Cryptography has come a long way since ancient times, and the pace of development has been especially quick over the last 2 decades. Indeed, many fundamental aspects of our modern world – finance, communications, e-commerce, national security – are built on the bedrock of cryptography.
But what does the next 10 years hold, and how should your organization prepare for the changes to come? In this 3-part article, we look at trends and emerging technologies, such as blockchain, IoT, quantum technology and cloud computing, and predict what impact they will have.
Cryptographic algorithms are the foundation of security protocols and applications, but they are not constant – they must continue to evolve in the arms race against cyber threats.
NIST, the US National Institute of Standards and Technology, plays a prominent role in setting global cryptographic standards through its Computer Security Resource Center. However, new algorithm candidates are typically developed within industry and academia, where much of the cryptanalysis research takes place. Secretive government agencies, such as the NSA (USA) and GCHQ (UK), also have a role to play, although their influence is mostly behind-the-scenes.
Computing power is constantly increasing according to Moore’s law, allowing ever-larger keys to be brute-forced, while unpredictable leaps forward in cryptanalysis can significantly reduce the computing effort required to break an algorithm. Consequently, algorithms that we once considered to be strong are now known to be weak, such as MD5, SHA-1 and DES. Others, such as RSA and 3DES, are only considered to be safe with suitably large keys and/or frequent key updates.
The good news is that today we have a range of cryptographic algorithms we trust, such as AES, ECDSA and SHA-2. We also understand how to implement and apply these algorithms (often in combination) to provide a level of security that, when used correctly, no-one can break with today’s technology. But what about tomorrow?
Hashing algorithms: SHA-2 was created as a replacement for older hashing algorithms such as MD5 and SHA-1, and we now have SHA-3 as well (although this isn’t yet in widespread use). Despite their similar-sounding names, SHA-3 is very different to SHA-2 and was created to provide a viable alternative should vulnerabilities one day be discovered in SHA-2. In any event, these two algorithms should comfortably see us through the next decade.
Asymmetric algorithms: ECDSA was created as an alternative to RSA and the less popular DSA, which require longer and longer keys to combat advances in computing power. Using elliptic curve technology, ECDSA is far more efficient than RSA – a 256-bit ECDSA key offers similar strength to a 3,072-bit RSA key (i.e. equivalent to a 128-bit symmetric key). Whilst ECDSA (and even RSA, given a long enough key) are expected to remain resistant to cryptanalysis by classical computers over the next decade, quantum computers are another story – see below.
Symmetric algorithms: AES was created as a replacement for 3DES, which NIST plans to deprecate for new applications in the near future and phase out completely by the end of 2023. With 3DES still widely used, this will create a major challenge for some industries over the next 5 years. AES is expected to remain safe over the next decade, even with the possible advent of quantum computing (provided 256-bit keys are used).
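The algorithm guidance above can be turned into an inventory check. The following is an added example, not code from the article: it maps algorithm identifiers to comparable strengths (the NIST SP 800-57 Part 1 equivalences, of which the 256-bit ECDSA / 3,072-bit RSA / 128-bit symmetric figure above is one row) and applies a simple quantum adjustment. The identifier format, thresholds, verdict labels and inventory are assumptions made for illustration.

```python
# Added example: policy thresholds and the inventory below are constructed assumptions.
BROKEN = {"MD5", "SHA-1", "DES"}   # named as weak in the article
LEGACY = {"3DES"}                  # article: to be deprecated and phased out
# Comparable strengths in bits (NIST SP 800-57 Part 1): (minimum key bits, strength)
RSA_STEPS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
ECC_STEPS = [(512, 256), (384, 192), (256, 128), (224, 112), (160, 80)]

def _lookup(bits, steps):
    return next((s for floor, s in steps if bits >= floor), 0)

def strength(name):
    """Return (classical_bits, quantum_bits) for e.g. 'RSA-2048' or 'ECDSA-P256'."""
    name = name.upper()
    if name in BROKEN:
        return (0, 0)               # treated as no usable strength, not a measured value
    if name == "3DES":
        return (112, 56)            # three-key 3DES; Grover's search halves it
    family, _, param = name.partition("-")
    digits = param.lstrip("P")      # 'P256' -> '256'
    if not digits.isdigit():
        raise ValueError(f"unknown algorithm: {name}")
    bits = int(digits)
    if family == "AES":
        return (bits, bits // 2)    # Grover's search halves symmetric strength
    if family == "RSA":
        return (_lookup(bits, RSA_STEPS), 0)   # Shor's algorithm breaks RSA
    if family == "ECDSA":
        return (_lookup(bits, ECC_STEPS), 0)   # and elliptic-curve schemes
    if family in ("SHA", "SHA3"):
        return (bits // 2, bits // 2)  # collision resistance; quantum attacks not modelled
    raise ValueError(f"unknown algorithm: {name}")

def verdict(name, classical_min=112, quantum_min=128):
    classical, quantum = strength(name)
    if classical < classical_min:
        return "replace"
    if name.upper() in LEGACY:
        return "migrate"
    return "ok" if quantum >= quantum_min else "ok-classical-only"

# Constructed sample inventory: (system, algorithm in use)
INVENTORY = [("web-tls", "ECDSA-P256"), ("card-terminal", "3DES"),
             ("legacy-signing", "SHA-1"), ("db-at-rest", "AES-256"),
             ("vpn", "RSA-2048")]

def audit(inventory):
    return {system: verdict(algo) for system, algo in inventory}

if __name__ == "__main__":
    for system, result in audit(INVENTORY).items():
        print(f"{system:15} {result}")
```
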
Unfortunately, old algorithms die slowly. This is perhaps most notable within the electronic payments industry, where algorithms are often locked into global standards that must be maintained for interoperability and which are implemented within non-upgradable infrastructure with a 5 to 10-year lifecycle. This inertia makes change very difficult and painfully slow, requiring industry-wide initiatives and collaboration. Later in this article, we will see why crypto agility is becoming increasingly important and how new technologies may help.
With the growing threat of cyber attack, the broadening reach of privacy legislation, such as GDPR, and the increasing ease of employing encryption technology, the trend is towards encrypting all private data, especially data that is particularly sensitive or valuable in some way (e.g. personal or financial data).
Today, all financial transactions are encrypted and, following a concerted industry effort over the last couple of years, the majority of web traffic is now encrypted with strong algorithms using the TLS protocol.
The next target for many organizations is to encrypt data-at-rest, whether residing within databases, within the cloud or in other forms of storage. However, this creates a new challenge – lots of cryptographic keys to manage. If these are not properly protected, then the data being encrypted is not fully protected either.
Thus, there is an increasing demand for tools to help organizations manage their keys. Many vendors will offer basic key management tools as part of their encryption solutions, but these invariably fall short of supporting all the applications within organizations. As a result, organizations often have to use multiple proprietary key management tools, which is costly, inefficient and difficult to audit.
Enterprise key management solutions try to provide a complete solution to this problem, but many applications still require bespoke integration. It remains to be seen whether the KMIP standard will be adopted beyond certain niche applications or whether some other standard will emerge.
Thus, any centralized key management solution will need the flexibility to support a range of APIs with both off-the-shelf and bespoke integration options for at least the next 5 years.
In part 2 of this 3-part series, we will look at new applications such as blockchain and IoT, as well as the impact of quantum technology.
References and further reading
- Cryptography – The Next 10 Years (Part 1) (2018), by Rob Stubbs
- Cryptography – The Next 10 Years (Part 2) (2018), by Rob Stubbs
- Cryptography – The Next 10 Years (Part 3) (2018), by Rob Stubbs
- NIST SP800-130: A Framework for Designing Cryptographic Key Management Systems (2013), by Elaine Barker, Miles Smid, Dennis Branstad, and Santosh Chokhani
- NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016), by Elaine Barker
- Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Martin Eriksen, Peter Landrock, Peter Smirnoff, Stefan Hansen and more
- Selected articles on HSMs (2013-today), by Ashiq JA, Peter Landrock, Peter Smirnoff, Steve Marshall, Torben Pedersen and more