
Overcoming Digital Certificate Management Challenges in the Quantum Era


Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Murali Palanisamy of AppViewX explores the challenges digital certificate management will face during the inevitable “Quantum Era.”

Most commonly known for displaying the lock icon next to “https” on a webpage’s URL, digital certificates (SSL/TLS) make users feel that the website they are interacting with is trusted. But these certificates — which encrypt connections between users, applications, and other digital assets — also protect machines and workloads. With quantum computing on the horizon, organizations will eventually need to replace thousands of certificates throughout their hybrid and multi-cloud environments.

Digital certificates have been targeted for a security overhaul recently, forcing organizations to update them more frequently and upgrade their encryption algorithms. Browser vendors, including Apple and Google, and certification authorities (CAs) who comprise the CA/Browser Forum have reduced the lifespan of certificates and begun considering what the future will look like once quantum computers make today’s certificates and encryption algorithms obsolete.

These changes are now making crypto-agility — the ability to switch certificates and encryption standards with minimal disruption — a must for any organization looking to future-proof security before quantum computing forces their hand.



Post-Quantum Cryptography 

Quantum computing is still in development and not yet mainstream, but security professionals are already laboring to develop post-quantum cryptography (PQC), on the understanding that the future will be here soon. One recent study found it would still take a very powerful quantum computer 104 days to break today’s standard encryption, but if Moore’s Law is anything to go by, those powerful quantum computers will eventually come within reach of users, and of hackers.

Traditional cryptography relies on factoring large numbers, which is short work for a quantum processor, so PQC has to go a step further. It uses mathematical techniques that are resistant to the straight-line factoring of numbers that quantum computing enables, such as code-based cryptography (a field focused on error-correction and changing numbers), lattice-based cryptography (which uses a series of grid-like structures for managing its computations) and multivariate polynomial cryptography (which relies on a series of quadratic equations).

Before hackers gain access to quantum computers, a number of groups are facing that reality and working to create standards for post-quantum cryptography. Most notably, the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce, is completing a review to standardize quantum-resistant encryption algorithms to help organizations worldwide protect the certificates that enable encryption from this new technology.

Most of today’s encryption, such as the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates used in websites, applications, and cloud services, relies on what is known as asymmetric encryption, where a public key “hashes,” or encrypts, the information and a private key available only to the authenticated user decrypts it.

Unfortunately, most of the protocols commonly used in this type of encryption, such as RSA and ECC (Elliptic Curve Cryptography), are vulnerable to quantum decryption, so new standards are being developed. One of them, AES (Advanced Encryption Standard), is being recommended for safeguarding data as we approach the quantum era; it was developed by NIST and is already used by the U.S. government.

Get Quantum Crypto-Agile Now

With quantum computing on the horizon, organizations must find a way to adopt new PQC certificates without crushing their own operations in the process. This is where crypto-agility can help by paving the way for PQC and the regulatory issues that will inevitably follow.

In the interim, it can also help organizations become more proactive in heading off crypto compromises, remediating attacks, and smoothing the transition to the more secure SHA-2. At a minimum, organizations should consider adopting crypto-agility now to prepare for Google’s proposal to reduce TLS certificate validity from 398 days to a mere 90 days.

To establish a crypto-agile certificate lifecycle management (CLM) process, consider these best practices:

  • Know your assets: Find and review all of the organization’s cryptographic assets, including digital certificates and public and private keys, and match them to the resources they are securing, including devices, applications, machine identities and cloud services.
  • Inventory your crypto assets: Visibility is one of the goals of crypto-agility, so analyze and track cryptographic standards in use to make sure they comply with the accepted practices. Setting up a comprehensive inventory of all your certificates, matched to their location, expiration date, owner, and Certificate Authority (CA) can help.
  • Establish policies: Set up and enforce enterprise-wide crypto policies for the entire organization, governing when and how to use, modify, and phase out crypto instruments and algorithms to make sure the most current cryptographic practices are being used.
  • Leverage automation: CLM automation can enable crypto-agility by setting up a single point of control for managing digital assets and their corresponding certificates in a more efficient manner. It can also help mitigate crypto failures that can disable the organization. Most importantly, automation can facilitate the migration to PQC without time- and budget-intensive retrofitting, while meeting security and regulatory requirements as cryptography evolves.
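
The inventory and policy practices above can be combined into a small automated audit. The following is an added example, not code from the article or from AppViewX: the CSV columns, sample rows, hostnames and the 30-day renewal window are assumptions, while the 90-day validity limit, the RSA/ECC flag and the SHA-2 check follow the article.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real certificates): one row per certificate,
# carrying the fields the list above recommends tracking.
INVENTORY_CSV = """\
location,owner,issuer_ca,key_alg,sig_hash,not_before,not_after
lb01.example.internal:443,web-team,Example Internal CA,RSA-2048,SHA256,2024-01-10,2025-02-11
api.example.internal:8443,payments,Example Public CA,ECDSA-P256,SHA256,2024-11-01,2025-01-30
legacy-vpn.example.internal:443,,Example Internal CA,RSA-1024,SHA1,2023-06-01,2024-12-15
"""

# Assumed policy values for illustration; 90 days is the proposal the article cites.
MAX_VALIDITY_DAYS = 90
RENEW_WINDOW_DAYS = 30
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH", "DSA")  # RSA and ECC key families
WEAK_HASHES = {"MD5", "SHA1"}                         # anything older than SHA-2

def audit(inventory_csv, today):
    """Return {location: [finding, ...]} for every certificate in the inventory."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        start = date.fromisoformat(row["not_before"])
        end = date.fromisoformat(row["not_after"])
        if end < today:
            findings.append("expired")
        elif (end - today).days <= RENEW_WINDOW_DAYS:
            findings.append("renew-soon")
        if (end - start).days > MAX_VALIDITY_DAYS:
            findings.append("validity-over-90-days")
        if row["key_alg"].upper().startswith(QUANTUM_VULNERABLE):
            findings.append("pqc-migration-candidate")
        if row["sig_hash"].upper().replace("-", "") in WEAK_HASHES:
            findings.append("weak-signature-hash")
        if not row["owner"].strip():
            findings.append("no-owner")  # nobody to contact when it must be rotated
        report[row["location"]] = findings
    return report

if __name__ == "__main__":
    for location, findings in audit(INVENTORY_CSV, date(2025, 1, 15)).items():
        print(f"{location}: {', '.join(findings) or 'ok'}")
```

In practice the rows would come from discovery scans or CA exports rather than a hand-written table, and the findings would feed the renewal and replacement workflow.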

The post-quantum future is still theoretical, but like most tools in the digital area, it will become reality sooner than we think. Consider how quickly artificial intelligence has created monumental management challenges for most enterprises. Now is the time to embrace crypto-agility and prepare for the quantum computing leap in order to get ahead of the disruption.
