What is quantum encryption?
Quantum cryptography is a science that applies the principles of quantum mechanics to data encryption and data transmission so that data cannot be accessed by hackers - even by malicious actors who have quantum computing of their own. The broader application of quantum cryptography also includes creating and executing various cryptographic tasks using the unique capabilities and power of quantum computers. In theory, this type of computer could help in the development of new, stronger, and more efficient encryption systems that are not possible with existing traditional computer and communications architectures.
While many areas of this science are conceptual and not reality today, several key applications where cryptographic systems intersect with quantum computing are critical to the immediate future of cybersecurity. Two popular but distinctly different cryptographic applications developed using quantum properties are:
- Quantum-safe encryption: the development of cryptographic algorithms, also known as post-quantum cryptography, that are secure against attack by a quantum computer and are used to generate quantum-safe certificates.
- Quantum key distribution: the process of using quantum communications to establish a shared key between two trusted parties so that an untrusted eavesdropper cannot learn that key.
This article focuses on post-quantum cryptography, quantum security certificates, and how organizations can protect themselves when these risks become a reality.
Why is this science necessary?
The rapid development of quantum computing promises powerful computing capabilities that will solve a wide range of critical, even life-saving, computing problems that conventional computers simply cannot. Unfortunately, they are also capable of spawning new threats at unprecedented speed and scale. For example, complex mathematical equations that traditional computers take months or even years to solve can be cracked in a matter of moments by quantum computers running quantum algorithms such as Shor's algorithm. As a result, systems capable of cracking traditional mathematical encryption algorithms are expected to appear on the market within the next 5 to 10 years.
Hackers who add this type of computation to their attack arsenal will be able to quickly crack today's widely used encryption algorithms. In particular, the RSA and ECC encryption algorithms, which are fundamental to public key cryptography and symmetric key cryptography, rest on mathematical problems that these computers can solve quickly. This puts state-of-the-art cybersecurity, communications and digital identities at risk.
It is imperative to ensure that PKI solutions can adequately protect these systems and data from quantum computing attacks. This means that new quantum-proof algorithms have to be developed and companies have to switch to new quantum-proof certificates. The task of migrating to new digital certificates requires a well-planned effort to update PKI systems and the applications that use those certificates.
The development and migration to quantum security certificates needs to happen as quickly as possible and cannot wait for the RSA and ECC algorithms to be cracked. Hackers can steal sensitive data today, encrypted with current algorithms, and decrypt it later when quantum computing becomes available. Organizations must address this threat now to ensure their organizations' data, applications, and IT infrastructure are protected for years to come.
How does Quantum Safe encryption work?
Academic, technological, and public organizations around the world have accelerated their efforts to discover, develop, and implement new cryptographic quantum security algorithms. The aim is to create one or more algorithms that are reliably resistant to quantum computing. The task is technically difficult, but not impossible.
Good cryptographic systems require a difficult problem to solve. Quantum cryptography comes about by choosing a mathematical approach that is difficult for any computer to solve. Current RSA and ECC encryption algorithms are based on algebraic problems using very long random numbers. These are then applied to public keys and private keys such that the private key, which is the secret key, cannot be derived from the public key by brute force attacks in a reasonable amount of time using conventional computers. The attacks are ineffective because they are very computationally intensive. With quantum computing, these fundamental assumptions, on which our entire security architecture is built, are no longer applicable. New computers can derive the private key from a public key in a reasonable amount of time.
Quantum cryptography works by solving entirely different problems. For example, lattice-based cryptography is based on a geometric rather than an algebraic approach, making the peculiar properties of a quantum computer less effective in breaking quantum cryptographic systems. This type of cryptography is difficult to solve for both classical and quantum computers, making it a good candidate for the basis of a post-quantum cryptographic algorithm approach. Secure quantum algorithms have been proposed and are currently undergoing a selection process by the National Institute of Standards and Technology (NIST), the US federal agency that supports the development of new standards, with plans to issue the first standard for quantum-resistant cryptography in 2022.
What is the difference in quantum key distribution?
Quantum key distribution (QKD) uses quantum mechanical principles to send secure communications that allow users to securely distribute keys among themselves and provide encrypted communications that cannot be decrypted by eavesdropping by malicious actors. QKD secures communications, but does not encrypt the transmitted data like quantum security certificates do.
QKD systems create a shared private key between two connected parties and use a series of photons (particles of light) to transmit the data and key over a fiber optic cable. The key exchange relies on Heisenberg's uncertainty principle: each photon is randomly prepared in one of two polarization bases, and the quantum property of a photon cannot be measured without changing the quantum information itself.
In this way, the two connected endpoints of a communication can verify the shared private key and ensure that the key can be used securely as long as the photons remain unaltered. When a malicious actor accesses or intercepts a message, the attempt to learn about the key information changes the quantum nature of the photons. The altered state of a single photon is detected and the parties know that the message has been compromised and cannot be trusted.
Types of Quantum Safe Certificates
With the development of quantum-safe cryptography, companies must now consider which certificates to implement.
Traditional PKI certificates are now the gold standard for authentication and encryption of digital identities. These certificates are called "legacy" because they use existing ECC or RSA encryption algorithms. Most PKI systems will continue to use traditional PKI certificates for some time. They offer effective protection against existing computer attacks, but will become obsolete in the future due to quantum computers and attacks on ECC and RSA cryptography.
There are three types of digital certificates that are relevant when considering quantum security options. Each type still follows the X.509 digital certificate standards that are fundamental to public-key cryptography. The types differ significantly in their purpose and in the encryption algorithm used to create the certificate.
Quantum Safe Certificates
Quantum-safe certificates are X.509 certificates that use quantum-safe encryption algorithms. Although NIST is still in the process of standardizing cryptographic algorithms, it has identified several candidate algorithms and implementations of these algorithms are currently available.
Quantum Safe Hybrid Certificates
Hybrid certificates are cross-signed certificates that contain a traditional (RSA or ECC) key and signature and a quantum security key and signature. Hybrid certificates provide a migration path for systems with multiple components that cannot be upgraded or replaced at the same time. This type allows systems to be gradually migrated, but eventually all systems using ECC or RSA encryption must migrate to new quantum security cryptographic algorithms.
Businesses need to upgrade key elements of their IT infrastructure to leverage quantum security cryptosystems and hybrid certificates. When other systems and devices access the newly upgraded system, they can continue to use classic encryption algorithms. The quantum-safe key and signature are stored as an alternate signature algorithm and alternate key. Applications that don't use the quantum security fields in hybrid certificates ignore these additional fields. Over time, security teams can update applications and systems to use the new algorithms. Once the transition is complete, they can replace the hybrid certificates with pure quantum security certificates.
Quantum Secure Composite Certificates
Composite certificates are similar to hybrid certificates in that they contain multiple keys and signatures, but differ in that they use a combination of existing encryption algorithms and quantum security. Composite certificates are analogous to a single door with multiple locks: a person must have the keys to all the locks to open the door. The purpose of composite keys is to address the concern that any single currently available or future encryption algorithm could be cracked using quantum computers. If one of the encryption algorithms has an exploitable vulnerability, the entire system is still secure.
Although NIST is coordinating a process to study and select secure quantum cryptographic algorithms, these new algorithms have yet to be fully battle tested. It is possible that security researchers or hackers will eventually discover vulnerabilities in one or more of these proposed algorithms. Composite certificates provide strong protection against this risk, making them ideal for protecting environments with high security requirements. However, creating multiple encryption keys and combining them to issue a composite certificate requires exceptional computing power.
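The difference between the hybrid certificates described above (alternate signature ignored by applications that do not support it) and composite certificates (every signature must verify), as an added model that is not part of the original article or of any Sectigo product: the certificate structure, algorithm names and the HMAC-based placeholder "signatures" are constructed stand-ins for real X.509 signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the CA's per-algorithm signing keys (not real keys).
CA_KEYS = {"RSA": b"ca-rsa-key", "ECC": b"ca-ecc-key", "PQ-LATTICE": b"ca-pq-key"}

def sign(alg, tbs):
    """Placeholder signature: HMAC over the to-be-signed bytes with the CA key for alg."""
    return hmac.new(CA_KEYS[alg], tbs, hashlib.sha256).digest()

def verify(alg, tbs, sig):
    return hmac.compare_digest(sign(alg, tbs), sig)

@dataclass
class Cert:
    tbs: bytes                                 # certificate body that is signed
    sigs: dict = field(default_factory=dict)   # algorithm name -> signature bytes

def issue(tbs, algs):
    """Issue a certificate carrying one signature per listed algorithm."""
    return Cert(tbs, {alg: sign(alg, tbs) for alg in algs})

def verify_hybrid(cert, supported, primary):
    """Hybrid semantics: the primary (RSA/ECC) signature must verify; the
    alternate quantum-safe signature is checked only by verifiers that support
    its algorithm and is ignored by everyone else."""
    if not verify(primary, cert.tbs, cert.sigs[primary]):
        return False
    for alg, sig in cert.sigs.items():
        if alg != primary and alg in supported and not verify(alg, cert.tbs, sig):
            return False
    return True

def verify_composite(cert, supported):
    """Composite semantics: every lock must open, so every algorithm must be
    supported by the verifier and every signature must verify."""
    return all(alg in supported and verify(alg, cert.tbs, sig)
               for alg, sig in cert.sigs.items())

if __name__ == "__main__":
    legacy, upgraded = {"RSA", "ECC"}, {"RSA", "ECC", "PQ-LATTICE"}
    cert = issue(b"CN=example.test", ["RSA", "PQ-LATTICE"])
    print("hybrid, legacy client  :", verify_hybrid(cert, legacy, "RSA"))
    print("hybrid, upgraded client:", verify_hybrid(cert, upgraded, "RSA"))
    print("composite, legacy client  :", verify_composite(cert, legacy))
    print("composite, upgraded client:", verify_composite(cert, upgraded))
```

The model also shows the caveat that matters during migration: a verifier that ignores the alternate field gains no protection from it, so a corrupted quantum-safe signature is only caught once the client is upgraded to check it.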
How to migrate to Quantum Safe certificates
Enterprises must now plan to take preventive measures against the threats posed by quantum computing. Certificate migration requires extensive updates to many systems, including internal applications, servers and systems under direct organizational control, as well as connections to external third-party systems. For organizations of all sizes, these actions require significant IT resources, human capital, and time.
The aim is to convert all systems to pure quantum-safe certificates as quickly as possible. While a direct cut-over in one large project could theoretically achieve this goal faster, it involves risks. If a single system is not properly updated, it can no longer communicate with other systems and disrupts critical business applications. In addition, not all systems and environments may be technically ready to use quantum cryptographic algorithms at the same time. In this situation, a company would have to wait until its entire environment is ready before starting the migration, remaining exposed to quantum computing attacks in the meantime.
In reality, not all systems need to be updated at the same time. A phased approach with hybrid certificates enables organizations to undertake a gradual migration that can begin today, with less risky processes, while environments remain secure. Hybrid certificates allow systems that don't yet support quantum security cryptography to work concurrently with new systems that do. Once all systems support quantum-safe cryptography, hybrid certificates can be discarded in favor of fully quantum-safe certificates.
There are six steps required for an organization to migrate successfully, whether it's an in-place upgrade or using hybrid certificates.
- Step 1: Move to a Quantum-Proof PKI Infrastructure - The first step in migration is to upgrade an organization's PKI infrastructure, including the certificate authority (CA), to support quantum security algorithms. Instead of trying to update internal PKI systems themselves, IT security teams can turn to a commercial certificate authority like Sectigo, which offers commercial support for issuing and managing certificates. After an organization updates its existing CA or selects a new CA, the CA must issue new quantum-proof root and intermediate certificates.
- Step 2: Update the Server's Cryptographic Algorithms - Next, the cryptographic libraries used by the server applications must be updated to support the new cryptographic algorithms and the new quantum security certificate formats. When hybrid certificates are used, server applications must recognize and process both traditional RSA or ECC certificates and hybrid certificates with quantum-safe keys. This requires server applications to distinguish between the two certificate types and to use the correct algorithmic method for each.
- Step 3: Update Client's Cryptographic Algorithms - Next, teams can update client applications. Note that a client application can communicate with many server applications, including external environments, and one or more of these server applications may not have been updated yet. In this case, hybrid certificates allow the client to work with servers that support only the traditional RSA and ECC algorithms, while using quantum-safe algorithms with servers that support the newer algorithms.
- Step 4: Install Root with Quantum Security on All Systems - Any system that uses PKI has a trusted root store. This root store contains the certificates for the root and intermediate CAs that issue certificates within the PKI system. After the client and server systems have been updated to support quantum security algorithms, these root stores must be updated to add the new root and intermediate certificates.
- Step 5: Issue and Install Quantum Safe Certificates for All Devices/Applications - Once IT teams have updated all of an organization's systems to support quantum-safe encryption, they need to issue new certificates and install them on all endpoints. Upon completion, each device will be secured with the new certificates.
- Step 6: Replace Traditional Encryption Algorithms and Revoke RSA/ECC Based Certificates - The final step in the migration is to replace the traditional RSA and ECC encryption algorithms. This can be done gradually across applications and systems as they migrate to the new algorithms. Once all systems are migrated, the RSA and ECC root certificates must be revoked to ensure that no system is still using them.
Automate the management of Quantum Safe certificates
Migrating to new cryptographic algorithms and PKI systems requires configuring and issuing large numbers of new certificates and revoking old certificates for every application, device, and server in an organization. Additionally, IT teams must continue to manage all certificates on an ongoing basis to ensure systems are not down due to expired certificates. Using manual processes to discover, install, monitor, and renew all PKI certificates in an organization is labor-intensive and technically demanding.
An automated approach to certificate management also ensures that organizations can maintain cryptographic agility to adapt to evolving quantum security cryptographic techniques. Automation tools available today, such as Sectigo Certificate Manager, enable organizations to quickly update cryptographic algorithms, revoke compromised certificates and replace them with quantum security certificates, and automate certificate discovery and future certificate renewals.
As the cybersecurity community works to standardize quantum security algorithms, free resources can help organizations understand how this is affecting their critical business systems and how to maintain security as new threats emerge. Sectigo Quantum Labs produces the Sectigo Quantum Safe Certificate Toolkit, a proof-of-concept solution that businesses and security professionals can use to evaluate potential solutions. This toolkit provides the ability to generate private quantum-safe root and intermediate certificates, issue private leaf certificates, and use these certificates to create quantum-safe TLS sessions.
Watch the following video demonstration of how to create secure quantum certificates with the toolkit: