The digital landscape, including the PKI market, is witnessing a period of increasingly rapid transformation, with Post-Quantum Computing emerging as a key, ongoing development.
As the National Institute of Standards and Technology (NIST) gets closer to announcing the algorithms that will replace RSA/ECC in SSL / TLS certificates, the cybersecurity industry is keen to learn what Public Key Infrastructure (PKI) and digital certificates will look like in the Post-Quantum world and, more importantly, how the change will impact organizations that rely on SSL / TLS certificates for their business security infrastructure.
So far, NIST has held four conferences on the standardization of Post-Quantum-Safe algorithms; it has announced that its next conference will be held in April 2024, and it is looking to standardize the first set of selected Post-Quantum-Safe algorithms later in the year. Learn more about the full NIST Post-Quantum timeline here.
However, this is only the first of many steps, and there are other obstacles to overcome before Post-Quantum-Safe certificates can be used:
- The RFC for X.509 must be updated to standardize the Object Identifiers (OIDs) of the new algorithms (the way the algorithms are referenced inside the certificate structure); this work is currently in progress
- Servers must be updated to be able to present these new certificates
- Clients (web browsers) must also be updated to use these new certificates
- For publicly trusted certificates, the Certificate Authority/Browser (CA/B) Forum must propose and agree on a ballot to accept these new algorithms
- Certificate Authorities (CAs) will need to be able to issue these new certificates, which in turn means the manufacturers of Hardware Security Modules (HSMs) will need to update their products to support them as well
- The HSM updates will also probably require updates to the RFCs that define the common interfaces used to interact with these modules, such as PKCS #11
- The compliance framework that regulates HSMs (FIPS 140) will also need to be updated to cover the new algorithms
While there are still many steps to take before these new certificates can coalesce with the PKI security structure that we have come to know and trust, it is still important to look forward and gain an understanding of what Post-Quantum-Safe certificates could look like.
Post-Quantum-Safe certificates are similar to today's Root and Intermediate Certificate Authority (ICA) certificates, as they follow the same structure. They have Key Usage extensions that restrict what the certificates can do, they carry Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) information to show where to check their status, and they can also carry Certification Practice Statement (CPS) references.
The key difference, however, is the key type: Post-Quantum-Safe certificates use larger keys, which is important to prevent them from being exploited. Both the Root and ICA certificate examples use Dilithium3.
NIST selected the Dilithium algorithms in 2022 for digital signatures, and they are a likely option for TLS X.509 certificates, although at GlobalSign we are aware that they will undergo a name change to reflect the finalization of FIPS 204: instead of Dilithium2/3/5, the algorithms will be known as ML-DSA-44/65/87.
Larger keys, as well as larger signatures, mean more data must be transferred during the SSL / TLS handshake. However, the Dilithium and ML-DSA algorithms are potentially not significantly more resource intensive to verify, so while this should not cause noticeable issues from a user's perspective, the same may not be true for smaller devices with less processing power that require SSL / TLS certificates, such as IoT devices.
Key Exchange algorithms must also be updated for the SSL / TLS handshake to be Post-Quantum-Safe, and will likely use Kyber (renamed ML-KEM under FIPS 203). Like Dilithium and ML-DSA, ML-KEM has larger keys and ciphertexts, but key generation could potentially still be quicker.
The new Post-Quantum-Safe certificates are also based wholly on the Dilithium/ML-DSA algorithms, so they are not ‘hybrid’ certificates. Hybrid certificates were conceived to be signed twice: once with a traditional key, such as an RSA or ECC key, and once with a Post-Quantum-Safe key. While hybrid certificates were thought to potentially make the transition to Post-Quantum-Safe certificates easier, the focus has since shifted towards ‘pure’ Post-Quantum-Safe certificates.
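As an added illustration (not GlobalSign's code or tooling), the following stdlib-only Python script walks the DER encoding of a certificate to read its outer signatureAlgorithm OID, reports whether that algorithm is RSA/ECC or ML-DSA, and returns the signature length, which is the kind of crypto-agility inventory check an organization can run over its certificate stores before the migration. The ML-DSA OIDs are the values from NIST's CSOR sigAlgs arc as I know them, and the sample inputs are constructed stubs rather than real certificates; both are assumptions, so check the OIDs against the finalized X.509 RFC update the list above mentions.

```python
ALGORITHMS = {"1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
              "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
              "2.16.840.1.101.3.4.3.17": ("ML-DSA-44", True),  # assumption: ML-DSA OIDs
              "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", True),  # as published in NIST's
              "2.16.840.1.101.3.4.3.19": ("ML-DSA-87", True)}  # CSOR sigAlgs arc

def _len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(buf, i):  # one tag-length-value at offset i -> (tag, content, next offset)
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def decode_oid(content):  # OBJECT IDENTIFIER content octets -> dotted string
    arcs, val = [], 0
    for b in content:  # 7 bits per octet, high bit set on all but the last of a sub-identifier
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    first = arcs[0]  # the first sub-identifier packs the first two arcs as 40 * arc1 + arc2
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def inspect_certificate(der):  # -> (algorithm name or raw OID, pq_safe, signature bytes)
    _, cert, _ = _tlv(der, 0)    # Certificate ::= SEQUENCE { tbs, sigAlg, signatureValue }
    _, _, i = _tlv(cert, 0)      # skip tbsCertificate
    _, algid, i = _tlv(cert, i)  # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, ... }
    _, sig, _ = _tlv(cert, i)    # BIT STRING; its first octet is the unused-bits count
    dotted = decode_oid(_tlv(algid, 0)[1])
    name, pq_safe = ALGORITHMS.get(dotted, (dotted, False))  # unknown OID: report, not safe
    return name, pq_safe, len(sig) - 1

def stub_certificate(algid_hex, sig_len):  # constructed sample, not a real certificate:
    body = (b"\x30\x00" + bytes.fromhex(algid_hex)  # empty tbsCertificate + given sigAlg
            + b"\x03" + _len(sig_len + 1) + b"\x00" + bytes(sig_len))  # + zero-filled sig
    return b"\x30" + _len(len(body)) + body

# Constructed inputs: DER AlgorithmIdentifier (hex) and a placeholder signature length,
# 3309 being roughly an ML-DSA-65 signature versus 72 for a DER-encoded P-256 ECDSA one
SAMPLES = {"ecdsa-leaf": ("300a06082a8648ce3d040302", 72),
           "ml-dsa-65-leaf": ("300b0609608648016503040312", 3309)}

def inventory(samples=SAMPLES):  # what a crypto-agility scan over a certificate store returns
    return {label: inspect_certificate(stub_certificate(h, n)) for label, (h, n) in samples.items()}
```

Pointing `inspect_certificate` at real DER files (the `.der`/`.cer` form of the certificates in a store) gives the same tuple for each one, so the quantum-vulnerable entries can be counted before any CA, server or client support is in place.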
Leaf and End Entity Certificates
End entity certificates are the most recognizable certificate type, as these are issued to companies, organizations and people to provide website security. A Certificate Signing Request (CSR) is submitted to the Certificate Authority (CA) by the client via the CA's web portal, an API, or the ACME protocol. Today these CSRs contain the RSA/ECC public key of a key pair. To request a Post-Quantum-Safe certificate, however, the CSR or ACME request will need to carry a Post-Quantum-Safe key type such as Dilithium2.
This means that the tools used to generate CSRs will need to be updated to support the new Post-Quantum-Safe algorithms, including ACME clients such as acme.sh, certbot and lego, web servers and toolkits such as IIS and OpenSSL, and other managed services.
A Post-Quantum-Safe CSR is very similar to a normal CSR: it contains the Subject DN, including the common name and any organization details, as well as the Subject Alternative Names (SANs), which list the resources the SSL / TLS certificate is intended to secure, such as domain names or IP addresses. Once again, the key difference is that the key type is Dilithium2/ML-DSA.
Once the Post-Quantum-Safe CSR is submitted to the CA, the CA will check the authenticity of the request and that the resources listed in the SANs are controlled by the client. Following these checks, the CA can then issue the certificate to the client.
So that the certificate can be used with the corresponding private key, it will still contain all of the details from the CSR, but it will now be issued from a Post-Quantum-Safe Dilithium hierarchy.
Certificate Status Checks
A PKI-based CA infrastructure provides two ways to check if a certificate has been revoked, namely the OCSP and the CRL, which work in slightly different ways.
As we are planning for the time when traditional key types are no longer secure, these methods for communicating whether certificates have been revoked will also need updating to cover Post-Quantum-Safe certificates. Otherwise, malicious parties could try to falsely prove that valid certificates have been revoked, or erase the revocation of certificates that should no longer be trusted.
A CRL is a file, published by a CA, containing a list of certificates that have been revoked. The list is signed with the issuing CA's key so that the client can trust it. Again, the signature on a Post-Quantum-Safe CRL is bigger than on current CRLs signed with RSA/ECC keys. However, this is unlikely to cause significant issues, as CRLs can already become quite large when the issuing CA has processed a large number of revocations.
OCSP does a very similar job to a CRL, except that it uses a request and response model. A CA hosts an OCSP service, and a client queries the service to check whether a single certificate is still valid. The OCSP request should not actually change, but the response will need to be updated. As with the certificate objects themselves, the structure will stay the same as the current model, but the signatures and keys will be much bigger.
Post-Quantum Computing is a rapidly emerging technology, and many organizations are keen to ensure that they are future-proofed for a Post-Quantum world. However, Post-Quantum-Safe certificates will look quite similar to the certificates we use today. Preparing for this change will take a lot of cooperation between Certificate Authorities, clients and online devices as we become familiar with this emerging technology, update our systems, and secure our communications for the future.
The primary uses of Post-Quantum-Safe certificates, and the processes involved in certificate provisioning and PKI security will remain much the same, while the main changes to be expected will actually revolve around updating security infrastructure and software to be able to support these new certificate types. Transitioning towards the use of Post-Quantum-Safe certificates will of course take some planning, but Post-Quantum-Safe certificates, CSRs and ACME requests, as well as revocation and status checks will all follow a familiar structure to what we already know and understand. Knowing what these certificates will look like is just one of many ways that we can prepare ourselves for the transition to a Post-Quantum future.
As this technology develops, GlobalSign is dedicated to ensuring that we are prepared and that your communications and digital certificates are secure, so that, with the right support, you can be confident your organization is future-proofed through our dedicated research and development into Post-Quantum computing.