April 13, 2024
In our digital world, cryptography is the foundational element in securing our technology infrastructure. As we enter the quantum computing age, the infrastructure that underpins our digital organizations faces new and profound threats. Here we delve into the realm of cryptography in infrastructure, examining how organizations can fortify their systems against the burgeoning quantum threats.
Infrastructure refers to the physical and virtual resources that support an organization’s entire computing environment. This includes endpoint devices, servers, networks, data centers, and the cloud. Traditional cryptography methods protect the confidentiality and integrity of data transmitted across these resources. However, with the advent of quantum computing, the cryptographic algorithms that secure this infrastructure are under threat.
Quantum computers leverage principles of quantum mechanics to process information in fundamentally different ways from classical computers. This enables quantum computers to solve certain mathematical problems that are nearly impossible for classical computers – the same types of math problems that, for half a century, have served as the basis for conventional cryptography. As a result, the cryptography that currently secures organizations’ infrastructure and our digital lives will become vulnerable overnight when quantum computers reach a sufficient level of sophistication.
The threat of quantum attacks requires a proactive and comprehensive approach to transitioning cryptography in infrastructure. Here are the key steps organizations can take to start preparing now:
1. Understand the Exposure: The crucial first step is mapping your organization's cryptographic landscape, and that mapping goes beyond just servers. Organizations need to identify cryptography used across all technologies: from TLS/SSL certificates, SSH keys and VPNs securing remote access, to mobile device management, and code signing for software integrity. Access controls, cloud network security, and storage & databases are also in scope.
2. Risk Assessment: It is crucial to examine the sensitivity of the data under protection and the respective data retention requirements. Data of high sensitivity and subject to long-term retention mandates is especially vulnerable to Harvest-Now-Decrypt-Later (HNDL) attacks, where adversaries collect encrypted information to decrypt it when sufficiently powerful quantum computers become available. Understanding the types of protected data, from personally identifiable information (PII) to trade secrets, and their associated retention policies, is central to identifying their exposure level to quantum threats. This assessment informs the urgency and prioritization of transitioning specific applications to post-quantum cryptography (PQC), ensuring an appropriately prioritized response to protect against future quantum-enabled attacks.
3. Adopt Quantum-Resistant Cryptography: Organizations should prepare for and initiate plans to adopt quantum-resistant cryptographic algorithms, protocols, keys, and libraries. The transition towards new cryptographic standards necessitates a strategic, phased approach, prioritizing the protection of the most vulnerable and critical systems, as effective mitigations become available.
The first wave of PQC standards is already available for digitally signing software and firmware:
The next wave of standards for secure key exchange and digital signatures has been finalized by NIST and is on track to be formally published in the summer of 2024:
Transitioning to quantum-safe cryptography involves updates to all aspects of an organization’s IT environment, including:
The reach extends to digital signatures for documents and contracts, and other technologies across the organization. Only by taking a holistic view can potential vulnerabilities be identified and defenses hardened.
4. Evaluate Hybrid Cryptography Solutions: A practical approach to transitioning to quantum-safe cryptography is the implementation of hybrid solutions. These solutions use a combination of traditional and quantum-resistant algorithms to enable progressive testing both to strengthen security and to ensure interoperability, backwards compatibility, and system performance throughout the transition phase.
5. Stay Informed: Engaging with standards and regulatory organizations including the National Institute of Standards and Technology (NIST), the European Telecommunications Standards Institute (ETSI), and the Cybersecurity & Infrastructure Security Agency (CISA), with industry organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), and with service providers expert in post-quantum cryptography is essential to stay informed and effectively defend against threats in this rapidly evolving space.
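To make the inventory in step 1 concrete for one of the asset types it names, SSH keys, the following added example (not part of the original article) parses OpenSSH public-key lines and records each key's algorithm, RSA modulus size and quantum exposure. The function names and the sample keys are constructed for illustration, and it assumes lines in the plain `type base64 comment` form with no options prefix.

```python
import base64
import struct

# SSH key types built on factoring or discrete logs (breakable by Shor's algorithm).
QUANTUM_VULNERABLE = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
                      "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4251 string); return (data, next)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    end = offset + 4 + struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def inspect_key(line):
    """Classify one key line by the type inside its blob; unlisted types stay 'unclassified'."""
    fields = line.split()
    blob = base64.b64decode(fields[1], validate=True)
    name, offset = _read_field(blob, 0)
    algorithm = name.decode("ascii")
    bits = None
    if algorithm == "ssh-rsa":                       # blob continues: e, then n
        _, offset = _read_field(blob, offset)        # skip public exponent e
        bits = int.from_bytes(_read_field(blob, offset)[0], "big").bit_length()
    exposure = "vulnerable" if algorithm in QUANTUM_VULNERABLE else "unclassified"
    return {"owner": " ".join(fields[2:]), "algorithm": algorithm,
            "bits": bits, "exposure": exposure}

def inventory(lines):
    """Inspect every key line; malformed lines become findings, not crashes."""
    report = []
    for line in (l for l in lines if l.strip() and not l.lstrip().startswith("#")):
        try:
            report.append(inspect_key(line))
        except (ValueError, IndexError) as exc:
            report.append({"owner": line.split()[-1], "error": str(exc)})
    return report

# Constructed, non-functional key lines: synthetic modulus and all-zero key bytes.
def sample_line(algorithm, parts, owner):
    blob = b"".join(struct.pack(">I", len(p)) + p for p in [algorithm.encode(), *parts])
    return f"{algorithm} {base64.b64encode(blob).decode()} {owner}"

SAMPLE = [sample_line("ssh-rsa", [b"\x01\x00\x01", ((1 << 2047) | 1).to_bytes(257, "big")], "backup@db01"),
          sample_line("ssh-ed25519", [bytes(32)], "deploy@web01"),
          "ssh-rsa not-base64!! broken@host"]
if __name__ == "__main__":
    print(*inventory(SAMPLE), sep="\n")
```

Every classical SSH key type lands in the vulnerable bucket regardless of key size, so the useful output of such a scan is the list of owners and systems to feed into the risk assessment in step 2.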
Securing infrastructure against quantum computing threats is an imperative that requires foresight, strategic planning, and a phased approach. By understanding the potential risks, starting the transition to quantum-resistant cryptography, and staying engaged in this ever-changing landscape, organizations can safeguard their infrastructure against future quantum threats.