To ease the disruption caused by moving away from quantum-vulnerable cryptographic code, NIST has released a draft document describing the first steps of that journey.
To ease the migration from public-key cryptographic algorithms to quantum-resistant algorithms, the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCOE) has released a draft document describing migration challenges and approaches for facilitating that migration.
NIST has been working to evaluate and select post-quantum encryption algorithms since 2016, and the migration process is also expected to be a lengthy process. Because nothing can protect hardware, software, applications or data from a quantum-enabled adversary, encryption keys and data will require re-encrypting with a quantum-resistant algorithm and deleting or physically securing copies and backups. What’s more, replacing cryptographic algorithms requires all system components -- protocols, schemes and infrastructures -- be ready to process the new encryption scheme. As a result, NIST said, “algorithm replacement can be extremely disruptive and often takes decades to complete.”
To get a head start on executing a migration roadmap, NIST has outlined five implementation scenarios that aim to identify quantum-vulnerable cryptographic code, prioritize the replacement of that code and address remediating deficiencies based on security controls’ dependence on quantum-vulnerable cryptography. All scenarios address enterprise data center environments, including on-premises data centers and data hosted in public and hybrid clouds by owners or third-party providers.
- Scenario 1: Discovering the FIPS-140-validated hardware and software modules present in the enterprise that employ quantum-vulnerable public-key cryptography, identifying priorities for replacement based on a documented risk assessment and developing a migration strategy for each component.
- Scenario 2: Identifying the cryptographic libraries that are commonly used for quantum-vulnerable algorithms and those that might support one of NIST’s selected quantum-resistant algorithms.
- Scenario 3: Finding and selecting sample cryptographic applications that use quantum-vulnerable public-key cryptography, prioritizing them by risk and the number of affected systems and processes and identifying the candidate replacement algorithms or compensating controls, if they exists.
- Scenario 4: Identifying quantum-vulnerable code in computing platforms, including operating systems, access control utilities, cryptographic integrity applications and identity and access management applications as well as investigating the projected impact of mitigation options.
- Scenario 5: Finding and prioritizing the quantum-vulnerable cryptographic algorithms used in communication protocols leveraged by critical infrastructure sectors and suggesting possible replacements.
Organizations collaborating with NIST on this project will be able to install and test discovery tools and quantum-resistant components in an enterprise environment – featuring physical, virtualized and containerized workloads -- hosted by NCCoE’s post quantum cryptography laboratory. The lab’s high-level architecture will connect to external sites and cloud resources hosted by the collaborators so the partners can install operate their discovery tools remotely via virtual private network. Conversely, lab staff can use the tools to discover quantum-vulnerable software in remote sites.
Comments on the draft report are due July 7.