What a remarkable day it was at the Keyfactor Community Tech Meetup 2023 on 14 September! As the host of this fantastic event, I am thrilled to bring you a recap and summary of the day’s proceedings. Whether you were there with us in Stockholm or couldn’t make it, this blog post is your ticket to the key takeaways and insights from our second annual gathering of open-source cryptography, public key infrastructure (PKI), certificate, and digital signing enthusiasts.
The Keyfactor Community Tech Meetup is about staying at the forefront of technological advancements. This year, the event took place live at the iconic Epicenter in Stockholm, Sweden. We delved deep into three key areas: post-quantum cryptography (PQC), and the vital role of PKI, certificates, and signing in IoT and in DevOps.
Our journey into the world of post-quantum cryptography was led by experts Tomas Gustavsson, our Chief PKI Officer, and David Hook, VP Software Engineering, Crypto Workshop. These sessions provided valuable insights into quantum readiness.
Current State of Quantum-Ready Cryptography
One of the most significant takeaways was the progress made in post-quantum cryptography. NIST has now published draft standards for the official PQC algorithms based on Kyber (ML-KEM, FIPS 203), Dilithium (ML-DSA, FIPS 204), and SPHINCS+ (SLH-DSA, FIPS 205). Round 4 of the PQC process, featuring BIKE, HQC, and Classic McEliece, is still ongoing, but has turned into a choice between BIKE and HQC, as Classic McEliece is being standardized by other organizations (NIST may still release its own published standard for it). NIST’s additional call for digital signature schemes, which drew in a diverse set of cryptographic approaches, highlights the robustness of the ongoing work.
Quantum Readiness Keyfactor Roadmap
Our roadmap to quantum readiness was unveiled, with timelines and milestones. Federal agency adoption plans in 2023, NIST’s publication of PQC standards in 2024, and the migration to PQC-compliant vendors by 2025 under CNSA 2.0 all emphasized the urgency of preparation. In view of this, the move to quantum readiness now defines a large part of our roadmap. Flexibility and adaptability to potential revisions in these timelines were emphasized.
Bouncy Castle Updates and Efforts
Our event highlighted the central role of key cryptographic libraries and protocols in EJBCA and SignServer. Bouncy Castle’s efforts to retire certain algorithms and to incorporate the certificate changes for quantum readiness coming from both the X9 consortium and the IETF were discussed. Adapting protocols to handle the new Key Encapsulation Mechanism (KEM) algorithms, both for certificate issuance and in the TLS standards, was raised as crucial for future-proofing cryptographic systems.
Tomas Gustavsson’s unique session on post-quantum cryptography benchmarking provided attendees with a practical understanding of the post-quantum algorithms. The session compared classic and quantum-ready algorithms in terms of key size, performance, security, and issuance speed, measured on three hardware security modules provided for EJBCA integration testing.
Securing the Future of IoT
The Internet of Things (IoT) has transformed our world, but ensuring its security is paramount. Andreas Philipp, Senior Business Development Manager, IoT; Guillaume Crinon, Director, IoT Business Strategy; and Ray Lillback, Director, IoT Solution Architect, guided us through the complexities of IoT cybersecurity and the role of PKI.
IoT Lifecycle Challenges
The complex lifecycle of an IoT device requires robust cybersecurity solutions. We explored the challenges arising from cost pressures, brownfield deployments, and the need for built-in security features.
PKI and IEEE 802.1AR-based solutions for constrained IoT devices emerged as a promising approach. IEEE 802.1AR defines a secure device identity (DevID) framework that simplifies device authentication.
Secure and trusted IoT identity provisioning was emphasized as the basis for secure connections. However, this can be a challenging task, especially in industrial settings. Our implementation using EJBCA is open source and available on GitHub, so you can use it today.
Supporting the Industry
Keyfactor is one of the founding members of the Open Industrial PKI Service. For those operating within the industrial sector who aren’t prepared to establish their own PKI infrastructure for initial testing and prototyping, this service provides a viable alternative by offering complimentary X.509 certificate and PKI services.
Certificate Management and CI/CD Pipelines
Eric Mizell, Field CTO and VP, Solution Engineering, and Sven Rajala, International PKI Man of Mystery, shed light on the critical role of certificate management in containerized environments and CI/CD pipelines.
Challenges with Certificate Authorities
Organizations often face difficulties obtaining certificates from certificate authorities (CAs) such as Microsoft CAs, due to limited APIs, technology lock-in and scalability issues. Ad-hoc self-signed CAs pose their own challenges in terms of policy controls and visibility. As cyberattacks become increasingly sophisticated, it is fundamental for DevOps to adhere to regulations like NIS2 and to standard InfoSec requirements.
EJBCA Integration with Kubernetes & Service Mesh
EJBCA’s integration with Kubernetes and Service Mesh environments, via the Kubernetes CertificateSigningRequest (CSR) API and cert-manager for X.509 credential provisioning, was highlighted, emphasizing its role as a Certificate Authority with the ability to issue both ephemeral and non-ephemeral certificates.
EJBCA’s integration with HashiCorp Vault for ephemeral and non-ephemeral certificates (mTLS) via the EJBCA Secrets Plugin enables organizations to standardize on a modern PKI while maintaining their existing code and workflows.
Streamlining Code and Container Image Signing
SignServer’s integration into CI/CD pipelines automates code and container image signing, ensuring trust in pre-production and production environments.
Ask Me Anything about EJBCA and SignServer
The event also featured interactive sessions and an Ask Me Anything session, where participants engaged in discussions and received real-time answers from our product owners, software architects and subject matter experts. Topics spanned product roadmap, improvements, commonly asked questions, and general insights into the latest PKI and signing field advancements.
Thanks to Roman Cinkais from 3Key and Daniel Stenberg, Founder and Lead Developer of cURL and libcurl
We had two external speakers who were very well received. During Roman’s presentation, he discussed the PKI Consortium’s PKI maturity model, which allows companies to benchmark their PKI implementations and measure their progress. The technical audience appreciated Daniel’s presentation on QUIC, a new transport protocol for the internet that runs over UDP, replaces the TCP plus TLS stack by building TLS 1.3 into its own handshake, and is intended to improve both performance and security.
Conclusion and Recordings
The Keyfactor Community Tech Meetup 2023 was a resounding success, bringing together experts and enthusiasts to explore the frontiers of technology. We glimpsed the future of post-quantum cryptography, fortified IoT security, and learned the importance of robust certificate management in DevOps. The journey continues, and embracing these technologies isn’t just an option; it’s a necessity in our ever-evolving tech landscape. For those of you who joined us in Stockholm, thank you for being a part of this remarkable event!
Subscribe to our newsletter to learn when the recorded meetup workshops are available and other news from the Community, including new product releases and tutorial videos.
See you next year!