DOI: 10.1145/3655693.3655719
research-article

PMMP-PQC Migration Management Process

Published: 05 June 2024

Abstract

Organizations have to plan on migrating to quantum-resilient cryptographic measures, also known as PQC. However, this is a difficult task, and to the best of our knowledge, there is no generalized approach to manage such a complex migration for cryptography used in IT systems that explicitly integrates into organizations’ steering mechanisms and control systems. We present PMMP, a risk-based process for managing the migration of organizations from classic cryptography to PQC and establishing crypto-agility. Having completed the initial design phase, as well as a theoretical evaluation, we now intend to promote PMMP. Practitioners are encouraged to join the effort in order to enable a comprehensive practical evaluation and further development.



Published In

EICC '24: Proceedings of the 2024 European Interdisciplinary Cybersecurity Conference
June 2024
235 pages
ISBN: 9798400716515
DOI: 10.1145/3655693

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Crypto-Agility
2. PQC Migration Management Process (PMMP)
3. Post-Quantum Cryptography (PQC)

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• ATHENE National Research Center for Applied Cybersecurity

Conference

EICC 2024
