EJBCA and post quantum preparedness
EJBCA (Enterprise Java Beans Certificate Authority) is an open-source software for managing Public Key Infrastructure (PKI). PKI is used to create, manage, distribute, use, store, and revoke digital certificates which enable secure communication over the internet. EJBCA is platform independent and can easily be scaled out to match the needs of your PKI requirements and it is also developed in Java and runs on a JVM such as OpenJDK, available on most platforms such as Linux and Windows.
The migration to Post Quantum Cryptography (PQC) is and will be the largest cryptographic transition implemented and will affect every application in some way that currently use asymmetric encryption, that is, all applications using one of the RSA, EC, or Ed algorithms since these could all be potentially broken by a cryptographically relevant quantum computer in the future, if one can ever be built. So, EJBCA is constantly working towards incorporating PQC into its functionality by following and incorporating some or all of the NIST (National Institute of Standards and Technology) approved PQC algorithms. NIST is leading an ongoing competition to select a suite of PQC algorithms that will become THE STANDARD for PQC in the near future. Currently, you can implement PQC with EJBCA by integrating it with other libraries, for instance like, for example, Bouncy Castle (a FIPS-certified open-source library for Java which already supports some NIST-standardized PQC algorithms) and then use those PQC algorithms to manage your certificates and keys. Also it’s important to note that although NIST approved these algorithms they are only candidate algorithms for PQC and can change in the future **1.
For general encryption or public-key encapsulation mechanism (KEM), used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its fast speed. For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the algorithms: CRYSTALS-Dilithium, FALCON and SPHINCS+. Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach (based on solving structured lattices) than all other NIST’s algorithm selections. NIST also announced that the PQC standardization process is continuing with the following KEMs still under consideration: BIKE, Classic McEliece, HQC and SIKE. The NIST standardization process is pending to be finalized sometimes during 2024 and its official status can be checked out here **2.
As mentioned above, EJBCA can utilize PQC algorithms through the Bouncy Castle library which already includes implementations for all the above mentioned algorithms: CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon and SPHINCS+. SPHINCS+ was available in version 1.71 and for 1.72 it has been upgraded to SPHINCS+ 3.1 and Haraka support has been added to it **3.
In EJBCA, you can also run multiple PKI hierarchies on a single server instance, consolidate configuration and govern certificate policies centrally and view detailed (and optionally signed) audit and transaction logs all in one place. Better yet, CAs and certificate templates can easily be configured without requiring admins to be PKI experts.
Certificate formats and standards supported by EJBCA:
– RFC5280 compliant X.509 certificates and CRLs
– PKCS#10, CRMF and SPKAC certificate requests
– PKCS#12, JKS, PEM and PKCS#11 keystores
– EN 319 412 eIDAS compliant certificates
– C-ITS enrollment credentials as per ETSI and IEEE
– OCSP compliant with RFC6960 and RFC5019
– Payment Service Directive 2 (PSD2) ETSI TS 119495 Section 4
– ICAO 9303, EAC 1.11 and EAC 2.10 ePassport and eID
– RFC6962 compliant Certificate Transparency
Protocols supported by EJBCA:
– ACME, EST, and SCEP enrollment/management protocols
– CMP and CMP 3GPP for 4G/5G mobile networks
– Microsoft Auto Enrollment
– Rest API
– Web Services
Hardware security modules (HSMs) supported by EJBCA:
Thales Luna, Entrust nShield, Utimaco, Yubico, AWS CloudHSM, Azure Key Vault, Managed HSM, Fortanix DSM and other PKCS#11-compliant modules. **4
Tutorial for issueing quantum-ready certificates with EJBCA: https://doc.primekey.com/ejbca/tutorials-and-guides/tutorial-create-a-post-quantum-pki
Tutorial for quantum ready-data signing with EJBCA: https://doc.primekey.com/signserver/tutorials-and-guides/tutorial-signserver-post-quantum-signing
References:
**1 KeyFactor Post Quantum readiness article: https://www.keyfactor.com/resources/quantum-leap/2024-state-of-quantum-readiness-report?contentType=whitepaper
**2 NIST PQC standardization status: https://csrc.nist.gov/projects/pqc-dig-sig
**3 Bouncy Castle PQC algorithm support: https://www.keyfactor.com/blog/post-quantum-algorithm-update-in-bouncy-castle/
**4 EJBCA Enterprise datasheet: https://www.keyfactor.com/resources/content/ejbca-enterprise-datasheet?lx=6IfNm7