Khatim PKI Server supports Post Quantum Cryptography (PQC)
In the rapidly evolving digital landscape, security is a moving target. With the rise of quantum computing, traditional cryptographic methods are no longer future-proof. Enter Post Quantum Cryptography (PQC)—designed to safeguard against the computational power of quantum computers. Staying ahead of the curve, Khatim PKI Server v5.0 offers experimental support for PQC algorithms, empowering PKI administrators to start future-proofing their security infrastructure today.
Why Post Quantum Cryptography Matters for PKI?
We all know that quantum computing has the potential to break widely-used cryptographic algorithms like RSA and ECC which is the core building blocks for PKI solutions. Due to rising threats, the National Institute of Standards and Technology (NIST) has introduced new standards based on post-quantum cryptographic algorithms designed to resist quantum attacks. The focus is on lattice-based, hash-based, and other quantum-resistant methods, such as those outlined in the CRYSTALS-Dilithium and Kyber algorithms, which offer secure replacements for key exchange and digital signatures. The migration process is expected to take years and will involve extensive updates to software and hardware infrastructures worldwide.
Dilithium OIDs
Khatim PKI Server v5.0 supports the following signing algorithm OIDs for Dilithium as defined by the CSRC:
- 2.16.840.1.101.3.4.3.17
- 2.16.840.1.101.3.4.3.18
- 2.16.840.1.101.3.4.3.19
Dilithium emerged as a finalist in NIST’s initiative to identify cryptographic algorithms resistant to quantum computing advances. This ensures securing signing and verification for applications like:
- PKI
- Document signing
- Secure communication
Dilithium uses mathematical constructs called structured lattices to provide cryptographic strength and is notable for its balance of security, efficiency, and small key/signature sizes.
PQC in Action: What’s Supported in Khatim PKI Server?
Setting up PQC is as straightforward like configuring non PQC cryptographic algorithms. With Khatim PKI Server’s PQC-ready features, PKI admins can generate critical cryptographic objects secured by Dilithium. In the blog, we’ll go through to see how Khatim PKI Server allows PQC to setup for different use cases such as:
-
CA Certificates & CRLs
-
OCSP Responses
-
Timestamp Responses
-
End Entity Certificates
-
PKCS#1 Signatures/Verification
Setting up Root CA/ Sub CA & CRLs
To create a PQC based CAs, while creating a CA, select Dilithium signing algorithm. You can also choose security levels from from Dilithium 2, Dilithium 3 & Dilithium 5.
Once done and downloaded, you can install the CA on Windows and confirm the Dilithium OID inside the Public Key and signature algorithm.
Note: As Windows OS currently doesn’t supprt PQC algorithms hence these certificates can’t be verified.
Configuring CRLs
Similarly you can configure Khatim PKI Server to issued CRLs signed using Dilithium.
Setting OCSP response signing certificate with PQC
You can either use your PQC based CA certificate or issue an PQC based OCSP certificate to sign OCSP responses. To generate PQC based OCSP signing cert, first go to Key Vault > System Keys and generate a Dilithium key pair.
Once done, admin can issue a corresponding PQC certificate.
These certificates can be setup inside Khatim OCSP Server > Policies to respond with PQC OCSP signatures. You can use any OCSP client tool e.g. OpenSSL to test this out. The PQC algorithm can also be checked using OCSP Transaction logs:
Securing Timestamping using PQC
Similarly PKI admin can generate a key pair for timestamp service using Dilithium, issue it’s certificates and finally configure it inside Timestamp Server > Policies. You can use any timestamp client tool to test. You can then confirm the PQC algorithm using Timestamp Transaction logs:
Generating user, device, machine certificate using PQC
Khatim PKI Server’s Certificate Provider (CP) allows business applications to generate any type of X.509 certificates. There are two options:
-
Send CSR requests to issue certificates
-
Geneate keys inside HSM and then certify them
For both cases, PKI Admins can configure policies inside Certificate Provider to generate PQC based End Entity certificates. For this setup a PQC policy:
Here:
-
Key Control can be set to SERVER or CLIENT_CSR (for CSR)
-
In case of SERVER, admin can configure Dilithium as Key Algorithm
-
In case of CSR, the key algorithm is controlled by the requestor while the signing algorithm is set by the issuing certificate which can also be Dilithium
Using Certificate Provider restful interface, PKI Admins can then send certification requests using PostMan or their business application. Once certificate is generated these can be viewed inside the CA > Issued certifcates section i.e.
Enabling PQC for PKCS#1 Signatures
Khatim Sign Server v5.0 also supports generating PKCS#1 signatures using Dilithium algorithm. You need to:
-
Setup a PKCS#1 policy
-
Sending signing request using portman
-
Verify the signature using verification engine
The signing engine’s transaction logs guide you the signature algorithm.
The PKCS#1 generated using KPS using PQC can be verified using Verification engine.
Note: In future, Khatim Sign Server will support PQC algorithms for PAdES, XAdES, CAdES, JAdES and ASic container based signature formats.
Note: NIST has just announced the planned deprecation of the widely used RSA-2048 encryption standard as part of its ongoing efforts to transition to post-quantum cryptography.
Conclusion
While mainstream operating systems are still in the process of integrating post quantum cryptographic (PQC) algorithms, Codegic is ahead of the curve. By introducing experimental PQC support in Khatim PKI Server, Codegic empowers organizations to proactively adapt to the emerging quantum-resilient security landscape.
With this innovative feature, PKI administrators can explore key PQC algorithms, such as Dilithium, to safeguard their cryptographic infrastructure against potential quantum threats. This initiative not only enables early adoption but also equips users with tools to experiment and understand PQC technology firsthand.
By choosing Khatim PKI Server, you’re not just preparing for a quantum-safe future—you’re actively leading its transformation. Get in touch with our team to obtain a trial version and experience the PQC capabilities yourself.