NIST PKI 2024 – SafeCipher

Post Quantum PKI

PKI and the anticipation of NIST-Approved Quantum-Resistant Algorithms in 2024

As organizations anticipate the release of NIST approved standards this year, specifically, the new Lattice-based Digital Signature Standard, SafeCipher have put together a list of actions for PKI construction to help organizations embark on the journey.

Building a New CA

1. Regulatory and Standards Compliance: Ensure the new CA is designed to be compliant with relevant regulations and standards (e.g., NIST post-quantum standards, WebTrust, ETSI).

2. Future-Proof Technology Selection: Choose technology solutions (HSMs, CA software) that are not just compliant with current standards but are also expected to support future quantum-resistant algorithms.

3. Flexible Architecture: Design the CA infrastructure with flexibility in mind to accommodate updates to algorithms and policies with minimal disruption.

4. Audit and Certification: Plan for and engage with auditors who are knowledgeable in post-quantum cryptography to certify your CA under the new standards.

5. Vendor Engagement: Engage with vendors to understand their roadmaps for quantum-resistant solutions and establish SLAs that account for future upgrades.

6. Pilot Programs: Once the new algorithms are available, run pilot programs to gain experience with the operational aspects of the new CA.

7. Stakeholder Involvement: Involve internal and external stakeholders early in the process to understand their requirements and ensure the CA’s services will be aligned with their needs.

8. Security Practices: Establish strong security practices around the CA’s operations, including physical security, personnel security, and cybersecurity.

9. Interoperability Testing: Test the interoperability of the new CA with existing systems and software that will rely on its certificates.

10. Phased Rollout: Consider a phased approach to rolling out the new CA to manage risks effectively.

Rekeying Internal CA PKI

1. Assessment of Current PKI: Evaluate the existing PKI setup, including certificate policies, lifecycle, HSM capabilities, and software dependencies.

2. Policy Update: Update your Certificate Policy (CP) and Certificate Practice Statement (CPS) to accommodate future algorithms and outline the transition process.

3. Algorithm Selection: Stay informed about the NIST-approved algorithms and be prepared to select suitable quantum-resistant algorithms once they are announced.

4. Compatibility Check: Ensure that the chosen algorithms are compatible with the existing infrastructure or determine what upgrades will be necessary.

5. HSM Upgrade/Replacement: Work with vendors to understand the timelines for HSMs that support quantum-resistant algorithms and plan for upgrades or replacements.

6. Key Management: Implement robust key management practices that will facilitate a smooth transition to new algorithms, including key generation, storage, and destruction processes.

7. Test Environment: Set up a parallel test environment that incorporates the new algorithms to conduct thorough testing without affecting the current infrastructure.

8. Training: Train the relevant staff on new processes and technologies to ensure operational efficiency once the transition begins.

9. Transition Plan: Develop a detailed transition plan for rekeying that includes timelines, responsibilities, and rollback procedures in case of issues.

10. Communication: Communicate the upcoming changes to all stakeholders, including timelines and expected actions on their part, if any.

Continuous Monitoring and Updating

Monitor Industry Developments: Keep abreast of industry developments in quantum computing and cryptography to anticipate future changes.

Regular Review and Update Cycles: Set regular intervals to review and update your PKI infrastructure and CA setup in response to emerging threats and technology updates.

In both rekeying your internal PKI and building a new CA, it’s crucial to maintain flexibility and prepare for ongoing updates. Transitioning to post-quantum cryptography is not a one-time event but a continual process that will require regular updates and adjustments as the field evolves and as new threats and technologies emerge.