Next year, the National Institute of Standards and Technology (NIST) expects to publish its first set of post-quantum cryptographic standards, intended to withstand even quantum computers. Entities will need to update, replace or “significantly alter” many currently used cryptographic products, protocols and tools that rely on at-risk algorithms, according to a fact sheet published Monday by NIST, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).
But organizations shouldn’t wait for 2024 to get started readying for that shift.
Transitioning to new encryption methods can be time-consuming, and organizations that start planning now may have a faster, easier changeover.
Threat actors may also be working now to prepare for the day quantum computers are able to crack public key encryption, the agencies warn. Malicious actors may be currently targeting data that is likely to remain sensitive in the long term, with plans to hold onto it until the day that they can use quantum computing to decrypt it.
The federal entities encouraged organizations to establish project management teams who can plan out their transitions. The teams should be able to identify where their organization relies on quantum-vulnerable algorithms, assessing the risks posed and which systems ought to be prioritized for migrating to quantum-resistant algorithms. In some cases, other security steps could be taken to help mitigate risks of continuing to use technologies that still employ quantum-vulnerable algorithms.
“Systems and assets with quantum-vulnerable cryptography include those involved in creating and validating digital signatures, which also incorporates software and firmware updates,” the fact sheet notes.
Cryptographic discovery tools can help organizations find where they’re using quantum-vulnerable algorithms but may not catch everything — embedded cryptography within vendors’ products could be a blind spot.
Organizations need to be aware of risks both in their custom-built solutions and in those obtained from vendors of cloud-based and commercial off-the-shelf (COTS) products. They should connect with their vendors to discuss the latter’s plans and timelines for testing post-quantum cryptographic algorithms and adopting them in their offerings, the fact sheet advised.
Find out more here: https://www.cisa.gov/sites/default/files/2023-08/Quantum%20Readiness_Final_CLEAR_508c%20%283%29.pdf
