Transforming PKI Migrations: Unlocking the Power of Crypto-Agility with Quantum-Safe Multiple Algorithm Certificates

By Alexander Truskovsky, Senior Product Manager, ISARA Corporation 

Published on Apr. 12, 2018


Crypto-agility is the key to migrating information and communication technology (ICT) systems cost-effectively from legacy to quantum-safe cryptography.

Our dual-algorithm approach to certificates, ISARA Catalyst Agile Digital Certificate Technology, makes this possible for large organizations and governments.

In this post, you’ll learn about:

  • Why crypto-agility is necessary to reduce switching costs
  • Challenges to achieving crypto-agility
  • Our unique approach to multiple algorithm certificates for crypto-agility (ISARA Catalyst Agile Digital Certificate Technology)
  • Our collaboration with Cisco Systems to create the first digital certificate compatible with both classic and quantum-safe cryptographic algorithms, including a live server for developers to try out the new certificates
  • International standards update to address the quantum-safe migration at a large scale

Reduce switching costs by incorporating crypto-agility

When technology is updated or changed in any way in an existing communications network or system, the owner of such a system incurs a technology switching-cost. For example, replacing certain legacy equipment and/or associated software may also mandate the complete replacement of every other network component with which the replacement equipment needs to communicate.  In such a case, the impact of technology switching-costs may be devastating to the business, as there can be serious impacts on labour, scheduling, potential outages, as well as equipment and software costs. This switching-cost may nevertheless be managed in order to limit the associated business liability. One such technique to manage technology switching-cost in the context of cryptographic systems is referred to as “crypto-agility”.

What is crypto-agility? 

It is the ability for cryptographic protocols and applications to transition to new cryptographic primitives with relative ease, even allowing legacy equipment and software to co-exist with updated software at times. This permits a gradual migration from legacy to updated technology and allows the manager of systems to monitor the incremental impact of the changes.

There are two challenges to achieving crypto-agility: quantum-safe algorithm suitability and the migration process itself.

  1. The first challenge to implementing crypto-agility is algorithm suitability. Most quantum-safe candidate replacements differ from their classic counterparts in size, speed, and queue and buffer sizes, and they introduce concerns we have not had to deal with before, such as private key state management and directionality. Multiple quantum-safe replacement algorithms are likely to be standardized to ensure there are algorithmic options for every type of cryptographic protocol, and that there is a standardized migration path among these options where possible.
  2. The second problem is the migration itself. How easy is it for systems to negotiate between classic and quantum-safe algorithms during migration? While key establishment is typically negotiated between peers, authentication typically relies on a single algorithm in the identity certificate issued by the Public Key Infrastructure (PKI). Often, enterprise PKIs service a number of types of applications, anything from providing credentials for physical access control to system login authentication to application authorization to VPNs.

All of these dependent systems need to migrate at once if the PKI is upgraded, which means that many, if not most, of the components of an existing system may need to be replaced. Such forklift upgrades don’t usually work, as they often incur service outages that may seriously impact the user’s business. Another approach to updating systems is to duplicate credentials and let users or applications choose which one to use. This duplicates PKI resources and creates additional support issues and labour costs for already resource-limited IT departments.

ISARA’s solution: one certificate, multiple algorithms via ISARA Catalyst Agile Digital Certificate Technology

What is needed to transition to quantum-safe systems is the ability to negotiate an authentication algorithm without duplicating certificates. We would like to migrate to a new authentication mechanism in the PKI and its dependent systems in the same way key establishment is negotiated today. At ISARA, we developed ISARA Catalyst Agile Digital Certificate Technology, which enables a public-key certificate that can contain multiple public keys and multiple issuer signatures.

What this allows us to do is update the PKI to use multiple public-key algorithms without any impact on the legacy applications that only understand classic cryptography. In the meantime, applications that are upgraded to support quantum-safe cryptographic algorithms can use the quantum-safe algorithms in the certificates. Simply put, your existing equipment and software can still operate, and will not be disrupted by new certificates.

Cisco Systems and ISARA partner on public demo of the world’s first digital certificate compatible with both classic and quantum-safe cryptographic algorithms

Along with our partners at Cisco Systems, we created a public demo to showcase the use of these certificates to obtain cryptographic agility in both the EST protocol (RFC 7030) and the TLS 1.2 protocol (RFC 5246). Users can download a hybrid root certificate and request a hybrid end-entity certificate from the EST server. They can then connect to the TLS server using the hybrid certificate such that either a classic or a quantum-safe cipher suite is used for the digital signature. For more information please visit. We want to thank Cisco Systems for working with us to create this demonstration of a real-world quantum-safe implementation with cryptographic agility.

X.509 certificate standards will be updated

Together with our collaborators at Cisco Systems and Entrust Datacard, we submitted an Internet-Draft to the IETF outlining the new X.509 certificate format. The new certificate carries multiple public-key algorithms and can be used both by systems upgraded to support quantum-safe cryptographic algorithms and, without any changes, by non-upgraded systems that still rely on classic cryptographic algorithms. The additional public keys and signatures are placed in non-critical extensions, so non-upgraded applications can process the certificate without failing. The signatures are layered so that all certificate attributes are covered by both signatures; the classic signature, however, is applied last, which keeps the resulting certificates compatible with existing unmodified systems.
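To make the layering concrete for both the "one certificate, multiple algorithms" idea above and the extension placement described here, the following is an added Python model (not ISARA's, Cisco's or the Internet-Draft's code): the alternative public key and signature ride in extensions, the alternative signature is computed first over everything except itself, and the classic signature is applied last over the whole structure. HMAC-SHA256 and sorted JSON stand in for the two signature algorithms and for DER encoding; the extension names, the issuer keys and the sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed issuer keys. HMAC-SHA256 stands in for both the classic and the
# quantum-safe signature algorithm; what the model shows is which bytes each
# signature covers and the order they are applied, not the primitive itself.
CLASSIC_KEY = b"constructed-classic-issuer-key"
ALT_KEY = b"constructed-quantum-safe-issuer-key"
ALT_EXTS = {"altSubjectPublicKey", "altSignatureAlgorithm", "altSignatureValue"}

def encode(tbs):
    """Canonical encoding of the to-be-signed structure (stands in for DER)."""
    return json.dumps(tbs, sort_keys=True).encode()

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue_hybrid(subject, classic_spki, alt_spki, critical=False):
    tbs = {"subject": subject, "issuer": "Constructed Hybrid CA",
           "subjectPublicKeyInfo": classic_spki, "extensions": {}}
    ext = tbs["extensions"]
    ext["altSubjectPublicKey"] = {"critical": critical, "value": alt_spki}
    ext["altSignatureAlgorithm"] = {"critical": critical, "value": "alt-sig-alg"}
    # Alt signature: over every attribute present so far, i.e. everything but itself.
    ext["altSignatureValue"] = {"critical": critical, "value": sign(ALT_KEY, encode(tbs))}
    # Classic signature is applied last, over the TBS including the alt extensions.
    return {"tbs": tbs, "signatureValue": sign(CLASSIC_KEY, encode(tbs))}

def classic_ok(cert):
    return hmac.compare_digest(sign(CLASSIC_KEY, encode(cert["tbs"])), cert["signatureValue"])

def verify_legacy(cert):
    """Non-upgraded verifier: skips extensions it does not know, but per RFC 5280
    must reject a certificate carrying an unknown extension marked critical."""
    exts = cert["tbs"]["extensions"]
    if any(e["critical"] for name, e in exts.items() if name in ALT_EXTS):
        return False
    return classic_ok(cert)

def verify_upgraded(cert):
    """Upgraded verifier: classic signature, then alt signature over TBS minus altSignatureValue."""
    if not classic_ok(cert):
        return False
    exts = cert["tbs"]["extensions"]
    pre = {k: v for k, v in cert["tbs"].items() if k != "extensions"}
    pre["extensions"] = {n: e for n, e in exts.items() if n != "altSignatureValue"}
    return hmac.compare_digest(sign(ALT_KEY, encode(pre)), exts["altSignatureValue"]["value"])
```

Marking the alt extensions critical (the `critical=True` path) shows why the draft keeps them non-critical: a legacy verifier must then reject the certificate, while an upgraded one still accepts it. Because the classic signature also covers the alt extensions, swapping the alt public key breaks verification on both kinds of system.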

The latest revision of this certificate format is available in the OpenSSL connector, which is part of the ISARA Radiate™ Quantum-safe Toolkit. Learn more about ISARA Radiate.

Thank you to Cisco’s team for their collaboration on this release.

Read the blog post "Towards Backward-Compatible Post-Quantum Certificate Authentication" by Cisco Technical Marketing Engineer Panos Kampanakis to learn more about Cisco’s take on this collaboration.