DHS and NIST release guidance for post-quantum cryptography

The U.S. Department of Homeland Security (DHS) and the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) have issued guidance on how to prepare for the risks posed by the evolution of quantum computers.

https://csrc.nist.gov/projects/post-quantum-cryptography

It is believed that it will be possible to build a quantum computer in the next decade or so, and the warning is that, in that case, most current cryptographic algorithms may become useless.

“A large-scale quantum computer would be able to break many of the public key cryptography schemes currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere,” commented NIST, which is leading the federal government’s effort to standardize one or more quantum-resistant public key cryptography algorithms.

The announced roadmap is aimed at making it easier for organizations to migrate to the new post-quantum cryptographic standards as they become available.

This roadmap outlines seven steps that focus on inventorying encrypted systems and prioritizing the data with the highest risk. They are as follows.

  1. The organization’s Chief Information Officer (CIO) should be directed to work more closely with standards bodies on the latest developments regarding required algorithms and changes to dependent protocols.
  2. Organizations should create an inventory of the most sensitive and critical data sets that need to be protected over time, as this information will aid in future analysis by identifying what data is currently at risk and what data can be decrypted when cryptographically relevant quantum computers become available.
  3. Organizations should create an inventory of all systems that use cryptography for any function to facilitate a smooth transition in the future.
  4. Cybersecurity personnel within the organization should identify acquisition, cybersecurity, and data security standards that will need to be updated to reflect post-quantum requirements.
  5. Organizations should identify where and for what purpose public key cryptography is being used and note those systems as quantum vulnerable.
  6. The decision to prioritize one system over another in a cryptographic transition should be based on an analysis of the organization’s capabilities, goals, and needs.
  7. Using the inventory and prioritization information, organizations should create a plan for system migration when new post-quantum cryptographic standards are released. Cybersecurity personnel should provide guidance for creating a migration plan.

In a released statement, he said, “Now is the time for organizations to assess and mitigate the associated risks and stay ahead of the curve by focusing on strategic and long-term goals while continuing to address pressing cyber challenges. This new roadmap will help us protect our critical infrastructure and increase the resilience of cybersecurity across the country.”
