Free Trial
Contact Us
Podcast

Root Causes 251: What's Next for the NIST PQC Primitives?

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
October 28, 2022

NIST has announced its new post-quantum cryptography primitives. So now what? In this episode we discuss the next steps required by the technology industry for widespread adoption of these algorithms and what the enterprise can do starting today to ready itself for quantum-safe encryption.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanSo, one of the stories that we've been covering a lot in the last few months is the new primitives from NIST. So, the winners of NIST’s third round post-quantum crypto contest came out on July 5, day after Independence Day, and since then, there's been a lot in the news, and we've talked about a lot of different angles about that. One of the things though that we have not yet discussed is okay, these primitives are out, what happens next?
Jason SorokoJason SorokoI think, Tim, the most important thing to call out in terms of what is next was written right by NIST, which is these, these primitives, now that they've been selected based off of their properties, they've gone through these contexts - - And don't forget, we are talking about these, we're not stone, stone tablets that were found by a burning bush. These were things that were developed by mathematicians over time based off of a long history of real mathematics and study and it led to not just the thing itself, but also a real honest to goodness implementation. And what needs to happen now is the implementation and the math need to be standardized. And we now have a lot of insight based off of the activities that were done to generally choose, okay, we've shown how these things work, they can work in a general context things like latency, things like key sizes, all these things that were so important during the initial phases now need to come down to alright, what is going to become the standard to make this interoperable amongst all of us? We don't want to have various kinds of implementations out in the world that are incompatible. How do we make it all work? Because as with PKI, Tim, it is just unbelievable how systems work together. It's just so ubiquitous. It's everywhere. And therefore, the standardization exercise is incredibly important when it comes down to these things. That's step one.
Tim CallanTim CallanAnd it's necessary. Like there are so many systems that in the absence of working PKI, you just plain don't have computing. You don't have a digital system at all. And so, it does touch so many standards and just touches so much hardware, software and everything.
Jason SorokoJason SorokoExactly. So what's interesting, though, Tim, is people might come up to us, and I'm going to preempt the question by bringing it up, which is, Jay, I've seen announcements by major content delivery networks and others saying, hey, we've brought quantum safe encryption into our realm. It's now a first-class member of the way that we operate and we're starting to protect stuff with post-quantum cryptography now. So people might ask us well, Jay, Tim, you just told me that step one was standardization, and yet I'm already seeing industry moving ahead with some of this stuff.
Tim CallanTim CallanThat is interesting. So just for instance, one of these recent announcements was Cloudflare. And if you think about Cloudflare, they have this giant network that is entirely in Cloudflare’s control. And one of the things that Cloudflare is very good at is agility. They can take the amount of nodes that can adapt and swap as they're needed to in real time is just breathtaking. And so, Cloudflare has decided inside of our own network, we will use - even though something isn't standardized - we're just gonna use it anyway. We're going to be the standard and we're going to standardize it. And what are your thoughts on that, Jay?
Jason SorokoJason SorokoSo Tim, if you take a look at their blog on the subject, what they've done is they've actually chosen a draft standardization. And so, they've been very open about that and that's great. What it means is, I like the word you used, because of their walled garden, they can be agile because whenever final standards come out, it looks like they can probably swap it out. Like that is my assumption.
Tim CallanTim CallanI'm sure that they plan on updating, perhaps we should say, to match as standards evolve and you could even imagine, again, with an extremely agile organization, you could even imagine, they might not wait for the final versions. They might somewhere along the line make incremental changes as drafts proceed to stay closer to what the ultimate versions of the standards are likely to look like.
Jason SorokoJason SorokoSo, Tim, I want to just dig a little further into what Cloudflare talked about because it to me, it talks about step two. Because Cloudflare, what they've done is they kind of got to step two quickly. And it kind of informs the rest of us who have not implemented post- quantum yet what the next step kind of is. And because it really comes down to this. They took advantage of a bridging technology between legacy systems, legacy PKI, legacy PKI, cryptographic algorithms, RSA, ECC, etc., and are using hybrid certificates to be able to bridge to these draft standard post-quantum algorithms. And so, you and I, Tim, have repeatedly said on this podcast, and we stick with it, the time to get your hands dirty with post-quantum resistant algorithms is now and one of the best ways to do that is to actually start to study what hybrid certificates are all about. It's still the x.509 standard. It's taking advantage of some additional fields to be able to wrap the old algorithms with the new algorithms. Without getting into a lot of detail, that's exactly what Cloudflare has done. They basically not just got their hands dirty, but now they've actually implemented it, and they're implementing it with draft standards.
Tim CallanTim CallanOf course. As long as you're using the same draft standard on both sides, it doesn't really matter that it's a draft. Like there's ways that it matters. But in terms of connectivity, it doesn't matter. Because everybody knows what to expect.
Jason SorokoJason SorokoThe beauty of the hybrid certificates, Tim, is that you could be using Tim Callan’s favorite crypto algorithm… as one of your cryptographic algorithms that you're using in your keys. We bring up that word agile. This is one way to be incredibly agile. You could even use hybrid certificates to switch from RSA to ECC.

And isn't that interesting? Because what happens if one day, two, three, four years from now, it turns out that it isn't even quantum computers we have to worry about. It's some new form of math that has some sort of quadratic sieve, some genius has come up with that somehow now, you're able to guess prime numbers that nobody ever thought possible. And RSA is just beaten. The factorization of RSA just becomes trivial and everybody big rush has to go to ECC. Well, guess what? This is what hybrid certificates can give you. And so, yes, it's usually talked about in the post- quantum sense, but it's useful for any form of algorithm and that's why when we're talking about, hey, why can Cloudflare afford to be using a draft standard before the final standardization? Well, it’s because the hybrid certs. That's the reason.
Tim CallanTim CallanSo, I kind of think of it as a stream. And the top of the stream is the NIST contest. And then the next thing where it flows downstream, the next thing it flows down to is these standards that you're talking about. And there's a bunch of them. And, IETF has to do its thing, but then it drops down another level for the people who work with that sort of stuff. So, in our world, that's something like CA/Browser Forum, or WiMAX Forum or somebody like that. And then after that, I think the next level in the stream, most of the time, is vendors. It's people who create hardware, software and services for sale. And those people work on it as the next stage because what they have to do is they have to go through and say, ok, now that these standards have come out of the organizations that are relevant to me, that I pay attention to, that make sure that I have interoperability in my space, then those providers have to create updated versions of their software that will support those standards. Because they all have to be the same and they have to implement them the same way and use them the same way. And then at that point, that's where the enterprise can really go online, go live with the stuff, because then the enterprise can get those software, hardware services, and implement them, and actually implement them with the new primitives from NIST, or with hybrid certificates because they're using some new primitives and some old primitives. And maybe there's opportunities to jump the queue and Cloudflare is a good example of that, but I think those are rare and special opportunities when organizations have kind of unusual circumstances and unusual capabilities. And for most of the enterprises in the world, I expect it to go through those four phases that I just laid out.
Jason SorokoJason SorokoExactly. Tim. That's a really, really good explanation of a whole other dimension to this, which is the fact that there are layers of layers within all of this and each of them has to do their part. I think that by calling out all of it, you all - the audience to this - gets to hear what the industry as a whole has to do. Like this is a gigantic coming together of a lot of brains. That has to happen and is happening. Thank goodness. This shows you that the world really still does work in a way, because it is all happening as we speak. I think for those of you who are listeners to this podcast wondering well, what about me? I live in an enterprise. What do I do? What's my homework from this? I think there's a couple of real brass tacks homework items.

One is one has been called out. It's number one on the list of whether it's the Department of Homeland Security all the way to other things that we've done other forms of guidance that we've called out. Number one is taking inventory of all the places that you're using PKI. Where are you using ECC algorithm? Where are you using RSA algorithm? It's just I guarantee it's very prevalent within your organization but don't feel overwhelmed by it. Narrow it down. Like in other words, don't worry about systems so much that are using AES encryption. You might see references to AES encryption all over your enterprise. If you see that, that's fantastic. Note it down. But where you really want to focus here in your inventory taking is anywhere you're using RSA or ECC for the purposes of not necessarily just an encryption, we're talking about use cases such as SSL. Even though that term has been deprecated to TLS, most of you guys know it as SSL. In other words, where are your web servers? That's the first question because those systems will be affected by this. And the second major category of systems is going to be anywhere that you're doing authentication. In other words, anywhere you are using PKI for authentication is going to be affected by this. And the third area is anywhere where you're doing signing. You're probably not generating code signing certificates, but you may be in the possession of PKI certificates for the purposes of document signing, for example. And so therefore, that's the third major area that I think concentrate on those. The first major area is just good old-fashioned AES encryption. That's really not as affected by this. But those other three categories, those are the ones where you want to get your inventory list really, really tight.

While you're doing that, I think an exercise in parallel is for those enterprises - and there's a lot of you out there - who are running things like MSCA. Good old-fashioned Microsoft CA, Active Directory Certificate Services for those of you know it as that. So those of you who are running CAs from other CA vendors, for private PKI purposes. That's absolutely, absolutely core in your inventory and because those are used for many of those use cases that we just talked about. The thing is, the thing is, you may want to experiment with what does a native post-quantum CA look like? That's available. And in fact, the usage of hybrid certificates is something that you can now get your hands dirty with and the beauty of it is if you have staff that are already running those kinds of PKI resources in your enterprise, they have more than enough capability to get their hands dirty with the new stuff and start learning what a hybrid cert looks like, the length of time it takes to actually issue one. Play around. Because of the fact that you can swap between post-quantum cryptographic algorithms, do that. Have a look at what each of them do. Become opinionated about Kyber and some of the others that are available to you. I would challenge any enterprise - you're good at this when you can make informed statements about we've chosen Kyber over the other NIST, you know, NIST choices because of x, y, or z. If you can repeat that back to me, you guys get an A+, because you're exactly where you need to be at this point in the game, with what Tim just said about where the rest of the industry, what it's doing, and what you'll ultimately have to respond to, once we're there.
Tim CallanTim CallanAnd then at the same time, if I can build on that, Jay, I think a lot of this work is going to have to be done by people who aren't the enterprise. They are the enterprise’s vendors. So, I can put hybrid certs in place and if those hybrid certs keep using RSA into the indefinite future, I haven't solved anything. And so, what I need to do is I need to make sure that my systems are being upgraded to the point where they're able to use the post-quantum crypto and that's going to be a matter of patching or version upgrades. Like in the case of software that I'm running, if I'm running the software on my hardware, I'm going to need to patch it or upgrade the version or do something like that, I'm going to need to look to my vendors to tell me when they're going to have that available for me and I'm going to need to decide if that soon enough. Or if I need a Plan B. Maybe that's the time to switch vendors.

In the case of SaaS, I think that's mostly going to be handled for you. So you’re using a SaaS service, it's pretty much that vendor’s problem, except for kind of an unusual circumstance, it's that vendor’s problem to get that cryptography upgraded but you're still the one who is vulnerable. So understanding what their plans are, and their timelines are and whether again, whether you're happy with those plans and timelines is also something that the enterprise can be working on now. And then there are going to be some legacy systems, or there's going to be some hardware that may be extremely inflexible and under those circumstances, you're going to have to make a decision. You're going to decide, are these things that I'm willing to take my chances with? Maybe because it's not that essential what they do, maybe there's no real secrets there? Maybe if it got knocked down, we could weather it? Or are these core? Are these very essential? And once again there, do I need to think about an upgrade? Do I need to think about changing out that hardware? Or do I think I need think about changing out that legacy homegrown baseline system that things are built on that just isn't safe anymore? And so that's another way I think to think about this as an enterprise, is you look at what are the sources of technology that I have and what are those sources going to do to allow me to be quantum safe and when.
Jason SorokoJason SorokoTim, there's the old saying, don't roll your own crypto and I think a lot of people follow that. That's great. I'm so glad that most people do follow that old rule of thumb. But, I think there's a new rule of thumb, that those of you who are in the business, probably, you're either learning it or hopefully learning it the easy way, not the hard way, which is it used to be quite popular to be paranoid about, I would never use anything in the cloud, I would never use anything hosted. These are my core, core secrets, generators, and therefore I want to be able to hug them. I want to go into my server room and be able to touch the system that’s actually generating those secrets. And the problem is this. That system, whatever you installed way back in, who knows, late 90s to 2000s, look, unfortunately, that's aging. You probably built a whole pile of infrastructure around that, and it's an aging system that now is going to be vulnerable in the post-quantum world. And so therefore don't make it a liability. That apparent need to have it very close to you. Tim is pointing out in a very kind way, if you really get down to brass tacks, do you want to not just not roll your own crypto, but hosting your own CAs, you better have a really, really good reason, going into this pre-post quantum period over the next X number of years. When you're making decisions about swapping systems, and, whatever it is you're building in your enterprise. And I would tell you, you better be military or somebody with unbelievable concerns about secrecy to be able to have the smarts to be able to swap out an entire cryptographic algorithm in a legacy system. It's not going to be easy. So, think about what the vendors are doing.

I think it's fantastic that your content delivery network, you don't have to worry about it too much. It's just there. Your inventory sheet is just a checkmark, saying my understanding is that my content delivery network is already using post-quantum algorithms. Fantastic. But for those of you who say don't have your PKI hosted in the cloud, a lot of you who are running it in-house, what are you going to do with that? And maybe the decision is maybe I look at dealing with a vendor who's taking care of this for me.
Tim CallanTim CallanMaybe this is the motivating factor to make that change.
Jason SorokoJason SorokoAnd that's it, Tim, don't roll your own crypto, and my goodness, it's already difficult and choosing your correct certificate profile is not easy. It requires you to do it right. And a lot of times you work with a security vendor, and they can help you to do that but it can take a long time and it's risky. Well, even hosting your own system has other risks. There's people who do that for a living and do it very, very well. Just like with your content delivery network, you're not reinventing what Cloudflare does. Well, why should you be reinventing what a cryptographic system is doing? Which is just unbelievably complex. I'm just repeating myself now but I am thinking that it comes almost under that rule of thumb of don't roll your own crypto and don't even host your own crypto.
Tim CallanTim CallanI think that's a really good point. Like is this is this the motivating event that should cause you to reconsider that decision that probably was made long ago when things were very different and maybe this is the time and a lot of people stick with what they're doing because they don't want to take on the project of moving it or not right now. But you're gonna have a project either way. And so maybe this is a smart time to think about moving to something that's hosted for you. Let that vendor worry about all these difficult problems and just sort of take advantage of the work they do. I think that's a good point.

So the new NIST algorithms are out and we see there's a lot of work to be done but I hope part of the takeaway here is that there are things that you can do starting now and then the rest of the industry will work through its work and we'll all be able to move over to these algorithms.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud