
A few words on Post-Quantum Cryptography and Certificates

March 11, 2024

Quantum computing has an adverse effect on cryptography: the current algorithms that are used every day to protect our communications on the Internet are vulnerable, and thus will need to be replaced. This is the purpose of Post-Quantum Cryptography. NIST has selected several algorithms intended to replace existing ones, and most of them have been standardized. That leaves us with one issue: how to deploy these new algorithms?

Hybrid Certificates (PQC)

Most agencies currently recommend deploying these algorithms in hybrid mode. Since we have little experience with the new algorithms, the idea is to mix legacy and PQC cryptography instead of deploying purely PQC cryptographic assets, so that the level of protection is at least not worse than with the current algorithms. Therefore, should a weakness be detected within the new algorithms, the protection remains effective enough.

At EVERTRUST, we are digital trust specialists, and thus face this challenge. Our view is focused on cryptographic assets deployment, and at the end of the day we believe that several key principles need to be observed:

  • The solution should be fully interoperable. Typical information systems are extremely heterogeneous, and standards-based interoperability is the key.

  • The solution should be backward compatible. The components of the information systems will migrate to PQC at different paces based on criticality and availability, making backward compatibility a prerequisite to interoperability.

  • The solution should ease the migration. Each piece of software consuming cryptographic assets should be able to use either current or hybrid variants instantly and simply, so that migrating to a new version supporting PQC requires only minimal configuration changes.

  • The solution should provide a status of the migration, in order to keep track of PQC deployment and thus be able to manage the risks comprehensively.

Now, how does that translate concretely to X.509 certificates, the most popular format for cryptographic assets, used by billions of machines, servers and users around the world to identify themselves and protect their communications?

In our opinion:

  • X.509 certificates should be hybrid and backward compatible. Luckily, the ITU-T X.509 (10/19) standard (https://www.itu.int/rec/T-REC-X.509-201910-I/en) is a very good basis for that need, allowing certificates to contain both current and PQC cryptography, in a backward-compatible format that can be read and used by today's cryptographic libraries.

  • The same goes for Certificate Signing Requests and Certificate Revocation Lists, for much the same reasons.

  • For the private keys, the composite format seems to be the best option. It holds both current and PQC private keys within the same file, in a single PKCS#8 structure. This makes it easy to consume at application level, by pointing to a single file containing everything in the same format that was previously used. For the record, this draft seemed very interesting: https://datatracker.ietf.org/doc/draft-ounsworth-pq-composite-keys/

  • Protocols using these certificates, such as TLS, and libraries implementing them should evolve accordingly to take them into account.

  • Finally, a certificate lifecycle management solution offering inventory, governance and automation functions should be deployed.
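
An inventory-side check for the hybrid-certificate and migration-status points above, added here as an illustration and not EVERTRUST's own code: it walks a DER certificate for the three alternative-cryptography extensions defined in ITU-T X.509 (10/2019) and reports a status. The status labels, the helper names and the constructed sample certificates are assumptions.

```python
# Added example (stdlib only); status labels and constructed samples are assumptions.
ALT_EXTS = {  # DER OID content bytes -> extension name (2.5.29.72 / .73 / .74)
    bytes([0x55, 0x1D, 72]): "subjectAltPublicKeyInfo",
    bytes([0x55, 0x1D, 73]): "altSignatureAlgorithm",
    bytes([0x55, 0x1D, 74]): "altSignatureValue",
}

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def alt_extensions(cert_der):
    """Return {name: critical} for alternative-crypto extensions in a certificate."""
    (_, cert), = tlvs(cert_der)   # outer Certificate SEQUENCE
    _, tbs = next(tlvs(cert))     # first child: tbsCertificate
    found = {}
    for val in (v for t, v in tlvs(tbs) if t == 0xA3):  # [3] EXPLICIT Extensions
        (_, exts), = tlvs(val)
        for _, ext in tlvs(exts):
            fields = list(tlvs(ext))  # OID, optional BOOLEAN critical, OCTET STRING
            name = ALT_EXTS.get(fields[0][1])
            if name:
                found[name] = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
    return found

def migration_status(cert_der):
    found = alt_extensions(cert_der)
    if any(found.values()):  # a critical alt extension makes legacy parsers reject the cert
        return "not-backward-compatible"
    return {0: "legacy", 3: "hybrid"}.get(len(found), "partial")

def der(tag, *parts):  # minimal DER encoder, used only to build the samples
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_cert(arcs, critical=False):  # constructed skeleton, not a valid certificate
    crit = der(0x01, b"\xff") if critical else b""
    exts = [der(0x30, der(0x06, bytes([0x55, 0x1D, a])), crit, der(0x04, bytes(200))) for a in arcs]
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0xA3, der(0x30, *exts)))
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
```

Run over a certificate inventory, the counts per status give the migration view asked for in the principles; the check confirms only that the extensions are present, not that the alternative signature verifies.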

Time is ticking, at industry level. Let's tackle these points, decide and hit the road!
