Guest Contributor, Dr. TAN Teik Guan, PhD, CEO of pQCee.com
With rapid advances in quantum computing technology, the threat that quantum computers pose to the security of existing digital systems will soon become a reality. Regulatory agencies are encouraging enterprises to start their post-quantum migration journey to defend against this looming threat.
An apt analogy [1] describes cryptography as a big bunch of “nails” that have been hammered into a house, and post-quantum migration as the process of finding these “nails” and replacing them with stronger ones, all the time making sure that the house remains sturdy and standing. And if you understand the complexity of today’s digital systems, the interconnectivity and high-speed processing coupled with huge sources of data, then you will realize that it is a very large number of different “nails” that we are dealing with, and the task of finding and replacing them is a multi-year and multi-party effort.
Let’s start from the basics:
- Different cryptographic algorithms are affected by quantum threats in different ways.
There are two broad families of cryptography, namely public (or asymmetric) key cryptography and symmetric key cryptography, that are used in combination to protect today’s digital systems. Symmetric key cryptography is applied by communicating parties that know a common secret key, which is used to encrypt information sent amongst each other. AES (Advanced Encryption Standard) is an encryption algorithm that belongs to the symmetric key cryptography family and, if used with an appropriately large key size (such as AES-256), is not vulnerable to quantum attacks.
Public key cryptography is mostly used for key exchange, verifying digital identities and protecting message authenticity. The mathematical foundations on which current-day public key cryptographic algorithms such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography) rely are unfortunately vulnerable to quantum computers, regardless of key size. These are the sets of “nails” we need to replace.
Examples of applications that rely heavily on public key cryptography include digital certificates for public key infrastructures (PKIs) and cryptocurrency wallet transactions in blockchains.
- Cryptography is used in different layers within an application
You are going to find lots of “nails” in even the simplest of applications. Take the everyday web browser for example. It is used for accessing news and social media feeds, sending and receiving emails, and viewing/approving electronic agreements. At the communication layer, the web browser uses TLS (Transport Layer Security) to authenticate the website and encrypt the communication link. The electronic agreements approved in the browser have to be digitally signed for non-repudiation purposes. The web browser application is downloaded from the app store, which requires the owner to code-sign the application. The web browser runs on the laptop, whose operating system checks for software licenses and also downloads the latest anti-virus mechanisms. The laptop may need additional authentication to connect to an office network, and also regular upgrades to its firmware to keep up to date.
All of the above activities, most of which happen seamlessly to the end-user, require the use of public key cryptography to ensure the security of the operation. Finding all these “nails” is neither a straightforward nor a once-off task.
- Inter-dependencies with other systems mean that the migration process is never complete
The post-quantum migration is further complicated by two opposing requirements: (i) the short-term need for systems to keep updated to stay secure against current-day attacks; and (ii) the long-term need for systems to be completely rid of quantum-insecure cryptography.
When performing regular updates, especially automatic/urgent fixes and patches from external vendors, there is no guarantee that these updates do not contain quantum-insecure cryptography. This would inadvertently compromise the overall state of quantum-readiness in the system, and force application owners to revisit the topic of migration even for applications that have been post-quantum migrated. The way to navigate this is to build up internal capabilities and tools on post-quantum discovery and remediation, while strengthening your supply chain with quantum-ready vendors.
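The algorithm classification given earlier (RSA and ECC vulnerable at any key size, AES acceptable at AES-256) and the re-check after vendor updates described here can be combined into one small discovery step. The following is an added example, not code from the author, pQCee or Netrust; the inventory format, the component names and the ML-KEM/ML-DSA entries are assumptions made for illustration.

```python
import re

# Rules from the article: RSA and ECC are quantum-vulnerable at any key size;
# AES is acceptable with a large key such as AES-256.
# Assumption added here: ML-KEM / ML-DSA (NIST FIPS 203/204) count as post-quantum.
VULNERABLE = re.compile(r"^(RSA|EC(C|DSA|DHE?)|ED25519|X25519)\b", re.I)
POST_QUANTUM = re.compile(r"^(ML-KEM|ML-DSA)\b", re.I)
AES = re.compile(r"^AES-?(\d+)", re.I)


def classify(algorithm):
    """Return 'vulnerable', 'ok' or 'review' for one algorithm name."""
    if VULNERABLE.match(algorithm):
        return "vulnerable"
    if POST_QUANTUM.match(algorithm):
        return "ok"
    m = AES.match(algorithm)
    if m:
        return "ok" if int(m.group(1)) >= 256 else "review"
    return "review"  # unknown names need a human decision, never a silent pass


def regressions(baseline, current):
    """Entries in `current` that are not 'ok' and were absent from `baseline`."""
    known = {(e["component"], e["usage"], e["algorithm"].upper()) for e in baseline}
    found = []
    for e in current:
        key = (e["component"], e["usage"], e["algorithm"].upper())
        status = classify(e["algorithm"])
        if status != "ok" and key not in known:
            found.append((e["component"], e["usage"], e["algorithm"], status))
    return found


# Constructed sample inventories (hypothetical components, not a standard schema).
BASELINE = [
    {"component": "mail-gateway", "usage": "tls-key-exchange", "algorithm": "ML-KEM-768"},
    {"component": "mail-gateway", "usage": "message-signing", "algorithm": "ML-DSA-65"},
    {"component": "mail-gateway", "usage": "storage-encryption", "algorithm": "AES-256-GCM"},
]
AFTER_VENDOR_PATCH = BASELINE + [
    {"component": "vendor-updater", "usage": "code-signing", "algorithm": "RSA-3072"},
    {"component": "vendor-updater", "usage": "tls-key-exchange", "algorithm": "ECDHE-P256"},
    {"component": "vendor-updater", "usage": "cache-encryption", "algorithm": "AES-128-CBC"},
]

if __name__ == "__main__":
    for comp, usage, alg, status in regressions(BASELINE, AFTER_VENDOR_PATCH):
        print(f"{status:10} {comp:15} {usage:18} {alg}")
```

Run against an inventory snapshot taken before and after each update, an empty result means the update did not change the system's state of quantum-readiness.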
So while the task of cryptographic discovery and remediation (aka finding and replacing “nails”) is complicated due to intricacies and operational availability, it can be made easier by starting early and working with trusted vendors and tools to build up technical competency and agility. Netrust has been a long-term trusted service partner for many organizations since 1997 and has seen through successful cryptographic migrations from MD5 to SHA256 and from DES to AES. With their arsenal of resources and tools, and with more than 25 years in professional services, they are able to provide:
- Cryptographic discovery
- Post quantum certificates
- Quantum-safe HSMs
- pQCee suite of quantum-safe libraries for web browsing, secure email, document signing
Insights from Netrust:
The foundation of a successful post-quantum migration starts with understanding your cryptographic Bill of Materials (Crypto-BOM), a comprehensive inventory of all cryptographic assets within your ecosystem. Without this visibility, organizations risk overlooking vulnerabilities that quantum threats can exploit. At Netrust, we help enterprises proactively assess their cryptographic landscape through our PKI Health Check, ensuring that outdated, insecure algorithms are identified and systematically replaced with safe alternatives.
Take proactive steps to secure your digital environment. Schedule your Free PKI Health Check by contacting us today!
[1] Credited to Mr Mark Carney of Santander Digital Services