NCCoE publishes preliminary draft covering migration to post-quantum cryptography, calls for comments

The National Institute of Standards and Technology (NIST) released Monday a preliminary draft soliciting comments from stakeholders in the public and private sectors to bring awareness to the challenges involved in migrating to post-quantum cryptography, from the current set of public-key cryptographic algorithms to quantum-resistant algorithms.

Through the National Cybersecurity Center of Excellence (NCCoE), the project focuses on initiating the development of practices to ease migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks.

In an ‘Executive Summary’ of the NIST Special Publication 1800-38A, the NCCoE acknowledges that advances in quantum computing could compromise many of the current cryptographic algorithms being widely used to protect digital information, necessitating the replacement of existing algorithms with quantum-resistant ones. “Previous initiatives to update or replace installed cryptographic technologies have taken many years, so it is critical to begin planning for the replacement of hardware, software, and services that use affected algorithms now so that data and systems can be protected from future quantum computer-based attacks.”

NIST has been soliciting, evaluating, and standardizing quantum-resistant public-key cryptographic algorithms. To complement this effort, the NCCoE is engaging with industry collaborators, regulated industry sectors, and the U.S. federal government to bring awareness to the issues involved in migrating to post-quantum algorithms and to prepare the crypto community for migration.

The NCCoE said that the public comment period for the Executive Summary of this practice guide is now open through June 8, 2023. As the project progresses, this preliminary draft will be updated, and additional volumes will also be released for comment.

The preliminary practice guide, NIST SP 1800-38A, can help organizations identify where, and how, public-key algorithms are being used in information systems. It can also mitigate enterprise risk by providing tools, guidelines, and practices that organizations can use in planning for the replacement or update of hardware, software, and services that use quantum-vulnerable public-key algorithms, and in developing a risk-based playbook for migration involving people, processes, and technology.

The practice guide can help product and service producers perform interoperability and performance testing for different classes of technology. It also helps to strengthen cryptographic discovery tools to produce actionable reports and understand the potential impact that transitioning from quantum-vulnerable algorithms could have on their products and services.

The initial scope of the project will include engaging the industry to demonstrate the use of automated discovery tools to identify instances of quantum-vulnerable public-key algorithm use, where they are used in dependent systems, and for what purposes. Once the public-key cryptography components and associated assets in the enterprise are identified, the next project element is prioritizing those applications that need to be considered first in migration planning. Finally, the project will describe systematic approaches for migrating from vulnerable algorithms to quantum-resistant algorithms across different types of organizations, assets, and supporting technologies.

Some of the challenges are likely to come from organizations that are often unaware of the breadth and scope of application and function dependencies on public-key cryptography. Many, or most, of the cryptographic products, protocols, and services on which we depend will need to be replaced or significantly altered when post-quantum replacements become available. Additionally, information systems are not typically designed to encourage rapid adaptations of new cryptographic primitives and algorithms without making significant changes to the system’s infrastructure, often requiring intense manual effort.

The migration to post-quantum cryptography will likely create many operational challenges for organizations, the NCCoE document said. The new algorithms may not have the same performance or reliability characteristics as legacy algorithms due to differences in key size, signature size, error handling properties, number of execution steps required to perform the algorithm, key establishment process complexity, etc. A truly significant challenge will be to maintain connectivity and interoperability among organizations and organizational elements during the transition from quantum-vulnerable algorithms to quantum-resistant algorithms.

The potential business benefits of the solution explored by this project include helping organizations identify where, and how, public-key algorithms are being used on their information systems, and mitigating enterprise risk by providing tools, guidelines, and practices that organizations can use in planning for replacing or updating hardware, software, and services that use PQC-vulnerable public-key algorithms. The document also lists protecting the confidentiality and integrity of sensitive enterprise data, and supporting developers of products that use PQC-vulnerable public-key cryptographic algorithms by helping them understand protocols and constraints that may affect the use of their products.

The recommended project will engage the industry in demonstrating the use of automated discovery tools to identify all instances of the public-key algorithm used in an example network infrastructure’s computer and communications hardware, operating systems, application programs, communications protocols, key infrastructures, and access control mechanisms. The algorithm employed and its purpose would be identified for each affected infrastructure component.

Once the public-key cryptography components and associated assets in the enterprise are identified, the next element of the scope of the project is to prioritize those components that need to be considered first in the migration using a risk management methodology informed by ‘Mosca’s Theorem’ and other recommended practices.
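The discovery-then-prioritization flow described above can be sketched as follows. This is an added example, not code from NIST SP 1800-38A or from the article; it ranks discovery findings with Mosca's inequality (exposure exists when x + y > z, where x is how long the data must stay secure, y is the time needed to migrate, and z is the time until a cryptographically relevant quantum computer exists). The inventory records, field names and the 10-year value for z are constructed assumptions.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}

@dataclass
class Finding:
    asset: str               # where a discovery tool observed the algorithm
    algorithm: str           # e.g. "RSA-2048", "ECDH-P256", "AES-256"
    purpose: str             # what the algorithm is used for on that asset
    shelf_life_years: float  # x: how long the protected data must stay secure
    migration_years: float   # y: estimated time to replace the algorithm here

def is_quantum_vulnerable(algorithm: str) -> bool:
    """Classify by algorithm family; symmetric ciphers and hashes are out of scope."""
    return algorithm.upper().split("-")[0] in QUANTUM_VULNERABLE

def mosca_margin(f: Finding, years_to_quantum: float) -> float:
    """x + y - z. A positive value is the number of years the data is exposed."""
    return f.shelf_life_years + f.migration_years - years_to_quantum

def prioritize(findings, years_to_quantum):
    """Return (asset, algorithm, margin) for vulnerable findings, worst first."""
    vulnerable = [f for f in findings if is_quantum_vulnerable(f.algorithm)]
    ranked = sorted(vulnerable,
                    key=lambda f: mosca_margin(f, years_to_quantum),
                    reverse=True)
    return [(f.asset, f.algorithm, mosca_margin(f, years_to_quantum)) for f in ranked]

# Constructed sample inventory (hypothetical assets, not from the guide).
INVENTORY = [
    Finding("vpn-gateway", "ECDH-P256", "key establishment", 15, 3),
    Finding("code-signing-ca", "RSA-2048", "signature", 2, 5),
    Finding("backup-archive", "AES-256", "bulk encryption", 25, 1),
    Finding("intranet-web", "ECDSA-P256", "TLS server authentication", 0.5, 1),
    Finding("records-db-tls", "RSA-3072", "key establishment", 10, 4),
]

if __name__ == "__main__":
    # z = 10 years is an assumed planning horizon, not a figure from the page.
    for asset, algorithm, margin in prioritize(INVENTORY, years_to_quantum=10):
        status = "migrate first" if margin > 0 else "plan"
        print(f"{asset:16} {algorithm:11} margin={margin:+5.1f}  {status}")
```

Key-establishment findings with long-lived data rise to the top because recorded traffic can be decrypted later, while short-lived signatures rank lower under the same horizon.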

Finally, the project will provide systematic approaches for migrating from vulnerable algorithms to quantum-resistant algorithms across the different types of assets and their supporting underlying technology.

The initial drafts for the Migration to Post-Quantum Cryptography project will demonstrate tools for the discovery of quantum-vulnerable algorithms in various use case scenarios, such as vulnerable algorithms used in cryptographic code or dependencies during a continuous integration/continuous delivery development pipeline, vulnerable algorithms used in network protocols, enabling traceability to specific systems using active scanning and historical traffic captures, and vulnerable algorithms used in cryptographic assets on end-user systems and servers, to include applications and associated libraries. 

The result will be a practical demonstration of technology and tools that can support organizations that use vulnerable public-key cryptography today in their planning of a migration roadmap using a risk-based approach, the NCCoE document said. In tandem, industry collaborators will publish results, observations, and findings from the interoperability and performance workstream in the form of additional practice guide volumes, white papers, or NIST Internal Reports (IRs) to mitigate the gaps and accelerate the adoption of post-quantum algorithms into the products, protocols, and services.

Last November, the U.S. Office of Management and Budget (OMB) described preparatory steps for the heads of executive departments and agencies to undertake as they begin their transition to post-quantum cryptography by conducting a prioritized inventory of cryptographic systems. Further, the memorandum provides transitional guidance to agencies in the period before PQC standards are finalized by NIST, after which OMB will issue further guidance.
