Tim Callan, Chief Experience Officer at Sectigo
Today, personal and enterprise data is encrypted and secured using public key infrastructure (PKI) digital certificates. This technology acts like a passport in the digital world for both people and the machines they use (such as software, code, bots, IoT/OT, laptops, and devices).
Although most people are unaware that PKI underpins nearly every aspect of digital life, businesses cannot transact securely without it. PKI uses cryptography to provide a digital stamp of trust that authenticates the vast numbers of people and machines requesting access to sensitive data. However, quantum computers threaten this cryptographic foundation and, with it, the ability to establish digital trust. When the first sufficiently powerful quantum computer arrives, likely in the next few years, the world’s data will become easily decrypted by whoever has access to one of these computers, a scenario referred to as the ‘quantum apocalypse’.
Quantum computers rely on quantum physics to solve problems at a much faster rate than traditional computers. These computers can run multiple processes simultaneously, exponentially increasing processing rates and the ability to perform complex tasks, making it many orders of magnitude faster for them to break encrypted files secured by digital certificates. That means in the next few years enterprises will have to upgrade all their cryptography to new, quantum-safe PKI cryptographic algorithms to retain the security of their digital operations.
What It Means to Be ‘Crypto Agile’
In the context of digital certificates, ‘cryptographic agility’ refers to an enterprise’s ability to keep the essential cryptographic primitives across its ecosystem up to date, reliable, and robust. In its most comprehensive form, crypto agility is a constantly moving target: the ability to respond rapidly to change. Crypto agility has never been more critical, as IT leaders face ever-increasing volumes of certificates with rapidly decreasing lifespans while the consequences of quantum computing inch closer to reality.
To fully comprehend the significant cryptographic changes that are required to prepare for the quantum threat, it is important to first outline today’s landscape.
Devices such as phones, laptops, and servers are all secured by digital certificates, as are many other essential parts of our lives such as passports and credit cards. PKI keeps sensitive data secure and authentic by relying on two families of cryptographic algorithms, RSA (Rivest-Shamir-Adleman) and ECC (elliptic-curve cryptography). However, because quantum computers operate differently from traditional computing architectures, RSA and ECC are easily broken by a sufficiently powerful quantum computer. A traditional computer would take an average of 300 trillion years to break traditional encryption at accepted current levels, whereas an equivalently powerful quantum computer will require a mere week to do the same.
To prevent what essentially would be the destruction of nearly all encryption the world over, the US National Institute of Standards and Technology (NIST) has devoted the last six years to leading a global search for quantum-safe algorithms. Earlier this year, NIST announced a new set of cryptographic foundations that can successfully resist quantum decryption: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.
Now that NIST has announced these quantum-safe algorithms, enterprises must prepare to implement them across their networks and systems after they become standardised, which is expected by 2024.
Crypto Agility in the Quantum Era
To ensure crypto agility, enterprises will need to implement X.509 hybrid certificates, which carry both traditional and quantum-safe keys and signatures. These are crucial for certificate chains and relying-party ecosystems that contain multiple components which cannot all be upgraded at the same time. Instead, the cross-signed certificates manage the migration pathway, allowing a more manageable transition from today’s PKI cryptography to post-quantum cryptography once the new algorithms are standardised.
The best way to imagine hybrid certificates is to think of a house with two doors, where each door requires the same key. If you want to change the keys, you do it first by updating the lock in one of the two doors. Now only those with the new key will be able to open that door. However, all those with the old key are still able to enter the house using the second door with the unchanged lock. Once the new keys for the front door lock are successfully in the hands of all users, the back door lock can then be changed without anyone losing access. Like the new front door lock, hybrid certificates provide bridges between today’s cryptography and the new quantum-safe algorithms that require implementation.
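The two-door policy above, as an added example that is not code from the original article or from Sectigo: a constructed `HybridCert` carries one to-be-signed body with a classical Ed25519 signature and a quantum-safe one, and the verifier checks either the classical door alone (legacy relying party) or both doors (PQ-aware relying party). The quantum-safe signature is a hash-based Lamport one-time signature, which is only a teaching stand-in for SPHINCS+ or Dilithium; the certificate layout and all names are assumptions, not an X.509 encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// A Lamport one-time signature over SHA-256 stands in for the hash-based
// quantum-safe component (a teaching stand-in, not SPHINCS+ or Dilithium).
type LamportKey [256][2][32]byte // private: 512 random secrets; public: their hashes
type LamportSig [256][32]byte    // one revealed secret per bit of SHA-256(msg)
func bit(h [32]byte, i int) byte { return (h[i/8] >> (7 - uint(i%8))) & 1 }
func LamportGen() (priv, pub LamportKey) {
	for i := range priv {
		for b := range priv[i] {
			rand.Read(priv[i][b][:])
			pub[i][b] = sha256.Sum256(priv[i][b][:])
		}
	}
	return
}
func LamportSign(priv LamportKey, msg []byte) (sig LamportSig) {
	h := sha256.Sum256(msg)
	for i := range sig {
		sig[i] = priv[i][bit(h, i)] // reveal the secret matching each message bit
	}
	return
}
func LamportVerify(pub LamportKey, msg []byte, sig LamportSig) bool {
	h := sha256.Sum256(msg)
	for i := range sig { // re-hash each revealed secret and compare with the public key
		if sha256.Sum256(sig[i][:]) != pub[i][bit(h, i)] {
			return false
		}
	}
	return true
}

// HybridCert is a constructed stand-in for an X.509 hybrid certificate: one
// to-be-signed body with a classical (Ed25519) and a PQ (Lamport) signature.
type HybridCert struct {
	TBS, Classic []byte
	PQ           LamportSig
}
// VerifyHybrid is the "two doors" policy: a PQ-aware relying party must open both
// doors; a legacy relying party checks only the classical signature it understands.
func VerifyHybrid(c HybridCert, edPub ed25519.PublicKey, lpub LamportKey, pqAware bool) bool {
	return ed25519.Verify(edPub, c.TBS, c.Classic) && (!pqAware || LamportVerify(lpub, c.TBS, c.PQ))
}
```

A Lamport key must never sign two different messages, which is why real hash-based schemes such as SPHINCS+ build many one-time keys into a tree.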
The rollout of these new cryptographic algorithms must be carefully managed, a significant challenge given the sheer scale of existing certificates. This requires a single-pane-of-glass Certificate Lifecycle Management (CLM) platform to discover, issue, renew, manage, and automate the lifecycle of every digital certificate, including hybrid certificates. Automated CLM keeps all PKI secure and reduces the risk of a breach or vulnerability caused by an expired certificate.
Over time, one can expect increasingly rapid replacement of cryptographic primitives, coupled with continually shortening certificate lifespans. Those able to respond rapidly to these changes will be the ones considered cryptographically agile.