Free Trial
Contact Us
Podcast

Root Causes 447: NIST Deprecates RSA-2048 and ECC 256

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
December 13, 2024

As part of its post-quantum cryptography (PQC) initiative NIST has released a draft deprecating RSA-2048 and ECC 256 by 2030 and disallowing them by 2035. We get into the details.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanIn our ongoing coverage of NIST and post-quantum cryptography, there was a recent announcement from NIST about the deprecation of certain key lengths of RSA and ECC.
Jason SorokoJason SorokoLet’s get the reference to the document out so all of us can read together.

And so the title of this document from NIST is Transition To Post-Quantum Cryptography Standards, NIST IR 8547, and this is - and I want to note this - an initial public draft that came out on November 12, 2024 and is basically within its comment period until sometime in January 2025. We're covering this early, Tim, because I think the implications of this document are very, very important.

Basically, what NIST is doing here is saying we intend to change our guidance on some cryptographic algorithms. Now this has happened in the past. The deprecation of SHA-1 and a number of other things. This has happened before. So there is precedence for this. However, to really just get the main message out of this document is that RSA 2048, ECC 256, so we're talking like the number one and number two cryptographic algorithms that are used today for things such as encryption of data in transit, SSL, publicly trusted certificates, a lot of you who have configured your private Certificate Authorities, you are probably using one or maybe even both of those cryptographic algorithms. What NIST is saying in this document, from my interpretation and from a lot of people's interpretation, is the deprecation of RSA 2048, ECC 256, will be by at some point in 2030 and a disallowed in 2035. So Tim, that's huge news.
Tim CallanTim CallanThat's big news. Now, a couple things jump out at me here. First of all is 2030. That date doesn't seem like a coincidence does it? Because there's been a lot of discussion about 2030 as kind of a target date for when we think that cryptographic relevance for quantum computer is reality.
Jason SorokoJason SorokoTim, you are absolutely dead correct. And really, I think the way to interpret this in really simple words is this, you and I have done a lot of podcasts on what is the Z date, the Q date. When is the panic button going to get hit on post-quantum and I think that what NIST is doing is basically saying we're not even waiting for a quantum computer to arrive that will have a sufficient number of stable qubits and run Shor's algorithm and break RSA or ECC. We're going to put a line in the sand right now and tell everybody you have to start preparing for the deprecation of today's cryptographic algorithms - and I'm talking about specifically RSA and ECC, not AES or the others - and you have to start preparing for that and we're going to put a date where our guidance says these things are deprecated within 2030 and so that's it, Tim. You got it right.
Tim CallanTim CallanAnd it's almost 2025. So basically, that gives everybody five years to do this work, which on the one hand seems like plenty of time, but on the other hand, think about how long systems and code bases and things can sometimes hang around.
Jason SorokoJason SorokoNow that is why this is being done. It's giving people plenty of time to ramp up and get ready. Tim, I think this is the biggest shot across the bow that's necessary for you and your involvement with the CA/Browser Forum. I think you probably heard this loud and clear now to say, guys, it's time. It's time to start getting ready for not just publicly trusted certificates, but privately trusted certificates and all the work that's going to be necessary. Regardless of where you're using these legacy cryptographic algorithms, all industry will have to come together and be prepared for 2030.
Tim CallanTim CallanSure. And so this isn't just important to the CIO or the CISO at the enterprise. This is also very important I would say to the technology vendors that sell to them because those folks should be looking at this and saying, okay, I have to have product roadmaps that support these schedules or I'm going to lose my customers to my competitors who do. And that should also I think be very motivational in seeing broad support for the new algorithms coming into the software and hardware where ultimately those users are going to need it.
Jason SorokoJason SorokoExactly, Tim. Listen, for those of you who are working with something like Microsoft Active Directory Certificate Services, also commonly known as Microsoft CA, is your on-prem PKI that you've probably been running for more than a decade, perhaps even two decades, is there a path forward for you to be able to run the alternative cryptographic algorithms? If the answer is no, that means your MSCA might be running a deprecated cryptographic algorithm past 2030. That's something to plan for.
Tim CallanTim CallanExactly. And, again, this gives people time to identify these things and have a project and get going. But five years, like if you squander the five years, you're not going to be happy about that. Let me ask you this, Jason. What is the difference between deprecated and disallowed?
Jason SorokoJason SorokoThis is not the technically correct answer, Tim. But I think this is the reality. This is the real answer. The real answer is this. I think you will probably see some systems - not publicly trusted certificates, but like some forms of private systems that have been around for 20 years, where they're giving you this period of time where you can run it until 2030 happily and then just like Bruno Couillard taught us during one of our previous podcasts, he said, we're probably going to live for a period of four to five years at least, where we're going to have legacy systems that are essentially running deprecated cryptographic algorithms. So they will be operational but deprecated in the sense that they work, they do what they need to do, but we have to consider them unsafe. It'll be a very strange period of time. And what NIST is basically saying is, you basically have until 2035 until you really, absolutely do have to completely change out and rip and replace these systems. You really shouldn't past 2035 have a deprecated system in place.
Tim CallanTim CallanBut really, like if at all possible, you should try to be off it on 2030 and for the difficult, sticky stuff, make extra 100% sure you’re off it by 2035. Would that be the right way to put it?
Jason SorokoJason SorokoAbsolutely, Tim. It’s a period of motivation. It's very actually close an idea to what you've explained in a previous podcast about the reason for a 200- day step down period, and 100-day and 45-day, 47-day step down period for publicly trusted certificate maximum certificate lifespan. It's the same kind of an idea that it's just this constant motivation to move you forward to what's next, without putting you into a lurch all at once, in a binary state of everything's just completely disallowed all at once.
Tim CallanTim CallanSure. I get that. And okay. I mean, I think this is interesting. It's interesting that you brought up the SHA-1 deprecation, which I think a lot of people don't know, or it's easy for us to forget that really was driven by NIST.

And look how thorough and successful that was. And so this kind of guidance matters. Like, like, there's no enforcement here. NIST doesn't have the authority to force people to do this, or to punish them if they don't, or reward them if they do. But it is considered to be a very authoritative source of best practices and so when these kind of recommendations come out, they are very strong. A lot of people just follow the NIST guidelines and even if they don't, oftentimes those govern other guidelines.
Jason SorokoJason SorokoThat is absolutely correct, and that is what this document is. In fact, Tim, there's a lot more in this document we're going to cover in future podcasts, but there's really one more point that I want to make here, which is both ML-KEM and ML-DSA are also noted in this document that we're citing, and the allowed or recommended parameters, basically the bits of security are within this document. So to put it into real simple English terms, they're not just saying RSA or ECC past a certain bit length are deprecated. What they are also saying is they are offering ML-KEM and ML-DSA as the alternatives, and so this is one of the first times we've seen this, basically. Of course, the standards dropped from NIST. You and I covered this in previous podcasts. We had Dr. Dustin Moody explaining exactly what the process was, but now we're finally seeing, okay, guidance is changing so that these new cryptographic algorithm standards that are post-quantum based are now going to be allowed and part of guidance. And so therefore, not only do you see deprecation, but you see the recommendation to the next thing.
Tim CallanTim CallanAbsolutely. So anyway, important and I think you said November 12 was when that came out, so that's quite recent. And, guidance like this is going to stick around for a long time, and people are going to be looking at this for a lot of years to come.
Jason SorokoJason SorokoI think we're going to be waiting until probably January, or a little longer before this becomes an official document. Right now, it's basically open for comment. This is an initial public document for draft and so we will report on when this thing crystallizes. But there it is. We wanted to get this information out.
Tim CallanTim CallanAnd for something like this, I get that it's open for commentary, and I get that they're listening, and I get that they're prepared to make adjustments. I would predict that we see adjustments. We don't see the basic guidance change. Like they're not gonna stop deprecating and disallowing. They're not gonna decide that they don't want to deprecate and disallow these algorithms. It just may be some of the subtleties of what's in the advice in the document changes.
Jason SorokoJason SorokoI think your intuition is dead on, Tim and folks, let's sum this up with really what NIST is telling you. NIST is telling you that they're not waiting for a quantum computer to show up and surprise us before we start deprecating or recommending the deprecation of our legacy cryptographic algorithms. They're basically giving you a date right now which lines right up with what we've been telling you is the most commonly cited date for when we expect quantum computers to be sufficiently powerful to or at least within the ballpark of being scary enough to render the legacy cryptographic algorithms deprecated and disallowed. And we now have the dates. We now see what the guidance is going to be, and we see the dates. It's now on paper and printed, Tim. We no longer have to ask ourselves when.
Tim CallanTim CallanI think so. I think this is important, and we wanted to tell you guys about it right away, and we may dip back into this later, but that's the headline for today.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud