The Sky is Not Falling

If Henny Penny were walking around in today’s landscape, what would she say about the impact of quantum computing to today’s cryptography? There is no question that quantum computing poses significant risks to the security of cryptography, with the ability to potentially put entire infrastructures, networks, applications, and machine identities at risk. Despite the sizable threats, the sky is most certainly not falling. Organizations have the ability to make the transition to quantum-safe cryptography efficiently and seamlessly.

 

ISARA’s chief technology officer, Mike Brown, participated in a four-part blog post series with Crypto4A Technologies via Venafi, in which he outlined the impact of quantum computing, what organizations can do today, how to prepare PKIs, how to make machine identities safe, and what hybrid certificates are all about.

 

This problem is manageable. In his blog post, Quantum Computing Readiness: 3 Areas to Focus on Today, Brown outlined specific use cases to help focus efforts:

  1. Future-proof your communications systems
    If I'm in an organization today, and I'm thinking about preparing for the quantum threat, the first thing I'm going to do is focus on future-proofing communications. Quantum computers are expected about 10 years from now. If they can break commercial communications, then I need to ready my communications today so that they are protected 10 years from now. I should start looking at solutions now to prepare and protect my communications systems.

  2. Plan your identity and access management migration
    Even with new algorithms and processing power, machine identities will still have a strong role in protecting quantum computing. Now, I have this public key infrastructure, the Certificate Authority, that we use for protecting and identifying and authenticating users in my environment. Machine identities are impacting and being used by so many different systems in my environment. I need to start thinking about that IT migration problem and solve it to make sure my systems are ready today for quantum developments tomorrow.

  3. Prepare for authenticated software and firmware updates
    We will still need to authenticate machines in a post-quantum world. For example, my vehicle that might be getting software updates over the air is relying upon a root of trust, which I know needs to be protected in order for my software update to be authenticated. If I'm a car manufacturer, or I'm an OS provider who is relying on a root of trust within a computer system, I should start thinking today about how I protect myself from the quantum threat so that my over-the-air software updates can’t be spoofed by an adversary.

 

Are You Ready for Quantum Safety?

In Brown’s blog post, How to Prepare Your PKI for Quantum Computing, he outlines how to prepare for an agile transition for organizations to prepare their infrastructures to be ready to be quantum safe. “As an industry, we've gone through crypto transitions a number of times before — Triple DES to AES, MD5 hash functions and SHA-1 to SHA-2. But this one will be bigger. Changes in key sizes as well as this quantum-safe transition is the largest transition we've had to think about from a cryptographic perspective.”

 

7 Questions to Ask Now

Is the sky falling? No! John O’Connor, VP product management, at Crypto4A Technologies, offers a checklist of questions that organizations should ask as they are working toward quantum safety in his blog post, Crypto Agility and Quantum Preparedness: Build Now for the Future:

      What certificates are in my environment?

      Where are they?

      What are they used for?

      What crypto are the systems that use those certificates using?

      What are you building yourself?

      What are you getting and when from your vendors?

      What is their roadmap to become quantum-safe?

“Incorporating new crypto into your machine identity management strategy is not something you want to wait on,” states O’Connor. Learn more about how to get started with quantum-ready integrations that Crypto4A and ISARA have built for the Venafi Trust Protection Platform.

Take Action Now with Hybrid Certificates

Venafi’s Juan Carlos Gutierrez Torres interviews Brown and O’Connor in the blog post, Get Quantum Ready with Hybrid Certificates. Brown explains, “The idea of a hybrid certificate is to utilize the existing X.509 structure to include both a ‘classical public key’ — your RSA or elliptic curve key — and a quantum-safe key. Maybe it's Dilithium or maybe it's SPHINCS+.” O’Connor adds, “The only way to get started on this transition is to start creating a migration plan and start testing these things out. It's going to take a long time, so of course we will need support from many devices and many systems across our enterprises. But now is the time to get started. It doesn't need to be difficult.” Gartner is talking about 2022 to 2023 when organizations need to have plans in place, states Brown. “This is very much a coming, near-term reality that organizations need to grapple with now!”

 

This is not a simple folk tale, but the transition to quantum is a journey that can have a good ending. If your encounters on the way include ISARA, with our cryptographic management platform, we can help you get started by revealing your cryptographic blind spots.