Encryption keys act like locks protecting your data. Robust keys guarantee that your information can only be accessed by authorized personnel, thereby reducing the risk of data leakage or theft.

The length of the key determines the number of possible combinations needed to guess it. A 256-bit key, for example, provides far greater protection than a 128-bit key, as it is exponentially more difficult to crack.

The choice of algorithm depends on the use context. AES is ideal for large-scale data encryption, while RSA or ECC are preferred for secure exchanges.

Weak or misconfigured keys can easily be compromised by brute-force attackers with serious consequences: financial losses, damage to the company’s reputation, or legal repercussions (GDPR), …

The security of today’s exchanges is based on public-key cryptography whose robustness depends on the current impossibility of solving certain complex mathematical problems.

However, with the progress made by quantum computers in recent years, there is a non-negligible risk, referred to as the “quantum apocalypse“, of those machines cracking existing security keys (notably RSA keys), which would systemically compromise the security of all our communications and financial transactions.

To anticipate such an eventuality, “post-quantum” cryptography uses new keys. Based on mathematical problems that quantum computers can’t solve, post-quantum keys are a solution to the quantum threat.

There are currently four algorithms on which these new keys are based. They have been published by the NIST (National Institute of Standards and Technology).

Their names are: CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+ and FALCON. Apart from Sphincs+, which uses hash trees, the other three are based on problems that are difficult to solve on Euclidean networks.

Post-quantum keys are capable of running on conventional computers, making them easy to deploy. Businesses and institutions need to acquire “crypto-agility” now, i.e. be able to update the security keys used in their systems very quickly. Because post-quantum keys can potentially be cracked overnight, requiring swift replacement.

Cryptographic keys must be protected from loss, corruption or unauthorized access.

Different tools are available to meet the challenge:

To avoid the risks associated with extended key use, it is advisable to implement regular rotation policies, for example every six or twelve months, in line with industry security standards.

In the event of a proven risk of compromise, the compromised key must be revoked immediately to prevent its misuse. If it is associated with a digital certificate, the certification authority must be contacted to revoke the certificate and report it using a list while informing the parties concerned.

A new key pair must then be generated in a secure environment and effectively protected using solutions such as an HSM (Hardware Security Module) or a KMS (Key Management Service). Finally, the compromised key must be replaced in all the impacted systems, the certificates updated, the secure connections renegotiated, and sensitive data re-encrypted if necessary.

Moreover, it is more necessary than ever to keep abreast of security standard developments, as they are constantly evolving with new technologies and the ongoing emergence of new threats. Keeping up to date with best practices and recommended algorithms guarantees optimum protection.

The choice and management of encryption keys are essential to guarantee data security. By adopting robust keys, revoking them as soon as a proven risk of compromise occurs, and using appropriate management tools, CIOs and CISOs effectively strengthen the protection of their companies’ sensitive information. In the face of emerging threats, notably quantum computing, anticipating them by adopting post-quantum keys becomes essential to maintaining a high level of security.