As quantum computing moves closer to practical realization, the threat it poses to cryptographic systems, and to Transport Layer Security (TLS) certificates in particular, is too serious to ignore and demands preparation now. Quantum computers have the potential to break widely used encryption algorithms, making post-quantum encryption (PQE) and crypto-agility essential topics for discussion and action.
Understanding the quantum threat
Quantum computers operate on principles fundamentally different from classical computers. While classical computers use bits as their smallest unit of data, quantum computers use quantum bits (qubits), which can exist in multiple states simultaneously. This capability allows quantum computers to solve certain problems exponentially faster than classical computers. In other words, quantum computers should not be thought of as “super computers” that solve every problem faster; rather, they will be extremely good at certain tasks, such as integer factorization and related number-crunching techniques.
The implications for cryptography are profound. Algorithms like RSA, ECC (Elliptic Curve Cryptography), and DSA (Digital Signature Algorithm) rely on the difficulty of problems like integer factorization and discrete logarithms, problems that quantum computers can solve efficiently. This means that the encryption and digital signatures that currently secure TLS connections could be rendered obsolete.
Post-quantum encryption (PQE)
The primary challenge in PQE is selecting algorithms that can withstand quantum attacks. The National Institute of Standards and Technology (NIST) has been leading an effort to identify and standardize quantum-resistant cryptographic algorithms. This involves evaluating numerous candidates based on security, performance, and ease of implementation. The challenge lies in the uncertainty and the rapid pace of advancements in quantum computing, which complicates the prediction of which algorithms will be most effective in the long term.
Post-quantum algorithms tend to require larger key sizes and more computational resources than their classical counterparts. They also rest on mathematical problems other than factorization and discrete logarithms, which is what makes quantum computers far less effective against them. A side effect is that these new algorithms can increase latency and place higher demands on processing power and storage. Ensuring that they can be implemented efficiently in high-demand environments (such as heavily loaded servers) and in resource-constrained ones (such as IoT devices and mobile platforms) is a significant challenge.
Transitioning to post-quantum algorithms necessitates widespread changes across systems and protocols. Ensuring interoperability between systems using different cryptographic standards during the transition phase is complex. Organizations must manage mixed environments where classical and post-quantum systems coexist, which can lead to compatibility issues and require extensive testing and validation, especially since the new algorithms have yet to be fully defined and endorsed by regulatory bodies.
Companies must start looking at all this and aim to be ready as soon as possible; in the meantime, there are mitigating steps that can be taken, such as building up “crypto-agility” capabilities that allow keys and certificates to be rotated efficiently, reducing exposure to attacks.
Crypto-Agility
Crypto-agility refers to the ability of a system to switch between cryptographic algorithms and keys with minimal disruption. This capability is crucial in a post-quantum world where the cryptographic landscape may change rapidly.
Systems must be designed with flexibility in mind, allowing for automated key rotation and the integration of new algorithms. This often involves abstracting cryptographic operations to allow for the easy swapping of underlying algorithms without significant changes to the system architecture. However, designing such flexible systems can be challenging, especially for legacy systems not built with crypto-agility in mind.
Implementing automated updates for keys, certificates and cryptographic algorithms is essential for maintaining security in the face of new threats. However, ensuring that updates are applied consistently and correctly across all systems, and that they do not introduce new vulnerabilities or disrupt operations, is a complex task. Automated updates also require robust monitoring and rollback mechanisms to address any issues that arise.
TLS certificates and management
TLS certificates are a cornerstone of secure communications on the internet, providing authentication and enabling encrypted connections. The management of these certificates in the context of post-quantum encryption and crypto-agility introduces additional challenges.
The issuance and lifecycle management of TLS certificates must be adapted to support post-quantum cryptographic algorithms. Certificate Authorities (CAs) need to develop processes for generating, validating, and issuing post-quantum certificates. Additionally, organizations must manage the lifecycle of these certificates, including renewal and revocation, in a post-quantum context. This involves updating certificate management tools and practices to handle larger key sizes and new algorithms.
Deploying post-quantum certificates requires ensuring compatibility with existing systems and applications. This includes updating servers, clients, and intermediaries to support new algorithms and key sizes. Organizations must also coordinate with partners and third-party services to ensure interoperability. The transition period, where both classical and post-quantum certificates may be in use, adds complexity to deployment strategies.
Effective monitoring of TLS certificates is crucial for maintaining security. This includes tracking certificate expiration, detecting potential compromises, and ensuring compliance with security policies. In a post-quantum world, monitoring systems must be adapted to handle the characteristics of post-quantum certificates and to respond to new types of threats. Rapid response mechanisms are essential to address vulnerabilities and update certificates as needed.
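As an added example (not Venafi's or WISeKey's code), the following Go program shows the two checks such a monitor needs to run side by side over a certificate inventory: the usual expiry watch, and a classification of each certificate's public-key family so that keys a quantum computer could break are flagged for migration. It uses only the standard crypto/x509 package; the self-signed ECDSA certificate, the hostname and the 30-day renewal window are constructed assumptions standing in for certificates pulled from real servers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Key families whose security rests on factoring or discrete logarithms, the problems Shor's algorithm solves.
var quantumVulnerable = map[x509.PublicKeyAlgorithm]bool{
	x509.RSA: true, x509.DSA: true, x509.ECDSA: true, x509.Ed25519: true,
}

// Assess returns the days left on a certificate and the actions the monitor should raise:
// renewal when inside the window, migration when the key is quantum-vulnerable. Empty reasons means nothing to do yet.
func Assess(cert *x509.Certificate, now time.Time, renewWithinDays int) (int, []string) {
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	var reasons []string
	if days <= renewWithinDays {
		reasons = append(reasons, "renew: expires within window")
	}
	if quantumVulnerable[cert.PublicKeyAlgorithm] {
		reasons = append(reasons, "migrate: "+cert.PublicKeyAlgorithm.String()+" key is quantum-vulnerable")
	}
	return days, reasons
}

// NewSampleCert builds a constructed self-signed ECDSA certificate standing in for one pulled from a server.
// X.509 stores validity at second precision, so pass notBefore in UTC truncated to whole seconds for exact day counts.
func NewSampleCert(cn string, notBefore time.Time, validDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, validDays)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() { // constructed demo: a 20-day ECDSA certificate checked against a 30-day renewal window
	now := time.Now().UTC().Truncate(time.Second)
	cert, err := NewSampleCert("www.example.test", now, 20)
	if err != nil { panic(err) }
	fmt.Println(Assess(cert, now, 30))
}
```

In a real deployment the certificates would come from TLS scans or a certificate management platform rather than being generated in place, and the migration reason would feed the crypto-agility work described above.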
Moving forward today with Venafi and WISeKey
Organizations must stay abreast of developments in quantum computing and post-quantum cryptography. This includes following standards bodies like NIST and participating in industry forums and working groups.
In the meantime, and in parallel, it becomes crucial to adopt tools such as the Venafi Control Plane for automated certificate management, combined with efficient Trust Service providers such as WISeKey, which can seamlessly generate publicly trusted TLS certificates.