In brief: The move to post-quantum cryptography can feel overwhelming, but you’re not alone. Here’s what’s at stake for enterprises – yours included – and a simple 4-step plan to help you start the transition with confidence.
The migration strategy towards quantum-resistant cryptography spearheaded by the National Institute of Standards and Technology (NIST) highlights 2030 as the deadline to phase out RSA/ECC encryption in favor of post-quantum cryptography, or PQC.
You may be thinking that 2030 isn’t that far away, and you’re absolutely right! Leaps in quantum computing may render the traditional PKI obsolete and usher in the era of PQC sooner than we think.
Take blockchain, a favorite in the world of cryptography. It depends entirely on asymmetric cryptography to verify transactions and keep its ledger trustworthy. Today’s digital signatures are secure – until a quantum computer comes along. Then, they become as weak as a simple “qwerty” password. Without quantum-safe algorithms, these signatures could be easily forged, and trust in blockchain would fall apart.
That’s why Keyfactor’s experts say the time to invest in crypto agility is now. Organizations that start preparing today will be ready to quickly adopt new cryptographic standards as the tech evolves.
PQC Transition: A Step-by-Step Approach
Transitioning to quantum-safe algorithms will allow organizations to maintain the high level of security required to keep their assets and data safer than before. While it may be a monumental undertaking, approaching it in incremental steps makes it workable for any enterprise.
The 4-step framework below will help you get quantum-ready by 2030 and beyond.
Step 1: Observe and Take PKI Inventory
Taking stock of your organization’s PKI is the first step for enterprises gearing up for the post-quantum cryptography transition. Without knowledge of every system, it is impossible to fully evaluate and prioritize the updates required to resist quantum-powered cyber attacks. It is key to identify all certificates, cryptographic libraries, and encryption dependencies across systems. This can be a huge undertaking given the typical complexity of PKI for organizations.
Nonetheless, special attention should be given to Internet of Things (IoT) devices, the applications used in the cloud and in on-prem environments, and the root Certificate Authority (CA) employed by the enterprise. These three areas contribute the most dependencies across systems and may open additional vulnerabilities in the quantum era.
Action items at this step may include:
- Employing automated PKI tools to map certificates and encryption dependencies – highly recommended for complex systems;
- Classifying certificates by their expiration date, risk level, and algorithm used;
- Documenting PKI dependencies across infrastructure for additional visibility and to foresee potential weak points.
Step 2: Assess and Triage Asset Risk
Not all assets are created equal. Every organization prioritizes data security differently, depending on the data it needs to protect the most. In the context of quantum-resistant strategies, it is important to understand quantum risk per asset. This isn’t to say that some data are less deserving of protection than others; all that does is provide an enterprise a chance to triage its quantum preparedness, securing the most vital assets first and safeguarding secondary data with more traditional means for longer.
Some of the most sensitive data, like financial transactions or personal identification information, requires urgent quantum-safe protection first. Other proprietary data that may be less sensitive but still necessary for business functions may be considered lower-risk and stay protected by legacy PKI for a time. It’s important to keep in mind that delays introduced by triaging assets based on their security risk do not mean neglecting to protect lower-priority data entirely. By 2035, the deadline proposed by NIST to deprecate RSA/ECC encryption, all assets should be secured by PQC with no exceptions.
Potential high-priority sensitive data systems include:
- Digital identity management systems;
- Financial systems;
- Government communications;
- Cloud-based authentication.
Examples of medium-priority proprietary systems:
- Enterprise VPNs;
- Web authentication certificates;
- Encrypted email;
- Secure messaging.
Lower-priority data:
- Internal applications with limited or short-lived encryption needs.
Organizations may choose to prioritize their systems in a different order according to their risk profile and needs.
Step 3: Hybrid PKI, A Secure Transition
Once your organization has an accurate and complete picture of its current state of PKI and the hierarchical list of systems to tackle for protection, the next best step you can take before 2030 is to introduce a post-quantum hybrid PKI to initiate the transition to post-quantum cryptography.
What is a PQC-ready hybrid PKI?
A hybrid PKI combines traditional cryptography with PQC for its phased adoption, ensuring comprehensive protection every step of the way for devices and systems that cannot be upgraded simultaneously.
The best hybrid PKI solutions still support RSA/ECC alongside cutting-edge PQC algorithms, working seamlessly to issue certificates that are compatible with “legacy” as well as PQC-capable devices. This makes them suitable for a triaged approach of protecting data assets from highest to lowest priority.
Hybrid PKI best practices
- Deploy hybrid certificates that support both RSA/ECC and PQC to ensure compatibility with systems not yet equipped for PQC.
- Rely on certificate authorities that offer quantum-safe options and phase out the CAs that do not.
- Test quantum-resistant TLS to fully secure network communications data in transit.
With a fully implemented, tested, and verified hybrid PKI in place, your enterprise will be at the forefront of quantum preparedness, leaps ahead of many organizations who are only beginning to think about getting quantum-ready.
Step 4: Incremental Migration Milestones
Transitioning to post-quantum cryptography won’t happen overnight. Even the path to implementing a hybrid PKI may present significant challenges at the organizational level, yet this is the effort worth putting in now.
With the 2030 deadline to protect the highest-priority assets with PQC algorithms only five years away, the roadmap to quantum preparedness is, well, quite short. Beyond 2030, enterprises should be ready to depreciate all non-PQC encryption standards, such as RSA and ECC, by 2035.
Broken down into 3-year stages, your roadmap could look like a bit like this:
2025-2027: Take full PKI inventory, begin testing hybrid PKI, and upgrade the highest-risk assets to PQC-supported encryption. At this stage, if at all feasible, establishing a cross-functional PKI readiness team to track migration efforts and own PKI governance ensures the process stays on track and can be tailored to developing technology and the changing cyber security landscape.
2028-2030: Replace all critical RSA/ECC-dependent encryption algorithms with the developed quantum-safe alternatives. Schedule regular audits of cryptographic usage with the expectation of continuing to adjust plans based on emerging quantum threats.
2031-2035: Complete the migration of remaining assets to PQC and chart the course for maintaining crypto-agility enterprise-wide for future advancements.
Stay Ahead With Expert Help
Successfully deploying PQC by 2030 starts with a smart, phased approach – and you don’t have to do it alone! Our four-step framework, from assessing your current PKI to deploying hybrid solutions, is designed to help you lead the way into the post-quantum era.
Start your PQC journey here. Simply reach out to our experts – we’re industry leaders in all things PKI! Keyfactor is here to make your organization quantum-ready before it’s too late.
