Luna HSM: TalkingTrust Video Series

Secure your devices, identities and transactions with
Thales Luna HSMs and ecosystem partners – the foundation of digital trust

TalkingTrust with Thales and Isara – Quantum Safe Crypto

The quantum era is quickly approaching, threatening to impact security as we know it. But how will it really impact you, and how can you prepare? In this TalkingTrust video you will learn about:

  • The quantum landscape and where we’re at
  • The quantum threat to use cases and industries and how it impacts internet security
  • How crypto agility enables you to quickly react to cryptographic threats
  • How to ensure your IoT devices can remain in use and secure from spoofed software updates
  • Why it’s important to start preparing today with solutions that are readily available
  • How Luna HSMs provide the foundation of trust for Isara's Quantum Safe Security solutions with its keys in hardware approach



Thales and Isara discuss the quantum landscape and where we’re at, the quantum threat impacting internet security, how crypto agility enables you to quickly react to cryptographic threats, securing your IoT devices from spoofed software updates, and preparing today with solutions that are readily available.

David Madden, Director of Business Development at Thales
Angelo Fasulo, VP Executive: Sales & Marketing, Channel, Technology Partnerships, Operations, B2B & B2C, Isara 


Video Transcript

TalkingTrust Series – Thales and Isara – Quantum Safe Crypto 


00:10 Hello everyone. 

00:11 We're here today to talk about quantum

00:13 crypto,

00:14 what is available and where the market

00:17 is, and we're glad to have

00:18 here today my colleague Angelo Fasulo, 

00:22 Director of

00:23 Strategic Partnerships with our

00:25 quantum partner Isara,

00:27 who's one of the leading experts in

00:29 the quantum crypto industry,

00:31 and he's here today to help us

understand this critical

00:35 and emerging market. So let's get started

00:37 with the short history

00:39 and background of quantum, including some

00:41 of the challenges of adjusting

00:42 organizations

00:44 who are dealing with innovation, cloud

00:46 IoT, and digital transformation,

00:48 and some of these impacts, so to start

00:49 with a little history.

00:51 Sure, that sounds good Dave. Thanks for

00:54 having us. Isara is

00:56 very happy to be a partner of Thales

00:59 and join you and the client base

01:02 on the journey

01:03 to quantum safe, and we thought

01:05 we'd start off with a few

01:07 slides to kick off the discussion, so

01:09 I'll

01:12 start here. So just generally

01:13 speaking, there is a ton

01:16 of good great content

01:19 available on quantum

01:22 computing,

01:24 how quantum computing is going to sort

01:27 of

01:27 revolutionize the compute industry, and

01:30 the different things that quantum

01:31 computing

01:33 is going to be able to do that a

01:35 traditional computer

01:37 can't do. I'm by no means an expert in

01:40 the field. I'm on the

01:41 business side, but at a high level 

01:43 so everybody understands,

01:46 quantum computers will be able to

01:49 solve problems that traditional

01:50 computers

01:52 don't solve, and today there are a number

01:55 of

01:55 nations, virtually all of big tech,

01:59 that are investing very heavily in

02:03 making sure that this materializes and

02:05 that this happens. With

02:06 right now moving from theoretical

02:09 to practical, and then you know there's

02:12 the next challenge which is going to be

02:14 moving from

02:15 practical to actual commercial use cases. 

02:18 But there will be a time it isn't a

02:19 matter of if it is, more of

02:21 a matter of when. 

02:22 When companies will be

02:25 able to

02:25 get shared quantum computing

02:28 services

02:29 in the cloud, and use those services

02:32 to improve things like drug design,

02:33 machine learning,

02:36 big data optimization for financial

02:40 modeling, optimization for traffic

02:42 modeling, all sorts of really cool

02:45 and exciting stuff. Now one thing

02:48 as well, and it's kind of why we're here

02:50 today and why

02:51 Isara and Thales is partnering,

02:54 is one of the big problems that quantum

02:56 computers will be able to solve. 

02:58 Factoring is complex math and

03:02 as all of you know complex math is

03:04 behind

03:05 the algorithms that are used to

03:08 protect

03:09 pretty much all layers of our

03:12 technology infrastructure. Crypto is

03:16 pretty much everywhere in the technology

03:18 stack

03:19 and that crypto, specifically

03:22 asymmetric crypto, is a

threat. Using something called Shor's

03:26 Algorithm,

03:27 with the right quantum computing

03:29 computer, in the wrong hands - 

03:33 you know it's very important that

03:35 customers

03:36 start to, and when I say customers, I mean

03:39 customers of ours, customers of Thales,

03:41 we mean anyone from an

03:43 enterprise

03:45 to government should really start to

03:48 prepare

03:49 for migrating their cryptography so that

03:52 it's

03:52 quantum safe, and Angelo, to your

03:55 point, you know we're really looking at

03:56 digital transformation here. I mean

03:58 at the end of the day, everybody's moving

04:00 to a digitally transformed business.

04:02 So in effect when we talk about

04:04 customers, we're literally talking anyone

04:06 that's going to be here

04:07 10 years from now. They've got

04:09 to start worrying about this today,

04:11 and one thing,

04:14 one of the things,

04:14 I think we've all seen 20

04:16 years ago was

04:18 Y2K was a big issue. People

04:22 had to move from old systems to new ones

04:24 and it sounds like

04:25 with quantum we're seeing something

04:27 similar. Can you describe this in a little

04:28 more detail?

04:29 Yeah, and you know there's a common

04:31 term in the quantum industry Y2Q. 

04:33 The difference between Y2K and Y2Q is

04:36 with Y2K we knew when it was going to happen

04:38 but we don't know when it’s going to

04:39 happen for Y2Q. 

04:41 It's the opposite. We know what's

04:43 going to happen, we just don't know

04:45 when.

04:45 It is actually going to happen so what

04:48 we advise

04:49 most organizations now

04:52 is to focus on crypto agility, which

04:55 essentially means

04:57 getting themselves ready, and that's

05:00 different

05:00 depending upon the type of organization

05:02 that you're in. 

05:03 For example, if you are an organization

05:06 that builds

05:06 long life devices, satellites,

05:09 infrastructure,

05:11 cars, anything that has to be in the

05:14 field for a long period of time,

05:16 those solutions that you are shipping

05:19 out now

05:20 need to be quantum safe essentially now

05:23 because you know they're going to be in

05:24 life

05:25 for the next 10 or 15 years, and that

05:27 they will be susceptible to a threat

05:30 during that time. So we're encouraging

05:33 you know a lot of the preparation to

05:35 begin through

05:36 POCs for those companies to understand

05:39 the algorithms, understand how they will

05:41 perform

05:42 in their chips, in their memory, in their

05:44 communication,

05:45 in their sensors, so that their next 

05:48 product life cycle will have

05:50 quantum safe algorithms embedded. That's

05:52 one place, and the other

05:53 place is

05:54 for large enterprise, financial

05:56 institutions,

05:58 governments, anybody with a very complex

05:59 PKI.  I think we all know that it's

06:02 extremely

06:02 difficult and complex to migrate and

06:06 to

06:06 upgrade cryptography across the board, so

06:09 starting now and putting together those

06:11 plans

06:12 is a really critical, important

06:14 element

06:15 to the whole piece of the puzzle.

06:17 Right, and I guess like Y2K, to your point

06:20 people didn't really think

06:22 about that when they started building

06:23 computer systems, but today

06:25 we can start planning as you say for

06:27 crypto agility and quantum

06:29 now. Get it right, and by the way, as you

06:31 say in this slide,

06:32 people have to start worrying about this

06:34 stuff today to get it right.

06:36 You know, 10, 20 years from now when we

06:38 know

that those Shor's Algorithms can be

06:41 broken, so how are we approaching this

06:43 from

06:44 a more specific view Angelo. Can we

06:46 describe in a little more detail

06:48 how we're approaching these customers?

06:51 One thing that we often get

06:54 asked about quite a lot is when

06:57 will,

06:59 how do you know what is going to be safe, 

07:00 what are the right algorithms

07:02 to use, et cetera. Right now NIST is going

07:05 through a very detailed

07:06 process, a selection process. Isara

07:09 as an example that follows that process very

07:11 closely. 

07:13 NIST will sort of lay the foundation

07:17 of what are the right algorithms

07:19 to be used and for the right, different use

07:21 cases,

07:23 so it's a matter for companies to do a

07:25 few different things.

07:26 Understand their infrastructure, follow

07:29 the process

07:30 that NIST has worked with vendors who are

07:33 also following

07:34 that same process so that when the time

07:36 is right,

07:37 they can move from early

07:40 evaluation,

07:41 to POC, to production. So

07:44 Isara at its core has a

07:47 quantum-safe toolkit. That quantum safe

07:50 toolkit basically allows developers to

07:53 take those algorithms and easily

07:55 implement those in their environment you

07:58 know. One of the partnerships that we

07:59 have, one of our

08:00 strongest partnerships, is with Thales,

08:02 and that's why we're here today

08:04 with Dave.

08:05 Thales has taken that tool kit and

08:08 embedded it

into its Luna HSM, and

08:11 a customer can then take that HSM

08:15 and start to use the algorithms in a

08:18 number of different

08:19 use cases. That's what we're

08:23 encouraging clients to do, look at things

08:25 like

08:26 code signing, document signing,

08:29 certificates,

08:30 smart cards, and look at ways to start to

08:34 prepare to make those

elements of their

08:38 infrastructure

08:39 quantum safe. That's what

08:41 Thales and Isara

08:43 work together on.

08:46 One of the things I think is

08:47 interesting as we talk about crypto

08:49 agility is 

08:50 people are probably familiar with a

08:51 hardware security module being either a

08:52 physical device

08:54 that's stored on-premises safely or run

08:57 in the cloud,

08:58 and as you say, well if we've got crypto

09:00 agility what happens if

09:02 different crypto algorithms become

09:04 ratified by NIST. How do we evolve

09:06 those change over time?

09:08 One of the things that Isara and

09:09 Thales have done is have what's called a

09:11 functionality update to the HSM, to

09:13 support those different

09:15 algorithms for quantum safe

09:18 algorithms 

09:18 over time as part of the Isara toolkit,

09:21 and then leverage those as we say into

09:23 these different

09:24 partners like DigiCert for code

09:26 signing, document signing,

09:28 public infrastructure, so you can issue

09:30 quantum safe keys

09:32 today and use them down the road as well.

09:35 So let me ask this though.

I'm sure what’s going through a lot of people's

09:37 minds is what about NIST

and this certification process? I'm

09:41 hearing there's a number of candidates.

09:44 Angelo, can you describe in a little more

09:45 detail how that's going. Who might win

09:48 and how do customers think about this.

09:50 That's a good question, and I think

09:53 we all have to keep in mind

09:54 that it is

09:56 going to be a continually evolving

09:59 process.

10:00 We're all going to learn what

10:03 algorithms are,

10:04 the best algorithms for the best use

10:06 cases, and then we'll all 

10:08 efficiently use those algorithms in the

10:10 best way and process

10:11 possible, and NIST is the

10:13 leader to

10:16 put those standards together for

10:18 us so then we can follow suit. So what I

10:20 mean, what Isara

10:22 does, this is a good

10:24 slide that covers it. 

10:26 We take the NIST candidates,

10:29 and NIST has gone through this selection

10:30 process.

10:31 The selection is getting

10:33 narrower and narrower

10:35 than even within the algorithms,

10:38 things will

10:39 change so we have extensive

10:42 researchers who

10:43 follow that process, look at the

10:47 algorithms, figure out the best way to

10:50 optimize it, and then basically

put it in a kit so that developers

10:56 don't have to do all of that work. 

10:58 They can make it easy for

11:00 developers to then go and use those

11:01 algorithms for the products that they're

11:03 trying to

11:04 bring to market. So 

11:07 with a Thales functionality module on an

11:10 HSM, and

11:10 the Isara toolkit, what you're

11:12 getting is ongoing

11:15 support and an ongoing 

11:18 commitment to the evolution of our

11:20 products

11:21 as the NIST process gets finalized.

11:25 And even after finalization as it

11:27 changes,

11:28 we can ensure that our toolkit

11:30 will always have those latest and

11:32 greatest changes

11:33 and make it easy for customers to evolve

11:35 their products. 

11:36 The best thing to do though

11:38 right now is to start,

11:40 is to take certain algorithms,

11:44 work with parties like us or open source

11:48 or a bit of both,

11:49 and to start to test, to start to

11:51 understand how they perform

11:53 within your environment, within your

11:55 product, so you

11:56 get the familiarization and you can more

11:58 easily and more confidently put a

12:00 plan in place to go to

12:03 market. A good

12:04 example of that is probably

12:07 right here with actually

12:08 code signing. We probably find 

12:12 code signing to be the most

12:13 common use case today.

12:16 If you take anyone who has a

12:19 long life

12:20 device, if you are in the infrastructure

12:23 business

12:24 and you have things that are going to be

12:27 in the field for

12:28 10, 15 years, you know that they are going

12:31 to be susceptible

12:32 to a looming threat, and you would want

12:35 to take something like

12:37 our toolkit and start to

12:40 embed those algorithms into the

12:43 different elements of your

12:45 overall

12:45 code signing solution. Right, so we work

12:48 with

12:49 Thales so that your Luna HSM can be enabled

12:52 with

12:53 those algorithms. You might have a code

12:56 signing service,

12:57 internal or external, you would want to

13:00 make sure that that service

13:02 is enabled with the algorithms. If you're

13:06 at the point where that service

13:07 eventually will be

13:09 a certificate authority like a DigiCert

13:12 for example,

13:13 or your internal certificate

13:17 services, you want to make sure that they

13:19 understand

13:20 the algorithms and then finally you know

13:22 the verification of those algorithms on

13:24 the actual end

13:25 device itself. So we look at this

13:28 as

13:28 the four different components in

13:31 the total solution that you would want

13:33 to make quantum safe,

13:35 and what Dave and I have both found

13:38 because we've been now

13:39 talking to a lot of enterprises over

13:41 the last year or two, 

13:42 typically where one would start

13:44 is with the HSM

13:47 and getting an HSM into some sort of

13:49 POC environment

13:51 to host the algorithms and to start

13:54 the process off.

13:56 That's a great example Angelo, and

13:58 as a lot of people are aware 

14:00 code signing’s been around for a

14:01 couple of decades now.

14:03 Organizations are improving their

14:05 processes to make them more

14:06 robust if you will, and you know

14:08 there's been a number of

14:10 very high profile issues around the code

14:13 sign process of whether it's

14:14 authentication to that process,

14:16 securing the keys without process. But

14:19 as they say, there's been a lot of issues

14:21 and this is one of the use cases that's

14:23 you know as

14:24 companies become more digitally focused on

14:26 services software,

14:28 cloud native containers, they have to

14:31 worry about

14:32 protecting those digital assets in a

14:34 very secure way. And

14:35 you know, code signing has been around

14:37 for a long time, and with Isara what

14:39 we're trying to do is

14:40 ensure that not only with today's crypto

14:42 they can secure their

14:44 digital assets, they can also do this in

14:46 a secure way

14:47 in a crypto agile world with quantum, and

14:51 this is really part of our

14:52 whole Modern HSM and modern story at

14:55 Thales as

14:56 we help our critical customers on

14:58 their path to digital transformation.

15:00 So let's take a closer

15:03 look now at

one question that I think a lot of

15:06 people have. Angelo, I know

15:08 you don't control this process,

15:10 but as you say Isara and your team are

15:12 very

15:13 close to the team, but if you had to

15:14 guess, is there a high-level time frame

15:16 that you anticipate NIST finalizing

15:19 some of these details for us

15:21 around this. Is it a year out, is it two

15:23 years out?

Yes, NIST is already making tons

15:27 of 

15:28 progress right now. They've issued a

15:30 stateful, or a special publication

15:32 on stateful hash-based algorithms.

15:35 Stateful hash-based algorithms are

15:37 really good for

15:39 code signing, so

15:42 the process evolves but

15:45 you'll see updates in between 2022 and

15:49 2024, and you can expect a lot of

15:52 finalization to occur within that period.

15:55 I think it could happen

15:58 in

15:58 pieces versus all at once, but the

16:01 good news is that progress

16:03 is there and what we're 

16:06 kind of encouraging that 

16:09 you look at that process between

16:11 now and 2026. You really should have

16:13 everything

16:14 ready and underway and being able to

16:17 execute,

16:18 because thereafter, five or ten

16:21 years after that,

16:22 the threats could really

16:25 be more than just

16:26 the conversation that we're having

16:27 right now and we can start to see some

real examples. So it's best to be

16:32 prepared.

16:33 Great and to your point, the first

16:35 link that we're going to share with you

16:36 is our

16:37 Crypto Agility Risk Assessment tool, and

16:39 this was designed for CISOs to

be able to run through an

16:44 assessment in 10 minutes online,

16:46 and calculate their organization's risk

16:48 profile. Someone

16:49 building cars or planes

16:52 or trains may have a longer

16:54 assessment than someone building

16:55 software services, but

16:57 in either case it's vital now to take an

17:00 assessment. And then of course the second

17:02 phase is

17:02 to try this out as a POC with

17:05 the Isara toolkit

17:06 that one can use with our Thales Luna

17:08 HSMs running the

quantum safe crypto. Plug that into

17:13 third-party applications like a

17:15 DigiCert PKI

17:16 to create applications like code signing and

17:18 have quantum crypto safe

17:21 code signing solutions.  So thanks

17:23 again for joining us today on this talk

17:25 Angelo.

17:26 As I say, Isara is a critical partner of

17:28 Thales as we

move to this agile crypto world,

17:32 and we're going to be building solutions

17:34 now and for the next

17:36 decade to help secure companies as they

17:38 transform their businesses digitally.

17:40 This has been part of our Modern HSM

17:42 campaign and hope you've enjoyed this. As

17:44 I said, there's lots more information

17:46 we can share with you if you click on

those links, and please feel free to reach out if

17:49 you have questions or ideas.

17:51 I want to thank Angelo for joining

17:53 us today and hope

17:54 this webinar was useful. Thanks for

17:57 having us Dave.  

17:57 Take care. Take care everybody.

Post-Quantum Crypto Agility Risk Assessment Tool

Are you post-quantum ready? In just 5 minutes you will gain a better understanding of your organization’s post-quantum breach risk.

Securing Emerging Technologies with Thales Luna HSMs - Solution Brief

In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...

Becoming Crypto Agile and Quantum-Safe with Thales Luna HSMs - White Paper

This white paper will focus on the use of Thales Luna Hardware Security Modules to enable the most seamless, trustworthy and cost-effective method of transitioning to quantum-safe security with a crypto agile solution. The challenges and solutions outlined within will show how...

Thales and ISARA Corporation - Solution Brief

The onset of large-scale quantum computing will break current public-key cryptography, resulting in widespread vulnerabilities within everything that connects and transacts. This results in a unique problem for long-lived connected devices deployed today which need to remain...

Luna Network HSM

Luna Network HSM - Product Brief

Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...

ISARA Radiate Quantum-Safe Toolkit

The ISARA Radiate Quantum Safe Toolkit includes a high-performance, standards-based quantum-safe cryptographic library and integration tools built for developers. 

Guide: Managing Crypto and Quantum Risk

A non-technical and hype-free explanation of what’s at risk, what you can do, and why you should act now.