Open Access Article

Title: Impact of post-quantum hybrid certificates on PKI, common libraries, and protocols

Authors: Jinnan Fan; Fabian Willems; Jafar Zahed; John Gray; Serge Mister; Mike Ounsworth; Carlisle Adams

Addresses: Information Security Research Group, School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Ontario, Canada ' Information Security Research Group, School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Ontario, Canada ' Information Security Research Group, School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Ontario, Canada ' Entrust, Ottawa, Ontario, Canada ' Entrust, Ottawa, Ontario, Canada ' Entrust, Ottawa, Ontario, Canada ' Information Security Research Group, School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Ontario, Canada

Abstract: In this work, we assessed the impact of post-quantum (PQ) cryptography on public key infrastructure (PKI). First, we modified a commercially available certification authority (CA) to issue 'hybrid' certificates (X.509 certificates with PQ extensions). Then we assessed the impact of using these certificates on some existing protocols, including TLS, OCSP, CMP, and EST, with open-source libraries OpenSSL and CFSSL, and with a commercially available cryptographic toolkit. We found that most of the protocols and libraries we tested worked with hybrid certificates, and some of the failures could be overcome with minor modifications to the existing software. Our work differentiates from and extends previous work by focusing on the impact of PQ algorithms on certificate issuance, revocation, and management protocols, which are necessary for enterprises to manage PKI in their environments. The impact on TLS is also investigated, allowing consistency with previous results to be evaluated.

Keywords: post-quantum cryptography; security; certification authority; certificate authority; X.509 certificates; hybrid certificates; public key infrastructure; PKI; OpenSSL; transport layer security; TLS; online certificate status protocol; OCSP; certificate management protocol; CMP; enrollment over secure transport; EST.

DOI: 10.1504/IJSN.2021.117887

International Journal of Security and Networks, 2021 Vol.16 No.3, pp.200 - 211

Received: 05 Mar 2020
Accepted: 04 Oct 2020

Published online: 24 Sep 2021 *