Your Post-Quantum Cryptography Journey: Over the River and Through the Woods

Over the river and through the woods, To grandmother's house we go;
The horse knows the way to carry the sleigh, Through (the) white and drifted snow!

’Tis the season for visits to grandmother and Uncle Joe. ’Tis also the season for organizations to start planning their roadmaps for a quantum-safe New Year. After all, the third round of the NIST PQC Standardization Process is expected to be completed in early 2022 when the National Institute of Standards and Technology (NIST) makes the much-anticipated announcement of the post-quantum algorithms it intends to standardize. This announcement will mark a major milestone in the global transition to post-quantum cryptography. As the announcement looms — and 2021 comes to a close — your organization needs to take steps forward on its post-quantum journey. One of the most critical steps along this journey will be developing a plan to adopt the new cryptographic standards. Does your organization know the way to carry the sleigh?

For many organizations, quantum-safe transition planning can feel overwhelming. Fortunately, there are resources to help. For example, NIST has partnered with the U.S. Department of Homeland Security (DHS) to provide a post-quantum cryptography roadmap to empower organizations to take action. “Now is the time for organizations to assess and mitigate their related risk exposure. As we continue responding to urgent cyber challenges, we must also stay ahead of the curve by focusing on strategic, long-term goals. This new roadmap will help protect our critical infrastructure and increase cybersecurity resilience across the country,” advocates DHS secretary Alejandro N. Mayorkas.

Highlights from the DHS roadmap include:

  1. Engagement with standards organizations
  2. Inventory of critical data
  3. Inventory of cryptographic technologies
  4. Identification of internal standards
  5. Identification of Public Key Cryptography
  6. Prioritization of systems for replacement
  7. Plan for transition

[Figure: NIST NCCoE graphic. Source: U.S. Department of Homeland Security]

As part of the NIST/DHS partnership, the National Cybersecurity Center of Excellence (NCCoE), a part of the DHS, has created the Migration to Post-Quantum Cryptography project to provide whitepapers, playbooks and implementations to empower organizations to take action. The main objective is to accelerate the preparedness of organizations, so they are not blindsided by the threat to cryptography that large-scale quantum computing poses. The project will highlight companies and solutions that are available to help organizations create effective plans to ensure the continued security of their essential data, systems, and infrastructures.

The NIST/NCCoE project is seeking industry input and participation to demonstrate the discovery tools that can provide automated assistance in identifying where and how public-key cryptography is being used in hardware, firmware, operating systems, communication protocols, cryptographic libraries, and applications employed in data centers — whether on-premises or in the cloud — and distributed computer, storage, and network infrastructures. ISARA has submitted a letter of interest as part of this process highlighting its Advance™ Crypto Agility Suite, with the goal of being part of a possible future Cooperative Research and Development Agreement (CRADA).

“It is critical to begin planning for replacement of hardware, software, and services that use public-key algorithms now so that the information is protected from future attacks,” states NCCoE. Inventorying critical data and cryptographic technologies is among the first steps organizations can take to prepare for the post-quantum cryptography migration. NCCoE reinforces how important it is for organizations to identify all instances of public-key algorithms used in their network infrastructures — computer and communications hardware, operating systems, application programs, communications protocols, key infrastructures, and access control mechanisms.

While the recipe for quantum safety is not quite as simple as grandmother’s fudge, it is manageable if organizations follow the recommendations and guidance from leading organizations, including NIST, DHS, and NCCoE.

Interested in taking an agile approach to quantum-safe cryptography? Learn more about the ISARA Radiate™ Quantum-safe Toolkit, a standards-based quantum-safe software development kit built for developers who want to test and integrate next-generation post-quantum cryptography into their commercial products.

Already at the “inventorying” stage? DHS is proposing that 2021-2023 is the time to inventory and prioritize systems. Visit ISARA to learn more about Advance Crypto Agility Suite, a cryptographic management platform that enables organizations to discover and administer their cryptographic assets whether on-premises or in the cloud. Something to reveal your blind spots... sounds ideal for any sleigh journey over the river and through the woods.