Page 118 - Cyber Defense eMagazine August 2023

sectors. Cryptography's ubiquitous presence makes it difficult to track assets that organizations may not even be aware of.

Although not subject to the May deadline, enterprises must also identify and proactively manage their cryptographic assets. It is crucial for all organizations to follow a structured approach for transitioning to a post-quantum world. Consider the following steps:



Step 1: Inventory

The first step is to inventory all cryptographic systems, including certificates and algorithms, and prioritize them based on their level of criticality. This process entails understanding the crypto assets within an organization's environment, including the algorithms and certificates used, their issuers, expiration dates, the domains they protect, and even the software signed with specific keys. Additionally, organizations must investigate whether their software packages or devices automatically download updates, connect to backend servers, or operate on websites or portals managed by third parties or cloud providers. Establishing these details requires extensive communication with various providers and backend entities.

While identifying an organization's digital footprint may seem daunting, it is essential in today's interconnected world. Understanding crypto assets is the key to protecting them effectively.



Step 2: Prioritize

The next step involves prioritizing the replacement of encryption algorithms that generate signatures requiring long-term trust. This includes securing the roots of trust, firmware for long-lived devices, and other critical components. The urgency arises from the fact that encrypted data can be recorded now and decrypted later by operators of future quantum computers, a practice known as "harvest now, decrypt later." Therefore, any encryption intended for long-term use should be the first priority for replacement.



Step 3: Test

Furthermore, organizations need to explore and test the incorporation of post-quantum cryptography algorithms. The National Institute of Standards and Technology (NIST) has already selected the final algorithms for PQC standardization, but the development of standards, documentation, and secure implementation methods is still underway. It may take up to two years before these algorithms become widespread. However, implementers of cryptographic libraries and security software should start integrating these algorithms into their products now. Organizations can also begin exploring how to incorporate the selected PQC algorithms, as there will be a certain level of effort required to accommodate them.
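Steps 1 and 2 together describe a triage: record what each crypto asset is, then order its replacement by how long its signature or secrecy must hold. The following Python script is an added example, not code from the article or from any vendor it mentions. It reads a constructed inventory in the shape Step 1 describes (algorithm, issuer, expiry, what is protected, how long trust must hold) and orders the replacement work by the rule in Step 2, with long-lived signatures and "harvest now, decrypt later" exposure first. The CSV columns, the tier scheme, the algorithm-family tables and the default migration and horizon years are assumptions of this example; the X + Y > Z check is Mosca's widely used rule of thumb, which the article does not itself name.

```python
"""Crypto-asset inventory triage for a post-quantum migration.

Added example, not code from the article. The CSV columns, the tier scheme
and the default migration/horizon years are assumptions of this example.
"""
import csv
import io
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm on a cryptographically
# relevant quantum computer, versus symmetric/hash primitives that Grover's
# search only weakens (roughly halving the effective security level).
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
GROVER_WEAKENED = {"AES", "SHA2", "SHA3", "CHACHA20", "HMAC"}

# Constructed sample inventory (not real assets). trust_years is how long the
# protected data or signature must remain trustworthy; expires is kept because
# an inventory needs it, although this triage does not order by it.
INVENTORY_CSV = """\
asset,algorithm,key_bits,issuer,expires,protects,use,trust_years
root-ca-1,RSA,4096,internal-pki,2040-01-01,all internal TLS,signature,15
fw-signing-key,ECDSA,256,internal-pki,2035-06-30,router firmware,signature,10
tls-web-1,ECDSA,256,public-ca,2024-03-01,www.example.test,key_exchange,0
backup-archive,AES,128,n/a,n/a,customer records,data_at_rest,12
vpn-ike,DH,2048,n/a,n/a,site-to-site VPN traffic,key_exchange,8
"""


@dataclass
class Finding:
    asset: str
    algorithm: str
    tier: int      # 1 = replace first ... 5 = no action needed
    reason: str


def family(algorithm: str) -> str:
    """Map an algorithm name to 'shor', 'grover' or 'unknown'."""
    name = algorithm.upper().replace("-", "")
    if name in SHOR_BROKEN:
        return "shor"
    if name in GROVER_WEAKENED:
        return "grover"
    return "unknown"


def mosca_exposed(trust_years: float, migration_years: float, horizon_years: float) -> bool:
    """Mosca's rule of thumb: an asset is exposed when the time its secrecy or
    signature must hold (X) plus the time needed to migrate (Y) exceeds the
    time until a capable quantum machine exists (Z), i.e. X + Y > Z."""
    return trust_years + migration_years > horizon_years


def classify(row: dict, migration_years: float, horizon_years: float) -> Finding:
    """Assign one inventory row to a replacement tier with a reason."""
    asset, alg, use = row["asset"], row["algorithm"], row["use"]
    exposed = mosca_exposed(float(row["trust_years"]), migration_years, horizon_years)
    fam = family(alg)
    if fam == "shor":
        if use == "signature" and exposed:
            return Finding(asset, alg, 1, "long-lived signature (root of trust, firmware): replace first")
        if use in ("key_exchange", "data_at_rest") and exposed:
            return Finding(asset, alg, 2, "harvest-now-decrypt-later exposure: replace next")
        return Finding(asset, alg, 3, "quantum-vulnerable but short-lived: swap in PQC as standards mature")
    if fam == "grover":
        if int(row["key_bits"]) < 256 and exposed:
            return Finding(asset, alg, 4, "symmetric key too short for long-lived data: move to 256-bit")
        return Finding(asset, alg, 5, "no action beyond parameter review")
    # An algorithm the inventory cannot name is itself a finding: it cannot be
    # assessed until someone identifies it, so it goes to the front of the queue.
    return Finding(asset, alg, 1, "unrecognised algorithm: identify and assess manually")


def triage(csv_text: str, migration_years: float = 3, horizon_years: float = 10) -> list:
    """Parse the inventory and return findings ordered by tier, then name."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [classify(r, migration_years, horizon_years) for r in rows]
    return sorted(findings, key=lambda f: (f.tier, f.asset))


if __name__ == "__main__":
    for f in triage(INVENTORY_CSV):
        print(f"tier {f.tier}  {f.asset:<16} {f.algorithm:<8} {f.reason}")
```

With the default assumptions (three years to migrate, ten years of horizon) the two signing keys come out first, the VPN key exchange second because recorded traffic would still matter when a quantum machine arrives, the short-lived web certificate third, and the AES-128 archive last as a parameter upgrade rather than a replacement. Stretching the horizon to twenty years drops every public-key asset to the "swap in PQC as standards mature" tier, which is exactly the sensitivity an organization should understand before committing a migration budget: the ordering depends on the horizon and migration estimates, not only on the algorithms found.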

While the deadline for federal agencies to submit their inventories of cryptographic systems has passed, the need for all organizations to identify and manage their crypto assets proactively remains. The transition to quantum-resistant cryptography is a significant undertaking, but by understanding and




            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.