QUANTUM SAFE PKI TRANSITIONS

Similar documents
Introduction to Post-Quantum Cryptography

Introduction to Post-Quantum Cryptography

8/30/17. Introduction to Post-Quantum Cryptography. Features Required from Today s Ciphers. Secret-key (Symmetric) Ciphers

The State of Post- Quantum Cryptography. Presented by the Quantum Safe Security Working Group

SHA-1 to SHA-2. Migration Guide

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

Table of Contents. Preface... vii Abstract... vii Kurzfassung... x Acknowledgements... xiii. I The Preliminaries 1

BEYOND TRADITIONAL PASSWORD AUTHENTICATION: PKI & BLOCKCHAIN

Keep your fingers off my keys today & tomorrow

PKI is Alive and Well: The Symantec Managed PKI Service

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

About & Beyond PKI. Blockchain and PKI. André Clerc Dipl. Inf.-Ing. FH, CISSP, CAS PM TEMET AG, Zürich. February 9, 2017

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Post-Quantum Cryptography A Collective Challenge

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Digital Certificates Demystified

Security+ SY0-501 Study Guide Table of Contents

Spring 2010: CS419 Computer Security

Most Common Security Threats (cont.)

CSE 565 Computer Security Fall 2018

Post-Quantum Cryptography

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Chapter 9: Key Management

Who s Protecting Your Keys? August 2018

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Overview. SSL Cryptography Overview CHAPTER 1

Using Cryptography CMSC 414. October 16, 2017

Efficient Quantum-Immune Keyless Signatures with Identity

Cuttingedge crypto graphy

Certification Authority

Selection of Cryptographic Algorithms, Post-Quantum Cryptography: ANSSI Views

An Overview of Secure and Authenticated Remote Access to Central Sites

Connecting Securely to the Cloud

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Cryptographic Checksums

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

UELMA Exploring Authentication Options Nov 4, 2011

Uses of Cryptography

These patterns include: The use of proprietary software

UNIT - IV Cryptographic Hash Function 31.1

Study on data encryption technology in network information security. Jianliang Meng, Tao Wu a

PQ-Crypto Standardization Preparing today for the future of cryptography

Public Key Infrastructure. What can it do for you?

Cryptography in Lotus Notes/Domino Pragmatic Introduction for Administrators

NIST Post- Quantum Cryptography Standardiza9on

The Device Has Left the Building

Authentication, Encryption, Transport, IP Version and VPN Routing

Verizon Software Defined Perimeter (SDP).

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Key Protection for Endpoint, Cloud and Data Center

Technologies for Securing the Networked Supply Chain. Alex Deacon Advanced Products and Research Group VeriSign, Inc.

U.S. E-Authentication Interoperability Lab Engineer

Towards Post-Quantum Cryptography Standardization. Lily Chen and Dustin Moody National Institute of Standards and Technology USA

Public Key Infrastructure

KNOWLEDGE SOLUTIONS. MIC2823 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 5 Day Course

Lecture 1: Introduction to Security Architecture. for. Open Systems Interconnection

How Next Generation Trusted Identities Can Help Transform Your Business

Authentication Technology for a Smart eid Infrastructure.

Authentication, Encryption, Transport, and VPN Routing

CERN Certification Authority

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

PKI Credentialing Handbook

Digital Certificate Operation in a Complex Environment PKI ARCHITECTURE QUESTIONNAIRE

Diffie-Hellman. Part 1 Cryptography 136

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Securing Smart Meters with MULTOS Technical Overview

Key Management and Distribution

Cryptography and Network Security

SSH PK Authentication and Auto login configuration for Chassis Management Controller

Some Lessons Learned from Designing the Resource PKI

Leveraging HSPD-12 to Meet E-authentication E

SAFEcrypto: Secure Architectures of Future Emerging cryptography

Strong Security Elements for IoT Manufacturing

But where'd that extra "s" come from, and what does it mean?

Cryptography and Network Security Chapter 14

Comodo Certificate Manager

Man in the Middle Attacks and Secured Communications

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Crypto meets Web Security: Certificates and SSL/TLS

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Network Security and Cryptography. December Sample Exam Marking Scheme

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

User Authentication Principles and Methods

MASP Chapter on Safety and Security

10/4/2016. Advanced Windows Services. IPv6. IPv6 header. IPv6. IPv6 Address. Optimizing 0 s

Introduction to Public-Key Cryptography

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Implementing Secure Socket Layer

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Security Specification

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

GLOBAL PKI TRENDS STUDY

T Cryptography and Data Security

Security for Wireless Handhelds

Transcription:

QUANTUM SAFE PKI TRANSITIONS

Quantum Valley Investments Headquarters We offer quantum readiness assessments to help you identify your organization s quantum risks, develop an upgrade path, and deliver a plan to move forward. We created the first commercially available security solution to offer quantum resistant algorithms that can replace the classical algorithms that are weak against quantum computing threats.

Agenda Threat The Authentication Challenge Options Conclusions and Recommendations

Quantum Computing Threat

Why Quantum Computers? Exploiting the power of quantum physics to create a new way of computing, with applications to: Drug design Materials science Unstructured search Code breaking Machine learning Chemistry and physics simulations

Cryptographic Challenges For A Post Quantum World Today s security solutions rely on the complexity of the underlying mathematical problems that form the foundation for modern cryptographic systems. The massive processing capabilities found in quantum computers will challenge our current beliefs around complexity.

What needs to be protected today? Any encrypted data where key establishment is communicated or stored along with it will not remain confidential beyond Y2Q. Any digital documents signed today that must maintain their authenticity beyond Y2Q. Any signed software that needs to remain authentic at crossover point.

So, What Is Vulnerable? PRODUCTS which derive their security from these protocols and cryptosystems SECURITY PROTOCOLS relying upon any of these cryptosystems CRYPTOSYSTEMS that have been built on the presumed difficulty of discrete log or integer factorization This is the case for anything that is encrypted after a large-scale quantum computer has been built, anything we encrypt today, and anything we encrypted in the past!

Quantum Computing Authentication

Code Signing Authenticity of software updates are essential to trust Digital signatures are ubiquitous with software updates Frequency of updates are much less than authentication requests at a web server, for example Hash Based Signatures provide a safe option

Secure Email Email continues to be the main communication medium for business Large amounts of sensitive information continues to be sent Mail server breaches can cause enormous brand/financial/trust damage Email can be protected by Server to server encryption Services such as S/MIME and PGP S/MIME and PGP differ on key management Imply need for PKI transition

Quantum Safe Deployment Challenges Moderate deployment effort with a phased deployment possible. Timeline: Years. Legacy Classic Connection Quantum-Safe Connection Upgraded

Quantum Computing PKI

Quantum Resistant PKI Enterprise PKI supporting remote VPN can be quite large and cannot be updated overnight. To avoid service stoppage a sophisticated strategy, clever mechanism, and systematic method are needed to gradually migrate the monolithic PKI system to new algorithms that allow mixture of algorithms, including interim choices of algorithms.

X509 Certificate Chain Issuer = Root CA Subject = Root CA Sign Public Key Signature Extensions Private Key Sign Issuer = Root CA Subject = Intermediate CA Public Key Signature Extensions Private Key Sign Issuer = Intermediate CA Subject = SSL Server Public Key Signature Extensions Private Key

Enterprise Infrastructure CA VPN (SSL) Secure Email (S/MIME) Web Apps (HTTPS)

Upgrade Approaches Forklift upgrade Expensive! Requires you to wait until all systems are made Quantum Safe Many failure points tested all at once Infrastructure risk through waiting

Upgrade Approaches Running a Parallel Infrastructure Multiple user credentials to individually manage Two smart cards? User training on which system to use at which particular moment Cost of running two instances of your systems

Applying Hybrid Ideas to Authentication Using Hash Based Signatures for Root Certificates Subordinate CAs signed with LMS/XMSS Public Key is RSA/ECC End-entity certificates signed with quantum vulnerable scheme Upgrade subordinate CAs, and end entities, as stateless options are finalized Root certificates finalized early Migration across browsers is slow

X509 Certificate Chain Issuer = Root CA Subject = Root CA Sign QR Public Key QR Signature Extensions QR Private Key Sign Issuer = Root CA Subject = Intermediate CA Public Key QR Signature Extensions Private Key Sign Issuer = Intermediate CA Subject = SSL Server Public Key Signature Extensions Private Key

Applying Hybrid Ideas to Authentication Creating Hybrid Certificates Utilize aspects of X.509 to include both quantum vulnerable and resistant keys Allow for an in-place migration of PKI credentials and applications Upgrade systems use quantum resistant credentials Legacy systems continue to quantum vulnerable keys/signatures

Phase One Enterprise Infrastructure CA VPN (SSL) Secure Email (S/MIME) Web Apps (HTTPS)

Phase One Certificate Subject Issuer Validity Public Key Basic Fields Extensions QR Public Key Signature Phase One Hybrid Certificate Subject Issuer Validity Public Key Signature Basic Fields Extensions QR Public Key

Phase One X509 Certificate Chain Issuer = Root CA Subject = Root CA Sign Public Key Signature Extensions Private Key Sign Issuer = Root CA Subject = Intermediate CA Public Key Signature Extensions Private Key Sign Issuer = Intermediate CA Subject = SSL Server Public Key Signature QR Public Key Private Key QR Private Key

Phase Two Enterprise Infrastructure CA VPN (SSL) Secure Email (S/MIME) Web Apps (HTTPS)

Phase Two Certificate Subject Issuer Validity Public Key Basic Fields Extensions QR Public Key QR Signature Signature Phase Two Hybrid Certificate Subject Issuer Validity Public Key Signature Basic Fields Extensions QR Public Key QR Signature

Phase Two X509 Certificate Chain Issuer = Root CA Subject = Root CA Sign Sign Public Key Signature QR Public Key QR Signature Private Key QR Private Key Sign Sign Issuer = Root CA Subject = Intermediate CA Public Key Signature QR Public Key QR Signature Sign Issuer = Intermediate CA Subject = SSL Server Public Key Signature Private Key QR Private Key Sign QR Public Key QR Signature Private Key QR Private Key

Phase Three Enterprise Infrastructure CA VPN (SSL) Secure Email (S/MIME) Web Apps (HTTPS)

Phase Three Certificate Basic Fields Subject Issuer Validity QR Public Key QR Signature Phase Three Certificate Basic Fields Subject Issuer Validity QR Public Key QR Signature

Example

Quantum Safe Cryptography Options for PKI

Hash-Based Signatures Well studied and trusted Fast operations and compact public key But State management Private key sizes

Code-Based Crypto McEliece key transport with Goppa codes still well trusted But Focus on key transport, not signature schemes Key sizes! Constructions do exist focused on Niederreiter variant

Lattice Cryptography Lattice based cryptography offers very fast quantum resistant schemes with excellent key sizes, in the Ring variants But Signature space is much less mature BLISS and pqntrusign TESLA

Isogeny-Based Cryptography Offers crypto based off different hard problems E φ ' φ $ But No efficient signature schemes available E/ R ' φ ' P $ φ ' Q $ φ ' R $ φ $ R ' E/ R $ φ $ P ' φ $ Q ' Still based off modified Zero Knowledge proof constructions Quite slow ψ ' ψ $ ae/ R ' E/ R ', R $ E/ R $ φ ' R $ φ $ R '

Multivariate Public Key Cryptography Offers a variety of digital signature options such as Rainbow, UOV, HFEv- Work has been done on getting it to work on smart cards But Popularity more geographically centred Public key size not as competitive as Hash Based Fewer academic publications

Quantum Key Distribution Promises a physics based approach to Quantum Security But Focus is key distribution Requires a Quantum Resistant algorithm, from the previous slides, to authenticate the exchange Physical limitations

Quantum Computing Conclusions and Recommendations

When Does The Clock Run Out? While this seems enormous, its like drinking the ocean We do have viable solutions today and more are coming. Start planning your transition today!

Thank you! www.isara.com mike@isara.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback