Is Your Cryptographic Infrastructure Healthy?

 Ah, a new year. This is the logical time to take steps toward better health. As we embrace a new year, a healthy checklist for individuals may include:

  • Eat more vegetables
  • Drink more water
  • Exercise
  • Eat more fiber
  • Wear sunscreen

 What about your organization’s cryptographic infrastructure? Is it healthy? What can enterprises do now to keep theirs in good shape, especially as the industry collectively moves toward post-quantum cryptography?

With enterprises planning to migrate all of their cryptographic assets from classical public-key cryptography to quantum-safe cryptography, they can improve their infrastructure wellness now by taking preventative steps with crypto-agile solutions. Think of crypto-agility as the “super food” for cryptographic wellness.

 NIST: The Latest on Post-Quantum Cryptography

The latest update from NIST indicates that everything is moving forward with the post-quantum cryptography (PQC) standardization project and lots of progress has been made. On January 14, Dustin Moody of NIST gave a presentation to ASC X9 Inc., wherein he shared insights on where the project stands today and where it will go in 2021 and beyond.

But first, a quick overview of the project. “The goal of this research is to develop cryptographic algorithms that would be secure against both quantum and classical computers. These algorithms could serve as replacements for our current public-key cryptosystems to prepare for the eventuality that large-scale quantum computers become a reality,” states NIST. With quantum computers expected to completely break many public-key cryptosystems — including RSA, DSA, and elliptic curve cryptosystems — NIST launched the effort in 2016 to investigate post-quantum cryptography, also called quantum-resistant or quantum-safe cryptography. For a glossary of quantum-related terms, download our free Managing Cryptographic and Quantum Risk guide.

The NIST PQC project is a worldwide effort. Did you know that 25 countries, 16 states, and 6 continents have participated so far? Cryptographic algorithm proposals are currently under evaluation, and in June of 2020, NIST “winnowed the 69 submissions it initially received down to a final group of 15.” For details on the round one selection, visit NISTIR 8240. For details on the round two selection, visit NISTIR 8309.

 What’s next? NIST is planning to hold the third NIST PQC Standardization Conference, likely in June of this year, and will then select cryptographic algorithms to standardize and to continue studying. "The likely outcome is that at the end of this third round, we will standardize one or two algorithms for encryption and key establishment, and one or two others for digital signatures," stated Moody previously in a Help Net Security article. The third PQC selection round will last 12-18 months. NIST expects to release draft standards for public comment in 2022. The final standard for quantum-resistant cryptography is on track to be ready by 2024.

 Quantum-Safe Migration Planning

As NIST continues to move forward with algorithm standardization, what can organizations do in the meantime? Begin quantum-safe migration planning.

“Organizations should prepare for the transition to post-quantum cryptography by, first and foremost, identifying the critical applications and protocols that use cryptography. Specific information is key to foreseeing possible challenges and barriers, such as current allowed maximum key and signature sizes and limits on hardware, software, and transmission bandwidth. Introducing crypto agility will ease the future replacement,” urges Lily Chen, group director post-quantum cryptography team with NIST.

 In Your Quantum-Safe Migration Journey Begins with a Single Step, our latest article in Security Boulevard, we outline two things organizations must prioritize:

1. Inventory. The first step toward managing cryptographic risk is to improve cryptographic visibility by creating a full inventory of where, how, and what cryptography is used. Organizations must also identify all business-critical systems, applications, and information, and their dependence upon the cryptographic assets; this dependency map should be closely linked to the cryptography inventory. An organization must extend its crypto-visibility into vendors, contractors, OEMs, third parties, and partners.

2. Invest in crypto-agile solutions. Crypto-agility can help organizations bridge the gap between current and quantum-safe security. Many enterprises are looking to adopt a crypto-agile posture with minimal disruption to existing systems, standards and end users. For example, ISARA’s Catalyst™ Agile Digital Certificate Methodology enables a cost-effective and simplified migration to quantum-safe security today by supporting two cryptographic algorithms — e.g. one classic and one quantum-safe algorithm — within a single X.509 certificate.

Learn about what’s at stake for your cryptographic infrastructure and what your organization can do to take action, in our free guide: Managing Cryptographic and Quantum Risk. Gain hands-on experience and explore quantum-safe cryptography with our Quantum-Safe Readiness Program for Enterprises.

Most importantly, here’s to a healthy 2021 for all! Pass the spinach…