2025-04-08
The journey to post-quantum cryptography (PQC) readiness is more than just adopting new algorithms; it is about understanding the full scope of migration. In this KEYMASTER episode, Sven Rajala and Tomas Gustavsson explore what it truly means to be PQC ready.
The first step is recognizing the importance of discovery—mapping out where traditional cryptography exists across an organization. The concept of a cryptographic software bill of materials (CBOM) emerged as a potential way to track and transition legacy cryptographic components. In an ideal world, once all RSA, EC, and Diffie-Hellman algorithms are replaced with post-quantum alternatives like ML-DSA and ML-KEM, the migration is complete. But is it ever that simple?
Securing communications against the "harvest now, decrypt later" threat requires moving to TLS 1.3, as post-quantum algorithms will not be integrated into TLS 1.2. This means every web server, client, and internal application must support TLS 1.3 first—no small feat, especially for organizations with significant legacy infrastructure.
Organizations often underestimate the challenge of migrating to TLS 1.3. Some may already be there, while others face significant engineering efforts due to outdated systems.
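As an added illustration of the discovery step and the TLS 1.3 prerequisite described above (this is example code written for this summary, not material from the episode or from any Keyfactor product), the following Python script takes constructed TLS scan output, turns each endpoint into a CBOM-style record, and ranks it by migration urgency. Hostnames, the CSV layout and the quantum-safe group and signature names (modelled on the IETF draft spellings) are assumptions.

```python
import csv
import io
import json

# Constructed sample of TLS endpoint discovery output (hostnames and values are made up):
# one row per observed endpoint with the negotiated version, key exchange, signature
# scheme and certificate key type, as a scanner might report them.
SCAN_CSV = """host,port,tls_version,kex,sig_alg,cert_key
web-01.example.internal,443,TLSv1.3,X25519,rsa_pss_rsae_sha256,RSA-2048
api-02.example.internal,8443,TLSv1.2,ECDHE-P256,ecdsa_secp256r1_sha256,EC-P256
legacy-03.example.internal,443,TLSv1.0,RSA,rsa_pkcs1_sha1,RSA-1024
edge-04.example.internal,443,TLSv1.3,X25519MLKEM768,ecdsa_secp256r1_sha256,EC-P256
"""

# Key-exchange groups treated as quantum-safe (hybrid X25519+ML-KEM or pure ML-KEM).
# Group names follow the IETF TLS drafts; treat the exact spelling as an assumption.
QUANTUM_SAFE_KEX = {"X25519MLKEM768", "ML-KEM-768", "ML-KEM-1024"}
# Signature schemes already quantum-safe; the ML-DSA names in TLS are an assumption.
QUANTUM_SAFE_SIG = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"}


def classify(row):
    """Turn one discovered endpoint into a CBOM-style record with migration findings."""
    findings = []
    needs_tls13 = row["tls_version"] != "TLSv1.3"
    if needs_tls13:
        findings.append("upgrade to TLS 1.3 first: PQ key exchange is not available below 1.3")
    hndl_exposed = row["kex"] not in QUANTUM_SAFE_KEX
    if hndl_exposed:
        findings.append("classical key exchange: traffic can be harvested now and decrypted later")
    pq_sig_needed = row["sig_alg"] not in QUANTUM_SAFE_SIG
    if pq_sig_needed:
        findings.append("classical certificate signature: plan ML-DSA certificate issuance")
    # Discovery also surfaces things that are already weak classically; flag them too.
    if "sha1" in row["sig_alg"] or row["cert_key"] in {"RSA-1024", "RSA-512"}:
        findings.append("classically weak signature/key: replace independently of PQC timeline")
    # HNDL exposure is retroactive (recorded traffic stays at risk), signature forgery is not,
    # so confidentiality gaps rank above authentication gaps.
    if hndl_exposed:
        priority = "high"
    elif pq_sig_needed:
        priority = "medium"
    else:
        priority = "none"
    return {
        "asset": f"{row['host']}:{row['port']}",
        "tls_version": row["tls_version"],
        "kex": row["kex"],
        "sig_alg": row["sig_alg"],
        "cert_key": row["cert_key"],
        "needs_tls13": needs_tls13,
        "hndl_exposed": hndl_exposed,
        "pq_sig_needed": pq_sig_needed,
        "priority": priority,
        "findings": findings,
    }


def build_inventory(csv_text):
    """Parse scan output into a list of CBOM-style records plus summary counts."""
    records = [classify(row) for row in csv.DictReader(io.StringIO(csv_text))]
    summary = {
        "total": len(records),
        "needs_tls13": sum(r["needs_tls13"] for r in records),
        "hndl_exposed": sum(r["hndl_exposed"] for r in records),
        "pq_sig_needed": sum(r["pq_sig_needed"] for r in records),
        "high": sum(r["priority"] == "high" for r in records),
        "medium": sum(r["priority"] == "medium" for r in records),
    }
    return {"assets": records, "summary": summary}


if __name__ == "__main__":
    print(json.dumps(build_inventory(SCAN_CSV), indent=2))
```

The ranking encodes the point made in the episode: an endpoint still on TLS 1.2 cannot be made quantum-safe in place, so its first finding is the version upgrade, and endpoints whose key exchange is classical are ranked above those that only need new certificate signatures, because recorded traffic is the part of the problem that cannot be fixed later.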
Another crucial aspect of PQC readiness is ensuring that software and firmware updates are quantum-safe. The CNSA 2.0 framework emphasizes the importance of securing software updates; for constrained devices this can be a challenging task until new hardware is available. Many organizations will need to implement phased migration strategies and, in some cases, undergo hardware refresh cycles to maintain security compliance.
Secure boot mechanisms must also evolve to accommodate quantum-safe signatures. This means revisiting the entire device lifecycle, from manufacturing to in-field security updates.
Cryptographic migration doesn’t stop at enterprise IT systems; it extends into blockchain technologies. Most cryptocurrencies rely on elliptic curve cryptography (ECC) for transaction signatures. The shift to post-quantum cryptography could necessitate forking blockchains, issuing new wallets, and implementing entirely new cryptographic primitives.
Similarly, OAuth-based authentication systems will need to accommodate larger post-quantum signatures. JWTs and OAuth tokens, which currently use compact elliptic curve or RSA signatures, could grow substantially in size, impacting authentication workflows and performance.
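To make the token growth concrete, here is an added Python example (written for this summary, not code from the episode) that builds compact JWS tokens with a placeholder signature of the real length for each algorithm and compares the result against common transport limits. The classical signature lengths are the standard JWS encodings and the ML-DSA lengths are the FIPS 204 signature sizes; the "ML-DSA-*" alg names, the sample claims and the 4096-byte cookie and 8 KiB header limits are assumptions.

```python
import base64
import json
import os

# Signature lengths in bytes for the JWS "alg" values compared here. Classical values are the
# standard JWS encodings (ECDSA r||s, Ed25519, RSA-2048 PKCS#1 v1.5); ML-DSA values are the
# FIPS 204 signature sizes. The "ML-DSA-*" alg names follow the JOSE draft and are an assumption.
SIGNATURE_BYTES = {
    "ES256": 64,
    "EdDSA": 64,
    "RS256": 256,
    "ML-DSA-44": 2420,
    "ML-DSA-65": 3309,
    "ML-DSA-87": 4627,
}

# Constructed sample claims (not a real issuer or subject).
SAMPLE_PAYLOAD = {
    "sub": "user-123",
    "iss": "https://issuer.example",
    "aud": "api.example",
    "exp": 1700000000,
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_len(n: int) -> int:
    """Length of the unpadded base64url encoding of n bytes."""
    return (4 * n + 2) // 3


def build_token(alg: str, payload: dict) -> str:
    """Build a compact JWS whose third part has the right length for alg.

    The signature bytes are random placeholders, so the token is NOT verifiable;
    only its size is meaningful here.
    """
    header = {"alg": alg, "typ": "JWT"}
    parts = [
        b64url(json.dumps(header, separators=(",", ":")).encode()),
        b64url(json.dumps(payload, separators=(",", ":")).encode()),
        b64url(os.urandom(SIGNATURE_BYTES[alg])),  # placeholder, not a real signature
    ]
    return ".".join(parts)


def token_size(alg: str, payload: dict = SAMPLE_PAYLOAD) -> int:
    return len(build_token(alg, payload))


def size_report(payload: dict = SAMPLE_PAYLOAD, limits=None) -> dict:
    """Compare each alg's token size against transport limits it must fit through.

    The default limits are assumed typical values: a 4096-byte cookie and an 8 KiB header line.
    """
    limits = limits or {"cookie_4k": 4096, "header_8k": 8192}
    report = {}
    for alg in SIGNATURE_BYTES:
        size = token_size(alg, payload)
        report[alg] = {"bytes": size, **{name: size <= cap for name, cap in limits.items()}}
    return report


if __name__ == "__main__":
    base = token_size("ES256")
    for alg, info in size_report().items():
        print(f"{alg:10s} {info['bytes']:5d} bytes ({info['bytes'] / base:4.1f}x ES256) "
              f"cookie_ok={info['cookie_4k']} header_ok={info['header_8k']}")
```

With the sample claims, an ES256 token is a few hundred bytes, while the same claims signed with ML-DSA-65 no longer fit in a single 4096-byte cookie, which is the kind of workflow impact the episode refers to: the cryptography still works, but every place the token is stored or forwarded needs its limits rechecked.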
Achieving PQC readiness requires a comprehensive approach:
Sven and Tomas conclude the KEYMASTER session by emphasizing that PQC migration is more than a technical upgrade—it's a strategic shift in cybersecurity planning. They highlight the importance of starting preparations now, ensuring organizations stay ahead of evolving threats. The session wraps up with a call to action, urging organizations to take proactive steps toward PQC readiness rather than waiting for regulations or imminent quantum threats to force their hand.