Simplifying the Transition to Quantum-Safe Security with Crypto Agility

Author: Paul Lucier
Date Published: 24 November 2020

The quantum computing threat to public-key encryption is enormous. Large-scale quantum computers are on the not-too-distant horizon. They will be capable of breaking the underlying public-key cryptography and public-key infrastructure (PKI) at the core of every secure information exchange and transaction conducted today. With quantum computing, public-key cryptography becomes easier to attack. This could wreak havoc on trust infrastructures in every industry and sector, including government, military, energy, aviation, financial services and automotive.

What exactly is at risk? Cryptography is the foundation of digital identity and trust. A threat to cryptography is a serious threat to that trust. In today’s increasingly connected ecosystem, broken cryptography can result in unauthorized access to sensitive information, lack of control over connected devices and, potentially, great danger to human safety. All systems that rely on cryptography—especially systems that are already vulnerable—will be at exponentially greater risk when quantum technologies arrive.

What can enterprises do now to strengthen and future-proof their cryptographic infrastructures? The answer lies in crypto agility. Bridging the gap between current and quantum-safe security—and simplifying the transition—requires a new approach. Many enterprises are looking to adopt a crypto-agile posture with minimal disruption to existing systems, standards and end users.

For example, there is a crypto-agile methodology for creating an enhanced X.509 digital certificate that simultaneously contains two sets of cryptographic subject public keys and issuer signatures. Enhanced X.509 certificates are compliant with industry standards and enable enterprises to seamlessly transition their infrastructures and systems to a quantum-safe state in phases while maintaining full backward compatibility with legacy systems.

The goal is to realize the benefits of quantum technology without compromising data and system security. To protect data and systems, the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) recommends several practices “to ease the migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks.” A proactive approach to planning, preparing and future-proofing by implementing security measures, software updates and crypto-agile solutions is the best way for organizations to get ready for the quantum threat and safeguard their cryptographic infrastructures and data.

Editor’s note: For further insights on this topic, read Paul Lucier’s recent Journal article, “How to Start Your Quantum Migration Journey,” ISACA Journal, volume 6, 2020.