cryptographically agile is the ability to respond to change, and in modern enterprises, the pace of change is rapid.
Crypto agility will always be a moving target for enterprises. As IT leaders watch their total certificate volumes increase and the average digital certificate lifespan decrease to just one year or less, and as the world inches closer to the reality of quantum computing, crypto agility has never been more vital.
Quantum Computing and the Need for Crypto Agility
To understand the cryptographic changes required to protect against future quantum threats, it’s first crucial to understand what happens today.
Devices like phones, laptops, and servers are all validated and trusted using certificates. Credit cards, e-passports, and other things that most people don’t think of as “digital,” such as a keycard that grants access to a building, have PKI technology at their core. These are cyber-physical systems, and they use PKI to ensure that the sensitive information they house remains confidential, is tamper-free, and is authentic. It is difficult to guess how often the average employee interacts with PKI in a single day, but the answer is “a lot.” PKI is present in nearly every aspect of work (and personal) life in all industries.
Today’s production PKI systems rely on two cryptographic algorithms, Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC). Unfortunately, due to the nature of how quantum computers operate differently from traditional 1/0-gated computing architecture, these algorithms are trivially easy for quantum computers to break. A normal computer with average computing power today would need about 300 trillion years to break a message using current standard-strength encryption, while a quantum computer would only need about one week. The potential effects are so dire, that this is sometimes referred to as the Quantum Apocalypse.
After a six-year search, The US National Institute of Standards and Technology (NIST) has announced a new set of cryptographic “primitives” that have been deemed to be secure against cracking by quantum computers: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.
Now, enterprises must begin the important work of implementing new encryption standards across all aspects of their computing system infrastructure. The standardization of the new quantum-resistant algorithms is expected by 2024, and estimates say quantum computing will break RSA and ECC as early as 2026. Therefore, preparation must start now to ensure crypto agility today and in the years ahead.
Next Generation PKI
What does crypto agility look like in preparation for the quantum era? Enterprise IT leaders must implement X.509 hybrid certificates that use quantum-safe encryption algorithms. Hybrid certificates house both traditional and quantum-safe keys and signatures. These cross-signed certificates enable a migration path for systems with multiple components that can’t all be upgraded or replaced at the same time. This allows for an easier transition from traditional PKI cryptography to post-quantum cryptography (when the new algorithms are standardized) in a more manageable way.
Think of using hybrid certificates as a house with two doors where each door has its separate key. If someone installs a new front door lock, only people with the new key can open that door. People with the old key can still enter the house but only via the unchanged back door. Over time, keys can be swapped out to users, giving them access through the new door lock. Once everyone’s key is swapped out, the back door lock can be safely changed with no loss of access for anyone. These hybrid certificates will be the most important bridges between cryptography today and a few years from now.
Remember these new cryptographic algorithms can’t simply be deployed and forgotten. They also must be managed, which is no longer possible to do manually given the scale. Next generation PKI is about having a single pane of glass Certificate Lifecycle Management (CLM) platform to discover, issue, renew, govern, manage, and automate the lifecycles of any digital certificate, including hybrid certificates. Automated CLM maintains secure PKI and reduces the risks of outages and breaches due to expired certificates.
The trend is going to be for quicker and quicker replacements over time of the cryptographic primitives, as well as the continued shortening of certificate lifespans. Swiftly reacting to these changes is being cryptographically agile.
Learn more about quantum-safe cryptography and download a toolkit in Sectigo’s Quantum Labs.