Hi @denbesten
Yes, I do, unfortunately, if I may - it is not just a question of migrating to a new cryptographic algorithm i.e. SSLv3 to TLSv1.2 - knowing the payments industry too six years to actually agree, argue and then did something about it.
Thank you for the question.
This migration is far wider than this, it will affect all Public Key Infrastructure, RSA cryptographic algorithms, and all industries including OT applications, engineering, Operating Systems, Data Storage systems, Databases,Telecommunications systems, Communications systems, Cloud providers etc.
In a simplified approach:
1) Yes, we know you keep Asset records, Owner, location, impact of loss, and implications to the business - well extend this cryptographic algorithms throughout your business - including the algorithms used, versions, Keys, method being used etc. So you end up with the Cryptographic Bill of Materials (CBOM) instead of a Software Bill of Materials (SBOM). This means doing an extensive discovery, static and dynamic scanning of your applications, databases, OS, storage methods etc. Validate the regulations and compliance conditions you have to endure by legislation - by industry and standards including PCI DSS, Government standards etc.
You will need discovery tools, OWASP already have some open source ones available.
2) Check out the current NIST Approved Post Quantum Cryptography (PQC) algorithms, valid which ones are suitable for your organisation, applications, storage systems, OS, systems including IoT, IoMT, OT etc and the list grows. Set up a test laboratory or use a commercial one such as Thales with Quantinium partnership, or others. Those who use Hardware Security Modules (HSMs) can they migrate to Post Quantum Cryptography algorithms or do you need a bridging application or additional model to achieve this. Or if you are lucky, your HSMs are coming up for renewals and vendors are preparing to overcome this issue.
3) You need to achieve Cryptographic Agility, why because the first PQC algorithms will be released in 2024, but the second round has been publicised by NIST for the next set of algorithms in development. You need to test your vital replacement algorithms for performance, speed and any other issues which will be bound to turn up in formal testing use cases, scenarios. Test extensively, can you substitute an alternative algorithm, to do a better job, or will your applications simply stop working.
4) And don't forget the Public Key Infrastructure Key Management will also be redundant too, so you have to shift to a Quantum Key Management system, suitable for your organisation too.
Currently it is cited that it will take at least the Payments Industry 8 years at best to be able to migrate, as long as they do not delay and take this seriously.
The good news is there is some Quantum Computer resistant algorithms currently existing namely AES-256 bit keys but AES-512 bit would be better in Galois Mode or GCM for storage systems - for instance Japanese regulations require that personnel data is held securely for 100 years, which is a bit extreme.
But think all Blockchain, cryptographic exchanges for Coins, Payment Systems will have to migrate too, or the Harvest Now, Store Later or alternatively Exploit Now, Decrypt Later brigade i.e. state actors are definitely waiting in the foreground, capturing data, with patience - imagine a ransomware attack in the future, we captured your data in 2026, but we waited until 2031 to decrypt it.
It is a series issue, planning and education needs to happen to prepare all organisations for this - it is not going to be an easy ride at all. Extensive testing will be required, validation, proving the system will work, or it will have to be replaced or is it worth re-engineering to make it work vs the costs and effort etc.
Example: during WWII the American Verona Project was borne, to capture German and Russian communications traffic. The same traffic was being decrypted up until the 1950s, when an American defector revealed it to the Russians!
Every where we go, encryption and algorithms are being used, we need to know where they exist, how they are being used, what they are protecting, and what the impact will be if that data is revealed or exposed to the organisation or to the individual. This data is also encrypted at EV Chargers within databases for charging purposes and for payment purposes etc.
These are major changes - so start planning, educating, and prepare - is my advice - there are no smoking mirrors here, it is inevitable.
You may not agree, but history tells us repeatedly things may not go as smoothly as many would like. There are plenty of examples and more to come to keep us on our toes.
Regards
Caute_Cautim
