For half a century, public key infrastructure (PKI) has formed the secure cryptographic backbone for all digital systems. PKI provide the trust needed to secure digital systems of all kinds, from enterprise to critical national infrastructure. Underpinning all digital aspects of consumers’ and businesses’ lives, from emails to algorithms, PKI is a ubiquitous technology which is behind every digital operation.
Behind the encryption digital certificates provide are two cryptographic algorithms: RSA 2048 (Rivest – Shamir – Adleman) and ECC 256 (elliptic-curve cryptography). They encrypt content by creating cryptographic keys which secure data so that only the correct recipient can decode the message the sender creates. This allows enterprises to securely transact business within their own networks and wider, and make sure digital operations are secure. However, RSA 2048 and ECC 256 will soon become unfit for purpose when quantum computing becomes powerful and stable enough to easily decrypt them.
Data vulnerability
Quantum computers’ immense processing power is capable of breaking encryption at great speed, leaving important data vulnerable, everything from bank account details to medical records to state secrets. This scenario is so alarming that specialists refer to it as the ‘Quantum Apocalypse’. While the average computer today would need around 300 trillion years to break data encrypted by RSA and ECC algorithms, which it would do by trying cryptographic keys one by one until it hits on the right one. In contrast, a quantum one would need about a week, as it has the ability to ‘guess’ keys in parallel.
Quantum Apocalypse
Scientists have dubbed the fallout of quantum computers the ‘Quantum Apocalypse’, predicting an impact so severe it will completely unroot existing digital systems. When the first quantum computer becomes operable, the actor who owns it will have a very easy job decrypting any data they get their hands on, including those datasets under the highest encryption. These sets could be anything: from the control systems managing critical national infrastructure like water or power supply, to highly confidential personal and industrial data in government or the enterprise.
To remain secure, organisations must transition to new, quantum-resistant cryptographic alternatives. With the arrival of operational quantum computers predicted to be less than a decade away, the time to act is now.
The United States’ National Institute of Standards and Technology (NIST) has already announced a new set of cryptographic “primitives” that have been deemed to be secure against cracking by quantum computers, and standardization is expected by next year. Meanwhile, organizations must steel themselves by transitioning to hybrid certificates. A hybrid certificate is essentially a traditional digital certificate with additional quantum-safe components encoded within it. This type of certificate, also known as a cross-signed hybrid certificate, helps bridge the gap independently of different clients’ (such as web browsers) crypto capabilities.
Hybrid certificates
This transition to hybrid certificates presents the core challenge for enterprises: replacing every one of the trillions of certificates in circulation in our digital systems is a gargantuan task given the variety of types, sources, issuers, lifespans, and myriad of other factors. In the context of a single enterprise, for example, there can potentially be tens of thousands of certificates, issued by multiple certificate authorities, and all with different lifespans determining their time to be renewed. For every organization around the world, this is mission-critical: failure to replace even one certificate can lead to outages and breaches.
One hurdle stands in the way of an orderly transition: for many organizations, it’s near impossible to discover and renew all the certificates in their ecosystems. Some may be expired but not revoked, others may be due for renewal shortly, and many issued by different Certificate Authorities (CAs). Particularly as Google Chromium has recently announced it will deprecate any certificate with a lifespan shorter than 90 days from the current year-long lifespan, manually handling certificate renewal and deployment will be even more difficult. Between lifespans shortening and the Quantum Apocalypse approaching, it is now more apparent than ever that certificate management cannot be a human task any longer.
The only way to automatically unearth and renew 100% of existing certificates, whatever their point in their lifespan, whatever their status and whatever the issuer, is automated, CA agnostic Certificate Lifecycle Management (CLM). Crucially, a CLM provider will need a vast array of partnerships with publicly and privately trusted CAs, so it can widen the pool of certificates it can discover and manage, including those hybrid certificates that use quantum-safe algorithms. Without such a solution, and one that works at a very advanced level, crypto agility (I.e. the ability of an enterprise’s ecosystem to ensure its fundamental cryptographic primitives are current, reliable and robust and to respond to change) cannot be achieved.
CA agnostic
Planning must start now before the so-called Quantum Apocalypse occurs. The first step is to gain a full understanding of all certificates present in the IT environment. During this preparation phase, the most advanced CLM solutions can manage the transition of all certificates, independently of their particulars, including which Certificate Authority issued them originally. This is known as being ‘CA Agnostic’ and is determined by the breadth of CA partnerships each CLM provider boasts, so IT security leaders should pay close attention to the realities of each offering. Unfortunately, some CLM providers tend to overestimate their coverage, so the first question should be whether they are truly CA Agnostic rather than providing lip service which is ultimately useless to IT leaders.
The partnerships and management agreements are ultimately what make a CLM provider better equipped and more effective in the transition from existing PKI certificates to quantum-resistant ones. A CA agnostic CLM ensures no stone will be left unturned. While the advent of quantum computers cannot be held at bay, businesses and organizations can certainly fortify themselves from the Quantum Apocalypse.