
A Staged Approach of Migration to Quantum-Safe Schemes - An ETSI Perspective

This article featuring ETSI’s perspective is the fourth in a series of different perspectives on post quantum migration.

ETSI is a European Standards Organization that supports European regulations and legislation by creating Harmonized European Standards. Registered in France, this non-profit organization also supports the development, ratification and testing of globally applicable standards for the use of ICT while collaborating with partners around the globe.

In its recent Technical Report, TR 103 619 V1.1.1 (2020-07): CYBER; Migration strategies and recommendations to Quantum Safe schemes, ETSI focuses on the problem of migrating from a non-Quantum Safe Cryptographic State to a Fully Quantum Safe Cryptographic State (FQSCS). The document contains ETSI’s recommendations to ensure a safe migration between the two states through a staged approach.

Staged Approach to Quantum-Safe Schemes Migration

ETSI’s report includes a framework for the actions that organizations should take to enable their migrations to a Fully Quantum Safe Cryptographic State (FQSCS). This migration framework and its plan consist of three stages:

1. Inventory compilation

2. Preparation of the migration plan

3. Migration execution

Stage 1 – Compiling Inventory

Before a Quantum Safe Cryptographic migration can begin, there must be knowledge of the organization’s assets that could be impacted by quantum computing and quantum computers. Therefore, the first stage of the migration must be to inventory the organization’s cryptographic assets and processes in the system. These assets typically include both hardware and software.

ETSI offers two resources for use in compiling the system inventory. At least one of the following resources should be used:

It might be possible that some of the assets are not under the control of the organization. The third party responsible for such assets would be liable to assure the asset’s migration. Key management entities and functions that provide cryptographic protections are also subject to migration.

Stage 2 – Preparing the Migration Plan

Creation of the migration plan

Once the inventory compilation in stage 1 has been completed, stage 2, the creation of the migration plan, can begin. ETSI recommends that the questions listed in clause A.2 of TR 103 619 V1.1.1 (2020-07) be used in the creation of the migration plan. The following should also be included in the migration plan:

1. Full inventory of assets previously listed in clause 5

2. For each asset:

  • Will the asset be migrated, retired or made obsolete?
  • When will the asset be migrated?
  • Determine an orderly migration sequence for inter-dependent assets based on their cryptographic relationships and any identified dependencies.
  • Dependency and any other relevant testing
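One way to derive the migration sequence described above from an inventory, as an added example that is not taken from TR 103 619 or from this article's author. The asset names, the field names and the rule that an asset is migrated only after the assets it depends on are assumptions made for illustration.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed sample inventory (hypothetical assets, not from TR 103 619).
# "depends_on" lists the assets whose keys or trust an asset relies on.
INVENTORY = {
    "hsm-firmware":   {"disposition": "migrate", "depends_on": []},
    "root-ca":        {"disposition": "migrate", "depends_on": ["hsm-firmware"]},
    "issuing-ca":     {"disposition": "migrate", "depends_on": ["root-ca"]},
    "tls-gateway":    {"disposition": "migrate", "depends_on": ["issuing-ca"]},
    "code-signing":   {"disposition": "migrate",
                       "depends_on": ["issuing-ca", "hsm-firmware"]},
    "legacy-vpn":     {"disposition": "retire", "depends_on": ["root-ca"]},
    "archive-reader": {"disposition": "migrate", "depends_on": ["legacy-vpn"]},
}


def plan_migration(inventory):
    """Return (migration order, planning conflicts) for an inventory.

    Assumption: an asset is migrated only after every asset it depends on.
    Assets marked "retire" or "obsolete" are left out of the sequence.
    """
    conflicts, graph = [], {}
    for name, asset in inventory.items():
        if asset["disposition"] != "migrate":
            continue
        predecessors = []
        for dep in asset["depends_on"]:
            if dep not in inventory:
                conflicts.append(f"{name}: dependency {dep} is not inventoried")
            elif inventory[dep]["disposition"] != "migrate":
                # A migrated asset must not keep relying on a retired one.
                conflicts.append(f"{name}: depends on {dep}, which is "
                                 f"planned for {inventory[dep]['disposition']}")
            else:
                predecessors.append(dep)
        graph[name] = predecessors
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        # Circular cryptographic dependencies need a manual decision.
        conflicts.append("circular dependency: " + " -> ".join(exc.args[1]))
        order = []
    return order, conflicts


if __name__ == "__main__":
    sequence, problems = plan_migration(INVENTORY)
    print("Migration sequence:", sequence)
    print("Conflicts to resolve in the plan:", problems)
```
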

Migration issues

Migration can be defined as the set of processes, procedures and technologies needed for transitioning from non-QSC to QSC.

Considerations for migration impact on hardware-based security environment

The QC risk to a Hardware Based Security Environment (HBSE) is that each implementation might not be optimized for QSC.

Key management during migration

Key management is essential for all cryptographic applications. Many Key Management Systems are likely to be in use, with multiple different formats.

Trust management during migration

According to the information in clause 5, the inventory has identified trust infrastructures.

Isolation approaches during migration

Because not all systems will be updated at the same time, sub-systems should be isolated to discrete security domains.

Access to non-QSC protected resources after migration

It may not be economically feasible to migrate all encrypted assets to a QSS. Non-QSC assets should be physically moved to explicitly identified quarantine zones where they can be risk managed.

Certain requirements must be met before the migration can be executed. Business processes need planning, including:

  • Appointing a migration manager
  • Allocation of budget for migration
  • Management of down time

Stage 3 – Executing Migration

You can begin stage 3, executing the migration, after completing inventory compilation (stage 1) and preparation of the migration plan (stage 2). The purpose of stage 3 is to implement the stage 2 plan against stage 1’s inventory.

Mitigation management

Management checkpoints provide the metrics needed to track the progress of the migration. When these checkpoints are missed, the mitigations included in the plan should be followed. An essential part of mitigation management is conducting exercises that simulate and test the migration. The goal of this is to determine whether the plan is viable.

Making an organization quantum resistant requires an understanding of the requirements and their translation into a roadmap. 

Stage 3 business process requirements

There are three elements of management required during a QSC to Fully Quantum Safe Cryptographic State migration. To promote successful management, the migration manager should:

1. Be in charge of and responsible for the process

2. Be given organizational and financial backing

3. Not stop partway through any phase of the migration plan

ETSI focuses on migrating from a non-Quantum Safe Cryptographic State to a Fully Quantum Safe Cryptographic State (FQSCS). ETSI’s recommendation is also to ensure a safe migration through a staged approach. Before commencing migration, testing the readiness of an organization’s infrastructure is strongly recommended. Identifying and evaluating vulnerabilities may show that security measures need to be replaced or upgraded, and this should allow for a realistic time frame for the implementation. Start by testing PQC algorithms in your environment!

References

ETSI TR 103 619 V1.1.1 (2020-07) CYBER: Migration strategies and recommendations to Quantum Safe schemes (2020), by the ETSI Technical Committee Cyber Security (CYBER)
 
