Podcast Sep 08, 2020

Root Causes 118: Quantum Apocalypse - What Is a Hybrid Certificate?

As part of its quantum safe initiative, Sectigo is now offering its Quantum Safe Kit, which enables the creation of hybrid TLS certificates. In this episode our hosts are joined by guest Alan Grau to explain what hybrid certificates are, how they are essential to transitioning to quantum-safe crypto, and the ways enterprises can begin using them today.

  • Original Broadcast Date: September 8, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Today, Alan, of course, you are a member of the Sectigo Quantum Labs effort, which we talked about in an earlier podcast and you are here today to help us understand I think one of the subtle but important aspects of quantum-safe certificates which is the concept of a hybrid certificate.

  • Alan Grau

    Exactly, Tim. Yeah. Hybrid certificates are definitely a critical piece of the landscape when you are talking about migrating from existing traditional crypto systems and PKI systems over to the quantum-safe equivalents.

  • Tim Callan

    Ok. So let’s start with some basics. Hybrid. Hybrid of what?

  • Alan Grau

    So, a hybrid cert is a certificate that takes an existing encryption algorithm, RSA or ECC, but also has encoded within it a post-quantum or quantum-safe encryption algorithm. So, there are a couple of new fields that are introduced that include the quantum-safe key and the quantum-safe signature as well as the encoding of which quantum-safe algorithm is used.

  • Tim Callan

    So, it’s kind of like being bilingual? If you and I both spoke English and French, we could speak in English or we could speak in French. They are both in there.

  • Alan Grau

    Exactly.

  • Tim Callan

    Ok.

  • Jason Soroko

    And, Alan, when you say fields, you are referring to x.509 certificate fields. Is that right?

  • Alan Grau

    Yeah. So excellent point in case. Let me just take a step back here. We are still talking about our relatively standard x.509 digital certificates.

  • Tim Callan

    So, these would be used in all the ways that you could use an x.509 certificate today. And in principle, this is any kind of existing x.509 certificate right, Alan? It could be SSL. It could be code signing. It could be public root, private root. Like in principle it could be any hosting, correct? All right. So, I have a hybrid cert. I put it on my server. I connect to a client machine. Which algorithm gets used?

  • Alan Grau

    Great point. And this gets to the reason that hybrid certs have been introduced in the first place. So, when you look at migrating your PKI systems from existing traditional algorithms to quantum-safe algorithms, that really is a huge undertaking because there’s a number of steps that have to happen. You need to upgrade the PKI system. You need to upgrade the servers. You need to upgrade the clients. If it’s Code Signing certificates, you need to upgrade the signing application and you need to upgrade the validation applications. So, it’s really the whole ecosystem has to be touched and upgraded and to further complicate things, it’s a little bit different in some ways than current crypto agility solutions. We’ve talked on this podcast, or you guys have talked on this podcast about crypto agility and moving say from RSA 2048 to 4096 or if you look at an old system from RSA 512 to RSA 2048.

  • Tim Callan

    Sure.

  • Alan Grau

    Well, when those were done, typically by the time people started making those upgrades both the clients and the servers were using crypto libraries that supported both versions of RSA. So it was a fairly easy migration: you just put in the new certificate or the new algorithms, you started using the new keys, and the clients and servers both could consume those new certificates and the new keys. With quantum-safe we are at a point in time where the client and server applications need to be upgraded not just to consume the new keys but the whole crypto infrastructure needs to be updated. Very, very few systems today have a crypto library that has quantum-safe crypto algorithms available in it.

  • Tim Callan

    On the other hand, RSA, if you want to just take one of the givens of computer science for the past four decades, it has been RSA. Like if you were making a system you just could safely assume that presence of RSA would be there and so everything we have, every piece of software, every piece of firmware, every piece of hardware, every service in the global economy is built on that compatibility?

  • Alan Grau

    Pretty much. Yeah. I mean we are starting to see some systems using ECC, so there’s a few alternatives but yeah, essentially what you say is true. So, when you look at upgrading that and you say, well, we need to upgrade from RSA encryption or ECC encryption to a new quantum-safe crypto algorithm, again it’s not just a matter of saying well we are gonna use more bits in our key and everything will just work. So, we have to update the server applications. We must update the client applications, you know, all the applications need to be updated with new crypto algorithms and that’s not gonna happen all at once and overnight.

  • Tim Callan

    Right. And so, the problem is what you are saying, Alan, is that some things will get switched out - - they’ll get switched out at different times, right? So, if I swap out some of my systems to support the new algorithms once they are finalized or one of the new algorithms in case there’s more than one. I might still have other systems in either my own environment or even in my broader ecosystem that I must connect to that haven’t been swapped out yet and they are all gonna have to coexist for some period of time.

  • Alan Grau

    Exactly. And that’s the reason for hybrid certificates. So today, if you look at traditional SSL, if you connect using TLS to a web server there’s a negotiation that goes on that picks the exact details of the crypto algorithm, the key length, and so most web servers will support some different options so they can support different versions of clients that support perhaps slightly different versions of TLS or slightly different versions of keys. So that sort of negotiation goes on today but, again, in a very narrow band of known encryption algorithms. And here we’re talking about the same analogy, except that as systems are updated, if they can use the new quantum-safe crypto algorithms and they have hybrid certs they will do so. And getting back to your first question of which algorithm is used, well, you use the new crypto algorithms if both ends of the connection can, but older systems that have not yet been updated can still interoperate and use the older RSA or ECC encryption.

  • Tim Callan

    So that implies that soon there will be let’s say server operating systems although I guess the same is true for clients while we are talking about it. Operating systems will have - - well themselves must have hybrid support. Right? I’m gonna stand up a server and some machines will connect to me that will be able to use my post-quantum algorithm and I’ll use that with them, but other machines will connect to me that won’t and I’ll drop back to let’s say ECC to connect with them. So that implies there is some work that is also going on, on that end of things. Is that right?

  • Alan Grau

    Yeah. Exactly. That’s exactly the point is the work has to happen on all of those systems, but we are not gonna turn on the switch and one day we are on RSA and the next day everything is on post-quantum encryption.

  • Tim Callan

    Right. And it’s like, um, let’s walk through the house keys analogy because you’ve talked about this in the past and I think it’s a good analogy, Alan, so walk us through that.

  • Alan Grau

    So if you’ve got a, you know, suppose you’ve got a boarding house, right, and you’ve got several people that have access to the house and you want to swap out your locks but not everybody is there to give them keys on day one. So you change your front door lock to use a new key, which would be the new quantum-safe crypto algorithm, with a new quantum-safe crypto key, and so as people access the house you give them the new key. They start using the new front door lock with the new key that’s stronger and more secure, but then as people trail in through the back door you can start to see who still needs to be updated, but you’ve got a period of time where both the old key and the new key can be utilized.

  • Tim Callan

    So even though someone could use the old key the point is they don’t have to. They get upgraded to the new one and they start using the new one because it’s the easiest and most convenient and safest thing to do. Meanwhile, we can pick up the laggards and the stragglers and then somewhere along the line we switch it over. We have the locksmith back and they do the back door as well and then we are totally on the new key?

  • Alan Grau

    Yes. Exactly.

  • Tim Callan

    Right. Now, that’s great for my analogy where there is a boarding house and there are 8 people or 20 people that must come and go but, you know, in our real world how long is that switchover process?

  • Alan Grau

    Well, it’s gonna depend. If we look at it globally, right, on all the systems and all the, right, it’s gonna be a decade or more. If we look at a single enterprise it may be, you know, a matter of a two or three-year process to switch everything over just depending on the scale of the enterprise and how many systems need to be updated. How many third-party applications need to be updated and how much effort and time they put into making the updates.

  • Tim Callan

    And I suppose it could even be more granular than that right? I don’t have to think of my enterprise as a single thing. It’s a large number of independent systems and once I’m confident that a system is purely post-quantum I could go ahead and get rid of my hybrid cert and replace it with a post-quantum cert for that system and I could continue to do that piecemeal through my organization until everything is swapped out, which is probably how it will really happen.

  • Alan Grau

    No, absolutely. There’s no question that it will and I’m sure there are some legacy systems where the RSA and ECC encryption will linger for many, many years. Right. I mean - -

  • Tim Callan

    So, something that was written in Fortran, yes, exactly!

  • Alan Grau

    Right. I mean we still see SHA-1 hashing algorithms out there that have been deprecated for how long now? Quite some number of years. So, yeah, that will. But one of the points that you made there that’s critical and I really want to emphasize is the transition period really is designed as a transition period. Any connections that are using the old encryption algorithms no longer are going to be secure once quantum computers have hit that point where they can crack these encryption algorithms. So once things are switched over it’s critical that we deprecate the ECC and RSA roots and switch it over to pure quantum-safe certificates. You know, hybrid certificates are simply a means to an end. They are not the end in themselves.

  • Tim Callan

    So, the hybrid cert, and this is a subtlety, but I think this is an important point. Right. Which is the hybrid cert having capabilities for both sets of encryption in it. So, it has our post-quantum algorithm and it also has our ECC, let’s say, or our RSA. That means that that hybrid cert could be enabling connections that are being encrypted using ECC or RSA and therefore are quantum vulnerable, but also it can be enabling connections that are not quantum vulnerable, right? Like the fact that the hybrid cert has ECC in it is not a problem for me if my connection is post-quantum. If it’s using that algorithm.

  • Alan Grau

    Absolutely. And it’s important that client and server applications are both designed and implemented in such a way that they do prefer the quantum-safe algorithms when they are available.

  • Tim Callan

    Right. And so, I suppose maybe there’s another risk which is that the use of the hybrid certificate masks an unintended or unexpected or unknown pre-quantum connection. Right. That I have a system that isn’t adequately post-quantum and I don’t realize that because I’m using a hybrid cert.

  • Alan Grau

    Yeah. That’s an interesting point. I think at some point system administrators or the designers of these systems are going to need to either ensure that the servers that are using the hybrid certs, that they have some logging capability so that they can know that oh, we still have these users or these applications that are accessing the system with, as you put it, quantum-vulnerable certificates and keys so that those can be eliminated or at some point they will just have to turn the system off and see what fails. Obviously, that’s not the preferred method but we’ve seen that happen before.

  • Tim Callan

    Yes. Whether it’s on purpose or not. Absolutely. So that would be an important point. I think that’s another good point that’s a subtlety is that as enterprises are dealing with this in the real world or as IT departments are dealing with this in the real world, think about ways to look at how those connections are happening before you go and swap out your cert one day and suddenly you have an outage you weren’t expecting.

  • Alan Grau

    Right. Exactly.

  • Jason Soroko

    So, guys, I’d like to add, you know, just a little bit of devil’s advocacy here.

  • Tim Callan

    Ok.

  • Jason Soroko

    So, Alan, you’ve described the hybrid certificate concept as being a temporary bridge. I mean it’s gonna be with us for a while obviously. I mean temporary in the sense that quantum computing isn’t gonna be tomorrow, but it will be here eventually and it’s the bridge until at least that point and at least a certain period beyond as well. But I think a point I’d like to make is about the assumption that the NIST post-quantum selection process for the algorithms, when it’s finally done, I think that we risk thinking that that selection will be set in stone forever in itself, which I think is wrong. Because first, we know that NIST is going to have more than one mathematical approach, right. They’ve signaled that lattice is a popular approach because of the combination of the strength of the algorithm against quantum computing as well as the fact that operationally it factors very well. It plays nicely. The key sizes are reasonable. So, it’s a good approach. But there are other approaches that may be optimized for other applications. You know, one of the things that we may end up finding is that there’s an ah-ha moment or more likely an uh-oh moment, right, which is where cryptographic agility is something we are gonna need long-term, and these hybrid certificate concepts that we are talking about right now, which is fantastic because we are not having to change a solid x.509 standard that’s been with us forever and we’re still going to be using well, well into the future. I think that the hybrid certificate concept would allow us to have that - - it will afford us that cryptographic agility to move to another algorithm if we find we must down the road. And, for example, Tim, this might interest you as well. The hybrid certificate concept even in today’s world would allow you to swap from say RSA to ECC.

  • Tim Callan

    Sure.

  • Jason Soroko

    Which is interesting. And we may have equivalent needs to switch algorithms far, far down the road once we do have systems that are starting to be baked in, but we want to swap out algorithms for various reasons. An uh-oh moment or maybe there’s something that we find that’s more palatable, more operationally desirable. So, I just wanted to throw that out there.

  • Alan Grau

    Yeah. No. I think crypto agility will remain a very important topic essentially as long as we have crypto, which, you know, anytime with these systems we’ve seen that. We talked about SHA hashing at the beginning. Over time the standards have changed because computing power continues to increase. So even if we stay with the same crypto algorithms there may be different key lengths and things that change, and the benefit of hybrid certs is it does allow interoperability in a scenario especially where there is a long upgrade time for systems. If you have systems where they already have multiple crypto algorithms baked in, right, and this is gonna standardize more than one algorithm. So if all the algorithms that are standardized are available on systems and we want to switch from one to the other then that’s fairly straightforward using kind of existing crypto agility techniques where you just change the cert and off you go. But, yeah, when there are scenarios where there are still new algorithms being developed that are not accessible or available to all systems then the hybrid cert plays a role. And there’s one kind of detailed technical piece that we didn’t talk about with hybrid certs and that is that the new fields are actually - - and this gets kind of really into the technical weeds of things, but they’re encoded as alternate fields. So what that means is even though the structure of the x.509 cert changed, when legacy applications receive that cert they’ll say, oh, here’s an alternate field that I don’t know about, and so they’ll just disregard that field and ignore that field. So you really don’t have to change legacy applications to start using hybrid certs right away. Those can be pulled in more gradually and as those devices and servers are updated they can start using them. But, you know, a web server from ten years ago, or if you are a web client from ten years ago, if it sees that hybrid cert it’ll just consume it as it would any other traditional cert and not break anything. So that’s a key piece of the nitty-gritty technical detail that makes this work.

  • Jason Soroko

    Super important point though, Alan. Just because what it means in very plain English is that somebody could take the toolkit today, start issuing these x.509 certificates with say an ECC encryption chosen with the alternate fields with traditional systems and not break a single thing. I think that’s a really important point.

  • Alan Grau

    Yep. Exactly.

  • Tim Callan

    So, I think what the two of you have been talking about has led to the question I’m gonna ask here, which is, so, Jason, you point out that NIST is deliberately settling on multiple algorithms for a variety of reasons. Some is they may be better for different use cases. Some is just redundancy, right? If something turns out to not be any good, we’ve got backups.

  • Jason Soroko

    That's right.

  • Tim Callan

    So, that might suggest that I will have, when I’m in my transitional period that I will have different subsets of post-quantum algorithms supported by different participating machines. So is it possible to create a multi-hybrid cert with support for four algorithms let’s say?

  • Alan Grau

    Sure.

  • Tim Callan

    Ok. Is that a thing? Is that gonna come up? Or?

  • Alan Grau

    I pause partially because I hadn’t really given that any great thought up until now and it’s a question of practicality. Hybrid certs end up being quite a bit larger. You know, many of the key sizes are a bit bigger than they are with traditional key sizes, so you certainly can. There’s another kind of edge use case that’s interesting here and that’s the concept of a composite cert, which is very similar to a hybrid cert in that it has multiple keys, but the use case is that if you have a system that you are hyper-concerned about security and we recognize it, you know, Jason talked about the uh-oh moment. Right? Where here we’ve developed this new quantum-safe crypto algorithm and then some math genius has an ah-ha moment and says oh I can break that and suddenly what we thought was going to be reliable isn’t. So, with a composite certificate you could actually utilize multiple keys and you do them both so that if they break one you are still - -

  • Tim Callan

    You encrypt it and then you encrypt it again?

  • Alan Grau

    Yep.

  • Tim Callan

    And then you decrypt it and then you decrypt it?

  • Alan Grau

    Right.

  • Tim Callan

    Yeah. Sure. If you have a world’s-gonna-end kind of use case then maybe somebody does that.

  • Alan Grau

    Yeah. So, there’s all kind of fringe cases of course. But yeah, using a composite or hybrid cert that has multiple algorithms there is no reason that you couldn’t use multiple post-quantum algorithms in there. That’s certainly not the primary use case but as we move into the future it’s conceivable.

  • Tim Callan

    So, Alan, followers of the podcast or of Sectigo’s press releases will of course know that we released our Quantum-Safe Kit. So why don’t you just take a minute and tell us what’s in the Quantum-Safe Kit.

  • Alan Grau

    Yeah. So the Quantum-Safe Kit currently, you know, we’ve got other things we are planning to do with this in the future, but right now it’s really focused on just building out a self-contained private certificate chain using a hybrid certificate. So it’s got an RSA or ECC cert in there along with a certificate from one of the new quantum-safe algorithms, and so it just shows how those certificates can be generated, how they can be used, and we show how you can set up a TLS connection that’s using quantum-safe crypto using that. So it’s really just a very basic toolkit to allow people to get their toes wet in the quantum-safe world and start thinking about and understanding how those might be applied to their systems.

  • Tim Callan

    Got it. So, you get it. I download this and it has the hard work done for me. The tools I need to start standing up, and it’s private root TLS certs, right? In the first version?

  • Alan Grau

    Correct.

  • Tim Callan

    Yeah. And that’s another important point just for the listeners. The CA/Browser Forum has not yet dealt with the idea of a hybrid certificate so you cannot get a public root hybrid certificate today because you would be out of compliance with root programs and until that gets dealt with at that level that’s not a thing that let’s say we would be able to offer.

  • Alan Grau

    Yeah. No one would be able to offer really.

  • Tim Callan

    Right. They better not or it would be a very bad day for them. So great. Alan, Jason, did we miss anything important on the concept of hybrid certs?

  • Alan Grau

    I think we covered all the basics.

  • Tim Callan

    All right. Well, Alan, as always, thank you for joining us. We always love having you on.

  • Alan Grau

    Thanks, Tim.

  • Tim Callan

    Jason, always good to talk to you.

  • Jason Soroko

    Been great, Tim. Thank you.

  • Tim Callan

    Listeners, always good to be listened to. And I’m Tim Callan and this has been Root Causes.