Tanja Lange, Technische Universiteit Eindhoven; Tony Cox, VP Partners, Alliances and Standards, Cryptsoft Pty Ltd.

The enterprise key management standards space has been incredibly dynamic over the last decade, as a group of over twenty vendors have worked together during the last eight years under OASIS to create a standard that represents the combined needs of a broad range of applications, devices and deployment scenarios. Across embedded systems, authentication tokens, mobile devices, desktops, servers, mainframes and virtualised platforms, we now have a mature key management standard that has been widely deployed.

However, the key management area is facing a dark cloud on the horizon in the form of quantum computers. The expectation is that large quantum computers will be built sometime after 2025. This may seem like a long way into the future, yet KMIP has to protect keys today that must remain secure (unbroken) for well over 30 years.

Quantum computers will effectively cut the security of existing symmetric algorithms, such as AES, in half. AES-128 will provide only 64 bits of security in a post-quantum world, and 64 bits of security is insecure even by today’s standards. This drives an immediate need to upgrade symmetric keys to AES-256, which will provide an acceptable security level of 128 bits. Currently used asymmetric algorithms such as RSA and ECC use keys which are expected to remain unbroken using current computer technology, but if quantum computers live up to their promises they will be able to break these systems in a matter of days, if not hours. RSA and ECC will need to be abandoned entirely and replaced with modern, well-analysed algorithms that will stand up to quantum computers.

Our talk covers the steps KMIP has already taken to gradually replace quantum-unsafe algorithms with PQC algorithms, starting with the most at-risk components of the key management infrastructure: those where data captured and stored today would allow a future attacker with a quantum computer to compromise the key management effort. The talk includes next steps that should be taken to secure key management when an active attacker with a future quantum computer can perform a real-time attack on key exchange. This includes steps already taken by NIST and the European Union to address the coming storm. We additionally suggest changes that other parts of the security ecosystem, such as the IETF TLS working group, will need to make in their components to ensure key management remains secure in a post-quantum world.

Quantum-Safe Crypto Track