Post-Quantum Cryptography: Lessons Learned from SHA-1 Deprecation

What SHA-1 history can teach us?

Can the cybersecurity industry learn anything from the problems encountered with the move from the deprecated SHA-1 to the stronger and safer SHA-2 hashing algorithm?

Since 2005, SHA-1 has been regarded as unsafe against well-funded adversaries.  SHA-1 was officially deprecated by NIST in 2011 and its usage for digital signatures was prohibited in 2013. Since 2020, chosen-prefix attacks against SHA-1 are feasible. As a result, it was recommended to immediately eliminate SHA-1 from all products and replace it with SHA-2 or SHA-3. It is especially urgent to replace SHA-1 wherever it is used for digital signatures.

Despite all the emphasis around the shift from SHA-1 to SHA-2, 35% of websites were still utilizing SHA-1 certificates as of November 2016, according to research from Venafi in 2017.

“The results of our analysis clearly show that, while the most popular websites have done a good job of migrating away from SHA-1 certificates, a significant portion of the Internet continues to rely on them,” said Walter Goulet, a cloud solutions product manager at Venafi, in 2017.

Sponsorships Available

Sponsorships Available

The transition away from SHA-1 installments was very slow, although all tech vendors had issued concrete steps on how to mitigate to the SHA-2 family of hashing algorithms. For businesses still using the broken SHA-1, they were facing serious risks, including:

• Increased possibility of a collision or man-in-the-middle attack
• The presence of wildcard SSL certificates
• Website being restricted by common web browsers.
• Loss of revenue from customers who could not access a business website.
• Damaged brand reputation and loss of future business.

The same issues, or even worse, will be faced in the near future if businesses, organizations and agencies fail to be proactive in establishing concise and comprehensive policies and practices for migrating to a post-quantum encryption regime.

Challenges toward post-quantum cryptography: confidentiality and authentication

The threat to confidentiality is obvious: quantum computers will be able to decrypt not only currently-transmitted data but also data that has already been recorded and stored. The threat model for authentication is a little more complicated: a quantum computer could be used to stage a man-in-the-middle attack, for instance, and to modify aspects of the past message, like the sender’s identity, retroactively. Both threat models should be considered because they present issues for current traffic and any traffic delivered in the future.

Updates to the complicated encryption system create both technical and managerial hurdles, according to Cloudflare’s blog:

• Technically speaking, can we use the post-quantum signatures in our handshakes despite their greater sizes and longer computation times?
• How are we going to organize the migration of this intricate system, from a management perspective? Is there going to be a ceremony to upgrade the algorithms? How will we respond if certain systems have updates while others have not? How can we cancel expired certificates?

Crypto-agility

To overcome these challenges, careful planning is required. NIST has developed a whitepaper which outlines the steps for migration to post-quantum cryptography.

The best practice is being crypto-agile, and Venafi encourages our customers to do the same. There will be a fresh batch of algorithms to support preparation for Post Quantum Cryptography (PQC). The first step is to check your crypto inventory and general post-quantum readiness right away so that you can start preparing.

Prepare a quantum-safe architecture now. Start by examining all your crypto-dependent applications. Would the application still operate if you changed the algorithm? What must you do to make them function if they fail? Make sure to do this for each application inside your company that relies on cryptography.

Learn from the mistakes of the past to create a strategy that will ensure business continuity. Your organization will migrate to data protection in a quantum-safe environment more easily if you start early.

—-

NOTES:

*The four algorithms selected by NIST are:  (1) The CRYSTALS-Kyber algorithm has been selected in general encryption, (2) CRYSTALS-Dilithium, (3) FALCON, and (4) SPHINCS+ as the three algorithms for digital signatures. NIST suggests CRYSTALS-Dilithium as the primary algorithm and FALCON for applications requiring smaller signatures than Dilithium offers.

Related Posts

• 21% of Websites Still Use SHA-1. Don’t They Know It’s Broken?
• Venafi Research: 35 Percent of Websites Are Still Using Insecure SHA-1 Certificates and Putting Users at Risk
• SHA-1 Deprecation

Post-Quantum Encryption Algorithms Announced

The National Institute of Standards and Technology (NIST) has chosen the first collection of cryptographic protocols designed to withstand future quantum computers. The announcement follows a six-year project supervised by NIST, which in 2016 called on the world’s cryptographers to create and evaluate encryption algorithms that could withstand an attack from a future quantum computer.

The four chosen cipher algorithms* will be included in the NIST’s post-quantum cryptographic standard, which is expected to be finalized in around two years.

For NIST’s scientists, crypto agility was an important factor. Three of the chosen algorithms (CRYSTALS-Kyber, Crystals-Dilithium, and Falcon) are based on a class of mathematical problems known as structured lattices, whilst SPHINCS+ use hash functions. Dustin Moody, a mathematician and project lead at NIST, explains, “We wanted to ensure that we had a backup strategy in the event that someone discovers a breakthrough and an attack on lattices.”

“>