David Mahdi, Chief Strategy Officer and CISO Advisor at Sectigo, explores what could be the government’s next big task and how to avoid the quantum computing pitfall
For more than fifty years, public key infrastructure, or PKI, has been relied upon by almost all organizations to provide the cryptographic backbone which secures devices and the humans using them.
Relatively unknown outside the technology industry, PKI digital certificates provide the digital trust needed to secure critical national infrastructure – from telecommunications to energy supply, the banking sector and even life-critical technology deployed by armed forces worldwide.
Without PKI, public and private network access would not be safe or secure. Only with PKI can we ensure the devices, people, software, and applications that make up critical national infrastructure remain in the sole control of those trusted with their security. PKI relies mainly on two algorithms, which form the basis of current cryptography: RSA 2048 (Rivest–Shamir–Adleman) and ECC 256 (elliptic-curve cryptography).
These algorithms are the foundation of the ‘digital stamps’ which verify and protect the human and non-human (machine) identities used to access sensitive data across government and all industries. However, change is coming.
What could be the quantum computing pitfall?
Nothing lasts forever, and the PKI that organizations the world over have relied upon to maintain digital trust faces an emerging and very real threat. We are now standing at the precipice of a new age of quantum computing, an advanced type of computation that leans on quantum physics to run multiple processes simultaneously. Quantum computing will render traditional PKI, as we know it, no longer fit for purpose.
This poses a very real threat to the information security systems we all rely on to protect our freedom and liberty. To remain secure, government agencies will have to adopt new families of quantum-resistant cryptography.
Now is the time to prepare for this transition. The step-change quantum computing will bring should not be underestimated. The average computer trying to break a message encrypted with our common RSA and ECC algorithms would need around 300 trillion years. A quantum computer, with its ability to ‘guess’ keys in parallel, would need around a week.
What would happen when the first quantum computer becomes powerful enough?
The effects will be dire: when the first quantum computer becomes powerful enough, even data under the highest encryption will be easily decrypted by whoever has access to a functional quantum computer. In fact, some adversaries are already saving encrypted content that they will later look to break with quantum computers (and perhaps other methods).
This could be anything from the control systems upholding the national electric grid, remote devices controlling the water supply, systems operated by the armed forces or secret services, even the central banking system. Scientists consider the predicted fallout of quantum computers so severe it’s called the Quantum Apocalypse.
Given the gigantic steps forward in the research and development of quantum computers, with Google, Honeywell, and indeed China in the race, it is a matter of when rather than whether quantum computers will change the digital world as we know it. One thing is certain: Governments must implement new cryptographic alternatives as soon as possible.
Work is already underway to overcome this looming issue: The USA’s National Institute of Standards and Technology (NIST) is working to find quantum-resistant alternatives to our current algorithms. Organizations across the world, from the fields of academia, technology, and the public sector, have united to collaborate in the discovery of new, quantum-safe algorithms.
NIST coordinates their efforts, and its Post-Quantum Cryptography project is well en route to identifying and vetting potential next-generation cryptographic schemes, which it expects to do by 2024. Even before NIST arrives at its final candidates, government agencies must begin the transition to quantum-safe PKI certificates to withstand the Quantum Apocalypse.
This process presents the core challenge: replacing every one of the trillions of certificates and keys in circulation in our digital systems is a gargantuan task given the variety of types, sources, issuers, lifespans, and a myriad of other factors. For every government around the world, this is mission-critical: failure to replace even one certificate could lead to breaches, data exfiltration, or operational disruption.
How do we avoid the quantum computing pitfall?
The first step is to gain a full understanding of all certificates and keys present in the public environment, and enable government IT to replace them at will, regardless of their specificities. The only way to make this shift effectively and safely is to leverage crypto-agile automation.
A crypto-agile approach anticipates frequent changes across, potentially, millions of certificates, keys and cryptography. One example, as it pertains to certificates, is Certificate Lifecycle Management (CLM). This allows organizations to manage all the certificates in the enterprise system at once, renewing, deploying and revoking them as necessary. Deploying these CLM solutions now can ease the transition to quantum-resistant certificates.
The most advanced CLM solutions can manage the transition of all certificates, independently of their particulars, including which Certificate Authority issued them originally. This makes CLM extremely effective in the transition from existing PKI certificates to quantum-resistant ones, as it ensures no stone will be left unturned.
While the cryptographic community works to standardize quantum-safe algorithms, players who have been securing digital systems since the dawn of the internet have published free sets of resources like Quantum Labs.
Organizations and governments must arm themselves with the tools to migrate to quantum-resistant algorithms and prepare for the quantum era. In this way, they can face the quantum era as a leap forward, not a jump into the void.