(HelpNetSecurity) Migration to PQC algorithms is a major undertaking. There is no one-size-fits-all solution. IQT-News summarizes this discussion by Alan Grau, VP Business Development (North America), PQShield.
Digital certificates using RSA or ECC encryption are used to provide identities and enable secure communication for everything from websites, DevOps processes, credit cards, and cloud services to connected vehicles, IoT devices, electronic passports, document signing, and secure email. Use of ECC and RSA encryption is pervasive; all systems using RSA and ECC encryption will need to be updated to use the new PQC algorithms.
Many large enterprises are already planning for this migration. Some have created a “Crypto Center of Excellence” or similarly named group to lead this effort. Due to the number of systems requiring updates, and the interdependencies of these systems, this will be a large, multi-year project for most enterprises.
companies need to identify the details of crypto implementations, including:
What systems are using classical encryption algorithms (RSA or ECC)?
Which encryption algorithms are used?
What processes on each system are using encryption?
What are the dependencies between systems using encryption?
Where on each system are cryptographic primitives implemented? (In hardware or in software)?
For software implementations, what software libraries are used?
Once this information is available, a roadmap to update crypto components can be developed. RSA and ECC encryption are frequently used for secure communication, so companies must take into consideration dependencies between systems and devices. If one device is updated, but the systems it communicates with are not, the devices will either fail to communicate or will revert to using classical crypto until all devices are updated.
Starting with software-based PQC reduces dependencies on long hardware design lifecycles and hardware update schedules. New hardware designs generally take 12-24 months. Even if companies are starting now, platforms will not support PQC algorithms in hardware for at least a year or two.
Once hardware support for PQC becomes available, companies can begin migrating to hardware-based PQC, but it will take years to replace all platforms with new systems providing PQC in hardware. Software-based PQC solutions provide a critical migration path.
PQC is needed to protect systems from attacks using quantum computers to break encryption. Quantum computing technology is rapidly advancing but is still in the early stages of development.
For the foreseeable future, quantum computing will remain the province of very large corporations and nation-states. This will change over time, but early adopters of PQC are companies and systems that include nation-state actors in their threat model. Nation-state actors have extremely deep pockets and sophisticated capabilities to carry out cyberattacks. They often have access to zero-day vulnerabilities allowing them to defeat software-based security solutions and penetrating security perimeters.
RSA and ECC-based encryption systems started with software-based implementations. PQC algorithms will follow a similar path. Companies are beginning to invest in hardware-based crypto for securing critical systems. Over time, hardware-based solutions will become cost effective and be widely adopted for PQC. For security-critical applications, companies can begin implementing hardware-based PQC now.