Crypto Agility: Transition to post-quantum safe algorithms for secure key exchange and certificate generation

The quantum era is arriving, which poses a significant threat to traditional encryption and public-key cryptography standards. Due to this development, many cryptographic algorithms are broken, as the underlying mathematical problems could be solved by future quantum computers within a short amount of time. With the appearance of quantum computers, cryptographic algorithms have also evolved. New quantum-safe algorithms have been standardized in the past year, but only a few applications already use them. To ensure a secure environment this will need to change.

Faced with these challenges and the rapid improvements in the area of quantum computing, the global cybersecurity landscape plunges into a highly precarious state. It is therefore important to test and deploy the new cryptographic algorithms today.

This bachelor thesis aims to demonstrate how two recently standardized post-quantum secure algorithms can be used by testing their compatibility with a Hardware Security Module (HSM) in a controlled environment. To demonstrate how these could be implemented in a quantum-safe manner at a later stage, two different use cases will be realized. The algorithms used are CRYSTALS-Kyber and CRYSTALS-Dilithium.

First, two Proof of Concepts (PoCs) were written, that demonstrate the compatibility between the HSM architecture and the two CRYSTALS algorithms. Afterward work on the two use cases began in parallel. The use case: Bring Your Own Key (BYOK) demonstrates how locally generated keys can be imported into the HSM in a quantum-safe manner. In this demonstration, the Key Encapsulation Mechanism (KEM) CRYSTALS-Kyber is used to generate a
shared secret so that the client application can communicate to the HSM using AES.

The second use case focuses on a Public Key Infrastructure (PKI) based on a post-quantum secure infrastructure. The HSM is used as a key store to secure the identity of the Root Certificate Authority (CA), which acts as the root of trust. This ensures that keys are never exposed in clear text in memory. Furthermore, the quantum-safe signature scheme CRYSTALS-Dilithium is used to sign certificates which further increases security.,

Further research and development work can be carried out in the future based on the insights gained through the implementation of these use cases. In addition, the implementation facilitates the replication of a similar use case for enterprise architecture and the transition from today’s legacy algorithms to the new secure post-quantum algorithms with increased efficiency. Both the BYOK and PKI implementations could also still be extended to provide more functionality, and higher security standards based on the algorithm versions or protocol used. The PKI implementation could also be further improved by using a quantum-safe variant of Transfer Layer Security (TLS).