2024-10-17
Post-quantum cryptography, software supply chain security, and TECHSynergy collaboration were in focus at the Keyfactor Community Tech Meetup in Stockholm in September. In this blog, Malin Ridelius, VP Community at Keyfactor, shares her insights.
For this year’s Community Tech Meetup, I had the privilege of working closely with our industry experts, developers, and engineers to design a program that tackles two pressing challenges in cybersecurity today: preparing for post-quantum cryptography (PQC) and securing the software supply chain.
Our timing could not have been better, as NIST announced its new PQC standards just over a month before the event. We were fortunate to welcome Christopher Robinson, Director of Security Communications at Intel and Chairperson of the OpenSSF Technical Advisory Council, as our keynote speaker.
Christopher started the day by introducing us to OpenSSF, highlighting innovative projects and initiatives that are advancing software supply chain security. He discussed several key projects, including SLSA, in-toto, Sigstore, and OpenSSF Scorecard. We are proud that Keyfactor joined OpenSSF in September of this year.
The event featured discussions on practical solutions and provided hands-on experiences with cryptography, PKI, and signing—core pillars in cybersecurity. Together, we are laying the groundwork for a more resilient, future-proof, and secure software ecosystem for all.
In their first presentation, Tomas Gustavsson, Chief PKI Officer, and David Hook, VP of Software Engineering, Crypto Workshop, discussed the latest updates from NIST on newly standardized post-quantum cryptographic (PQC) algorithms, including ML-DSA, ML-KEM, and SLH-DSA. They highlighted post-quantum signature processes and new Key Encapsulation Mechanisms (KEMs), which differ significantly from traditional methods like RSA and Diffie-Hellman. The presentation also covered various protocol changes required for a quantum-safe future, such as updates to TLS and CMS.
Emphasizing the importance of crypto agility, Tomas and David stressed the need for organizations to swiftly update cryptographic protocols to maintain security. With the rapid advancement of quantum computing, they encouraged organizations to inventory their current algorithms, assess vulnerabilities, and establish a timeline for transitioning to quantum-resistant solutions.
Tomas and David also explored the role of hybrid systems in the transition to PQC. They emphasized crypto agility once again, discussing how hybrid systems enhance security and interoperability during migration. The presentation covered various migration strategies—complete, transitional, and hybrid—each designed to meet specific organizational needs. Additionally, the session reviewed hybrid PKI options and emerging standards for hybrid certificates, which utilize dual-key mechanisms to facilitate a smoother transition from classical to quantum-resistant cryptographic systems.
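The first step Tomas and David recommend, an inventory of the algorithms currently in use, can be automated against a certificate estate. The following Go program is an added example (not code from the talk or from Keyfactor) that builds three constructed self-signed certificates, classifies each public key by family and size, and flags every classical key for migration; the subject names and the action text are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Report is one row of the algorithm inventory.
type Report struct {
	Subject, Algorithm, Action string
	QuantumSafe                bool
}

// classify maps a certificate's public key to an inventory row. RSA, ECDSA and
// EdDSA are all broken by Shor's algorithm, so none of them counts as quantum-safe.
func classify(cert *x509.Certificate) Report {
	r := Report{Subject: cert.Subject.CommonName, Action: "migrate to ML-DSA or a hybrid certificate"}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		r.Algorithm = fmt.Sprintf("RSA-%d", k.N.BitLen())
	case *ecdsa.PublicKey:
		r.Algorithm = "ECDSA-" + k.Curve.Params().Name
	case ed25519.PublicKey:
		r.Algorithm = "Ed25519"
	default: // OID unknown to Go's parser (for example a PQC algorithm): review by hand
		r.Algorithm, r.Action = "unknown", "check the SubjectPublicKeyInfo OID manually"
	}
	return r
}

// selfSigned builds a constructed sample certificate for the given key pair.
func selfSigned(cn string, priv crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Inventory classifies three constructed certificates; a real run would load PEM files from the estate.
func Inventory() []Report {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, edKey, _ := ed25519.GenerateKey(rand.Reader)
	var out []Report
	for _, c := range []*x509.Certificate{selfSigned("legacy-rsa", rsaKey), selfSigned("api-ecdsa", ecKey), selfSigned("ssh-ca", edKey)} {
		out = append(out, classify(c))
	}
	return out
}
```

Print the returned rows (subject, algorithm, quantum-safe flag, action) to get a first migration worklist; the "unknown" branch is where ML-DSA or hybrid certificates would show up until the parser understands their OIDs.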
In a third presentation, Tomas followed up on last year’s sessions on PQC, hardware security modules (HSMs), and PKI with new findings from the Interoperability Testing of PQC PKI/EJBCA with HSMs. The presentation looked into the testing of post-quantum cryptographic algorithms with HSMs, focusing on key areas such as the ML-DSA algorithm, certificate size, signing speed, and the issuance process, using various comparative metrics. Tomas emphasized that HSMs play a crucial role in PKI and signing solutions, making it essential to include HSMs in any PQC migration and interoperability testing plans for organizations.
Miguel Martinez Trivino (co-founder of Chainloop), Ben Dewberry (Product Manager, Signing and Key Management at Keyfactor), and Christofer Vikström (formerly a master thesis student at Keyfactor and now a developer in the SignServer team) joined us for a presentation. They discussed the importance of securing the software supply chain in response to the rising number of supply chain attacks and new regulatory requirements such as the Cyber Resilience Act (CRA). Ben highlighted the challenges of dependency management and talked about frameworks like SLSA that provide structured steps to enhance supply chain security. Tools for signing images, creating Software Bills of Materials (SBOMs), and vulnerability management were emphasized. Miguel outlined the role of platforms like Chainloop in collecting and managing metadata related to software artifacts and attestations, enabling organizations to enhance their security posture and meet compliance requirements.
Christofer shared findings from his master’s thesis, which explored implementing these practices in enterprise contexts and showcased the benefits of enhanced transparency, accountability, and security.
The increasing complexity of securing IoT devices, software supply chains, and critical infrastructure is indisputable. The presentation by Andreas Philipp (Senior Business Development Manager, IoT, Keyfactor) and Florian Handke (Smart Production Engineer, Campus Schwarzwald), which covered use cases like Secure Boot, Over-the-Air (OTA) updates, and OPC-UA industrial cyber security, drove home just how essential it is to develop robust and adaptable security systems that can protect devices throughout their entire lifecycle.
One theme that came up repeatedly during the day was the Cyber Resilience Act (CRA) and its implications for manufacturers, especially in the industrial and IoT sectors. The CRA mandates cybersecurity compliance for all products with digital elements, classifying them into critical and non-critical classes. This legislation clarifies that manufacturers must provide secure updates throughout a product’s lifecycle—no exceptions. As we discussed, that’s easier said than done, particularly for industrial IoT devices with long service lives.
At Keyfactor, we understand the critical role of openness and collaboration. During our “Ask Me Anything” session on EJBCA and SignServer, our product owners and architects took the stage to engage with the audience, answering questions about strategies and product features. Our focus on engagement and collaboration with our community and technology ecosystem is essential for staying ahead in the rapidly evolving security landscape.
At this year’s meetup, we introduced TECHSynergy demo points—showcasing use cases driven by integrations within the tech ecosystem. The use cases included secure over-the-air updates, Industrial CyberSec with open62541, signing with GitHub actions, PKI and multi-cluster Istio service meshes, and more. These demos highlighted how our PKI and signing solutions seamlessly integrate into the broader context of modern cybersecurity practices.
As we look ahead to a world where quantum computing, crypto agility, and supply chain security become more than just buzzwords, I am encouraged by the progress so far and the ongoing conversations. We are on the cusp of significant changes, and events like our Community Tech Meetup are vital in shaping how we address the future of cybersecurity. Together, we can build resilient, adaptable, and secure systems—today and tomorrow.
If you didn’t make it to this year’s meetup, I highly encourage you to engage with us in future events and discussions and explore our online assets. We are excited to have you along for the journey.
Stay up to date with the Keyfactor Community newsletter.