Something that almost everybody seems to be talking about these days is “post quantum cryptography.” Everyone seems to relish having a good doomsday scenario to speculate on. And what many are wondering is what we will do when quantum computers become sufficiently powerful to attack the algorithms that we rely on for today’s machine identities.
Right now, we don’t know when that will happen, but it could be sooner than we think. So, that’s why there’s so much urgency for cryptographers who are busy researching new algorithms that are safe against quantum computers. At the same time, we need to be planning how we can migrate to those algorithms once they have been standardised and the need arises.
This isn’t a new problem.
Back in the day when HTTPS was starting to gain acceptance and SSL machine identities started becoming prevalent, most Certificate Authorities (CAs) issued certificates based on MD5 hashes. In 2004, MD5 was broken and the race was on to get rid of all MD5-based machine identities and replace them with new ones based on SHA-1.
SHA-1 served us well for a time, but even in 2005 it was known that it had vulnerabilities and the recommendation soon became not to issue or use certificates based on SHA-1. Indeed since 2017 web browsers have not accepted SHA-1 certificates. This left many organizations scrambling to locate and replace all of their SHA-1 certificates. In fact, there is evidence that some have still not completed that migration. (But that’s another story.)
2017 was also the year that yet another crypto event reared its ugly head. Just as most organizations were finishing their lengthy process of putting SHA-1 to bed, Google announced that it would no longer trust certificates issued by Symantec. So, for the third time we found ourselves with lots of machine identities that had to be revoked and replaced.
Of course, the important difference between these three events and “post quantum” is that with MD5, SHA-1 and Symantec, we already had new algorithms and new CAs that we could use. By contrast, we don’t yet have practical quantum-safe algorithms, but progress is being made, and when those algorithms are ready for us, we need to be ready for them.
Unless you know where all of your machine identities are, and you have automation to manage them quickly and efficiently, a mass replacement of machine identities is a hard thing to do. But you shouldn’t despair just yet. With a robust, agile platform for machine identity protection, you’ll have the visibility, intelligence and automation you need to find and replace certificates across your organization.
Do you have what it takes to replace all of your machine identities tomorrow, if you needed to?
Find out how Crypto4A is pioneering the landscape to quantum readiness.