Post-Quantum Preparedness

Written by Ascertia.

The world of cryptography is on the cusp of a significant change. Quantum computers, once thought of as mere science fiction, are rapidly becoming a reality.

While widespread availability of these powerful machines might not be imminent, their potential to break current cryptographic methods poses a serious threat to internet security, digital signatures, and secure code signing. Businesses that rely on these technologies for data protection need to start preparing for a post-quantum world.

This guide will equip you with the knowledge and steps necessary to ensure your business remains secure as the digital landscape continues to shift.

Why the urgency?

Current cryptographic algorithms like RSA and Elliptic Curve Cryptography (ECC) form the backbone of internet security. They are used to secure online transactions, protect sensitive data, and verify the authenticity of digital signatures.

However, quantum computers leverage the principles of quantum mechanics to perform calculations that are impossible for traditional computers. This capability makes them adept at breaking the encryption used in these widely deployed algorithms.

While large scale use of quantum computers might still be years away, the threat is real. Businesses that wait until these machines become readily available risk exposing themselves to a period of vulnerability. By taking proactive steps now, you can ensure a smooth transition to post-quantum cryptography (PQC) and safeguard your valuable data.

What you can do today

The first step towards post-quantum preparedness is gaining a clear understanding of your current cryptographic landscape. Here is how to get started:

• Cryptographic capability and certificate audit: Conduct a thorough audit of your IT systems to identify where cryptography is used. Ask yourself: “Where am I using encryption?” and “Do the suppliers of these systems have a plan for PQC compatibility?”
• Focus on key and certificate management: Identify systems that rely on keys and certificates for encryption and digital signatures. Determine if these systems can be upgraded to support PQC algorithms. Engage with your suppliers or internal developers to assess their PQC readiness.
• Document audit: Conduct a comprehensive document audit to locate all digitally signed documents within your organisation. Analyse the type of digital signatures used and identify documents requiring long-term preservation. Determine if the current signatures support archival and can be enhanced for extended validity.

Understanding digital signature levels (ETSI Standards)

The European Telecommunications Standards Institute (ETSI) defines four levels of digital signatures, facilitating interoperability and futureproofing:

• PAdES-B-B: These baseline signatures remain valid as long as the signing certificate is active (not revoked or expired).
• PAdES-B-T: This level incorporates a timestamp token from a trusted source, proving the document existed at a specific point in time.
• PAdES-B-LT: This level embeds all cryptographic materials required for signature validation – the signing certificate, certificate chain, timestamp server certificates, and revocation data. This allows for offline signature validation using the embedded information.
• PAdES-B-LTA: This level extends PAdES-B-LT by adding a cryptographic timestamp token from a trusted source directly to the document and validation material. This “document timestamp” proves the validation materials existed at the time of signing, ensuring future validity even if signing algorithms or certificates expire.

Preparing your digital signature for the post-quantum future

Here is how to leverage those ETSI standards and available solutions to secure your digital signature is a post-quantum world:

• Identify documents requiring long-term retention: During your document audit, prioritise documents needing long-term preservation.
• Extend signatures to PAdES-B-LTA: If possible, enhance the signature level of these documents to PAdES-B-LTA. This ensures future validation capability even with changes in cryptographic algorithms.
• Regularly refresh timestamps: Regularly refresh the timestamps on your PAdES-B-LTA signatures to maintain their validity.

Looking ahead: Quantum-safe timestamping

The future of cryptography hinges on developing quantum-resistant solutions. While specific vendors and products are still under development, the core functionalities you will need to secure your digital signatures in a post-quantum world are clear.

PQC key and certificate generation

A crucial step involves generating quantum-resistant keys and certificates for your trusted timestamp authority (TSA). These keys will be the foundation for creating secure timestamps that are immune to attacks from quantum computers.

The specific algorithms used for key generation will depend on the chosen PQC standard. Though, the overall process will ensure the continued validity of your timestamps even when traditional cryptographic methods become vulnerable.

Applying quantum-resistant timestamps

Once you have PQC keys and certificates in place, you can leverage them to apply quantum-resistant timestamps to all your PAdES-B-LTA documents.

This process adds an additional layer of security to your existing digital signatures. The PQC timestamps will act as a guarantee that the validation materials for your signatures were indeed valid at the time of signing. This remains even if the underlying cryptographic algorithms used in the original signature are compromised by quantum computers in the future.

This approach offers a two-fold benefit. Firstly, it preserves the existing digital signatures on your documents, eliminating the need for large-scale re-signing efforts. Secondly, it ensures the long-term validity of your signatures, protecting them from potential attacks – even as the cryptographic landscape evolves.

By implementing these functionalities, businesses can achieve a smooth transition to a post-quantum world and safeguard the integrity of their critical documents for years to come.

Preserving Non-ETSI signatures

White ETSI standards offer a robust framework for digital signatures, there may be instances where you encounter documents with non-ETSI compliant signatures. These documents, while still valid, might pose challenges in a post-quantum world. Here are some strategies to mitigate these risks:

PDF Portfolio Creation: A valuable tool for managing non-ETSI signatures. This versatile format allows you to combine various document types, including those with incompatible signatures, into a single, secure PDF file.

Consolidation and enhanced security: If you have a large number of documents with non-ETSI signatures, consider creating a dedicated PDF Portfolio. Here is a step-by-step approach:

• Gather and assemble: Collect all documents with non-ETSI signatures and add them to a single PDF Portfolio.
• Centralised signature: Apply a PAdES-B-LTA signature to the entire PDF Portfolio. This single signature acts as an umbrella, securing all the contained documents within the portfolio.
• Maintaining validity: To ensure the continued validity of the portfolio signature, regularly refresh the timestamps associated with the PAdES-B-LTA format.
• Quantum-resistant safeguards: As quantum-resistant solutions become commercially available, consider apply a quantum-resistant timestamp to the entire PDF Portfolio. This additional layer of security provides ultimate protection for the contained documents in the face of potential quantum attacks.

By adopting this strategy, you can effectively mitigate the risks associated with non-ETSI signatures and ensure the long-term security and accessibility of your critical documents.

Proactive steps for a secure future

The emergence of quantum computing necessitates a proactive approach to cybersecurity. By taking the steps outlined in this guide, you can ensure your business remains secure in the face of an evolving technological landscape.

By following these steps, you can achieve a smooth transition to post-quantum cryptography and safeguard your valuable data for years to come. Remember, even though the widespread threat of quantum computing might not be imminent, acting now demonstrates a commitment to long-term security and future-proofs your business for the exciting new era of quantum technologies.