Steps for Transitioning to Quantum-Safe Services

NIST – Migration to Post-Quantum Cryptography Quantum Readiness outlines a comprehensive framework for transitioning cryptographic systems to post-quantum cryptography (PQC) in response to the emerging threat of quantum computers. Quantum technology is advancing rapidly and poses a significant risk to current public-key cryptographic methods like RSA, ECC, and DSA. This guide aims to assist organizations in preparing for and implementing PQC to safeguard sensitive data and critical systems. Key Points  The Quantum Threat Quantum computers are expected to disrupt cryptography by efficiently solving mathematical problems that underpin widely used encryption and key exchange methods. This would render current public-key systems ineffective in protecting sensitive data, emphasizing the need for cryptographic agility.  NIST PQC Standards NIST is spearheading efforts to standardize quantum-resistant algorithms through an open competition and evaluation process. These algorithms, designed to withstand quantum attacks, focus on two primary areas: 1. Key Establishment: Protecting methods like Diffie-Hellman and RSA key exchange. 2. Digital Signatures: Securing authentication processes.  Migration Framework The document provides a phased approach to migrating cryptographic systems to PQC: 1. Assessment Phase:    - Inventory cryptographic dependencies in current systems.    - Evaluate systems at risk from quantum threats based on sensitivity and lifespan. 2. Preparation Phase:    - Conduct pilot testing of candidate PQC algorithms in existing infrastructure.    - Develop a hybrid approach that combines classical and post-quantum algorithms to ensure interoperability during transition. 3. Implementation Phase:    - Replace vulnerable cryptographic methods with PQC in a phased manner.    - Ensure scalability, performance, and compatibility with existing systems. 4. Monitoring and Updates:    - Continuously monitor the effectiveness of implemented solutions.  Challenges in PQC Migration - Performance Impact: PQC algorithms often have larger key sizes, increased latency, and greater computational demands compared to classical algorithms. - Interoperability: Ensuring smooth integration with legacy systems poses significant technical challenges.  Best Practices - Use hybrid encryption to maintain compatibility while testing PQC algorithms. - Engage in collaboration with vendors, industry groups, and government initiatives to align with best practices and standards. Conclusion The transition to post-quantum cryptography is a proactive measure to secure data and communications against future threats. NIST emphasizes the importance of starting preparations immediately to mitigate risks and ensure a smooth, efficient migration process. Organizations should focus on inventorying dependencies, piloting PQC solutions, and developing cryptographic agility to adapt to this transformative technological shift.

💡 Meta publishes their approach to transition to #PQC Meta publishes a detailed article showing how they approach the transition to PQC in a move that shows commitment to continuously raise its security bar to deploy the most advanced security and cryptographic protection techniques, and to lead by example. First actions taken include: 👉 Creating a workgroup to migrate to PQC, spanning from internal infrastructure to user-facing apps. 👉 Recognizing that this is a highly complex multi-year effort. 👉 Executing a priority analysis. Their first target has been securing the confidentiality in internal TLS traffic. They took this decision because: ☝ they control both endpoints and manage their own TLS library, so they have no external dependencies, ✌ they regard internal TLS as a highly sensible use case, so it is a top priority. Their choice for key exchange is Kyber + ECC X25519 in hybrid mode. They use Kyber768 as default and Kyber512 in some use cases where they need low latency. They explain different issues found in the process, like bugs in the liboqs library, increased latency with Kyber768 due to the size of the public key exceeding the maximum network packet size or when resuming TCP Fast Open (TFO). They also confirm that Kyber768 seems to require less CPU cycles than X25519, as indicated previously by Bas Westerbaan from Cloudflare (https://lnkd.in/dB9pFCph). The authors (Sheran Lin, Jolene Tan, Ajanthan Asogamoorthy, Kyle Nekritz, Rafael Misoczki, PhD and Sotirios Delimanolis) report that Meta has deployed post-quantum hybrid key exchange for most internal service communication to protect against the SNDL threat already. However they recognize that implementing post-quantum hybrid key exchange to external public internet traffic poses several additional challenges, such as dependency on browsers’ TLS implementations and crypto libraries’ PQC readiness, increased communication bandwidth due to larger payloads, and more. We should thank all the different organizations sharing their experiences as they explore their way to transition to quantum-safe cryptography. This demonstrates it is not an easy task, but the accumulated experience shared by many will make it possible. https://lnkd.in/drJpMU4r

🔑"𝐇𝐚𝐫𝐯𝐞𝐬𝐭 𝐍𝐨𝐰, 𝐃𝐞𝐜𝐫𝐲𝐩𝐭 𝐋𝐚𝐭𝐞𝐫" (𝐇𝐍𝐃𝐋) attacks intercept RSA-2048 or ECC-encrypted files, stockpiling them for future decryption. Once a powerful quantum computer comes online, they can unlock those archives in hours, exposing years’ worth of secrets. This silent threat targets everything from personal records to diplomatic communications. 🔐 📌 HOW CAN CYBERSECURITY LEADERS AND EXECUTIVES PREPARE? 🎯🎯𝐁𝐮𝐢𝐥𝐝 𝐂𝐫𝐲𝐩𝐭𝐨𝐠𝐫𝐚𝐩𝐡𝐢𝐜 𝐀𝐠𝐢𝐥𝐢𝐭𝐲: Ensure your systems can swiftly swap out cryptographic algorithms without extensive re-engineering. 𝐂𝐫𝐲𝐩𝐭𝐨-𝐚𝐠𝐢𝐥𝐢𝐭𝐲 𝐢𝐬 𝐭𝐡𝐞 𝐚𝐛𝐢𝐥𝐢𝐭𝐲 𝐭𝐨 𝐫𝐚𝐩𝐢𝐝𝐥𝐲 𝐭𝐫𝐚𝐧𝐬𝐢𝐭𝐢𝐨𝐧 𝐭𝐨 𝐮𝐩𝐝𝐚𝐭𝐞𝐝 𝐞𝐧𝐜𝐫𝐲𝐩𝐭𝐢𝐨𝐧 𝐬𝐭𝐚𝐧𝐝𝐚𝐫𝐝𝐬 𝐚𝐬 𝐭𝐡𝐞𝐲 𝐛𝐞𝐜𝐨𝐦𝐞 𝐚𝐯𝐚𝐢𝐥𝐚𝐛𝐥𝐞. Designing for agility now will let you plug in PQC algorithms (or other replacements) with minimal disruption later. 🎯𝐈𝐦𝐩𝐥𝐞𝐦𝐞𝐧𝐭 𝐇𝐲𝐛𝐫𝐢𝐝 𝐂𝐫𝐲𝐩𝐭𝐨𝐠𝐫𝐚𝐩𝐡𝐲: Do not wait for the full PQC rollout. 👉 𝐒𝐭𝐚𝐫𝐭 𝐮𝐬𝐢𝐧𝐠 𝐡𝐲𝐛𝐫𝐢𝐝 𝐞𝐧𝐜𝐫𝐲𝐩𝐭𝐢𝐨𝐧 𝐍𝐎𝐖! Combine classic schemes like ECDH or RSA with a post-quantum algorithm (e.g. a dual key exchange using ECDH + Kyber). 🎯𝐌𝐚𝐢𝐧𝐭𝐚𝐢𝐧 𝐚 𝐂𝐫𝐲𝐩𝐭𝐨𝐠𝐫𝐚𝐩𝐡𝐢𝐜 𝐁𝐢𝐥𝐥 𝐨𝐟 𝐌𝐚𝐭𝐞𝐫𝐢𝐚𝐥𝐬 (𝐂𝐁𝐎𝐌): 👉𝐈𝐧𝐯𝐞𝐧𝐭𝐨𝐫𝐲 𝐚𝐥𝐥 𝐜𝐫𝐲𝐩𝐭𝐨𝐠𝐫𝐚𝐩𝐡𝐢𝐜 𝐚𝐬𝐬𝐞𝐭𝐬 𝐢𝐧 𝐲𝐨𝐮𝐫 𝐨𝐫𝐠𝐚𝐧𝐢𝐳𝐚𝐭𝐢𝐨𝐧: algorithms, key lengths, libraries, certificates, and protocols. A CBOM provides visibility into where vulnerable algorithms (like RSA/ECC) are used and helps prioritize what to fix. 🎯🎯𝐀𝐥𝐢𝐠𝐧 𝐰𝐢𝐭𝐡 𝐍𝐈𝐒𝐓’𝐬 𝐐𝐮𝐚𝐧𝐭𝐮𝐦 𝐌𝐢𝐠𝐫𝐚𝐭𝐢𝐨𝐧 𝐑𝐨𝐚𝐝𝐦𝐚𝐩: Follow expert guidance for a structured transition. 𝐓𝐡𝐞 𝐔.𝐒. 𝐠𝐨𝐯𝐞𝐫𝐧𝐦𝐞𝐧𝐭 (𝐂𝐈𝐒𝐀, 𝐍𝐒𝐀, 𝐚𝐧𝐝 𝐍𝐈𝐒𝐓) 𝐚𝐝𝐯𝐢𝐬𝐞𝐬 𝐞𝐬𝐭𝐚𝐛𝐥𝐢𝐬𝐡𝐢𝐧𝐠 𝐚 𝐪𝐮𝐚𝐧𝐭𝐮𝐦-𝐫𝐞𝐚𝐝𝐢𝐧𝐞𝐬𝐬 𝐫𝐨𝐚𝐝𝐦𝐚𝐩, starting with a thorough cryptographic inventory and risk assessment. Keep abreast of NIST’s PQC standards timeline and recommendations.  National Institute of Standards and Technology (NIST) #𝐇𝐍𝐃𝐋 Cyber Security Forum Initiative #CSFI 🗝️ Now is the time to future-proof your encryption! 🗝️ 𝑌𝑜𝑢 𝑠ℎ𝑜𝑢𝑙𝑑𝑛'𝑡 𝑎𝑠𝑠𝑢𝑚𝑒 𝑡ℎ𝑎𝑡 𝑦𝑜𝑢𝑟 𝑑𝑎𝑡𝑎 𝑖𝑠 𝑠𝑒𝑐𝑢𝑟𝑒 𝑗𝑢𝑠𝑡 𝑏𝑒𝑐𝑎𝑢𝑠𝑒 𝑖𝑡 𝑖𝑠 𝑒𝑛𝑐𝑟𝑦𝑝𝑡𝑒𝑑...

The recent Executive Order (amending EOs 13694 & 14144) isn’t just rhetoric, it formalizes deadlines that align with NIST’s PQC roadmap: ⚠️ Deprecate classical crypto: by 2030 ⛔️ Disallowed entirely: by 2035 📊 Agencies and vendors must begin migration today Let’s unpack why this isn’t optional: - 𝗡𝗜𝗦𝗧 𝗜𝗥 𝟴𝟱𝟰𝟳 𝗺𝗮𝗻𝗱𝗮𝘁𝗲𝘀 agency inventories and tight transition timelines. - 𝗙𝗜𝗣𝗦 𝗮𝗽𝗽𝗿𝗼𝘃𝗮𝗹 𝗼𝗳 𝗣𝗤𝗖 𝗮𝗹𝗴𝗼𝗿𝗶𝘁𝗵𝗺𝘀 (CRYSTALS-Kyber, Dilithium, SPHINCS+) came Aug 2024 and government-grade crypto is now available. - 𝗠𝗜𝗧𝗥𝗘’𝘀 𝗣𝗤𝗖 𝗿𝗼𝗮𝗱𝗺𝗮𝗽 urges phased transitions NOW, classifying high‑risk organizations as “urgent adopters”. - 𝗧𝗵𝗲 “𝗵𝗮𝗿𝘃𝗲𝘀𝘁 𝗻𝗼𝘄, 𝗱𝗲𝗰𝗿𝘆𝗽𝘁 𝗹𝗮𝘁𝗲𝗿” 𝘁𝗵𝗿𝗲𝗮𝘁 means adversaries are already collecting encrypted data to exploit in the future. - 𝗙𝗲𝗱𝗲𝗿𝗮𝗹 𝗣𝗤𝗖 𝗺𝗶𝗴𝗿𝗮𝘁𝗶𝗼𝗻 𝗰𝗼𝘂𝗹𝗱 𝗰𝗼𝘀𝘁 $𝟳𝗕+, mirroring the scale of Y2K preparations. 𝘐𝘧 𝘺𝘰𝘶'𝘳𝘦 𝘩𝘢𝘯𝘥𝘭𝘪𝘯𝘨 𝘴𝘦𝘯𝘴𝘪𝘵𝘪𝘷𝘦 𝘥𝘢𝘵𝘢, 𝘦𝘴𝘱𝘦𝘤𝘪𝘢𝘭𝘭𝘺 𝘸𝘪𝘵𝘩 𝘭𝘰𝘯𝘨 𝘴𝘩𝘦𝘭𝘧-𝘭𝘪𝘧𝘦, 𝘺𝘰𝘶 𝘢𝘳𝘦 𝘢𝘭𝘳𝘦𝘢𝘥𝘺 𝘪𝘯 𝘵𝘩𝘦 𝘥𝘢𝘯𝘨𝘦𝘳 𝘻𝘰𝘯𝘦. 𝘞𝘢𝘪𝘵𝘪𝘯𝘨 𝘶𝘯𝘵𝘪𝘭 𝘱𝘰𝘴𝘵‐𝘲𝘶𝘢𝘯𝘵𝘶𝘮 𝘤𝘰𝘮𝘱𝘶𝘵𝘦𝘳𝘴 𝘢𝘳𝘳𝘪𝘷𝘦 𝘮𝘦𝘢𝘯𝘴 𝘺𝘰𝘶𝘳 𝘤𝘶𝘳𝘳𝘦𝘯𝘵 𝘥𝘢𝘵𝘢 𝘪𝘴 𝘢𝘵 𝘳𝘪𝘴𝘬. 👉 Action Steps: • Complete crypto 𝗮𝘀𝘀𝗲𝘁 𝗶𝗻𝘃𝗲𝗻𝘁𝗼𝗿𝘆 with analytics metadata (CBOM). • Map 𝗱𝗮𝘁𝗮 𝗳𝗹𝗼𝘄𝘀 and categorize systems by shelf-life. • 𝗖𝗹𝗮𝘀𝘀𝗶𝗳𝘆 𝘂𝗿𝗴𝗲𝗻𝗰𝘆: “urgent adopters” start now, “regular” make a roadmap. • Choose 𝗣𝗤𝗖 𝗰𝗼𝗺𝗯𝗼: key-establishment (Kyber/HQC) + digital signatures (Dilithium/SPHINCS+). • 𝗠𝗼𝗻𝗶𝘁𝗼𝗿 solution maturity and FIPS transitioning. 𝗧𝗵𝗶𝘀 𝗶𝘀𝗻’𝘁 𝗷𝘂𝘀𝘁 𝗮𝗻𝗼𝘁𝗵𝗲𝗿 𝗽𝗿𝗼𝗷𝗲𝗰𝘁, 𝗶𝘁’𝘀 𝗺𝗶𝘀𝘀𝗶𝗼𝗻-𝗰𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝘀𝘂𝗽𝗽𝗹𝘆 𝗰𝗵𝗮𝗶𝗻 𝗮𝗻𝗱 𝗻𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲. 🔗 Get your PQC Readiness Report: https://lnkd.in/gxFpnz26