Cloud 101CircleEventsBlog
CSA's Continuous Audit Metrics Working Group is expanding! Help shape the future of cloud assurance.

Getting a Handle on Your Crypto Assets to Prepare for PQC

Getting a Handle on Your Crypto Assets to Prepare for PQC

Blog Article Published: 02/12/2024

Originally published by DigiCert.

Written by Timothy Hollebeek.

Quantum computing’s impending arrival is exposing what cryptography experts already know: Crypto is everywhere. Almost everything that implements modern security practices relies on cryptography and public key infrastructures (PKIs) to deliver digital trust.

Why does crypto’s ubiquity matter? Four words: cryptographically relevant quantum computers (CRQCs), the machines powerful enough to break traditional asymmetric algorithms like RSA and ECC.

It’s a threat post-quantum cryptography (PQC) can solve, and NIST’s August 2023 release of the first PQC draft standards brought the world one step closer to a quantum-safe future.

Employing PQC means organizations have to identify their digital footprint by creating an inventory of their cryptographic assets. It’s a process that kicked off with U.S. federal agencies, which were instructed to submit lists of their most critical cryptographic systems by May 2023. But many agencies struggled to meet the deadline, and it wasn’t until December that an agency-wide inventory of asymmetric cryptography was complete.

The federal government’s challenges revealed the complexities of creating a crypto asset inventory—especially when an organization has assets they may not even know exist. We've broken the process down into four steps to help you start planning your transition.


4 steps to start the transition to PQC

The majority of IT leaders worry their companies are nowhere near ready for quantum computing. If you’re part of an organization that deals with cryptographic assets and hasn’t yet begun transitioning to PQC, here’s how to get started.


1. Inventory your cryptographic assets

The first step is to begin inventorying your certificates, algorithms, and other cryptographic assets, prioritizing them based on their level of criticality. From there, you can determine what needs to be upgraded or replaced to ensure your systems remain secure when quantum computing becomes a reality.

Throughout the inventory process, you’ll need to ask a few key questions:

  • Which algorithms are your certificates currently using?
  • Who issued the certificates?
  • When do the certificates expire?
  • Which domains do the certificates protect?
  • Which keys sign your software?

Conducting a thorough inventory doesn’t stop there. You’ll also need to ask questions like:

  • Does your software package or device automatically download updates?
  • Does it connect to a backend server?
  • Is it associated with a website or portal?
  • Is that website or portal operated by a third party or cloud provider?

If the answer is yes, you’ll then need to contact each provider to find out who they rely on—what software packages do your providers’ providers use, who are the providers’ providers’ backend providers, and so on.

Like we said, it’s a complex process. But that’s why the time to begin is now—not after quantum computing starts revealing (and exploiting) your vulnerabilities.


2. Prioritize crypto that needs to be trusted for a long time

The place to start swapping out encryption algorithms is with crypto that produces signatures that need to be trusted for a long time: Think things like roots of trust and firmware for long-lived devices. And yes, that means producing detailed inventories of software and devices and where their crypto comes from.

Why? Attackers are playing the long game, recording encrypted data as part of a surveillance strategy called “harvest now, decrypt later.” When quantum computing becomes available, cybercriminals will decrypt it—and the only sure way to protect yourself against this strategy is to prioritize any encryption your organization will rely on long-term.


3. Explore and test the ways you’ll incorporate PQC algorithms

NIST is still working to standardize and document the methods of securely implementing, testing, and deploying the new crypto-safe algorithms. But implementors of cryptographic libraries and security software need to start integrating the algorithms into their products now. Accommodating the selected PQC algorithms will require some effort, so your organization can get ahead of the curve by exploring how to incorporate them into your crypto library.


4. Become crypto-agile

The steps we’ve outlined so far aren’t easy tasks to check off. But inventorying your cryptographic assets now will pay off when quantum computing begins breaking algorithms—and while we don’t know exactly when that will happen, we do know it’s a question of when, not if.

After your inventory is complete, the next phase of the PQC transition will be achieving crypto-agility, which involves asset visibility, established methods for deploying encryption technologies, and the ability to respond quickly when security issues arise.

A lifecycle manager solution uses discovery, automation, and centralized certificate management to give you control over your certificate inventory, making it possible to replace outdated crypto assets with no significant disruption to your system’s infrastructure.

Transitioning to quantum-resistant cryptography is a significant undertaking. But by identifying and managing your crypto assets, your organization can lay the foundation for a secure and trusted digital future.

Share this content on your favorite social network today!