Six Steps for Mitigating Quantum’s Impact on Digital Certificates

Posted by Murali Palanisamy

Quantum computing threatens to upend everything we know and practice around safeguarding data, especially when it comes to encryption of data at rest and in transit. That’s because digital certificates that encrypt communications — by verifying users, applications and devices are who they claim to be and are authorized to access a resource — are in jeopardy of being “broken” by quantum computers. 


Unprecedented code breaking

Quantum computers can run algorithms such as Shor’s factoring algorithm and Grover’s search algorithm. These quantum algorithms were designed to perform calculations, such as factoring numbers, exponentially faster than the if/then logic used by binary code. In theory, powerful quantum computers can easily unscramble the encryption keys used to obscure or “hash” the data in most apps and websites today.


Current encryption mechanisms rely on a public key to encode data, and a private key to decrypt it, known only (in principle) to an authorized user whose identity has been validated. They employ protocols such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates to secure the encryption, typically using standard algorithms such as RSA and ECC (Elliptic Curve Cryptography).


Unfortunately, today’s encryption is widely understood to be vulnerable to quantum attacks; researchers have already shown a quantum computer could break some of the tougher encryption used today (considered unbreakable until now) in 104 days. As quantum computing evolves, 104 days could shrink to hours, minutes, or only seconds, for a hacker armed with a quantum processor capable of hashing out encryption keys. 


Creating new challenges

The rise of quantum computing introduces a unique set of challenges related to the management of digital certificates. These include:


Higher Renewal Rates: Certificate lifespans may be significantly reduced due to the rapid evolution of quantum algorithms and the increased likelihood of vulnerabilities being discovered in post-quantum certificates.


Enhanced Validation Protocols: As quantum computers make impersonation and data tampering more feasible, there will be a need for enhanced validation methods, thereby increasing the complexity of certificate issuance and revocation processes.


Increased Storage Requirements: Post-quantum cryptographic algorithms tend to generate larger key sizes compared to traditional algorithms. As a result, post-quantum digital certificates will require more storage in hardware security modules (HSMs) and may impact application performance during encryption and decryption processes.


Migration Complexity: The transition to post-quantum certificates will be gradual, forcing organizations to manage a hybrid mix of traditional and post-quantum certificates for a considerable amount of time. This will require systems that can support this type of interoperability.


Training and Awareness: The complexity of post-quantum cryptography and its implications for digital certificate management will require training for IT and security teams to avoid management errors that can lead to vulnerabilities.


Legacy Systems Compatibility: Older systems that aren't equipped to handle post-quantum certificates or the larger key sizes associated with them might become obsolete or require significant upgrades. 


Preparing for post-quantum cryptography

This existential threat has cryptographers working to develop post-quantum cryptography (PQC) that can resist attacks from quantum machines when they become mainstream. With the advent of PQC, organizations will need to adopt crypto-agility, which is the ability to quickly adapt and switch to alternative cryptographic methods and protocols in response to potential threats or new vulnerabilities.  


While the transition to post-quantum cryptography is still in the works—the National Institute of Standards and Technology (NIST) is still reviewing algorithms to set standards—now is the time to begin preparing. Security professionals should consider the following best practices to adapt to the post-quantum future: 


  • Assess Risk: Establish visibility, identify which assets and data are critical to the organization, gauge the impact quantum attacks could have on current cryptography, and sketch out a timeline for moving to PQC.

  • Get Crypto-Agile Today: On average, most enterprise organizations are issuing certificates from five or more public and private trust Certificate Authorities (CAs). To prepare for PQC, it will be critical to have full visibility, automation and control of certificates to quickly take proactive and reactive actions.

  • Cherry-pick Algorithms: Now is the time to establish flexibility for the transition to post-quantum algorithms, while keeping up with the progress of standardization efforts like NIST’s. Meanwhile, consider using hybrid crypto solutions that mix traditional and post-quantum cryptography.

  • Manage Certificates: Implement strong certificate and key management practices such as key rotation strategies and secure key storage solutions to strengthen security today and lay the groundwork for the quantum transition. 

  • Test and Validate: Work with researchers and other experts to test PQC in the real world. Participating in standardization efforts like NIST’s can put your organization in the cryptographic vanguard. 

  • Monitor Compliance: Prepare to react and remediate quickly by monitoring cryptographic practices continuously and policing compliance with the evolving standards.
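
An added example (not from the original post or from AppViewX) of the visibility step in the list above: it triages a certificate inventory by key family, treating RSA and ECC as quantum-vulnerable as the article does, and orders the classical certificates for migration. The inventory rows, CA names and the `PQC-PILOT` label are constructed placeholders.

```python
from collections import Counter
from datetime import date

# Key families the article names as quantum-vulnerable.
CLASSICAL_PREFIXES = ("RSA", "ECDSA", "ECC")

# Constructed inventory rows (not real hosts or CAs):
# (subject, issuing CA, key algorithm, expiry date, protects critical data?)
# "PQC-PILOT" is a placeholder label, not a real algorithm name.
INVENTORY = [
    ("pay.example.test",      "Public CA A",  "RSA-2048",             date(2026, 3, 1),  True),
    ("intranet.example.test", "Private CA B", "ECDSA-P256",           date(2025, 9, 15), False),
    ("vpn.example.test",      "Private CA B", "RSA-4096",             date(2027, 1, 10), True),
    ("lab.example.test",      "Private CA C", "PQC-PILOT",            date(2025, 12, 1), False),
    ("api.example.test",      "Public CA D",  "ECDSA-P256+PQC-PILOT", date(2026, 6, 30), True),
]

def classify(key_alg):
    """Return 'classical', 'hybrid' or 'post-quantum' for a '+'-joined label."""
    parts = [p.strip().upper() for p in key_alg.split("+")]
    weak = [p for p in parts if p.startswith(CLASSICAL_PREFIXES)]
    if len(weak) == len(parts):
        return "classical"
    return "hybrid" if weak else "post-quantum"

def migration_queue(inventory):
    """Classical certificates, critical assets first, then earliest expiry."""
    todo = [row for row in inventory if classify(row[2]) == "classical"]
    return sorted(todo, key=lambda r: (not r[4], r[3]))

def exposure_by_ca(inventory):
    """Count classical certificates per issuing CA."""
    return Counter(r[1] for r in inventory if classify(r[2]) == "classical")

if __name__ == "__main__":
    for subject, ca, alg, expires, critical in migration_queue(INVENTORY):
        print(f"{subject:24} {alg:12} {ca:14} expires {expires} critical={critical}")
    print(dict(exposure_by_ca(INVENTORY)))
```

The per-CA count shows which of the issuing CAs carry the most classical certificates, and the queue uses each certificate's expiry as its natural renewal point.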


Quantum computing may still sound like sci-fi, but it won’t be for long. Like cloud computing, virtual reality, artificial intelligence, and so many other technological leaps in the recent past, it will be here before we know it. Laying the groundwork for the transition to PQC sooner rather than later can reduce the amount of disruption organizations will experience. Implementing crypto-agility best practices is an ideal starting point on this journey.

Murali Palanisamy

Chief Solutions Officer, AppViewX

