Almost two months ago, the National Institute of Standards and Technology (NIST) presented a first draft on a topic that will keep cybersecurity managers of all companies around the world busy in the coming years and decades.
Its title: Transition to Post-Quantum Cryptography (PQC) Standards. Its core message: Many currently approved quantum computer-vulnerable encryption systems, such as RSA, ECDSA, EdDSA, DH and ECDH, will be classified as obsolete by NIST from 2030 and will no longer be approved from 2035.
Encryption systems are now used in practically all sensitive and vulnerable areas of a company: to secure the software in use, digital user and machine identities, networks, email and general data traffic. The problem: many of the algorithms used are based on mathematical problems that are difficult for classical computers to solve - with long computing times - but relatively easy for quantum computers to solve - with significantly shorter computing times. It can be assumed that the security level of the global digital ecosystem will be severely affected by the emergence of the first quantum computers with sufficient qubits - unless companies manage to switch to quantum-safe encryption methods 'in good time'.
Don't put off PQC
So what does the NIST announcement mean (even if it is 'only' a first public draft)? The switch to quantum cryptography can no longer be put off in companies. The necessary processes must be initiated - not at some point, but now. The period available for the switch seems long at first glance. 9 years. Most security managers, as this year's 2024 PKI & Digital Trust Report showed again, mistakenly assume that they will be able to complete their PQC switch in four to six years.
Advertising
Subscribe to our newsletter now
Read the best news from B2B CYBER SECURITY once a month
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our
Privacy Policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.
CleverReach
This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at:
https://www.cleverreach.com/de/funktionen/reporting-und-tracking/. The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time.
You may object to the storage if your interests outweigh our legitimate interest.
For more information, see the privacy policy of CleverReach at:
https://www.cleverreach.com/de/datenschutz/.
Data processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.
However, anyone who has ever changed an encryption system will know that the process is complex and usually much more time-consuming. Just think of the change from SHA-1 to SHA-2 advocated by NIST at the beginning of this millennium. In many companies, this ultimately took more than 12 years.
Tackle tasks:
- 1st creation an inventory of all assets affected by a changeover and their certificates.
- 2. Modernization the PKI and signature infrastructure as well as all cryptographic libraries to facilitate the transition to the new NIST-standardized quantum-safe algorithms.
- 3. Use of PQC laboratories to thoroughly test the quantum-safe certificates equipped with the new algorithms in a PKI sandbox before their implementation.
- 4. Implementation and applying PKI/CLM solutions with powerful automation capabilities to manage and mass implement certificate migration – be it through orchestration or protocols.
All security managers can only be advised to initiate these measures as early as possible. 9 years is not a long time. And what is often forgotten is that quite a few cyber criminals are already one step ahead of the defenders. Even today, they are stealing and storing large amounts of encrypted, sensitive data without being noticed by cyber security. They can wait and are waiting. For the first quantum computers to be available to them in ten to twenty years.
They will then be able to take a closer look at the stolen data - which is very likely to include highly sensitive business data. Security officers would therefore do well to initiate their PQC conversion as early as possible. The damage cannot be completely prevented, but it can at least be contained.
More at Keyfactor.com
About key factors
Keyfactor brings digital trust to the hyperconnected world with identity-based security for people and machines. By simplifying PKI, automating certificate lifecycle management, and securing every device, workload, and object, Keyfactor helps organizations quickly create—and maintain—digital trust at scale.
Matching articles on the topic
