Post-Quantum Migration Planning and Preparation

Migrate your enterprise to post-quantum readiness.
Where Can I Use This?
  • PAN-OS
What Do I Need?
  • PAN-OS 11.1 or later.
Upgrading your network to resist post-quantum attacks requires significant planning and preparation because in addition to upgrading VPNs, you need to transition from classical cryptographic suites to post-quantum cryptographic suites. And it's not just a networking and firewall change, it's also endpoints, applications, client applications, etc.; a complete, end-to-end migration. It's a large investment in time, research, and resources. How large the investment needs to be depends on your business and your network. However, the cost of investment is minor compared to the cost of an attack that steals your most valuable assets, such as financial data, code, PII data, and other potentially long-lived data that is vulnerable to a Harvest Now, Decrypt Later attack.
In addition, regulatory agencies, national security agencies such as the NSA, governments, and standards authorities such as NIST all over the world require or will require government agencies and also some business sectors (potentially including transportation and critical infrastructure) to prepare for and defend against post-quantum threats. Preparing the transition to a post-quantum world isn't a matter of should you do it, it's a matter of when will you do it.
So the question is, when should you start the migration?
When you should start the migration depends on the requirements of your digital assets, especially how long their privacy needs to be secured, because of Harvest Now, Decrypt Later attacks, which record encrypted data, including the key material transmitted in the IKE and TLS peering handshake, with the intention of decrypting the captured data when cryptographically relevant quantum computers (CRQCs) become available. The key question is, how long does your data need to be secure? If an attacker has already captured sensitive data and that data is still valid when CRQCs come into play, the attacker will be able to decrypt the stolen data and act on its content. CRQCs could be available as soon as the next decade.
If your company is a potential target of harvesting attacks, each day you delay taking action risks giving attackers more information to decrypt later. The earlier you take action, the sooner you stop attackers from being able to decrypt harvested data in the future.
Historically, most past efforts to replace cryptographic protocols, such as transitioning from 3DES to AES encryption or moving from SHA-1 to SHA-2 hash functions, have taken from 5-20 years after the development of the new standards. That includes time to vet the new protocols in the real world. After NIST standardizes post-quantum cryptographies (PQCs), even though the PQCs have undergone rigorous testing, it will likely take from 5-10 years of real-world experience and attempts to crack the PQCs before we can have confidence that the new PQCs are truly solid.
PQCs are replacements for classical crypto algorithms and provide quantum resistance for key exchange, encryption, and digital signatures.
To safeguard the transition from classic encryption to the new PQCs, the industry is adopting hybrid keys. Hybrid keys provide an extra layer of security by creating the encryption key with multiple key exchange mechanism (KEM) technologies. Best practice is to use a strong classic KEM, such as Diffie-Hellman Group 21, and one or more PQCs. If one of the PQC KEMs used to create the key falls to a vulnerability, the other KEMs still protect the key. Hybrid keys are the best way forward until the new PQCs obtain sufficient real-world experience to give the industry confidence in their security strength.
And Harvest Now, Decrypt Later attacks are not the only post-quantum threat. Technically savvy internal bad actors can download open-source PQCs and bring up their own PQC servers or browser plugins in your network if you don't proactively block unauthorized PQCs on your network.
By the early 2030s, it's likely that data secured with today's classical cryptography won't be secure from post-quantum attacks. So it's important to understand how long a period of time your data needs to be secure and estimate how long it will take you to prepare and execute your post-quantum plan. The earlier you start, the easier it is to keep quality high and costs predictable, and to avoid rushing through the process as post-quantum threats increase.
One way to think about how soon to start is to use a Mosca model, which presents a simple timeline into which you plug in your time estimates so you can understand the urgency of taking action.
This Mosca model shows how to estimate the timeline to post-quantum vulnerability of your assets and helps you understand how soon to begin the journey to post-quantum readiness. The model compares your estimate of the time it takes to migrate to post-quantum readiness (x, which is likely to be at least five years) plus your estimate of how long-lived your data is (y, which is the length of time from when you achieve post-quantum readiness to the time that exposing the data no longer compromises the data) against the time when CRQCs are likely to be available (z).
The difference between (x + y) and z shows the time your long-lived data is at risk of exposure if it has been harvested or how much of a time cushion you have before your long-lived data is at risk. This helps you understand how much time you have to get started or how late you might be. If (x + y) is greater than z, the difference between those timelines is the time when your data could be exposed if attackers harvested it in a Harvest Now, Decrypt Later attack, shown in the preceding illustration as Risk of Secret Keys Revealed.
As you begin transition planning, there are several things you can do right away to harden your existing VPN connections:
  • Follow RFC 6379 for Suite B Cryptographic Suites for IPsec to upgrade your VPN connections to tough cipher suites. Use Suite-B-GCM-256 and avoid weaker 128-bit AES algorithms, which are vulnerable to Grover's algorithm.
  • Upgrade your CA to 4K RSA key sizes to mitigate brute force attacks that can break smaller key sizes and migrate your VPN certificate authentication to new certificates.
  • Upgrade to higher-bit SHA hash sizes such as SHA-384 and SHA-512. Stop using weak hashes such as MD5 and SHA-1.
  • Implement RFC 8784 and/or RFC 9242 and RFC 9370 to create post-quantum VPNs that resist quantum attacks.
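The key-derivation steps behind the RFCs in the last item, and behind the hybrid-key reasoning earlier on this page, as an added example (not Palo Alto Networks code). It tracks only SK_d, assumes HMAC-SHA384 as the negotiated PRF, and uses constructed placeholder bytes for nonces, SPIs, shared secrets, and the PPK.

```python
import hashlib
import hmac

PRF_LEN = 48  # HMAC-SHA384 output size; the PRF choice is an assumption of this sketch


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha384).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def initial_sk_d(classical_secret, ni, nr, spi_i, spi_r):
    """IKE_SA_INIT: SKEYSEED = prf(Ni | Nr, g^ir); SK_d is the first prf+ slice."""
    skeyseed = prf(ni + nr, classical_secret)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, PRF_LEN)


def additional_exchange_sk_d(prev_sk_d, new_secret, ni, nr, spi_i, spi_r):
    """RFC 9370: SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr)."""
    skeyseed = prf(prev_sk_d, new_secret + ni + nr)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, PRF_LEN)


def mix_ppk(ppk, sk_d_prime):
    """RFC 8784: SK_d = prf+(PPK, SK_d'), same length as SK_d'."""
    return prf_plus(ppk, sk_d_prime, len(sk_d_prime))


def derive_sk_d(classical_secret, pqc_secrets, ppk, ni, nr, spi_i, spi_r):
    """Chain the classical exchange, each additional exchange, then the PPK."""
    sk_d = initial_sk_d(classical_secret, ni, nr, spi_i, spi_r)
    for secret in pqc_secrets:
        sk_d = additional_exchange_sk_d(sk_d, secret, ni, nr, spi_i, spi_r)
    return mix_ppk(ppk, sk_d) if ppk else sk_d


# Constructed sample values standing in for real nonces, SPIs and exchange outputs.
NI, NR = b"\x11" * 32, b"\x22" * 32
SPI_I, SPI_R = b"\xa1" * 8, b"\xb2" * 8
ECDH_SECRET = b"\x33" * 66   # placeholder for a DH Group 21 shared secret
PQC_SECRET = b"\x44" * 32    # placeholder for a PQC KEM shared secret
PPK = b"\x55" * 32           # placeholder pre-shared key; use a random one in practice

if __name__ == "__main__":
    good = derive_sk_d(ECDH_SECRET, [PQC_SECRET], PPK, NI, NR, SPI_I, SPI_R)
    # Knowing only the classical secret is not enough to reproduce the key.
    partial = derive_sk_d(ECDH_SECRET, [b"\x00" * 32], b"\x00" * 32, NI, NR, SPI_I, SPI_R)
    print(good.hex()[:16], partial.hex()[:16], good != partial)
```

Because every stage feeds the next, the final SK_d changes if any one input changes, which is why a harvested handshake stays protected as long as one of the mixed-in secrets remains unknown.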
In addition, review your SSL/TLS connections and harden them:
  • Upgrade SSL/TLS connections to tough cipher suites; use TLSv1.3 with Perfect Forward Secrecy (PFS) ciphers.
  • Tunnel SSL/TLS sessions in hardened, client-to-server VPN sessions. Use a post-quantum desktop application to support Reverse Proxy.
To start the transition, the Quantum Economic Development Consortium (QED-C) developed a model for planning and preparing the transition to post-quantum security that Palo Alto Networks has adapted to a five-step model to help you assess migration preparation, time, and resources.
The following sections describe each step of the journey to quantum readiness, for which implementing RFC 8784 to create quantum-resistant IKEv2 VPNs is the first step:

Assign Resources and Build Awareness

The goals of this phase of planning and preparation are to identify the transition team, to get an idea of what resources you need, to engage vendors to understand their post-quantum readiness plans, and to begin to understand the cost involved.
The upgrades that build resistance to post-quantum attacks often dovetail with work your I.T. department is already doing to modernize the network.
  1. Form a dedicated project management team to take responsibility for developing a post-quantum strategy and quantum readiness roadmap to manage the transition. The team is responsible for high-level planning. The team also identifies who is responsible for the parts of the network that are part of the transition. Start early and give yourself enough time for a thoughtful, measured approach to help ensure that quality remains high and costs remain predictable.
  2. Develop an understanding of quantum security technologies and figure out how to integrate them into your environment. Post-quantum IKEv2 VPNs (RFC 8784) are the first step to creating a secure post-quantum network, which you can do now without impacting your network. In addition, all organizations will need to replace their existing asymmetric algorithms with the quantum-safe PQCs. To take the next steps, learn about PQCs, hybrid keys, and multiple key exchanges (RFCs 9370 and 9242). Also learn about crypto-agility (using multiple PQCs so you have the ability to switch easily and quickly between PQCs if a PQC is compromised), quantum key distribution (QKD), and Quantum Random Number Generators (QRNGs) to learn if these security measures are justified to protect your data.
    Research quantum technologies and engage your vendors to understand their quantum readiness plans and how that affects your business.
  3. Engage the enterprise's community and develop an understanding of PQC and technology awareness and readiness levels. Build awareness in teams and team leaders and help them understand the potential changes and why they are needed. For example, work with procurement teams to include post-quantum requirements to ensure that new hardware and software is compatible with PQCs and future-proof the infrastructure.
    Initiate cryptographic discovery activities (you might be able to leverage audit documentation) to gain visibility into and identify the organization's current reliance on digital signatures and cryptographies that are vulnerable to post-quantum attacks, such as Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), Elliptic Curve Diffie-Hellman (ECDH), AES-128, RSA encryption that's less than 4K, and so on.
  4. Start work on an internal budget. Adjust the budget as you learn more and formulate the best solution for your business.

Define Responsibilities

Find out who is responsible for each part of the network, including networking, file and data encryption, software applications, endpoints, IAM, application servers, etc. Assign responsibilities to team members in each area and ensure that they understand the reason, urgency, and value of transitioning. Post-quantum vulnerabilities affect all existing asymmetric encryption. Team members should understand that it'll take significant effort to discover, categorize, and upgrade everything in the network in a prioritized manner.

Develop a Crypto Inventory and Priority List

A crypto inventory is a comprehensive list of everything in your network (every device, system, code, application, platform, and vendor) and the cryptography each uses: cipher suites, versions used for TLS, SSH, and VPNs, certificate management, encryption key generation, key sizes, key storage, and so on. The crypto inventory needs to be comprehensive because PQCs pose a threat to the entire end-to-end datapath, including endpoints, applications, and servers of all types. This means you need to plan for a complete end-to-end migration.
The crypto inventory doesn't just list components and the cryptography each uses; it also records information about each component. For each component, the inventory includes who uses it, what data is stored in it, how it's protected, and how data moves between components. The goal is to understand the types of encryption in use in your network, the data that encryption protects, where the data is stored, where the data goes, and everything about the devices and users involved. In short, it's a comprehensive inventory of your network cryptography and everything it affects.
Without a comprehensive crypto inventory, you can't identify all the affected components in your network, assess their risk, or effectively prioritize what to upgrade first.
To create your crypto inventory, investigate and document crypto usage (I.T. and SecOps can often help with this):
  • What crypto is used—the crypto ciphers and protocols in current use.
  • Who or what uses each cipher and crypto protocol.
  • Where the crypto is used—what data, servers, browsers, VPNs, remote apps, etc., the crypto protects. Identify who is using the data, which parts of the network it traverses, and how it's secured end-to-end.
  • Categorize by risk for each network element.
  • Determine the required data privacy duration and expected end-of-life for the data to help gauge the risk of losing data to harvesting attacks.
Include vendors and partners in the crypto inventory. For example, interview vendors to understand the cryptography used in their applications and how strong the keys are and how they’re generated. Identify who is using the data and how it's secured end-to-end. Don't leave gaps that attackers can leverage in a post-quantum attack.
When creating your crypto inventory, you might be able to leverage work done for audits, network enhancements, Zero Trust, etc.
Developing your crypto inventory might be the hardest part of the transition. The good news is that taking the inventory builds awareness that helps organizations become more secure even before a quantum threat materializes, because the inventory will identify archaic and obsolete systems.
Palo Alto Networks provides several tools to help you take your crypto inventory:
  • Decryption, Traffic, and Threat logs show which cryptographic protocols run on your network, the devices and users for those protocols, and so on.
  • Vulnerability Protection profile signatures in content release 8692 can detect and alert on PQC usage in logs. You can configure Vulnerability Protection profiles to automatically block unsanctioned PQCs on your network, which is a best practice. (Make required exceptions for internal PEN testing.)
  • Use SSL decryption to automatically block ciphers that the firewall can't decrypt.
Assess the risk of the items in your crypto inventory and determine your security options so you can then prioritize the migration:
  • Understand your data and applications:
    • Identify high priority and high privacy data.
    • Categorize data based on security and risk.
    • Assign privacy duration (how long-lived is the data, how long will it be valid).
    • Understand how applications secure their data.
    • Know who is using the data.
  • Understand your endpoints.
    • Where is the data stored and how is it protected?
    • Which servers host and serve the data?
    • What devices do users use to access the data?
    • How are the endpoints secured?
  • Understand your network.
    • How does the data move through the network?
    • Which devices protect the data?
    • Is the cloud involved? How is the data secured in the cloud?
    • Where are the high-risk network areas?
  • Understand your security options and where you need to apply post-quantum mitigation.
    • Do you need to migrate to newer protocols?
    • Which PQCs should you use and when? (Pay attention to NIST PQC standards.)
    • Will you need to use hybrid keys to secure your data?
    • How will you ensure crypto-agility (the ability to switch between crypto algorithms quickly in case vulnerabilities are discovered in a PQC)?
    • Will you need to use QRNGs or QKD?
    • When do you need to transition to post-quantum certificates and authentication?
    • Do the options satisfy your compliance requirements?
When you understand your crypto inventory, analyze the data and set migration priorities based on it. When setting priorities, consider the lifetime of the data to defend against harvesting attacks, the location and sensitivity of the data, and how susceptible the data is to attack. Today, the key exchange is at the highest risk, so implementing RFC 8784 and/or RFC 9242 and RFC 9370 to create quantum-resistant VPNs is job one.
To set migration priorities:
  • Rank tasks by business impact. How critical is the asset to your business? How long does the data need to be secure or private—is the asset at risk from a Harvest Now, Decrypt Later attack? Compare the capital value of at-risk assets to the estimated cost of future data loss to a post-quantum attack.
  • Migrate high impact areas first.
  • Define remediation actions.
  • Set migration timelines and policies.
  • Dedicate resources and fund activities.
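One way to turn a crypto inventory into a ranked migration list, combining the vulnerable-algorithm list from the discovery step with the Mosca timeline described earlier (an added example, not a Palo Alto Networks tool). The `Asset` fields, the 1 to 5 impact scale, the sample inventory, and the x = 5 and z = 10 estimates are assumptions made for illustration.

```python
from dataclasses import dataclass

# Algorithms this page's discovery step lists as vulnerable, plus its weak hashes.
VULNERABLE = {"DH", "ECC", "ECDH", "AES-128", "MD5", "SHA-1"}
MIN_RSA_BITS = 4096  # the page flags RSA "less than 4K"


@dataclass
class Asset:
    name: str
    owner: str
    algorithms: list       # as discovered, e.g. ["ECDH", "RSA-2048"]
    privacy_years: float   # Mosca y: how long the data must stay private
    impact: int            # assumed scale: 1 (low) to 5 (business critical)


def findings(asset):
    """Return the asset's algorithms that appear on the page's vulnerable list."""
    hits = []
    for alg in asset.algorithms:
        a = alg.upper()
        bits = a[4:] if a.startswith("RSA-") else ""
        if a in VULNERABLE or (bits.isdigit() and int(bits) < MIN_RSA_BITS):
            hits.append(a)
    return hits


def mosca_gap(migration_years, privacy_years, crqc_years):
    """(x + y) - z. Positive: years of exposure. Negative: years of cushion."""
    return migration_years + privacy_years - crqc_years


def prioritize(inventory, migration_years, crqc_years):
    """Rank assets: harvest-exposed first, then business impact, then gap size."""
    rows = []
    for asset in inventory:
        hits = findings(asset)
        gap = mosca_gap(migration_years, asset.privacy_years, crqc_years)
        rows.append({"name": asset.name, "owner": asset.owner, "findings": hits,
                     "gap_years": gap, "impact": asset.impact,
                     "harvest_risk": bool(hits) and gap > 0})
    rows.sort(key=lambda r: (r["harvest_risk"], r["impact"], r["gap_years"]),
              reverse=True)
    return rows


# Constructed sample inventory; names, owners and values are illustrative only.
INVENTORY = [
    Asset("guest-portal TLS", "netops", ["ECDH", "RSA-4096"], 0.5, 1),
    Asset("build-cache storage", "devops", ["AES-256-GCM", "SHA-384"], 1, 2),
    Asset("hr-records TLS", "apps", ["ECDH", "AES-256-GCM", "RSA-2048"], 7, 4),
    Asset("site-to-site VPN", "netops", ["DH", "AES-128", "SHA-1"], 15, 5),
]

if __name__ == "__main__":
    # x = 5 and z = 10 are assumed estimates, to be replaced with your own.
    for row in prioritize(INVENTORY, migration_years=5, crqc_years=10):
        print(row)
```

An asset with vulnerable algorithms but a negative gap, such as the sample guest portal, still needs upgrading; it simply ranks below assets whose data outlives the estimated arrival of CRQCs.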

Evaluate Solutions, Experiment, and Test

With the information from your crypto inventory, develop the policies, migration plans, and test plans to transition your network to post-quantum readiness and secure your data. Include vendors, partners, and any other external influences on your network security. To develop solution policies and migration plans:
  • Identify the assets that you need to upgrade to PQCs.
    Identify which technologies are required for each priority level and determine how they fit into the migration strategy.
  • Create a transition plan that identifies the algorithms best suited to protect your assets now and later, when you replace or augment classical algorithms with PQCs.
  • Develop key lifecycle policies to reflect the risk to asymmetric and symmetric encryption keys, especially for long-lived data that is at risk from Harvest Now, Decrypt Later attacks.
  • Include implementing crypto-agility in your policies and plans. Crypto-agility ensures that if an algorithm (classical or PQC) is compromised, you're ready to quickly and easily move to a secure algorithm.
Understand that it's a thoughtful transition, not a scorched-earth rip-and-replace. It's likely that you will need to adopt a hybrid approach and layer PQC in with classical cryptographic algorithms to enhance security before you complete a full transition to PQCs.
To test plans and policies, set up proof of concept labs so you can:
  • Thoroughly test all PQC components and interoperability between devices and applications.
  • Understand the performance and capacity differences between classical and PQC algorithms. PQCs have larger key sizes and digital signature sizes than classical cryptographies, which result in larger encrypted file sizes and might also affect latency.
    Test PQC interoperability between components and try to maximize end-to-end quantum resistance, not only within the organization, but also between external parties. Identify the algorithms that make the most sense for each use case and create a transition plan to replace classical cryptographies with PQCs.
  • Test end-to-end and include partners, vendors, and other external parties whose post-quantum readiness could affect your network. Some systems might need upgrades to have acceptable post-quantum performance.
  • Identify incompatible components and assets you need to upgrade.
Experimentation is another way to build awareness in your organization while at the same time answering questions and providing information about how easy or challenging the transition might be. Seek outside expertise if you have no in-house expertise or can't develop in-house expertise in a reasonable time frame.

Continue to Monitor Progress

Continuously monitor and evaluate the progress toward a quantum-resistant environment to help ensure that the transition stays on schedule and to mitigate the risks of harvesting attacks. Make adjustments to the plan and personnel involved as needed. In addition, work with experts to help ensure that you cover all the bases and leave no gaps that an attacker can exploit in a future quantum attack.