Page 118 - Cyber Defense eMagazine August 2023
sectors. Cryptography's ubiquitous presence makes it difficult to track assets that organizations may not
even be aware of.
Although not subject to the May deadline, enterprises must also identify and proactively manage their
cryptographic assets. It is crucial for all organizations to follow a structured approach for transitioning to
a post-quantum world. Consider the following steps:
Step 1: Inventory
The first step is to inventory all cryptographic systems, including certificates and algorithms, and prioritize
them based on their level of criticality. This process entails understanding the crypto assets within an
organization's environment, including the algorithms and certificates used, their issuers, expiration dates, the
domains they protect, and even the software signed with specific keys. Additionally, organizations must
investigate whether their software packages or devices automatically download updates, connect to
backend servers, or operate on websites or portals managed by third parties or cloud providers.
Establishing these details requires extensive communication with various providers and backend entities.
While identifying an organization’s digital footprint may seem daunting, it is essential in today’s
interconnected world. Understanding crypto assets is the key to protecting them effectively.
Step 2: Prioritize
The next step involves prioritizing the replacement of encryption algorithms that generate signatures
requiring long-term trust. This includes securing the roots of trust, firmware for long-lived devices, and
other critical components. The urgency arises from the fact that encrypted data can be recorded now and
decrypted later by operators of future quantum computers, a practice known as “harvest now, decrypt
later.” Therefore, any encryption intended for long-term use should be the first priority for replacement.
Step 3: Test
Furthermore, organizations need to explore and test the incorporation of post-quantum cryptography
algorithms. The National Institute of Standards and Technology (NIST) has already selected the final
algorithms for PQC standardization, but the development of standards, documentation, and secure
implementation methods is still underway. It may take up to two years before these algorithms become
widespread. However, implementers of cryptographic libraries and security software should start
integrating these algorithms into their products now. Organizations can also begin exploring how to
incorporate the selected PQC algorithms, as there will be a certain level of effort required to
accommodate them.
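As an added illustration of Steps 1 and 2 (not code from the article or its author), the sketch below ranks a small certificate and key inventory by migration priority. The CSV columns, the sample rows, the role weights and the 2030 horizon date are all assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real assets); the column names are assumptions.
INVENTORY_CSV = """asset,role,algorithm,issuer,expires,managed_by
corp-root-ca,root_of_trust,RSA-4096,self,2041-06-01,internal
fw-signer-plc,firmware_signing,ECDSA-P256,corp-root-ca,2035-01-15,internal
www.example.com,tls_server,RSA-2048,Example Public CA,2024-03-10,cloud_provider
vpn-gw,key_exchange,ECDH-P384,corp-root-ca,2026-09-30,internal
backup-archive,data_encryption,AES-256,n/a,2033-12-31,internal
"""

# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA", "DH"}
# Step 2 roles (assumed weights): long-term trust and recordable key exchange.
ROLE_WEIGHT = {"root_of_trust": 3, "firmware_signing": 3, "key_exchange": 3}


def prioritize(csv_text, horizon=date(2030, 1, 1)):
    """Return inventory rows sorted by migration priority, highest first."""
    ranked = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        family = rec["algorithm"].split("-")[0].upper()
        score = 0  # symmetric algorithms such as AES-256 are not flagged
        if family in QUANTUM_VULNERABLE:
            score = 1 + ROLE_WEIGHT.get(rec["role"], 0)
            # Keys still trusted past the assumed horizon stay exposed longer.
            if date.fromisoformat(rec["expires"]) > horizon:
                score += 2
        rec["score"] = score
        # Third-party or cloud-managed assets need the provider's own plan.
        rec["ask_provider"] = rec["managed_by"] != "internal"
        ranked.append(rec)
    return sorted(ranked, key=lambda r: (-r["score"], r["asset"]))


if __name__ == "__main__":
    for r in prioritize(INVENTORY_CSV):
        print(f'{r["score"]} {r["asset"]:<16} {r["algorithm"]:<11} '
              f'expires {r["expires"]} ask_provider={r["ask_provider"]}')
```

In a real inventory the rows would come from certificate stores, code-signing records and provider responses rather than a hand-written CSV.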
While the deadline for federal agencies to submit their inventories of cryptographic systems has passed,
the need for all organizations to identify and manage their crypto assets proactively remains. The
transition to quantum-resistant cryptography is a significant undertaking, but by understanding and