5 Ways to Prepare Now for Quantum Computing

PKI relies primarily on two standardized algorithms, Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC), which act as the “digital trust stamps” that verify the massive numbers of human and machine identities accessing data every second. However, quantum computers will soon be able to break these algorithms easily. If an average computer today tried to break a message protected with standard encryption, it would take about 300 trillion years. A quantum computer will be able to do the same thing in a week. The potential impact of quantum computing is so serious that it’s sometimes known as The Quantum Apocalypse.

Preparation is well underway. For the past six years, the US National Institute of Standards and Technology (NIST) has been conducting a competitive search for post-quantum encryption algorithms. In a milestone July announcement, NIST released its winning selections: CRYSTALS-Kyber for general encryption and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.

There is still much work left to be done to standardize these algorithms (which isn’t expected to be complete until 2024), and a quantum computer capable of breaking today’s encryption hasn’t been created yet. However, enterprises – government and private industry alike – need to start planning now for fast, efficient, and error-free deployment to new cryptographic standards. In fact, the Cybersecurity and Infrastructure Security Agency recently released a bulletin listing key actions for IT to begin working on right away. Here are five things IT teams can do today to protect their enterprises from quantum-based breaches:

  1. Take inventory. The place to start is by taking inventory of all encrypted systems and preparing a strategy for deployment of the new cryptography. From the ground up, understand where the most important systems are, what the risks are, what the use cases are, who is involved in this transition, and what systems will likely be affected by quantum computing. The unknown becomes a vulnerability.
  2. Test the new post-quantum cryptographic algorithms. It’s not possible to issue a public certificate with these new algorithms yet because they’re not standardized, and current software won’t support them. Vendors, software, OS, and service providers are now starting to gear up to support these primitives, and until that happens, enterprises can’t use them in production. However, it is possible to start testing the algorithms in lab environments. IT professionals should test the new cryptography in controlled environments, while the standards work is being done. Everyone must understand how to use new certificate types like hybrid certificates and what private Certificate Authority (CA) software capable of using post-quantum algorithms looks like. Sectigo Quantum Labs offers a free hybrid certificate toolkit for security professionals to evaluate their post-quantum options.
  3. Create a plan for transitioning systems. Every use case for post-quantum cryptography will likely involve a host of interdependent technologies. Enterprises must understand the intricate systems in place and have a plan for transitioning them to post-quantum cryptography.

    Some systems won’t be able to consume the new types of quantum-safe certificates, which raises the important question: How much risk is associated with that old system? If the answer is “too much,” then IT leaders must decide whether it can be decommissioned. The only other option is to leave the systems running while vulnerable to attack from quantum computers. Depending on the nature and sensitivity of the data and operations involved, leaders will have to make pragmatic choices about the best paths forward.

  4. Work with vendors. It’s time to work hand-in-hand with the vendor community. For almost all the enterprises in the world, the vast majority of the post-quantum cryptography implementation must be done by vendors. Hardware, software, and service providers will deliver products to enterprises. Then it’s the IT leader’s job to implement these new post-quantum-ready solutions and integrate them intelligently. Today IT leaders should already be finding out how their technology vendors plan on supporting the new post-quantum cryptographic algorithms.
  5. Educate your workforce. The average sysadmin, rightfully so, is not currently thinking about a post-quantum world in a meaningful way. After all, he or she is consumed with keeping the lights on today. Two years may seem like a long time away, but technology teams are well advised to begin taking inventory and understanding the impact of this computing progress today.

    In addition to testing algorithms in sandboxes, speaking with vendors, and determining what their post-quantum infrastructure should look like, they can take inventory of those within their organizations who will be affected and provide training on how to interact with those new systems.
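
For step 1, one way to turn collected public keys into an inventory of RSA and ECC dependencies is sketched below. This is an added example, not code from Sectigo or the original post; the system names and `SAMPLE` records are constructed, and it assumes each key has been exported as a hex-encoded DER SubjectPublicKeyInfo.

```python
# Added example, not from the original post; SAMPLE below is constructed.
QUANTUM_VULNERABLE = {                  # public-key algorithm OID -> family
    "1.2.840.113549.1.1.1": "RSA",      # rsaEncryption
    "1.2.840.10045.2.1": "ECC",         # id-ecPublicKey
}

def read_tlv(buf):                      # -> (tag, value) of the leading DER element
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                   # long form: next n bytes hold the length
        pos += length & 0x7F
        length = int.from_bytes(buf[2:pos], "big")
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def decode_oid(raw):                    # DER OID content bytes -> dotted decimal
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:             # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)       # first two arcs are packed into one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spki_algorithm(spki_der):           # key-algorithm OID of a SubjectPublicKeyInfo
    t1, spki = read_tlv(spki_der)       # SEQUENCE SubjectPublicKeyInfo
    t2, alg_id = read_tlv(spki)         # SEQUENCE AlgorithmIdentifier
    t3, oid = read_tlv(alg_id)          # OBJECT IDENTIFIER
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo")
    return decode_oid(oid)

def triage(inventory):
    """Map system -> 'RSA'/'ECC' (plan migration), 'review' or 'unparseable'."""
    report = {}
    for system, spki_hex in inventory.items():
        try:
            oid = spki_algorithm(bytes.fromhex(spki_hex))
            report[system] = QUANTUM_VULNERABLE.get(oid, "review")
        except (ValueError, IndexError):    # bad hex, truncated or empty DER
            report[system] = "unparseable"
    return report

SAMPLE = {  # constructed: real SPKI headers, dummy two-byte key bit strings
    "vpn-gateway": "3013300d06092a864886f70d010101050003020000",
    "web-frontend": "3019301306072a8648ce3d020106082a8648ce3d03010703020000",
    "lab-ca": "300c300606042bce0f0103020000",   # placeholder OID 1.3.9999.1
    "legacy-hsm": "3013300d0609",               # truncated export
}
```

Entries reported as `review` or `unparseable` are the unknowns the inventory step is meant to surface; they need a manual look before the transition plan in step 3 can cover them.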

Enterprises can’t wait. Be proactive and start preparing now, because it’s going to take time to switch to quantum-safe cryptography. Download the number one resource for quantum PKI solutions at www.sectigo.com/quantum-labs.

*** This is a Security Bloggers Network syndicated blog from Sectigo authored by Tim Callan. Read the original post at: https://sectigo.com/resource-library/5-ways-to-prepare-now-for-quantum-computing

Tim Callan

Tim Callan is responsible for ensuring Sectigo’s CA practices conform to industry and regulatory requirements and the company’s published Certificate Practices. Tim has more than twenty years’ experience as a strategy and product leader for successful B2B software and SaaS companies, with fifteen years’ experience in the SSL and PKI technology spaces.
