Crypto-agility, or cryptographic agility, is the capacity for an information security system to adopt an alternative to the original encryption method or cryptographic primitive without significant change to system infrastructure. Crypto-agility may be achieved through the adoption of new frameworks for incident response and application development, as well as the acquisition of a service software layer to facilitate crypto-agility in legacy applications.
Why Crypto-Agility Matters
Public key encryption, digital signatures, and key exchange are the core of modern information systems, payment systems, and the global communications infrastructure. However, no single method of encryption stays unbreakable forever. Recent discoveries of vulnerabilities in major algorithms have shown that organizations must be prepared to transition between standards quickly.
In cryptography, the discovery of vulnerabilities and the retirement of algorithms is inevitable. Organizations should adopt crypto-agility capabilities, or a stance in which encryption methods can be updated within protocols, systems and technology as vulnerabilities are discovered.
Recent developments that demonstrate why crypto-agility matters are:
Importance of Data Protection
Organizations should not underestimate the importance of the cryptography used to protect their data. There have been many instances in which cryptography that was undetected or not properly managed (an untracked certificate that expired, a key that was never rotated) surprised a major brand with a data breach or a highly visible system outage, bringing unwanted headlines.
Crypto Agility
Cryptographic Agility is the ability for an organization to quickly and efficiently enforce the use of new cryptographic policies across its digital footprint. Its purpose is to respond to unpredictable cryptographic vulnerabilities and ensure digital assets are protected throughout the digital ecosystem with company defined policies for cryptography.
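The definition above is easier to apply when the algorithm a system used is recorded with every value it produced and the choice of algorithm lives in a policy rather than in code. The following is an added illustration, not code from the article or from Entrust: a small MAC registry whose tokens carry an algorithm tag, with a policy that says which tag new tokens get, which tags still verify, and which are retired. Retiring HMAC-SHA1 is then a policy edit. The names REGISTRY, POLICY_*, protect, verify and migrate, and the sample key and data, are assumptions made for the example.

```python
"""Added illustration (not the article's or Entrust's code): a policy-driven
MAC registry. Every token carries an algorithm tag, so retiring a primitive
is a policy change rather than a code change. Standard library only; all
names and sample values below are illustrative."""
import hmac

# Primitives the code can run, keyed by the tag written into every token.
# Adding a primitive is one registry entry; the call sites do not change.
REGISTRY = {
    "hmac-sha1": "sha1",
    "hmac-sha256": "sha256",
    "hmac-sha3-256": "sha3_256",
}

# Policy is data, kept apart from the code path:
#   preferred  tag used for newly produced tokens
#   allowed    tags that verify normally
#   legacy     tags that still verify but are flagged for re-protection
# Any other tag is retired and refused outright.
OLD_POLICY = {"preferred": "hmac-sha1",
              "allowed": {"hmac-sha1"}, "legacy": set()}
POLICY_MIGRATING = {"preferred": "hmac-sha256",
                    "allowed": {"hmac-sha256", "hmac-sha3-256"},
                    "legacy": {"hmac-sha1"}}
POLICY_SHA1_RETIRED = {"preferred": "hmac-sha3-256",
                       "allowed": {"hmac-sha256", "hmac-sha3-256"},
                       "legacy": set()}


def protect(key: bytes, data: bytes, policy: dict) -> str:
    """Produce '<tag>$<hex mac>' under the policy's preferred algorithm."""
    tag = policy["preferred"]
    digest = hmac.new(key, data, REGISTRY[tag]).hexdigest()
    return f"{tag}${digest}"


def verify(key: bytes, data: bytes, token: str, policy: dict):
    """Return (valid, needs_migration). Unknown or retired tags never verify,
    which is what stops an attacker from simply relabelling a token."""
    tag, sep, digest = token.partition("$")
    if not sep or tag not in REGISTRY:
        return False, False
    if tag not in policy["allowed"] and tag not in policy["legacy"]:
        return False, False
    expected = hmac.new(key, data, REGISTRY[tag]).hexdigest()
    valid = hmac.compare_digest(expected, digest)
    return valid, valid and tag in policy["legacy"]


def migrate(key: bytes, data: bytes, token: str, policy: dict) -> str:
    """Re-protect a valid legacy token under the preferred algorithm."""
    valid, stale = verify(key, data, token, policy)
    if not valid:
        raise ValueError("token does not verify under the current policy")
    return protect(key, data, policy) if stale else token


if __name__ == "__main__":
    # Constructed sample inputs, not real secrets.
    key, data = b"example-key", b"order-id=1234;amount=10"
    old = protect(key, data, OLD_POLICY)            # hmac-sha1$...
    print(old, verify(key, data, old, POLICY_MIGRATING))        # (True, True)
    new = migrate(key, data, old, POLICY_MIGRATING)  # hmac-sha256$...
    print(new, verify(key, data, new, POLICY_SHA1_RETIRED))     # (True, False)
    print(verify(key, data, old, POLICY_SHA1_RETIRED))          # (False, False)
```

Two caveats a practitioner will want. The tag itself is not authenticated, so while a tag is in "legacy" an attacker who can forge under that weaker algorithm can present a legacy-tagged token; the legacy window should be short and driven by an inventory of how many old tokens remain. And this pattern only covers primitives the application calls directly; TLS stacks, libraries and hardware modules need the same policy hook exposed through their own configuration.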
Crypto Visibility
The first step toward crypto agility is understanding the organization’s current cryptographic dependencies. Building a cryptographic inventory is key to developing an efficient response plan in the event of a cryptographic compromise and to starting the transition to crypto agility. Unfortunately, many organizations do not have a complete inventory of where cryptography is being used.
Not having an accurate picture of where cryptography is deployed puts organizations at a disadvantage when deciding where and how to prioritize the replacement of classical algorithms with post-quantum ones, an inevitable exercise.
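A first pass at the inventory described above can be automated over the text an organization already has: source code, configuration files, cipher-suite strings. The following is an added example, not tooling from the article or from Entrust; it scans constructed sample files, records every algorithm reference, and classifies it as broken (replace now), quantum-vulnerable (schedule for PQC migration) or ok, so the replacement work can be prioritized. The sample files, the pattern list and the names inventory and summarise are assumptions made for the example.

```python
"""Added example (not the article's or Entrust's tooling): a first-pass
cryptographic inventory over source and configuration text. Standard
library only; SAMPLE_FILES is constructed for this illustration."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path line algorithm status")

# Status drives priority:
#   broken              known-weak or retired primitive/protocol, replace now
#   quantum-vulnerable  classical public key, schedule the PQC migration
#   ok                  symmetric or hash primitive with no known issue
PATTERNS = [
    (re.compile(r"\b(md5|sha-?1|rc4|3des|des)\b", re.I), "broken"),
    # SSLv2/3 and TLS 1.0/1.1; the lookahead keeps TLSv1.2/1.3 out.
    (re.compile(r"\b(ssl ?v? ?[23]|tls ?v? ?1(\.[01])?(?!\.[23]))\b", re.I), "broken"),
    (re.compile(r"\b(rsa|ecdsa|ecdhe?|dhe?|dsa|x25519|ed25519)\b", re.I), "quantum-vulnerable"),
    (re.compile(r"\b(aes(-?(128|192|256))?|sha-?(256|384|512)|sha3([-_]\d+)?|chacha20)\b", re.I), "ok"),
]

# Constructed inputs standing in for a real tree of files.
SAMPLE_FILES = {
    "nginx.conf": (
        "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
        "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA;\n"
    ),
    "auth.py": (
        "digest = hashlib.md5(password).hexdigest()\n"
        "key = rsa.generate_private_key(65537, 2048)\n"
    ),
    "tokens.go": "mac := hmac.New(sha256.New, key)\n",
}


def inventory(files):
    """Scan {path: text} and return findings ordered by path, line, column."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            hits = []
            for pattern, status in PATTERNS:
                for m in pattern.finditer(line):
                    hits.append((m.start(), Finding(path, lineno, m.group(0).lower(), status)))
            hits.sort(key=lambda h: h[0])   # restore left-to-right order on the line
            findings.extend(f for _, f in hits)
    return findings


def summarise(findings):
    """Counts per status, most urgent first, for the replacement backlog."""
    counts = Counter(f.status for f in findings)
    return [(s, counts[s]) for s in ("broken", "quantum-vulnerable", "ok")]


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line}  {f.algorithm:10s}  {f.status}")
    print(summarise(found))   # [('broken', 4), ('quantum-vulnerable', 3), ('ok', 3)]
```

Text scanning finds what is written down; it misses algorithms chosen at runtime, negotiated by a library's defaults, or held in certificates, key stores and HSMs, so a real inventory also pulls from certificate discovery, TLS endpoint scans and key-management audit logs. The value of the pass above is the classification: it turns a list of hits into an ordered backlog, which is what the prioritization discussed here needs.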
Post-Quantum Cryptography
Classical public key cryptography, used broadly to protect our current digital environment, will eventually be broken by a sufficiently large quantum computer. NIST started the process to standardize new “quantum-resistant” cryptographic algorithms (post-quantum cryptography, PQC) in 2016, with the final standards planned for release between 2022 and 2024. Because several PQC algorithms will be standardized, and their key and signature sizes differ widely, organizations will have to select among them carefully based on use cases and security constraints. Crypto agility will be necessary to navigate safely between multiple complex PQC algorithms.
Regulations on Encryption
As of January 1, 2020, China began enforcing a new cryptography law that regulates the use of cryptography across both the private and public sectors. The law affects international business: “Under Article 28 of the Encryption Law, importers must obtain a license if the imported commercial encryption item ‘may impact national security or the public interest’ and ‘provides an encryption protection function,’” as reported by Inside Privacy. Crypto agility will be a must-have for ensuring compliance with multiple cryptographic standards across a global landscape. The growth of regulation around cryptographic use cases underscores the need for organizations to manage cryptographic assets more efficiently to support the increasing demands of international business.
Cryptography will constantly evolve, and an agile approach to managing cryptographic instances must be adopted to keep pace with growing use cases, regulations and standards.
We bring this article with our partner Entrust.