Podcast Jul 13, 2022

Root Causes 233: CISA Recommendations for Post-Quantum Cryptography

In coordination with NIST's announcement of its new post-quantum cryptographic algorithm contest winners, the Cybersecurity and Infrastructure Security Agency released a bulletin listing six key actions for IT to commence now. We read out these six actions and put them in context.

  • Original Broadcast Date: July 13, 2022

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We recently discussed the announcement by NIST of the new winning algorithms if you will, for post-quantum, for quantum-safe cryptography and those were released on July 5, 2022 and the same day, surely not by coincidence, the Cybersecurity and Infrastructure Security Agency, the CISA, put out a bulletin and the headline of this bulletin – I’ll just read it – is, “Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats”. And they include a bunch of bullet points and they are pretty practical and we thought that it would be fun to just go down them and say what CISA had to say about this and see what we think those mean in the real world. Does that sound good?

    This bulletin is called Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats. Easily enough to find with a Google search and it’s not that long. It’s got just a couple of short paragraphs basically giving the background on the NIST contest and the new algorithms that are available and includes some links and then when you come out of that they’ve got this list of – it’s one, two, three, four, five, six – top level bullets with some bullets under some of them. So, again, not that complicated and you think they really tried to simple it down and skinny it down to their main takeaway. So, let’s cover what these are.

    So, number one. First bullet reads as follows. I’m gonna read the paragraph above it.

    “Although NIST will not publish the new post-quantum cryptographic standard for use by commercial products until 2024, CISA and NIST strongly recommend organizations start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which includes:” Bullet Number One: “Inventorying your organization’s systems for applications that use public-key cryptography.” So, Jay?

  • Jason Soroko

    I think I’m on record a few times on this podcast saying anytime you are thinking about cybersecurity from the ground up, you have to know what your crown jewels are, you’ve gotta know what your risks are, you’ve got to know systems you are dealing with. You essentially have to take inventory. You can tell that the industry has really started to agree on this idea. Whether it’s checkbox auditors in cybersecurity, whether it’s really grassroots folks in the white hat community, everybody agrees. This should always be the top bullet point and really glad that the CISA has done this.

    I’ll tell you what else this reflects, Tim. There was a podcast not that long ago – I forget the exact name of the podcast but we did talk about federal law that had been proposed which was going to talk about force the U.S. Federal Government to do a lot of things that are similar within the CISA guidelines here. So, I find it interesting that their first bullet point was almost identically written even to the CISA bullet point which is about what are your systems. What would those systems be? Tim, I would say from a public trust world that you well, where are your webservers. There’s one of the first things you need to go take inventory of.

  • Tim Callan

    For sure. In general, I mean there’s a lot to say about this and one is I think we’ve been talking for a long time, for years, about figure out what you have. Because if there’s something you don’t know about that becomes the vulnerability. If you upgrade everything you know about and there’s things you don’t know about then those are the vulnerable things. More generally, I think we could even extrapolate this to say this is one of the fundamental tenets of certificate agility. This is one of the fundamental tenets of having a zero trust. Like all of these basic things, if you don’t know where your cryptography is and what your cryptography is and if you don’t know where your PKI is and what your PKI is then you fundamentally cannot operate successfully with these other very basic ideas that a lot of people deem necessary to have a secure functioning high uptime digital environment. So, yes.

  • Jason Soroko

    Absolutely fundamental. You got it. And so, that could also be any time you have systems that are doing authentication that are using certificates. It might be, are you doing DevOps? Do you have a Kubernetes cluster? You are probably doing PKI down there somewhere. The list may be longer than you think is where I’ll leave you with that first bullet point, Tim.

  • Tim Callan

    And don’t be doing PKI and not know it. We also have used words in lots of other podcasts like rogue certificates and rogue CAs and those are real things that really happen. Don’t be doing PKI and not know it. That is a recipe for disaster.

    Ok. Bullet Number Two: “Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.” So, again, there’s a lot there. A lot to unpack. So feel free to start, Jay.

  • Jason Soroko

    I actually agree with both those halves of the idea. And, in fact, I agree with them so much that an organization I belong to we actually have been talking on this podcast, Tim, about getting your hands dirty and getting your hands dirty now. I think this CISA statement here, testing the new post-quantum cryptographic standards in a lab environment is something that we have been talking about for a while. There are toolkits out there that will allow you to experience not just post-quantum algorithms, cryptographic algorithms, but also new certificate types. Hybrid certificates and the things that will go around it. What does a CA look like in a post-quantum world? What do the certificates look like? How do they operate? What’s the latency? These are all things that I think that are very important and I will tell you, Tim, here is something that’s not in this bullet point because they tried to keep it short but I will add it. I think that for the signature standards that we are gonna be waiting for. We don’t just have Dilithium; we have a couple others as well and you all – all you practitioners of PKI, need to become very opinionated. Well, which one is right for me? Obviously, Dilithium is the one that’s at the top of the list and is suggested by NIST and there’s a couple of others. You should become very aware. You should be able to repeat right off the top of your list, well, I chose X because it’s better for my specific use case for these reasons. I think that that second bullet point, Tim, is what’s gonna allow you to start getting there and start getting opinionated, start understanding all those question marks that you should be devising right now as part of your inventory.

  • Tim Callan

    You talked about hybrid certificates. We actually do offer hybrid certificate toolkit. It’s free. It’s on our Quantum Labs site, which is sectigo.com/quantum-labs and you can just go there and download it. We recommend you do that. It’s not the only way to do it but it’s there and it’s available to you. And then the second half of this exactly, is you are not really gonna be able to go too early on these things or it’s gonna be phenomenally difficult. So, first of all, in the public certs world you are not gonna be able to use these algorithms until they make their way through the standards process. Pure and simple. They are not standardized on today. You cannot legally issue a public cert using these algorithms. If you did, you would have to revoke it. On the other half of it though, even inside of your own private CA, you are not gonna have the software support you need. Like you won’t actually be able to use that in a production environment so you can throw it in your sandbox, you can see what you are doing but if I start trying to use a public CA or private CA using these new primitives, my systems aren’t going to be able to talk to it because they are not built to use those. To some degree, we don’t have a choice. We have to wait. The next step now is that vendors – software providers, OS providers, hardware providers, services providers, have to get geared up to support these primitives and until that happens that end enterprise can’t really use these in production.

  • Jason Soroko

    That’s exactly right. It might be tempting even to start signing documents with Dilithium-based cryptographic algorithms. There might even be a temptation because why not. It’ll protect that document just that much more in the short term but just keep in mind that what is the correct bit length for it? What is going to be the certificate standard or the certificate profile as defined? The parameterization? Just having the name Dilithium chosen - There’s a reason why there’s gonna be almost two years’ worth of work left, Tim. Therefore, no. Get your hands dirty. With this stuff, we at least have the names. We know what it’s going to be like but there’s still a lot of standards work left to do.

  • Tim Callan

    Which still is alarmingly far away. But ok. I know it has to be that way.

    Bullet number three:

    “Creating a plan for transitioning your organization’s systems to the new cryptographic standard that includes:

    1. Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition;
    2. Decommissioning old technology that will become unsupported upon publication of the new standard; and
    3. Ensuring validation and testing of products that incorporate the new standard.”

    So this stuff, again, there’s a lot here and a lot of this we’ve already discussed. So, you need a plan for transitioning (1) perform an independence analysis; (2) decommission old technology and (3) ensure validation and testing of products with the new standard. So, Jay, take it away.

  • Jason Soroko

    When you are taking your inventory, I think what is important here in bullet point three is take inventory of your use cases as well because I think that that will be your clearest boundary delineations between system types. In other words, your publicly-trusted certificate usage is probably going to involve webservers, it’s going to involve things such as load balancers and there’s going to be a set of interdependent related technologies and every single one of your use cases will likely have this. Well, what would be affected if you had to have your Kubernetes cluster down for a while and by the way, what systems are consuming the certificates that come off of the CA that’s related to that cluster? That DevOps use case might have some interdependence with your public trust use case but in reality, you can think about them separately. So, I personally would delineate out each of the use cases. That at least is the correct categorization in my mind.

    The second part about decommissioning old technologies, it makes sense. There’s going to be systems that just will never be able to be upgraded. Or never be able to consume the new types of certificates and I think before you do the decommissioning the careful choice of which systems are just going to be too risky to you – and that’s the big part of the equation – how much risk is associated with this old system? If the answer comes back too much risk then you really need to decide alright, can this thing, can this older system be decommissioned. I think the hope here is that hybrid certificates will avoid the need for a lot of decommissioning in older systems. However, where I can see this happening the most, Tim, would be in operational technology, IoT, places where certificates are put into very constrained places, constrained networks, because the certificates that we are going to be using - even if they are hybrid - they are gonna be bigger. For those of you who are running systems that can barely run a certificate as it is, well then that’s where maybe we need to look but I think hybrid certificates will be the hope for reducing the amount of need for decommissioning.

  • Tim Callan

    I’m just thinking about this. Like you are talking about these constrained environments. It may be that in some cases there is a choice, just a pragmatic choice you can’t afford, which is avoid, which is make the technical investment to make these systems less constrained or have quantum vulnerable encryption and like telling ourselves, oh we can’t doesn’t prevent this from being quantum vulnerable encryption. It still is. People may have some hard choices they have to make here and for some people if quantum vulnerable encryption is simply not acceptable you might be stuck and you might have to make the technical investment to release some of those constraints.

  • Jason Soroko

    Whenever we’ve seen systems that were built in a previous era, they were hard built a certain way, very difficult to update them or impossible to update them. Then you and I have used a zero trust concept, which actually comes from a much older idea of enclaving. In other words, network separation. Network isolation. A lot of systems like that can sometimes still live and do their job but they can sit behind a gateway and you can force authentication through a modern system that can handle quantum-safe cryptographic algorithms. Obviously, I’m speaking in extremely generic terms but for those of you in the OT world you know exactly what I’m talking about but that idea also applies to say older enterprise systems. You might have a server rack with an old HR software or old finance software but how do you authenticate to it. Well, you might want to put that on its own network. There are modern ways to separate networks and to force authentication in a safer way. So sometimes with modern technology and a bit of creativity, you can salvage some of these systems but it’s up to you to ask whether it’s worth it.

  • Tim Callan

    I think right to all of that. Next bullet:

    Creating acquisition policies regarding post-quantum cryptography. This process should include:

    1. Setting new service levels for the transition.
    2. Surveying vendors to determine possible integration into your organization’s roadmap and to identify needed foundational technologies.

    This is to say, it’s not just gonna be you. It’s mostly not gonna be you. It’s gonna be solutions from other people that have to support this and have to make these upgrades and when are they and what are your expectations for how and when that happens and are these solutions and the vendors you have still gonna be the right ones or does that need to be reconsidered?

  • Jason Soroko

    I think that procurement is always an important feature and function and you can imagine that if the Federal Government of which I think a lot of this was copied and pasted from frankly, but it’s a good thing. For the Federal Government, the biggest way that they could control things is through their procurement and so therefore this bullet point is true for everyone in the sense that when you are looking at, where do I get my publicly trusted certs and my certificate lifecycle management software? How am I setting up my CAs for all these use cases that I have in my inventory? Check out that inventory list, check out the vendors and then every single one of those vendors you need to start asking how are you helping me to start integrating and how are you fitting into my greater plan and also, I expect a latency of X. My software needs to work a certain way. My DevOps platform cannot afford to have an extra millisecond of latency here and there so how are you gonna help me. Those are big, big questions to ask. They could have added a third bullet point here but they didn’t want to give too much credit to the vendor industry. Here, the hidden bullet point that I really want to say is, look, go back to bullet point two where our suggestion really truly was come talk to us. That bullet point three of this fourth set of bullet points here is, you really need to work hand in hand with your vendor community.

  • Tim Callan

    Absolutely. Let’s not put too fine a point on this. For almost all of the enterprises in the world – there may be some exceptions – but for almost all of the enterprises in the world, the vast lion’s share of this post-quantum crypto implementation is going to be done by vendors of yours. Hardware, software and service providers are going to deliver products to you that are going to do this work and for you as the enterprise, very little of this is going to be you implementing a cryptographic standard and most of this is going to be you implementing solutions that have implemented this cryptographic standard and integrating them intelligently and correctly and on certain schedules. That’s what this is really going to be so ignoring the vendors is ignoring the whole task. Again for almost everybody in the world the vendors will be almost all of the task unless you yourself are a software developer. Short of that most of the task is gonna be getting it from your providers.

  • Jason Soroko

    Going all the way back to bullet point one, your biggest task is taking that inventory and the way that I tried to frame it was especially categorizing by use case, you can take that directly to your vendor and start working through all of this.

  • Tim Callan

    Alright. Your fifth top level bullet – one more after this one. Your fifth top level bullet:

    “Alerting your organization’s IT departments and vendors about the upcoming transition.”

    Fair enough. You and I have spent the last three years trying to tell people, this is coming. Get prepared. I still believe that your average sysadmin either hasn’t heard of this at all or is not thinking about it in any meaningful way.

  • Jason Soroko

    Let me give you an example of how you are dead right, Tim, and it’s still a little scary. When you hear NIST say, it’s gonna take us until 2024 to come up with the standard, there are going to be IT admins who will dust off their hands and go, well, not my problem for two years and it’s like, no, no, no. If anybody in your organization has that opinion, then they are missing a point. That’s fair because they are busy. They are doing a job. They are keeping the lights on. I don’t blame them for being consumed with their own tasks and also dismissing tasks that aren’t where the asterisk says two years from now. I think that what this bullet point is – I like that word alerting. That’s a good word because we are now at the point with the call to standardization to say you have now just enough time to take that inventory and understand how it’s going to affect you and bullet point number two of what we are talking about here – getting your hands dirty with it and understanding what your world is gonna look like in two years. It’s gonna take you that much time to figure it out anyway so you’ve gotta start now.

  • Tim Callan

    And let’s use this, it’s alarmingly long. We wish all of this was done now because we’d like to be protecting our blobs now but since it isn’t, let’s at least use that time well.

    Last bullet. And this kind of builds on the bullet we just discussed.

    “Educating your organization’s workforce about the upcoming transition and providing any applicable training.”

  • Jason Soroko

    I would say here’s where, I tend to repeat myself sometimes in these podcasts just because the ideas keep coming up. Where the rubber really hits the road on this one and this is the call to the homework assignment really for this bullet point. As part of your inventory figure out who is who and you might have people who are on your payroll that specially deal with say your ACME implementation to go get your publicly-trusted certificates.

    Your Linux administrator that works at a couple levels below your main IT person will have an interesting relationship to all of this because they are going to need training on how to interact with these new systems. It’s not just about taking inventory here at this point, it’s also once you’ve done the lab experiments, once you’ve actually figured out, alright, here is what my world is going to be, you need to now inform everybody whose life is going to change because, believe me, you and I both can tell you, a lot of these systems in and around publicly-trusted certificates, private world certificates authentication, authorization, these systems have been around an awfully long time and so people’s habits and job course of the day is so entrenched that as part of your inventory – again, I gotta go back to that bullet point one that is so important – you also need to be taking inventory of whose job touches these systems and what needs to be changed and so all the different transitioning bullet points we were just talking about, after getting your hands dirty, after talking to your vendors, after looking at what it’s going to become, alright, well, part of filling up the blanks in the inventory is about, alright, what’s the new job coming up?

  • Tim Callan

    Right and whose task is it and what are those tasks and how are they delivered. Like let’s make this real brass tacks-y. Let’s say I’m not even gonna change vendors and platforms, it’s just that the software I have is going to require an upgrade. It’s gonna require a patch. Ok. Well then we need to know everything that’s gonna require a patch. We need to know who is implementing the patch, when we expect the patch and was the patch patched. That’s what they are saying and it’s gonna be a big project and there’s a bunch of people that are gonna have tasks on that and we at the end of day need to go through the list and say, ok, they are all delivered. Especially, if we are trying to use hybrid certs to manage a transition because the thing about hybrid certs is if the strong crypto isn’t available, we fall back to the weak crypto. Well, man, if we think strong crypto is available and it’s not then what are we doing? We are falling back to the weak crypto. So, under those circumstances, you need to know that the patches got patched.

  • Jason Soroko

    Always, always, and always, Tim. I think we’re at the end of our bullet points, but I gotta tell you. If you want to really – I don’t know, maybe I’m going to try to oversimplify this. Taking inventory is job one of everyone who is listening. That’s just “period.” Everything else comes down to, talk to your vendors. Let us help you out, and then you can recommunicate that back into your folks. That’s it.

  • Tim Callan

    Believe your vendors are all going to be dealing with this in a big way. This is going to be a big important thing for them as those primitives become standardized on. They’re all going to have projects and things. They’re all going to have trainings, and they’re all going to know about this, and they’re all going to be able to – and they’re going to have to help you.

  • Jason Soroko

    Don’t wait. Start now. It’s going to take time.

  • Tim Callan

    Alright. I love it, Jay. Thank you so much. So again, this is CISA, the Cybersecurity and Infrastructure Security Agency’s bulletin from July 5. The title is “Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats.” With that, you can find the bullet list for yourself, and I encourage you to give it a read. Thank you very much, Jay.