NIST NCCoE publishes preliminary drafts on post-quantum cryptography migration challenges, testing standards

The NIST National Cybersecurity Center of Excellence (NCCoE) published this week two preliminary draft practice guides covering migration challenges and testing standards. The agency is soliciting comments from public- and private-sector stakeholders to raise awareness of the challenges involved in migrating from the current set of public-key cryptographic algorithms to quantum-resistant post-quantum cryptography (PQC) algorithms. The comment period is open through Feb. 20, 2024.

The public comment period for Volume A (NIST SP 1800-38A) opened in April this year and closed in June. The NCCoE is currently reviewing the comments received.

NIST SP 1800-38B, Quantum Readiness: Cryptographic Discovery, is a preliminary draft offering: a functional test plan that exercises the cryptographic discovery tools to determine their baseline capabilities; a use case scenario that provides the context and scope of the demonstration; an examination of the threats addressed in the demonstration; a multifaceted approach to starting the discovery process that most organizations can adopt today; and a high-level architecture, based on the use case, that integrates contributed discovery tools in the NCCoE’s lab.

NIST SP 1800-38C, Quantum Readiness: Testing Draft Standards for Interoperability and Performance, is a preliminary draft offering the identification of compatibility issues between quantum-ready algorithms, resolution of compatibility issues in a controlled, non-production environment, and reduction of time spent by individual organizations performing similar interoperability testing for their own PQC migration efforts.

In August, NIST released draft standards for three of the four algorithms it selected last year: FIPS 203 (ML-KEM, based on CRYSTALS-Kyber), FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, based on SPHINCS+). A draft standard for FALCON, the fourth algorithm, is expected in about a year. The agency has called for feedback on the three draft Federal Information Processing Standards (FIPS).

The NCCoE’s project assesses that it is critical to begin planning now for the replacement of hardware, software, and services that use public-key algorithms, because data protected with quantum-vulnerable algorithms today can be recorded and decrypted later once a cryptographically relevant quantum computer exists. The goal of the project is to initiate the development of practices that ease migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks.

Working with the public and private sectors to address cybersecurity challenges posed by the transition to quantum-resistant cryptography, the NCCoE is undertaking a practical demonstration of technology and tools that can assist organizations in developing a migration plan, sometimes called a quantum readiness roadmap.

The NIST SP 1800-38B preliminary draft document identified that two demonstration activities were selected to enable and inform migration. “One demonstration is focused on tools that discover where and how public key algorithms are being used; the second involves experiments that measure the performance of the emerging quantum-resistant algorithms for security functions and protocols that are currently reliant on quantum-vulnerable algorithms.” 

The volume covers the demonstration activities focused on the use of automated discovery tools. These tools identify instances of quantum-vulnerable public-key algorithms that are widely deployed across an organization to create a cryptographic algorithm inventory that will help an organization develop its migration roadmap.

The preliminary practice guide can help an organization identify where and how public-key algorithms are being used in its information systems. It will also assist in raising internal awareness and understanding of risk-based cryptographic migration planning through the demonstration of tools, practice, and guidance. It will also help with developing a risk-based playbook, involving people, processes, and technologies while connecting with existing risk management tools, for performing a migration to post-quantum cryptography.

The document lays out the steps an organization should take to find the vulnerable cryptographic algorithms it uses. Automated tools should identify the cryptographic algorithms used in hardware and software modules, libraries, and embedded code. “Automated tools should also identify the cryptographic algorithms currently used by an enterprise to support cryptographic key establishment and management underlying the security of cryptographically protected information and access management processes, as well as algorithms used to protect the source and content integrity of data at rest, in transit, and in use.”

Furthermore, after the vulnerable public-key cryptography components and associated assets in the enterprise are identified, the next objective of the project is to prioritize those components that need to be considered first in the migration using a risk management methodology informed by the sensitivity and criticality of the information being protected over time.
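As an added illustration of what such a discovery pass produces, the script below inventories OpenSSH public-key material (authorized_keys and known_hosts style lines) using only the Python standard library: it decodes each RFC 4253 wire-format key blob, records the algorithm family, key size or curve, a quantum-vulnerable flag, and a crude migration priority, and keeps malformed lines as findings rather than dropping them. This is example code written for this page, not NCCoE or consortium tooling; the sample lines, the RSA modulus stand-in and the EC point stand-in are constructed placeholders, not real keys.

```python
"""Added example (not NCCoE tooling): minimal cryptographic discovery over
OpenSSH public-key lines, standard library only."""
import base64
import struct

# Every user/host key type OpenSSH accepts is a classical public-key
# algorithm (RSA, DSA, ECDSA, EdDSA), so all of them are quantum-vulnerable.
QUANTUM_VULNERABLE_FAMILIES = {"RSA", "DSA", "ECDSA", "Ed25519"}


def _read_string(blob, off):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + n], off + n


def parse_ssh_pubkey_line(line):
    """Inventory record for one line, None for blank/comment lines.
    Raises ValueError on malformed input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # Key type may be preceded by options (authorized_keys) or hostnames
    # (known_hosts); anything after the blob is a free-text comment.
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-sha2-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type / key blob found")
    key_type, b64 = fields[idx], fields[idx + 1]
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    embedded, off = _read_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError("blob type %r != declared %r" % (embedded, key_type))
    rec = {"type": key_type, "family": "unknown", "bits": None, "curve": None}
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent (mpint)
        n, off = _read_string(blob, off)           # modulus (mpint)
        rec["family"], rec["bits"] = "RSA", int.from_bytes(n, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)       # curve name, e.g. nistp256
        rec["family"], rec["curve"] = "ECDSA", curve.decode()
    elif key_type == "ssh-ed25519":
        rec["family"], rec["bits"] = "Ed25519", 256
    elif key_type == "ssh-dss":
        rec["family"] = "DSA"
    # None (not False) for unknown types: they need manual review, not a pass.
    rec["quantum_vulnerable"] = True if rec["family"] in QUANTUM_VULNERABLE_FAMILIES else None
    if rec["family"] == "unknown":
        rec["priority"] = "review"
    elif rec["family"] == "DSA" or (rec["family"] == "RSA" and rec["bits"] < 2048):
        rec["priority"] = "high"     # already weak classically: migrate first
    else:
        rec["priority"] = "normal"
    return rec


def build_inventory(lines):
    """Malformed entries become findings; silently skipping them under-reports."""
    records = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = parse_ssh_pubkey_line(line)
        except ValueError as exc:
            rec = {"type": "malformed", "family": "unknown", "bits": None, "curve": None,
                   "quantum_vulnerable": None, "priority": "review", "error": str(exc)}
        if rec is not None:
            rec["line"] = lineno
            records.append(rec)
    return records


def summarize(records):
    """Count inventory records per algorithm family."""
    counts = {}
    for rec in records:
        counts[rec["family"]] = counts.get(rec["family"], 0) + 1
    return counts


# Constructed sample input (placeholder values, not real keys).
def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + b if b and b[0] & 0x80 else b)  # keep positive


SAMPLE_LINES = [
    "# constructed authorized_keys / known_hosts sample",
    "ssh-rsa %s alice@example" % base64.b64encode(
        ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 1)).decode(),
    "bastion.example,10.0.0.5 ecdsa-sha2-nistp256 %s" % base64.b64encode(
        ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
        + ssh_string(b"\x04" + b"\x11" * 64)).decode(),
    'command="/opt/backup",no-pty ssh-ed25519 %s backup' % base64.b64encode(
        ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)).decode(),
    "ssh-rsa not-valid-base64!! stale-entry",
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_LINES)
    for rec in inventory:
        print(rec)
    print(summarize(inventory))
```

The record fields map onto the two objectives the guide describes: the family, size and curve feed the algorithm inventory, and the priority field is a deliberately simple stand-in for the risk-based ranking, here driven only by classical weakness (DSA, RSA under 2048 bits) rather than by data sensitivity or longevity, which a real playbook would add.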

For interoperability and performance testing, the collaborators on the NIST SP 1800-38C preliminary draft agreed on a common scope, so that they can test their implementations against commonly used standards that have already begun, or are expected to begin, migrating to quantum-safe algorithms.

“In the Interoperability and Performance Workstream outlined in this volume, a subset of consortium members contributed working implementations of pre-standardized PQC algorithms in a variety of scenarios, which included the Transport Layer Security (TLS) protocol, Secure Shell (SSH) protocol, and hardware security modules (HSMs),” the draft document detailed. “NIST’s NCCoE has begun the process of testing pre-standardized post-quantum implementations in a lab environment to ensure that PQC will work in practice before standards are complete and commercial implementations are finalized, in alignment with Office of Management and Budget (OMB) M-23-02.”

The document also identified that where interoperability testing has already been ongoing in other venues, such as the X.509 certificate Internet Engineering Task Force (IETF) hackathon, “we leverage and highlight the outcomes from our consortium members in those venues. Interoperability testing of NIST pre-standardized post-quantum cryptographic algorithms was identified as a core focus area to support the ability of technology vendors and standards bodies to migrate and develop new products that utilize PQC.”

It added that organizations that procure systems and software implementing PQC will be able to learn about the quantum-readiness of technologies they are already using and technologies they are procuring to protect their systems. “Benchmarking performance metrics from tests in our lab will assist our consortium members and any technology vendor in optimizing their implementations as they move toward production-grade status. Understanding performance metrics of post-quantum-ready algorithms will play a crucial role in motivating technology providers to provide technologies that will enable organizations’ migrations, and will provide initial data on which post-quantum cryptographic algorithm is best suited for specific use cases.”

In September, not-for-profit organization MITRE announced the launch of a PQC coalition to drive progress toward broader understanding and public adoption of PQC and the NIST PQC algorithms. Made up of a community of technologists, researchers, and expert practitioners, the PQC Coalition has as its founding coalition members – IBM Quantum, Microsoft, MITRE, PQShield, SandboxAQ, and the University of Waterloo.
