All Exclusives

Post-Quantum Migration with DigiCert

The future comes at us faster than we might realize. Quantum computers are not just a glimmer on the horizon any longer. They’re here and already gaining power and precision. While this is something that should be lauded and embraced it does have security implications that must be addressed. I posted a post-quantum crypto primer a couple of years ago for those that don’t know who Peter Shor is and why his algorithm has the potential for chaos.

Thankfully someone at NIST was paying attention back in 2016 and they’ve been working overtime to get new encryption algorithms ready for us to use. After years of testing the candidate algorithms were release for public comment back in August. DigiCert has a handy blog post here covering them. With this 90-day analysis period the hope is that the CRYSTALS group will be ready for implementation very soon.

IBM Quantum Computer

Hiccups and Avoiding Heartache

If you think that simply switching out one algorithm for another is an easy thing to do you probably haven’t worked with cryptography in production. The world may have standardized on Diffe-Hellman and RSA but their pervasive nature means that they’re going to be difficult to unwind. Granted we do still have some time before quantum computers reach the necessary threshold to cause issues with RSA-based encryption but we are much closer now than we were even just three years ago.

Part of the issue is that it is extremely difficult to manage the overall encryption posture of your company. Even if you follow best practices for things like certificate authorities (CAs) and other infrastructure it is difficult to understand how they’re interacting with each other and how issues with one area can affect things overall. You need look no further than the number of outages in the past couple of years that have been caused by someone forgetting to renew a certificate to understand why.

Managing a known system of security is difficult. Trying to keep that system running while also swapping out old algorithms for new is similar to trying to change the tire on a car while it’s driving down the road. You’re going to encounter challenges and find ghosts hiding in the corners that you didn’t realize were still going. Heaven help you if you stumble across DES keys on forgotten appliances or devices with key length restrictions that don’t support newer algorithms.

Architecture Shifts Powered By DigiCert

I had the chance recently to sit down with Tim Hollenbeek. He’s an Industry and Standards Technical Strategist with DigiCert and that means he lives in the cryptography world. He’s an advocate for the new NIST standards but also for helping organizations get a handle on what needs to be done in order to easily adopt them before it’s too late.

Tim said that one of the advantages that DigiCert has is their Trust Manager platform. It enables you to manage your certificates and cryptographic infrastructure much more efficiently than the piecemeal way that might have been constructed over the years. No matter what your current PKI platform looks like it’s going to be reengineered in order to deploy solutions like Kyber and Dilithium.

Tim told me that the new NIST post-quantum solutions are not simple drop-in replacements for RSA and ECC. You’re going to need to understand the challenges faced by replacing the old standards with new ones. You also have to understand how the new standards replace the old ones and how they have different applications based on the needs of the organization. If you’ve been using a single system for all your heavy lifting in the past, like for example, using RSA for key exchange and for signatures you’re going to need to rethink things.

The value of a platform like the one from DigiCert is that you can understand the interactions and plan out how you’re going to approach a project of this magnitude while still ensuring your users and customers are secure. The last thing you want to do is get halfway through a transition only to find a show stopping issue and be forced to roll back, if that’s even possible. The experience that DigiCert has in the industry shines when confronted by these challenges.

Bringing It All Together

Post-quantum cryptography is not a faraway dream. It is as real as it can be today. As you investigate what this means for your organization you need to also examine how you’re managing things today. If the answer isn’t positive, or worse yet nonexistent, you need to examine how you’re going to resolve that in the immediate future. A little extra work today will save you lots of scrambling later when the full weight of quantum computers comes crashing through your legacy systems. And partnering with a trusted company like DigiCert will give you a huge leg up on the whole process.

For more information about DigiCert and their various Trust Manager solutions, make sure to check out their website at https://DigiCert.com

About the author

Tom Hollingsworth

Tom Hollingsworth is a networking professional, blogger, and speaker on advanced technology topics. He is also an organizer for networking and wireless for Tech Field Day.  His blog can be found at https://networkingnerd.net/

Leave a Comment