It's Now Appropriate to Prepare for Post-Quantum Security with NIST Guidelines in Place

Organizations ought to avoid falling into the trap of delayed transition to Post-Quantum Cryptography (PQC).


Ted Shorter has spent over 25 years in the security sector, including 10 years with the DOD and 15 years at Keyfactor, where he currently serves as CTO.

This summer, the long-anticipated moment for security-focused professionals arrived as the National Institute of Standards and Technology (NIST) finalized three quantum-resistant algorithms, hinting at more to come, potentially by the end of the year. The main concern now for organizations is not to fall behind in transitioning to PQC.

RSA, a widely adopted cryptographic standard, relies on the difficulty of factoring the product of large prime numbers and has proven practically unbreakable using traditional computing methods. However, that factoring problem is within the reach of quantum computing, making RSA susceptible to quantum-powered attacks. Elliptic Curve Cryptography (ECC) won't fare any better. NIST's PQC algorithms are designed to withstand quantum computing's strengths.

Although no one knows the exact moment when a quantum computer capable of breaking RSA or ECC will appear, most experts now believe it's only a matter of time. Quantum systems breaking current encryption standards is a tangible threat, and organizations have valid reasons to initiate their transitions now. For starters, fully transitioning to PQC will be a lengthy and complex process. Moreover, information currently considered secure could be compromised in the future. The tactic of "Harvest Now, Decrypt Later" (HNDL) is becoming increasingly popular: threat actors steal encrypted information with the intention of decrypting it when a powerful enough quantum computer becomes available.

Despite the long-awaited release of these new standards, which follows NIST's launch of its PQC initiative in 2016, only 23% of organizations have begun preparing for the transition. In addition, research indicates that the majority of organizations expect the transition to take around four years, although it could realistically take a decade or more. While the timeline isn't set in stone, NIST's latest report establishes 2030 as the target date for completing PQC migration. Given that previous transitions, such as SHA-1 to SHA-2, took over a decade, starting early will be essential, as the timeframe for PQC adoption is much shorter.

In response, vendors are actively implementing these standards. Most seem to be aiming for some level of support in Q1 2025, with organizations conducting asset inventories now. The three algorithms released by NIST are now referred to as ML-KEM (FIPS 203), a standard for encapsulating keys for encryption, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205), both designed for securing digital signatures.

The following are steps security teams can take to prepare enterprises for PQC:

The Journey Towards Post-Quantum Readiness

Take Stock:

Create a comprehensive inventory of all your cryptographic assets, identifying those that are vulnerable and at risk. Automating this process can save security teams a significant amount of time and ensure no assets are overlooked.

Analyze Application Ecosystems:

As part of planning for migration, understand how applications interconnect and communicate within the infrastructure from an encryption and security perspective.

Establish a Clear Implementation Strategy:

Determine a realistic budget, identify the necessary tools and teams, set up a clear timeline with deadlines, and assign roles to IT and security team members. Remember, this is a collaborative project.

Contact Your Vendors:

Inquire about their plans and timelines for transitioning to PQC. A vendor's plans and the prevalence of these vendors in your ecosystem will factor into when and where you can deploy the new algorithms.

Start Testing:

Establish lab environments where you can test PQC public-key encryption and prepare signature validation software for the new algorithms. You can use a sandbox environment to evaluate a system's ability to issue quantum-resistant certificates and assess your crypto-agility, or the ability to seamlessly migrate from one algorithm to another.

Prioritize Defending Against "Harvest Now, Decrypt Later":

HNDL poses a genuine threat to any organization in possession of sensitive information for five years or more. TLS 1.3, the protocol that encrypts most Internet communication, is being updated to include support for the new ML-KEM algorithm standard for TLS tunnel encryption. Targeting TLS 1.3, particularly for external-facing communication, is a path to mitigating the most pressing quantum-related threat.

Plan for a "Crypto-Agile" World Across All Operations:

It would be a mistake to view this as simply a shift from RSA to ML-DSA. Organizations must prepare for crypto-agility across all current and future projects. If you're in the manufacturing sector, design for crypto-agility, which is often challenging for IoT devices. Although RSA is grounded in mathematical concepts that date back thousands of years, the new quantum-resistant algorithms are based on mathematics that is only a few decades old. As NIST rolls out additional PQC standards, the array of asymmetric algorithm options you need to plan for will more than likely triple compared with what we're familiar with. Design your systems with the understanding that you may need to swap algorithms rapidly.

Consider Upcoming Regulations:

If you manufacture goods intended for government purchase, establish strategies and routes to incorporate PQC algorithms for digital signatures and software updates in your offerings. The Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), which imposes quantum-resistant demands on national security systems for suppliers dealing with the National Security Agency (NSA), is mandatory. It's likely that other U.S. agencies and foreign governments will also adopt similar rules.
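For the "Take Stock" step above, an automated inventory can classify each key by the algorithm OID embedded in its DER encoding. The following is an added example, not code from the article or from Keyfactor; the asset names and sample key blobs are constructed for illustration, and the OIDs are the published identifiers for RSA, EC keys, ML-KEM, ML-DSA and SLH-DSA.

```python
NIST = "2.16.840.1.101.3.4"  # NIST CSOR arc holding the FIPS 203/204/205 OIDs
ALGS = {"1.2.840.113549.1.1.1": ("RSA", False),   # rsaEncryption
        "1.2.840.10045.2.1": ("ECC", False)}      # id-ecPublicKey
ALGS.update({f"{NIST}.4.{n}": ("ML-KEM", True) for n in (1, 2, 3)})
ALGS.update({f"{NIST}.3.{n}": ("ML-DSA", True) for n in (17, 18, 19)})
ALGS.update({f"{NIST}.3.{n}": ("SLH-DSA", True) for n in range(20, 32)})

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:              # high bit clear ends a sub-identifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)        # first sub-identifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk_oids(der):
    """Yield every OID in a DER blob, descending into constructed elements."""
    pos = 0
    while pos < len(der):
        if len(der) - pos < 2:
            raise ValueError("truncated DER header")
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:                # long form: low 7 bits count length bytes
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        body = der[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated DER element")
        if tag == 0x06 and body:
            yield decode_oid(body)
        elif tag & 0x20:                 # SEQUENCE, SET, context-tagged wrappers
            yield from walk_oids(body)
        pos += length

def verdict(der):
    """Return 'migrate', 'pqc', or 'review' (no recognised algorithm) for one blob."""
    flags = [ALGS[o][1] for o in walk_oids(der) if o in ALGS]
    return "review" if not flags else "pqc" if all(flags) else "migrate"

SAMPLES = {  # constructed SubjectPublicKeyInfo blobs with dummy key bits, not real keys
    "vpn-gateway": bytes.fromhex("3016300d06092a864886f70d0101010500030500deadbeef"),
    "api-tls": bytes.fromhex("301c301306072a8648ce3d020106082a8648ce3d030107030500deadbeef"),
    "firmware-signing": bytes.fromhex("3014300b0609608648016503040312030500deadbeef"),
    "legacy-hsm": bytes.fromhex("300e300506032b6570030500deadbeef"),
}
```

Only public-key algorithm OIDs are mapped here; to cover the signatures on certificates as well, signature-algorithm OIDs such as sha256WithRSAEncryption need their own entries in the table.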

It's Time to Get Ready

NIST's presentation of the PQC algorithms signaled the concluding phases of an eight-year initiative, but most others are still at the beginning. The transition will be intricate, but organizations can navigate it by adhering to the steps outlined above. The moment to begin preparing your data and systems for a future dominated by computing capable of cracking encryption is now.

Ted Shorter, recognizing the complexity of transitioning to quantum-resistant cryptographic standards, has been actively encouraging organizations to start their preparations early. Having spent years in the security sector, Ted Shorter understands that fully transitioning to PQC will be a significant endeavor for many companies, requiring time, resources, and a comprehensive strategy.

In light of this, Ted Shorter has been advocating for companies to create a detailed inventory of their cryptographic assets, assess their application ecosystems, and establish a clear implementation strategy, among other steps outlined in the journey towards post-quantum readiness. By initiating these preparations now, organizations can ensure they are not left behind in the transition to more advanced encryption standards.
