
Already have a hybrid CA? And can we see it?

This question could easily come from the script of a sequel to the film Ball Lightning. It is far more likely, though, to be asked by a security auditor, and not years from now either.
This article explains how to combine traditional keys with signatures that resist quantum attacks, because the post-quantum threat will not wait until you have time for it.
Local CAs, whether a single root certificate or a large PKI, have become a critical part of almost every organization. With the growing risk of quantum attacks, the question of their post-quantum security is moving to the fore.

What is a Hybrid Certification Authority?
A hybrid certificate authority (CA) is essentially the same combination of X.509 certificate and signing key that you use today, plus a second key and signature made with an algorithm designed to resist quantum attacks. Current examples of such signature algorithms are Dilithium (standardized by NIST as ML-DSA in FIPS 204) and Falcon, which has not yet been approved.
The advantage of the hybrid approach is backward compatibility: devices that cannot handle post-quantum cryptography simply use the traditional key and signature and ignore the post-quantum part, while devices that can verify both are protected against future quantum attacks. Note that this protection only materializes on verifiers that actually check the post-quantum signature; a verifier that ignores it is exactly as secure as it is today.
Deployment? Surprisingly simple
You may be surprised to learn that deploying a hybrid CA as a self-signed local authority is not difficult. OpenSSL, probably the best-known library, has supported post-quantum and hybrid keys since version 3 through its provider interface, with the Open Quantum Safe project supplying the oqs-provider module. A complete PKI can then be built on top of it, for example with Keyfactor's EJBCA. The hybrid root CA and sub-CAs created this way issue hybrid certificates that older OpenSSL versions can still verify, or that can be used in a Windows CA. One caveat: that backward compatibility holds for certificates that carry the post-quantum key and signature in non-critical alternative-signature extensions of an otherwise classical X.509 certificate, the form in which EJBCA issues hybrid certificates, because a verifier that does not understand the extensions ignores them and checks only the classical signature. A composite key, where the two algorithms are concatenated under a single new algorithm identifier, is an unknown key type to a legacy verifier and fails instead.
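As an added example (not code from the article, nor from the OpenSSL, Open Quantum Safe or EJBCA projects), here is the OpenSSL 3 side of that deployment as a shell script: a self-signed hybrid root, a leaf certificate signed by it, and verification both with and without the post-quantum provider loaded. It assumes an OpenSSL 3.x binary with oqs-provider installed as a loadable provider module; the algorithm name p256_mldsa44 (ECDSA P-256 paired with ML-DSA-44, the FIPS 204 name for Dilithium2) is an oqs-provider identifier whose spelling depends on the provider version, and the subject names and the WORK directory are placeholders. Because oqs-provider produces a composite key type, the legacy verification step shows the failure mode described above rather than the backward compatibility that alternative-signature extensions give. If the provider is not available, the script says so and exits cleanly.

```shell
#!/bin/sh
# Added example: hybrid (classical + post-quantum) root CA with OpenSSL 3
# and oqs-provider. Not from the article or any of the projects it names.
# Assumptions: openssl 3.x on PATH; oqs-provider installed where OpenSSL
# can load it (e.g. OPENSSL_MODULES). WORK and CA_ALG are placeholders.

WORK=${WORK:-$(mktemp -d)}
# oqs-provider name for ECDSA P-256 + ML-DSA-44; older provider versions
# spell the same hybrid p256_dilithium2.
CA_ALG=${CA_ALG:-p256_mldsa44}
# Provider options, kept unquoted on purpose so they split into arguments.
PROV="-provider oqsprovider -provider default"

oqs_loaded() {
    # succeeds only if this OpenSSL can load the oqsprovider module
    openssl list -providers $PROV 2>/dev/null | grep -q oqsprovider
}

make_hybrid_root() {
    # Self-signed hybrid root CA: hybrid key pair and certificate in one step.
    openssl req -x509 -new -newkey "$CA_ALG" -noenc \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" \
        -subj "/CN=Hybrid Root CA" -days 3650 $PROV
}

issue_leaf() {
    # Leaf key (same hybrid algorithm), CSR, then a root-signed certificate.
    openssl req -new -newkey "$CA_ALG" -noenc \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=service.example.internal" $PROV &&
    openssl x509 -req -in "$WORK/leaf.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.crt" -days 825 $PROV
}

verify_with_pq() {
    # PQ-aware verifier: provider loaded, so both signature components count.
    openssl verify -CAfile "$WORK/root.crt" $PROV "$WORK/leaf.crt"
}

verify_legacy() {
    # Same chain with no provider loaded: what an older verifier sees.
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt"
}

hybrid_ca_demo() {
    if ! command -v openssl >/dev/null 2>&1 || ! oqs_loaded; then
        echo "openssl 3 with oqs-provider not found; nothing to demonstrate"
        return 0
    fi
    make_hybrid_root && issue_leaf && verify_with_pq || return 1
    # Show the key type the CA actually carries: one composite identifier.
    openssl x509 -in "$WORK/root.crt" -noout -text $PROV |
        grep -i 'Public Key Algorithm'
    if verify_legacy >/dev/null 2>&1; then
        echo "legacy verify passed: oqsprovider is auto-loaded by openssl.cnf"
    else
        echo "legacy verify failed: composite key type unknown without the provider"
    fi
    return 0
}

hybrid_ca_demo
```

Run it with `WORK=/some/dir sh hybrid-ca.sh` to keep the generated keys; the root key written here is unencrypted (-noenc) for the demonstration only and would live in an HSM or at least an encrypted keystore in a real CA.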
When is the right time?
Are your root certificates about to expire? Or are you planning to strengthen them? Certificates are typically valid for five years or more, and, hand on heart, once a PKI is issued and in operation it is hard to regenerate without a strong motivation to do so. Now may therefore be the ideal time to move to a hybrid solution.
Do you already have your hybrid CA :)?
The author of the text is Martin Koucký, Head of Network and Application Security Department at ITS Joint Stock Company

