The Troubles With PKI: What Every Business Needs to Know
Author: Patrick Shore, Program Manager, QuSecure
Is Public Key Infrastructure (PKI) broken? PKI is subject to many typical vulnerabilities and implementation mistakes; however, the most significant design flaw becomes apparent when examining the security of Certificate Authorities (CA). PKI relies heavily on CA for secure transactions, but in recent years, CA has been breached, and false CAs have been used to attack visitors and monitor transactions on hundreds of websites. Hundreds of trusted CA on our browsers allow secure access to every webpage. This means that if just one CA is compromised and a hacker can access the private key, the hacker could produce false certificates for thousands of websites. This “weakest link” fundamental design flaw is the Achilles heel of PKI, where a single point of failure risks compromising the whole system. Moreover, reliance on third-party CA’s reduces the speed with which the communications process occurs.
The fundamental security competence of PKI and CAs is encryption. Encryption algorithms generate public and private keys that make up the trusted components of CAs. With a classical computer, these encryption algorithms are complicated to break (given a large enough key size). However, cryptanalytically relevant quantum computers (CRQCs) will be able to break PKI encryption algorithms with ease, thereby exposing private keys and making CAs vulnerable to multiple vectors of attack and manipulation.
Enter post-quantum cryptography. Post-quantum encryption algorithms use complex mathematics for key exchanges in a process resilient to attacks from both classical and quantum computers. Through post-quantum encryption, we can ensure secure communication even in the face of a quantum computer attack. And with post-quantum cybersecurity measures, our networks and systems will remain protected against these advanced threats.
One post-quantum cryptographic option is the NIST Kyber algorithm. It was selected as a post-quantum candidate in 2016 and this year became the first post-quantum public key encryption algorithm selected to be standardized by NIST. Kyber offers high levels of efficiency, making it suitable for use in low-resource devices such as IoT. It also provides key encapsulation, meaning that the encryption key is embedded within the encrypted message, reducing the need for third-party validation.
As post-quantum cryptography becomes more widely adopted, it is essential to start preparing for the transition to post-quantum. NIST Kyber is just one option for post-quantum encryption, but it offers advantages for implementation in various devices and communication scenarios. Organizations in the public and private sectors need to begin preparing for the post-quantum transition by auditing their networks for PKI vulnerabilities and consulting post-quantum experts.
At QuSecure, we are dedicated to deploying post-quantum cryptography to offer a more secure and reliable solution for communication. Trust us with your post-quantum cybersecurity needs. The future of the digital world depends on it.