Commanding the Future: How Keyfactor’s Risk Intelligence Prepares You for Post-Quantum Threats

This year, Keyfactor announced the launch of Command Risk Intelligence, a new component of Keyfactor’s leading Certificate Lifecycle Management and Automation solution, Keyfactor Command.

As organizations prepare for a migration to new cryptographic methods to protect against the looming threat from quantum computing, this new component helps to triage and prioritize these migration needs. 

What is Command Risk Intelligence? 

Command itself provides a “single pane of glass” for administrators to easily view their entire inventory of PKI assets, helping to issue, deploy, track, and replace enterprise certificates at scale.

Risk Intelligence builds on the capabilities of the base platform, expanding the certificate inventory deeper into the public web footprint and adding new tools to surface and detect actionable risk evident in a certificate inventory. Each certificate is run through a rules engine, inspecting it for a wide variety of defects and quantifying the level of danger into a “risk score”.  

These capabilities help administrators to identify keys that are unexpectedly weak, Certificate Authorities improperly configured to enforce organizational policy, and certificates not appearing online as expected.

Development of Command Risk Intelligence has required careful consideration of the impact of a number of emerging technologies and their confluence within the enterprise security space.  

The Rise of Predictive Threat Intelligence 

Continued advances in cloud computing have made factoring attacks against RSA keys ever easier, as described in our older research. Generative and Agentic AI continues to redefine how IT administrators interact with enterprise software, while at the same time opening new ways for attackers to exploit security defects.

And this is to say nothing of self-driving cars, self-regulating medical devices, and other such life-critical applications of connected technology that could be impacted by security issues.

We aim to provide the best possible protection from these issues, for example by implementing analysis within Command Risk Intelligence to catch certificates vulnerable to factoring attacks. To protect against AI threats, we run each certificate through a machine learning rule that can provide insight into the risk level a model might perceive a certificate to represent at first glance, and we surface the most serious issues to administrators for proactive defense against such threats.

As Gartner put it in the June publication, “Emerging Tech: The Rise of AI-Based Predictive Threat Intelligence”:

The rapidly increasing and expanding reliance on internet-facing digital assets has emboldened threat actors with a wide array of targets and options for exploitation. This, combined with threat actors’ ability to leverage AI technology, drives the urgent need for more concerted efforts to automate security with AI-based predictive defense capabilities.

The reasoning Keyfactor has employed in developing the Risk Intelligence Module is closely aligned with these conclusions from Gartner. However, no combination of such measures is adequate to protect against risks to systems in use today from the advent of practical quantum computers, which stand to render all RSA and ECC keys in use obsolete in the coming years.

While AI risks pose a threat today, they do not cause fundamentally secure keys to become insecure.

Efforts should be focused on identifying weak points and proactively shoring them up to ensure that all resources provide the expected security benefit. The risk from quantum computing is then a very different risk to enterprise certificates, and while there may yet be some time until the practical impacts to cryptography are significant, the regulatory impacts have already begun.

The ultimate impact of quantum computing on cryptography will be even larger than that of AI, because it will require replacement of all keys, not just select high-risk keys. Our Command Risk Intelligence component, then, needed to account for this risk. 

NIST Guidelines and Key Deprecation Timelines 

The key regulatory timeline began last year, when the National Institute of Standards and Technology (NIST) released the initial public draft of its landmark guideline, NIST IR 8547, calling for migration to new, “quantum-safe” cryptographic algorithms by Jan 1, 2030 or Jan 1, 2035 for different applications. This guidance is rooted in NIST’s belief that RSA and ECC keys will cease providing appropriate security in this timeframe.

An adversary with a sufficiently powerful quantum computer can rederive the RSA or ECC private key, and use this to impersonate servers, decrypt traffic, sign malware, and perform other sensitive operations with the trusted credential.  

This guidance is also essentially independent from NIST’s requirements for key sizes needed to protect against classical computers rederiving a private key. This has been updated numerous times already – RSA-512 gave way to 1024, 2048, and so on. As computers get more powerful, they are able to break larger and larger keys despite the exponential complexity in doing so. Under this progression, RSA-2048 – by far the most common key size found online – is scheduled for deprecation under this older guidance as well.  

The “Harvest Now, Decrypt Later” Problem  

Taking these two sets of guidelines together, then, NIST is essentially saying that keys in widespread use today will be vulnerable to multiple vectors within a decade. But this very much does not mean that it is safe to use RSA-2048 keys for all applications right up to the first deadline.

One of the most pernicious issues is a “harvest now, decrypt later” attack. State-level and other sophisticated actors are able to capture traffic of interest flowing across networks over TLS. In many cases, even when the data cannot be decrypted today, it can be preserved, then decrypted when computers – classical, quantum, or otherwise – are powerful enough to rederive the private key.

Certainly, some data revealed in this way will have passed the point of usefulness, but much other information will still be highly valuable.

As an easy example, I now have credit cards with expiration dates in the 2030s. If I buy something in 2029, and the vendor has been procrastinating until the NIST cutoff date, someone who is able to harvest and subsequently decrypt that information would be able to obtain my valid credit card number. As the cutoff date approaches, an even larger fraction of the data captured in this way will be valuable, and the incentive for bad actors to harvest it will increase.

There are mitigations against this risk, such as the use of Forward Secrecy, a property that can be configured for many TLS communications but that is not universally adopted. However, the best mitigation is to replace all of the certificates on these traditional algorithms with quantum-safe cryptography.

Unfortunately, this is easier said than done.

The algorithms have been standardized for less than a year. There are major TLS clients like Safari that still do not support these algorithms. Organizations must discover their vulnerable keys, triage them, obtain a solution for issuing new quantum-safe replacements, and perform a large number of system reconfigurations, installing new keys and newly-signed software.

Keyfactor’s technology stack helps with every one of these tasks: 

  • EJBCA issues new quantum-safe certificates to replace the legacy certs 
  • Command automates tracking and replacement of certificates 
  • BouncyCastle allows application developers to support quantum-safe cryptographic algorithms in their own applications 
  • SigNum and SignServer enable quantum-safe digital signatures

With Keyfactor’s recent acquisitions of the CipherInsights and AgileSec Analytics platforms, Keyfactor offers new ways to discover impacted keys for triage. Risk Intelligence’s role is in this step, helping organizations to determine which systems are most critically at risk and triage their certificates by priority for replacement.

How Risk Intelligence Quantifies Quantum Risk 

To do this, we consider several details about the certificate.

The first detail is its expiration date. The easy case is if it expires after Jan 1, 2035. This is past all of the deadlines related to security for both quantum and classical computers, and all key sizes will be considered broken, leading to a “CRITICAL” violation (risk score of 1000). For certificates expiring between Jan 1, 2030 and Jan 1, 2035, we use a geometric scale based on the expected key sizes during this timeframe. Now, due to the threat of quantum computing, again, all RSA and ECC keys are nominally at risk during this period.

However, for both quantum computers and classical computers, smaller keys will be broken first, and larger keys are at lower risk.

Due to this risk, all sizes of RSA and ECC are scored at least as HIGH risk (100-999 risk score). But then we begin to differentiate based on the number of “bits of security”, which is a way to standardize key strength regardless of different key types having a different number of bytes.  

This standardization is necessary because, for example, RSA keys contain the product of two large prime numbers. It requires a lot of space to write these numbers, but the information density is lower. So an RSA 3072 key is considered to have 128 bits of security. This would be considered secure against a classical computer in 2030-2034, but not against a quantum computer. Therefore, we assign this a score of 100. However, a key with just 127 bits would already be considered marginally deficient against a classical computer too, and we score this higher, at 500. As the key size diminishes further, the computational power – of either type – required to break the key decreases, and the number of parties with the capability to do so increases exponentially.

Therefore, the risk score increases until we get to 111 bits or below (RSA 2048 or ECC 224 contain 112), at which point we say the certificate has a CRITICAL risk of 1000. Between 112 and 127 bits, we interpolate on a geometric scale; given that 111 bits maps to a score of 1000 and 128 bits to 500, this leads to the formula $\text{RISK} = 1000 \times 0.955^{(\text{SECURITY\_BITS} - 112)}$.

For certificates expiring before 2030, at first glance, this quantum-readiness logic might not seem to apply. But going back to the “harvest now, decrypt later” and the credit cards today with expiration dates in the 2030s, it is essential to consider the lifetime needs of the data protected by these certificates.

It is also conceivable that quantum computers will mature on a faster timeline than NIST has contemplated, due to unforeseen developments – perhaps contemporary AI technologies will aid research and development. This means that keys that do meet the published minimum standards for security requirements today, but which would not meet the requirements in 2030, will still be assigned a small risk score of “1”, meant simply to prompt consideration of this risk.

Naturally, certificates that fail even today’s minimums are given a higher score. At the worst end, RSA 1024 (80 bits) can already be broken with as little as 7 figures USD of compute cost, and will be given a CRITICAL score of 1000.

At the milder end, certificates that are just under today’s minimum will be given a score of 100. Again, we interpolate for keys whose bits of security is between 81 and 111, using the formula $\text{RISK} = 1000 \times 0.926^{(\text{SECURITY\_BITS} - 81)}$ to align with the scores at the end of the range.
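The piecewise scoring described above, written out as an added Python sketch for triaging an inventory; it is not Keyfactor's code. The function names, the inclusive date boundaries, rounding to whole numbers, the score of 100 for keys above 128 bits in the 2030-2034 band, and the score of 0 for keys of 128 bits or more expiring before 2030 are assumptions, and the inventory is constructed sample data.

```python
from datetime import date

# Deadlines the page takes from the NIST IR 8547 draft.
D2030 = date(2030, 1, 1)
D2035 = date(2035, 1, 1)


def quantum_risk(not_after: date, security_bits: int) -> int:
    """Score one RSA/ECC certificate from its expiry and bits of security."""
    if not_after >= D2035:
        # Past every deadline: all key sizes are treated as broken.
        return 1000
    if not_after >= D2030:
        if security_bits >= 128:
            return 100   # fine classically, still quantum-exposed (HIGH floor)
        if security_bits >= 112:
            # Geometric interpolation: 1000 at 112 bits, about 500 at 127 bits.
            return round(1000 * 0.955 ** (security_bits - 112))
        return 1000      # 111 bits or below
    # Certificate expires before 2030.
    if security_bits <= 80:
        return 1000      # e.g. RSA 1024, already breakable
    if security_bits <= 111:
        # Geometric interpolation: 1000 at 81 bits, about 100 at 111 bits.
        return round(1000 * 0.926 ** (security_bits - 81))
    if security_bits < 128:
        return 1         # meets today's minimum but not the 2030 one
    return 0             # assumption: the page does not state this case


def triage(inventory):
    """Return (score, name) pairs, highest risk first, ties ordered by name."""
    scored = [(quantum_risk(exp, bits), name) for name, exp, bits in inventory]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))


# Constructed sample inventory: (name, notAfter, bits of security).
INVENTORY = [
    ("web-frontend", date(2026, 3, 1), 112),   # RSA 2048
    ("legacy-vpn", date(2027, 6, 1), 80),      # RSA 1024
    ("code-signing", date(2032, 5, 1), 112),   # RSA 2048
    ("internal-ca", date(2033, 1, 1), 128),    # RSA 3072
    ("root-ca", date(2040, 1, 1), 128),        # RSA 3072
]

if __name__ == "__main__":
    for score, name in triage(INVENTORY):
        print(f"{score:5d}  {name}")
```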

What’s Next in Quantum Risk Assessment 

This piecewise logic stands to evolve as quantum migration strategies continue to develop over the coming years.

As the 2030s deadlines approach, it is expected that future versions of Command Risk Intelligence will weigh these risks progressively higher, and will eventually flag all RSA and ECC certificates as critical risks. As with any of the other findings coming from Risk Intelligence, having this information about your possible exposure surfaced in your crypto-agility platform gives you the power to quickly and easily monitor and remediate keys that are not providing the appropriate security value for your organization.  