The journey to quantum protection
As discussed in Chapter 1, “Cryptography in the quantum computing era” on page 1, we are entering a new cryptographic era. The cryptographic landscape is changing, both in the kinds of cryptographic algorithms that are implemented across the enterprise today and in the ways they are used. For most organizations, it is a journey to quantum protection. IBM is leading the way, assisting businesses and organizations on this journey.
In this chapter, we discuss some of the lessons learned as IBM embarked on the quantum-safe journey and the guidance that was provided by other organizations, such as the National Cybersecurity Center of Excellence (NCCoE), Cloud Security Alliance (CSA), and the European Telecommunications Standards Institute (ETSI). Standards are still evolving in this space and the required changes likely need significant planning and preparation. Every standard that uses public key cryptography will be affected.
IBM learned a great deal during the process of implementing quantum-safe technology in the IBM Z platform. We share some of the details of that journey and steps that can be helpful to your journey in this chapter, which includes the following topics:
2.1 Quantum-safe cryptographic experiences
IBM Z began its own quantum-safe journey and with any new technology comes new challenges. We found it necessary to survey our system landscape and at the same time use knowledge and insights from our IBM Quantum and IBM Zurich Research teams. We also engaged the broader ecosystem, including vendors, legal, and internal organizations that are outside of the IBM Z team with an interest in the subject.
The IBM Zurich Research team started several activities that were focused on developing practical cryptographic solutions that are resistant to the threats that are posed by quantum computers. With these trusted advisors, the IBM Z team has a tremendous opportunity for collaboration and co-creation of exceptional solutions.
In this section, we share IBM experiences and lessons learned (see Table 2-1) in pursuing a quantum-safe cryptographic implementation on IBM Z.
Table 2-1 IBM experiences and lessons learned
Educate the team
 – Educate the security teams and stakeholders
 – Follow standards for community and quantum computing
 – Learn about quantum-safe crypto options
 – Research migration best practices
 – Engage with Legal
Build a cryptographic inventory and create a roadmap
 – Build cryptographic inventory (reusable security asset) where crypto is used
 – Perform a quantum risk assessment–gap analysis
 – Evaluate vendor products
 – Develop plans for use of stronger cryptography
 – Understand open source effect
 – Use a bottom-up approach
 – Manage internal and external dependencies
Design and execute with cryptographic agility in mind
 – Make it simple to change the underlying crypto from one algorithm, method, or protocol to another
 – Remember crypto algorithms are considered secure until broken
 – Prepare for future changes
 – Develop new applications as flexible as possible to react to new developments
2.1.1 Educating the team
IBM Z developers and IBM Zurich researchers have a close relationship. Researchers serve as trusted advisers to developers. Before beginning the quantum-safe transition journey, several educational briefings were held about the topic of quantum-safe cryptography and the effects that quantum computing has on classical cryptography. These briefings served to educate IBM senior management and senior technical leadership in the IBM Z organization.
The leader’s buy-in was critical for allocating the needed resources to establish the IBM Z quantum-safe transition project. A leader for the project was selected, followed by the selection of the core team.
The security stakeholders in the overall organization were then educated on the topic. It was important that the key security stakeholders be educated as their time, effort, and expertise also was required.
The project goals were set forth with the intent of establishing an enterprise-wide effort and a strategy was needed. It was important to establish a diverse group of experts from the organization, including those people responsible for hardware, firmware, software, security architecture, and secure engineering.
The core team carefully followed the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process and the activities of institutional bodies with governance over standards and regulations that are related to public key cryptography and IBM Z interests.
The core team spent time learning about the new quantum-safe algorithms and the mitigation options for various use cases. The IBM Z team researched transition best practices.
The team discussed options carefully with the IBM Zurich Research team to ensure that the proposed actions were secure. They later engaged in more detailed design sessions and created and evaluated proposals on a case-by-case basis.
As the topic of quantum-safe cryptography was starting to be understood by the industry, we found it necessary to establish our own best practices with our research colleagues. The IBM Z team also worked closely with the IBM legal team and sought their guidance to ensure the methods and actions that were taken were in line with approved guidelines.
Consultation with Legal is a common and important practice when embarking on the use of new technology as a product manufacturer. IBM Z held kickoff sessions with the technical leaders so they had some insight into the next steps in the process.
2.1.2 Building a cryptographic inventory
The next critical stage was to create a cryptographic inventory. During this process, the goal was to discover the cryptography that was in use on the platform, which leads to the creation of a roadmap to address gaps.
The core IBM Z team worked with IBM Zurich Research to establish a questionnaire that was used to capture important information. The questionnaire was tailored for the IBM Z platform, including several areas, such as hardware, firmware, operating systems, virtualization, applications, solutions, and data elements.
Sessions were held with the component technical leaders to answer any questions they might have about the questionnaire, and how the questionnaire was to be completed. Each component leader worked with their team to complete the questionnaire and return it to the core team. The questionnaire covered nine key areas that were related to cryptography and cybersecurity in general (see Table 2-2 on page 18).
Table 2-2 Cryptographic inventory questionnaire
Area: Information collected
Identity
 – Name of component or application
 – Feature or function that uses crypto
 – Person responsible for component and contact information
Symmetric crypto
 – Algorithm
 – Function (encryption, decryption)
 – Symmetric key size
 – Length of time data needs to be kept secret
 – Sensitivity level of the data protected (H/M/L)
Asymmetric crypto
 – Algorithm
 – Function/protocol/method
 – Asymmetric key size
Hashing
 – Algorithm
 – Digest size
Crypto services
 – Crypto provider
 – Crypto provider product version
 – Vendor name
 – How is crypto provided? (HSM, software library)
 – How is the crypto implemented? (hardware, software)
 – How is crypto provider version kept current?
Interoperability
 – Do you control the full stack?
 – Do you work with a vendor or partner?
 – Is the partnership internal or external to the team or organization?
Policies/standards/regulations
 – Are there policies governing the selection and use of the cryptography? If so, which?
 – Are there standards or regulations governing use of the cryptography? If so, which?
 – Are there associated configuration files?
 – Can the component’s crypto “state” or status, configuration status, and so on, be queried or monitored?
 – Consider cyber resilience: Are there single points of failure or simple denial of service (DoS) choke points?
Key management
 – Where do the keys come from?
 – Where are the keys stored?
 – Is a key management system or key server used?
 – Is a key transport protocol used?
 – Are the derived or created keys used to wrap or protect other keys?
Preliminary assessment
 – Has a gap been identified? (Crypto being used must be updated, mitigation plan is needed?)
Each component leader was asked to gather this information and provide it for review by the IBM Z core team. Other information might need to be included in the questionnaire by your organization; however, Table 2-2 on page 18 is a good place to start.
The IBM Z core team reviewed the questionnaires and helped each component team develop preliminary plans for the use of stronger cryptography for symmetric crypto and hashing or quantum-safe crypto schemes for asymmetric crypto. IBM Z looked at areas where crypto was being used and looked for places where cryptographic protections might be added.
This iterative process led to fruitful discussions. Design review sessions were held, and research provided guidance and feedback about the plans and strategies that were developed. Because the cryptographic inventory is a living document, the inventory documentation must be updated as changes are made.
2.1.3 Creating a roadmap
After the IBM Z core team understood the affected areas, it was necessary to prioritize the changes. We developed a multi-phase roadmap with the goal to update protections of the most important areas first.
The IBM Z team also considered areas where the changes were simpler to make. Some items needed to be implemented on day one and some items were to be updated over time. Several factors influenced the decisions about where items land on the roadmap.
Evaluating dependencies was critical. The uncertainties, costs, and the value of the option to the system also needed to be considered. The core team had dependencies inside and outside IBM Z, which affected prioritization of changes.
Some of the dependencies included the following examples:
NIST PQC Standardization Process algorithm recommendations
Other standards and guidelines not yet updated; for example, IETF community, including:
 – TLS/SSL/SSH standards
 – PKI standards for certificates
 – network security
 – communication protocols
Availability of quantum-safe hardware products from vendors
Dependencies on IBM software and hardware solutions
Availability of crypto libraries and hardware that supports the quantum-safe algorithms
The IBM Z approach was to protect the system infrastructure (such as core boot paths and related firmware components) and key security components, such as the Crypto Express hardware security module (HSM) and Trusted Key Entry (TKE). At the same time, customers had to be provided with the capabilities to begin using and experimenting with the quantum-safe technology. The IBM Z team considered areas where we controlled the entire stack and dependencies were internal to our system. Implementation complexity might be a function of technology or unresolved dependencies.
After prioritizing the work based on the risks and dependencies, a multi-phase roadmap was created. Flexibility was maintained in the roadmap as discoveries during the plan execution phase were expected.
2.1.4 Designing and running with cryptographic agility in mind
The key to the designs was the need to include cryptographic agility. This became evident because of some uncertainties that were identified early in the process and the necessity to create designs that lend themselves to change with new crypto algorithms in the future.
During the execution phase, the IBM Z team used the following options that were based on the identified use cases:
Updated encryption by migrating to AES encryption by using 256-bit keys
Updated hashing algorithms to support SHA-256 or higher
Implemented dual digital signing schemes by using classical and quantum-safe algorithms
Implemented hybrid key exchange mechanisms by using classical and quantum-safe algorithms
At this stage of the quantum-safe journey, these options were the most reasonable for the use cases.
The IBM Z team identified all of the operating environments where algorithm support and secured quantum-safe libraries were needed. Vendors were contacted to understand their quantum-safe roadmaps and plans. Based on feedback from these vendors, the IBM Z roadmap was revised.
Discussions with the IBM Zurich Research team, the IBM Quantum team, the IBM Security® team, and the IBM Legal team continued as changes were implemented and next steps were documented.
IBM Z designs were created with agility in mind to be prepared for the transition when new standards guidance is provided and to support inevitable future changes to cryptographic algorithm requirements. The purpose also was to lay a foundation for which IBM Z can make the other areas of the system quantum-safe over time.
2.1.5 Quantum-safe journey in review
This high-level overview of the journey that was taken by IBM Z can be used to help start your quantum-safe journey. The IBM Z journey and the recommendations of other experts in the IT industry included the following takeaways:
Obtain senior level management buy-in
Educate your organization on quantum risks and quantum-safe cryptography
Create a quantum-safe crypto core team
Inventory current crypto in use
Control access to the inventory
Identify areas that are most vulnerable
Research cryptographic agility and quantum-safe cryptographic algorithms to determine which algorithms suit your use cases
Identify crypto API providers and crypto hardware to accelerate performance
Develop implementation validation and testing tools
Identify all communications protocols with quantum-vulnerable crypto algorithms
Identify automated crypto discovery tools
Update the processes and procedures of developers, implementers, and users
Develop a risk-based approach, considering security requirements, business operations, and mission impact
Identify a transition timeline and resources
Prepare to follow strategies to protect digital assets and systems
2.2 Starting the quantum protection journey
The journey consists of several stages. Each organization has different cryptography use cases and usage constraints. It is important that the collateral that is created by each team be reviewed to provide the best options and plans for your situation.
Although no one-size-fits-all solution exists, general steps and guidance can be beneficial. Consider your cryptographic use in three broad areas:
 – Infrastructure
 – Applications
 – Data protection
2.2.1 Following industry guidance
Several organizations formed task forces or working groups to discuss quantum-safe cryptography and offer their guidance. We recommend that you review the work being done by these groups. Experts in the field provide insights that can prove to be useful in your situation.
National Cybersecurity Center of Excellence (NCCoE)
NCCoE formed a Post-quantum cryptography (PQC) project. The project goal is the development of practices in the form of white papers, playbooks, and demonstrable implementations for organizations to ease the transition from the current set of public key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks.
For more information, see this NCCoE web page.
European Telecommunications Standards Institute (ETSI)
The ETSI Cyber Quantum Safe Cryptography (QSC) Working Group aims to assess and make recommendations for quantum-safe cryptographic primitives, protocols, and implementation considerations. These considerations are based on the state of academic cryptography research and quantum algorithm research, and industrial requirements for real-world deployment.
For more information, see this ETSI web page.
Cloud Security Alliance (CSA)
CSA formed a quantum-safe security working group. The goal of this working group is to support the quantum-safe cryptography community in the development and deployment of a framework to protect data that is in movement or at rest.
For more information, see this CSA web page.
French National Cybersecurity Agency (ANSSI)
ANSSI is committed to ensuring that public administrations, public services, and businesses can take full advantage of a secure and trustworthy digitalization. The goal is to provide direction to industry players that develop security products and to outline the transition agenda for quantum-safe cryptography.
For more information, see this ANSSI web page.
2.2.2 Start now
The threat that quantum computers pose to our current cryptographic systems is well known. Even though large-scale quantum computers are not yet here, it is critical to take action well before their arrival. Organizations need to be planning now, for the upcoming transition to new quantum-resistant cryptographic algorithms. Failure to do so may mean that your information will not be protected from these future attacks.
- Dustin Moody, Mathematician, Post-Quantum Cryptography Project Leader, National Institute of Standards and Technology (NIST)
For the last several years, experts have been urging organizations to begin planning for the replacement of hardware, software, and services that use cryptography that is likely subject to attack by a quantum computer.
Based on history, it can take a long time to make changes in all the places where change is required. The initial inventory phases can show surprising findings. This part of the process is often referred to as crypto discovery. Not only do you find crypto that must be migrated, but you might also find areas where cryptographic protections are not in place or that cryptography is not correctly implemented and not suitable for the intended purpose.
You might discover that specific source code is no longer available or build tools are no longer available, which makes change difficult and time-consuming. It is advantageous to find automated tools that help with the inventory process.
The authors of code modules might be unknown or no longer work for the company. The new algorithms are not drop-in replacements. Key sizes, signature sizes, performance, and so on must be considered.
Any number of your IT professional staff might need to get involved in your quantum-safe journey (see Table 2-3 on page 23 for examples).
Table 2-3 Involvement of IT professionals for the quantum-safe cryptography journey
Stakeholder: Roles
IT security
 – Chief information security officer
 – Chief security architect
 – Key management personnel
 – IT security personnel
 – Mainframe security administrator
 – Enterprise security architect
Networking
 – Network administrator
 – Network architect
Auditors
 – Security auditor
 – Financial regulation office
 – Compliance officer/auditor
Applications
 – Application architect
 – Application programmer
 – Application owner
Management systems
 – System administrator
 – Hardware administrator
 – Storage administrator
External parties
 – Customers
 – ISV representative
 – Business partners
Another important reason to start the quantum-safe journey now is because you do not want to keep creating assets that are susceptible to quantum attacks. Use protection methods today so that today’s data is protected in the future. New technology takes time to develop, test, and deploy. To avoid costly mistakes and to ensure you have the technology to address your use cases, organizations must start now.
2.2.3 Building your inventory
Consider creating a data inventory and cryptographic inventory:
The data inventory must contain information about your critical data assets. It is a comprehensive catalog of the data assets in the enterprise.
Document important information about the data protection requirements and how long that protection must be in place. Also, record any standards or regulations that govern the protection of the data.
The cryptographic inventory must contain information about where and how cryptographic algorithms are used.
The cryptographic inventory provides you with the information you need to create your roadmap and plan. In specific cases, tools do not exist that automate the process of inventorying the crypto in use.
Using a questionnaire
A questionnaire can be a useful tool for gathering the information from the key stakeholders. The questionnaire helps stakeholders understand what they need to look for. The questionnaire can be used with the tools that are available to compile the baseline inventory. IBM Z provides tools that can help with crypto discovery. For more information, see “Establishing a cryptographic inventory” on page 58.
Maintaining and securing the inventory
Maintaining and securing the inventory is critical. Make sure you treat the inventory as the security-sensitive artifact that it is. Access to the contents must be controlled. Component owners can access their information but not the information of other components unless a need to know exists and collaboration among teams is needed.
Performing a gap analysis
By using the inventory, you can perform a gap analysis that leads to the creation of your roadmap. More than likely, you discover that you cannot change every area that is identified in your inventory. Therefore, you must prioritize.
Protect the most critical assets first and make changes so that you do not continue to use vulnerable cryptography where possible.
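The questionnaire fields from Table 2-2 can drive a first-pass gap analysis. The following Python sketch is an added example, not IBM tooling: it maps each inventory entry to the mitigation this chapter names for its kind of crypto and orders the gaps so that the most sensitive, longest-lived data comes first. The component names, the sample inventory, and the ordering rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families that a cryptographically relevant quantum computer breaks.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}
SENSITIVITY_RANK = {"H": 0, "M": 1, "L": 2}


@dataclass
class Entry:
    """One questionnaire row, reduced to the fields the assessment needs."""
    component: str
    function: str            # feature or function that uses crypto
    kind: str                # "symmetric", "asymmetric" or "hash"
    algorithm: str
    bits: int                # key size, or digest size for hashes
    purpose: str = ""        # asymmetric only: "signature" or "key-exchange"
    secrecy_years: int = 0   # how long the data must stay secret
    sensitivity: str = "L"   # H / M / L


def assess(e):
    """Return the mitigation for this entry, or None when no gap is found."""
    if e.kind == "symmetric" and e.bits < 256:
        return "migrate to 256-bit keys (for example AES-256)"
    if e.kind == "hash" and e.bits < 256:
        return "move to SHA-256 or higher"
    if e.kind == "asymmetric" and e.algorithm.upper() in QUANTUM_VULNERABLE:
        if e.purpose == "signature":
            return "dual signing: add a quantum-safe signature"
        if e.purpose == "key-exchange":
            return "hybrid key exchange: add a quantum-safe KEM"
        return "quantum-vulnerable: purpose not recorded, review manually"
    return None


def gap_report(inventory):
    """Entries with a gap, most sensitive and longest-lived secrets first."""
    gaps = [(e, assess(e)) for e in inventory]
    gaps = [(e, fix) for e, fix in gaps if fix]
    # The ordering rule is an assumption of this example.
    gaps.sort(key=lambda g: (SENSITIVITY_RANK.get(g[0].sensitivity, 3),
                             -g[0].secrecy_years))
    return gaps


# Constructed sample inventory; component names are hypothetical.
INVENTORY = [
    Entry("db-encryption", "tablespace encryption", "symmetric", "AES", 256,
          secrecy_years=10, sensitivity="H"),
    Entry("audit-log", "log integrity digest", "hash", "SHA-1", 160,
          sensitivity="M"),
    Entry("boot-loader", "firmware signature check", "asymmetric", "RSA", 4096,
          purpose="signature", sensitivity="H"),
    Entry("web-gateway", "TLS key agreement", "asymmetric", "ECDH", 256,
          purpose="key-exchange", secrecy_years=10, sensitivity="M"),
    Entry("archive-svc", "backup encryption", "symmetric", "AES", 128,
          secrecy_years=25, sensitivity="H"),
]

if __name__ == "__main__":
    for entry, fix in gap_report(INVENTORY):
        print(f"{entry.sensitivity} {entry.component:<14} "
              f"{entry.algorithm}-{entry.bits}: {fix}")
```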
Determining dependencies
Dependencies can determine the location and timing of changes on your roadmap. You must have a mitigation strategy in place. This strategy includes knowing the mitigation options that are available to you and when to use those mitigations.
It is critical that your strategy include extensive testing. Solutions must be prototyped to understand usability and performance effects. Some of the mitigations involve the use of longer keys and artifacts, which requires more space and resources. It is critical that you review your threat models with your secure engineering team to ensure you did not inadvertently introduce a vulnerability.
2.2.4 Knowing your options
After you understand where crypto is being used, it is critical to know your mitigation options. A transition strategy is needed that is based on industry guidance and the use cases that your organization must address. It is important to perform a risk assessment to inform your decisions about your transition roadmap.
The primary options include the following examples:
Strengthening symmetric and hashing algorithms by increasing key sizes for strong algorithms, such as AES, to at least 256 bits and hashing digest sizes to at least SHA-256, depending on your use case.
Implement dual signing. A dual signature consists of at least two signatures on a common message. According to guidance provided by NIST, one signature is generated with a NIST-approved signature scheme as specified in FIPS 196, while the other signatures can be generated by using a different signature algorithm.
For quantum-safe, the second signature is a quantum-safe signature (CRYSTALS-Dilithium is used for IBM z16). The signatures must be parsed and verified separately; if either fails, the signature for the object fails.
Implement hybrid key establishment schemes. A hybrid scheme combines two or more components that are themselves cryptographic key-establishment schemes.
According to guidance from NIST, the scheme is considered secure if at least one of the component schemes remains secure. Therefore, one of the components of the hybrid scheme must be NIST-approved; for example, a discrete-logarithm based scheme from NIST SP 800-56A or an integer-factorization scheme from SP 800-56B, and the other component is a post-quantum cryptography scheme.
NIST SP 800-56C describes a hybrid key establishment construction. The specification allows the key derivation method to take a shared secret¹ “Z” concatenated with a value that is protected by a quantum-safe key encapsulation mechanism (KEM).
Each specific use case must be evaluated to determine whether the implementation costs, performance reduction, and solution complexity can be contained. The hybrid and dual schemes require a security review to ensure that security-related implementation errors are not introduced.
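The hybrid construction described above can be shown with the SP 800-56C one-step key derivation function. This Python block is an added example, not code from IBM or NIST: the classical shared secret Z and the KEM-protected value T are constructed byte strings that stand in for real ECDH and KEM outputs, and the 32-byte lengths and the FixedInfo string are assumptions.

```python
import hashlib

# Assumed fixed lengths: fixing them per scheme keeps Z || T unambiguous.
Z_LEN = 32   # classical shared secret, e.g. a P-256 ECDH x-coordinate
T_LEN = 32   # shared secret delivered by the quantum-safe KEM


def one_step_kdf(z, fixed_info, length, hash_name="sha256"):
    """SP 800-56C one-step KDF with a hash as the auxiliary function:
    output = H(counter || Z || FixedInfo) for counter = 1, 2, ...,
    where counter is a 32-bit big-endian integer."""
    if length <= 0:
        raise ValueError("length must be positive")
    out = b""
    counter = 1
    while len(out) < length:
        block = counter.to_bytes(4, "big") + z + fixed_info
        out += hashlib.new(hash_name, block).digest()
        counter += 1
    return out[:length]


def hybrid_key(z, t, fixed_info, length=32):
    """Derive keying material from the hybrid shared secret Z' = Z || T.

    The result stays secret as long as either Z or T stays secret.
    """
    if len(z) != Z_LEN or len(t) != T_LEN:
        # A truncated or missing component would silently weaken the key.
        raise ValueError("unexpected shared-secret length")
    return one_step_kdf(z + t, fixed_info, length)


# Constructed stand-ins for the two shared secrets (not real key material).
Z = bytes(range(32))
T = bytes(range(32, 64))
INFO = b"example-session|initiator|responder"   # hypothetical FixedInfo

if __name__ == "__main__":
    print(hybrid_key(Z, T, INFO).hex())
```

Both parties run the same derivation after each has obtained Z and T, so a change in either component produces a different session key.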
For more information about common cryptography use cases with challenges a cryptographically relevant quantum computer (CRQC) can present and the quantum-safe solutions that are provided by IBM Z, see Chapter 3, “Using quantum-safe cryptography” on page 27.
2.2.5 Incorporate cryptographic agility
It has probably become clear that piece by piece, enterprises must change the underlying cryptography that they use. However, this instance is not the last time such a change is required. This necessary change is an opportunity to rethink how applications use complex cryptography such that future changes, updates, and patches are much simpler to apply.
Cryptographic agility is the key for cybersecurity.
When we think of cryptographic agility, we must broaden our view of its scope beyond cryptographic migration, where the focus is only on swapping from one crypto algorithm or standard to another, because of the complexity of the problem. We must think about how we transition to architectures that offer agility for ongoing cryptographic migrations over time.
We know that cryptographic algorithms break or become obsolete. Think of the dimensions of cryptographic agility as areas where we can focus on agility. The topic of agility is relevant throughout the lifecycle of crypto from its definition and introduction into standards through its retirement as being obsolete or no longer secure.
The early phases of a cryptographic algorithm's lifecycle are handled by experts in the field in academia and industry. Table 2-4 lists the cryptographic agilities that are most important to our discussion.
Table 2-4 Cryptographic agilities
Agility: Definition
Algorithm: Ability to select algorithms in real time based on their combined security functions or organizational policy
Protocol: Ability to move to new versions of a protocol, such as 1.1 to 1.2 to 1.3, for TLS
Implementation: Ability to add crypto features or algorithms to hardware or software, which results in new, stronger security features
Platform: Ability to adapt to platform-specific constraints or support for cryptographic operations
Retirement: Ability to retire crypto systems that became vulnerable or obsolete
Cryptographic agility is an active area of research. Guidance that we see coming out of research areas already recommends no longer hardcoding crypto specifics in applications. Instead, the use of a higher-level abstraction layer allows for passing in those specifics so that they can be changed when needed without changing the application when possible.
From a broader standpoint, cryptographic agility is about an information security system’s ability to rapidly switch to alternative cryptographic primitives and algorithms without making significant changes to the system’s infrastructure.
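The abstraction-layer guidance and the algorithm and retirement agilities in Table 2-4 can be illustrated with a small integrity-tagging layer. This Python block is an added example, not IBM code: the policy format, the tag layout, and the status strings are assumptions. The algorithm is named in policy data and recorded in every tag, so moving to a new algorithm or retiring an old one changes the policy and not the application.

```python
import hashlib
import hmac


class AgilePolicy:
    """Integrity tagging where the algorithm comes from policy data, not code."""

    def __init__(self, cfg):
        self.current = cfg["current"]
        self.accepted = set(cfg.get("accepted", ())) | {self.current}
        self.retired = set(cfg.get("retired", ()))
        unknown = (self.accepted | self.retired) - hashlib.algorithms_available
        if unknown:
            raise ValueError(f"unsupported algorithm(s): {sorted(unknown)}")
        if self.accepted & self.retired:
            raise ValueError("an algorithm cannot be both accepted and retired")

    def protect(self, key, data):
        """Tag data with the current algorithm; the tag names its algorithm."""
        mac = hmac.new(key, data, self.current).hexdigest()
        return f"{self.current}${mac}"

    def verify(self, key, data, tag):
        """Check a tag against policy and return a status string."""
        alg, sep, hexmac = tag.partition("$")
        if not sep:
            return "rejected-malformed"
        if alg in self.retired:
            return "rejected-retired"
        if alg not in self.accepted:
            return "rejected-unknown"
        try:
            presented = bytes.fromhex(hexmac)
        except ValueError:
            return "rejected-malformed"
        expected = hmac.new(key, data, alg).digest()
        if not hmac.compare_digest(expected, presented):
            return "rejected-mismatch"
        # Valid, but made with an older algorithm: the caller should re-protect.
        return "valid" if alg == self.current else "valid-reprotect"


# Three constructed policy stages, as they might be read from a config file.
STAGE_1 = {"current": "sha256"}
STAGE_2 = {"current": "sha512", "accepted": ["sha256"]}   # migration window
STAGE_3 = {"current": "sha512", "retired": ["sha256"]}    # old algorithm retired

KEY = b"k" * 32                 # constructed sample key
DATA = b"firmware image v1"     # constructed sample data


def lifecycle():
    """Verify one stage-1 tag under each policy stage; no code changes needed."""
    tag = AgilePolicy(STAGE_1).protect(KEY, DATA)
    return [AgilePolicy(p).verify(KEY, DATA, tag)
            for p in (STAGE_1, STAGE_2, STAGE_3)]


if __name__ == "__main__":
    print(lifecycle())
```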
When considering your cryptographic strategy in light of quantum-safe transition, spend some time studying this topic and explore how to best improve your cryptographic agility.
For more information and an example, see “Considering cryptographic agility” on page 61.
 

1 Known only to the entities involved in a communication. Possession of that shared secret can be provided as proof of identity for authentication.