Today’s technology secures the world’s data like a passport.
Technology that works in some ways like a passport is used to protect the world’s data today. A public key infrastructure (PKI) digital certificate, like a passport, has information about the person who owns it, like their name and address. Digital certificates are like “passports” for people and the machines they use, like software, code, bots, IoT/OT, laptops, and devices.
Even though most people don’t know it, this technology is at the heart of everything in the digital world. It ensures that businesses can safely do business within their own networks and beyond. It is the basic cryptographic technology that verifies the identities of the millions of people and machines that access sensitive data every second of every day. It works like a digital trust stamp.
This cryptographic foundation and an organization’s ability to build digital trust are at risk because of quantum computing. Quantum computers use quantum physics to solve difficult problems much faster than today’s computers can. Quantum computers can do many things at once, which means it will be a lot easier to get into encrypted files and communications that are protected by digital certificates. To keep digital operations safe, the world needs to use new families of PKI cryptography that can’t be broken by quantum computers.
When talking about digital certificates, people who work in the security industry often use the terms “crypto agility” or “cryptographic agility.” This means that an enterprise’s ecosystem is able to make sure that its basic cryptographic primitives are up-to-date, reliable, and strong, and that it is using the best cryptography for a given situation. Being cryptographically agile means being able to adapt to change, and in the business world today, change happens quickly.
Enterprises will never be able to reach a set goal for crypto agility. IT leaders are seeing their total number of certificates grow and the average lifespan of digital certificates drop to one year or less. At the same time, quantum computing is getting closer to being a reality, so crypto agility has never been more important.
Quantum Computing and Why Crypto Agility Is Needed
To understand the changes to cryptography that will be needed to protect against future quantum threats, it’s important to first know how things work right now.
Certificates are used to verify and trust devices like phones, laptops, and servers. PKI technology is at the heart of credit cards, e-passports, and other things that most people don’t think of as “digital,” like a keycard that lets you into a building. These are cyber-physical systems that use PKI to make sure that the sensitive information they hold stays private, can’t be changed, and is real. It’s hard to say how many times the average employee uses PKI in a day, but the answer is “a lot.” PKI is used in almost every part of work and life, both at work and at home, and in all industries.
Rivest-Shamir-Aldelman (RSA) and elliptic-curve cryptography are the two algorithms that are used in production PKI systems today (ECC). Unfortunately, because quantum computers work differently than traditional 1/0 gated computers, it is very easy for quantum computers to break these algorithms. Using today’s standard-strength encryption, the average computer would need about 300 trillion years to break a message, but a quantum computer would only need about a week. Because the effects could be so bad, this is sometimes called the “Quantum Apocalypse.”
After a six-year search, the US National Institute of Standards and Technology (NIST) has announced a new set of cryptographic “primitives” that can’t be broken by quantum computers: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.
Now, businesses need to start the important work of adding new encryption to all of their computer systems. Standardization of the new quantum-resistant algorithms is expected by 2024, and it is thought that RSA and ECC will be broken by quantum computing as soon as 2026. So, now is the time to start getting ready to ensure crypto agility today and in the years to come.
“The PKI of the Future”
What does it look like to be crypto-agile in preparation for the quantum age? IT leaders in businesses must use X.509 hybrid certificates that use encryption algorithms that are safe against quantum attacks. Traditional keys and signatures and quantum-safe keys and signatures are both stored in hybrid certificates. With these cross-signed certificates, systems with more than one part that can’t all be upgraded or replaced at the same time can move to a new system. This makes it easier to switch from traditional PKI cryptography to post-quantum cryptography once the new algorithms have been standardised.
Hybrid certificates can be thought of as a house with two doors. Each door has its own key. If a new lock is put on the front door, only people who have the new key can open it. People with the old key can still get in, but only through the back door, which hasn’t changed. Over time, users can trade their keys for new ones that work with the new door lock. Once everyone has changed their keys, the back door lock can be changed without anyone being locked out. These hybrid certificates will be the most important way for cryptography to get from where it is now to where it will be in a few years.
You can’t just use these new cryptographic algorithms and then forget about them. They also need to be managed, which can no longer be done by hand due to their size. The next generation of PKI is all about having a single Certificate Lifecycle Management (CLM) platform to find, issue, renew, govern, manage, and automate the lifecycles of any digital certificate, including hybrid certificates. Automated CLM keeps PKI safe and reduces the chance that expired certificates will cause outages or security breaches.
Over time, the cryptographic primitives will be replaced more quickly, and the lifespan of certificates will continue to get shorter. Being cryptographically agile means being able to respond quickly to these changes.
