Integrating Crypto Agility Into PKIs

Long Term Authentication Challenges

Enterprise IT teams and connected device manufacturers increasingly use public key infrastructure (PKI) for authentication and encryption. However, the cryptographic signatures within the certificates used by today’s systems are vulnerable to quantum-enabled attacks.

Makers of long-lived IoT devices and IT teams responsible for large and complex PKIs need solutions today to mitigate their quantum risk and avoid losing control of devices or exposing mission-critical information in the age of cryptographically relevant quantum computers (CRQCs).

The challenge: Traditional digital certificates can only manage one signature algorithm. This limitation makes a timely migration to quantum-safe signature algorithms tricky within large and complex PKIs. Bridging the gap between current and quantum-safe security — without disrupting existing systems and end users, and while maintaining standards compliance — requires a new approach.

Multiple Migrations will be Required Over Time

Over decades, attacks on classical algorithms, cryptographic primitives (such as hash functions), and implementations thereof have evolved, causing organizations to go through the long and difficult process of upgrading their systems to maintain security. In the same way, we should not expect that quantum-safe algorithms will stay the same forever. Consequently, organizations should expect to perform multiple quantum-safe migrations over time.

Crypto agility provides organizations with an efficient mechanism to switch away from broken or outdated cryptography, and quickly respond to new attacks on currently used algorithms. By integrating crypto agility into PKIs today, organizations enable smoother migrations in the future, saving on time, cost, and effort.

Simplify Cryptographic Migrations with ISARA CatalystTM Crypto Agile PKI

A simplified, cost-effective method of migrating PKIs to different cryptographic algorithms is to utilize a crypto-agile approach by integrating ISARA Catalyst Crypto Agile PKI

ISARA Catalyst Crypto Agile PKI is a technique for creating an enhanced X.509 digital certificate that simultaneously contains two sets of cryptographic subject public keys and issuer signatures.

This technique provides administrators with maximum flexibility because the crypto agile credentials offer full backward compatibility with current, non-updated, systems. The crypto agility built into this approach makes it entirely seamless to end-users.

Benefits & Advantages

  • Gradual migration – Upgrade your most critical, at-risk assets in phases due to backward compatibility with current X.509 certificates which ensures interoperability
  • Eliminate duplication and management of multiple public key infrastructures (PKI) – reduce time, costs and complications associated with transitioning cryptography
  • Protect using the cryptographic algorithms you need to use, faster – whether you need a faster path to compliance or simply want to transition to stronger or more efficient security
  • Transparent to end-users – those endpoints using the enhanced certificates can still interact with existing systems and vice versa
  • Future-proof systems – integrate crypto agility to reduce the pains of performing migrations again in the future


Related Resources

  Web Page

ISARA Catalyst™ Crypto Agile PKI

  White Paper

Enabling Quantum-Safe Migration with Crypto-Agile Certificates

  Research Paper

The Viability of Post-quantum X.509 Certificates

Ready to get started?

Request a meeting to learn more about crypto agility and quantum-safe security.