The quantum apocalypse is coming. It may not be next week, or even next year, but the day is fast approaching when a quantum computer will be able to break the encryption that protects our most sensitive data. For those of us in the security world, this is not a matter of “if,” but “when.”
And for the data that’s being harvested today, it’s already too late.
### The “Harvest Now, Decrypt Later” Threat
Imagine an adversary, right now, recording all of your encrypted traffic. Your financial transactions, your confidential emails, your sensitive intellectual property. They can’t decrypt it today, but they don’t have to. They can simply store it, waiting for the day when they have a quantum computer that can break the RSA and ECC encryption we rely on.
This is the “harvest now, decrypt later” threat, and it’s one of the most pressing challenges in cybersecurity today. The data we think is safe is actually sitting on a time bomb.
### Your First PQC Project: A No-Nonsense Guide
The good news is that we’re not powerless. The National Institute of Standards and Technology (NIST) has already standardized a new set of post-quantum cryptography (PQC) algorithms that are resistant to attack by quantum computers. The time to start migrating is now.
But where do you start? The task of replacing all the cryptography in your organization can seem daunting. Here’s a no-nonsense guide to your first PQC project:
**Step 1: Inventory Your Cryptographic Assets**
You can’t protect what you don’t know you have. The first step is to create a comprehensive inventory of all the cryptographic assets in your organization. This includes:
* **Your codebase:** What cryptographic libraries are your developers using?
* **Your infrastructure:** What are your servers, network devices, and other infrastructure components using for encryption?
* **Your data:** Where is your most sensitive data stored, and how is it protected?
You can use a combination of automated tools and manual inspection to create this inventory. There are a number of open-source and commercial tools that can scan your codebase and infrastructure for cryptographic assets.
**Step 2: Identify Your Most Vulnerable Assets**
Once you have your inventory, you can start to identify your most vulnerable assets. These are the assets that are using legacy algorithms like RSA and ECC to protect sensitive data with a long shelf life.
**Step 3: Start with a Pilot Project**
Don’t try to boil the ocean. Start with a small, manageable pilot project. A good place to start is with a single TLS endpoint or an internal service’s key exchange.
**Step 4: Replace RSA/ECC with CRYSTALS-Kyber**
For your pilot project, we recommend using CRYSTALS-Kyber, one of the PQC algorithms that has been standardized by NIST. Kyber is a key-encapsulation mechanism (KEM) that is designed to be a drop-in replacement for the key exchange mechanisms in TLS, SSH, and other protocols.
There are a number of open-source libraries that provide implementations of Kyber, including the official reference implementation from the CRYSTALS team.
**Step 5: Address Performance and Compatibility**
One of the challenges of migrating to PQC is that the new algorithms can have different performance characteristics than the legacy algorithms they’re replacing. You’ll need to carefully test your pilot project to make sure that the performance is acceptable.
You’ll also need to consider compatibility. Not all of your clients and servers may support the new PQC algorithms. You may need to implement a hybrid scheme that uses both classic and PQC algorithms to ensure compatibility.
### The Time to Act is Now
The quantum threat is no longer a distant concern. It’s a clear and present danger. By starting your PQC migration today, you can protect your organization from the “harvest now, decrypt later” threat and ensure the long-term security of your most sensitive data. The future of your business depends on it.
0 Comments