While the science and technology behind quantum computers is extremely complex, their computing power has been steadily increasing, from 3 qubits in 1998, to 7 qubits in 2000, to 12 qubits in 2006, and up to 72 qubits in 2018.
All of those projects working on quantum computers are within very specialized research environments, used in laboratories rather than solving actual, practical problems. With all the various predictions out there, there will likely be another 10-15 years until we see commercially available quantum computers.
What risks does quantum pose to enterprises and manufacturers?
Quantum Computing potentially offers radical improvements in the time required to solve mathematical problems that underpin much of the asymmetric cryptography used widely today. From an information security perspective, the threat is that currently widely used algorithms will be easier to break; thus, systems will be more vulnerable once quantum computers are available.
Looking at the timeline again, one recent estimation to factor 2048-bit RSA is at a “50% chance by 2031”. So arguably, the immediate risk is low, and there is sufficient time to prepare.
One of the steps to prepare is to answer the need for algorithms that are resistant to attacks by Quantum Computers, and an ongoing process to evaluate candidates was started a few years ago.
Cryptomathic devotes significant expert resources to monitoring the “state of the art” of Quantum Computing and the standardization process of quantum-resistant cryptographic algorithms. Cryptomathic will be able to incorporate new quantum-resistant algorithms as soon as they are standardized and there is a market demand backed by HSM suppliers.
What industry is most at risk when it comes to quantum?
Generally speaking, any industry that handles sensitive data and processes it via communications over the internet is at risk.
While there are industries that traditionally handle sensitive data (government, defense, financial industry, e-commerce, healthcare), more and more companies will be impacted by the advent of quantum computers given that there are more and more global standards and regulations addressing privacy concerns of individuals (e.g. GDPR, CCPA).
How can enterprises begin to prepare for quantum?
In 2016, NIST initiated a process to develop and standardize post-quantum (PQ) cryptographic algorithms. The process has now entered the second phase with 17 public-key encryption schemes and 9 digital signature algorithms. A draft standard with the winning algorithms is expected to be ready by 2022-2024.
That does not mean businesses should wait till this occurs! Phasing out an algorithm and switching to a new, more secure one typically takes a long time. The wider its use and the more participants in such a system, the longer it will take to phase out.
Therefore, over the past decades, a best practice has been established through trial and (mostly) error, which is to design and implement encryption and key management within computer systems independently from current encryption algorithms. This is to achieve what we call Crypto-Agility: being able to change the key size, or even the underlying algorithm, without a disruptive effect on the business process.
Being crypto-agile is important even without the looming threat of quantum computers: cryptographic algorithms have always had a certain lifespan defined by the growing capacity of conventional computing systems, think Moore’s Law, or because of new vulnerabilities being discovered - consider MD5, SHA1, RC4 or 3DES: all have known security flaws which were discovered and described a long time ago. Yet, there are still many legacy systems that make use of them. Often organizations won’t even know about this as they might be hard-coded into the codebase of applications developed long ago.
Thus, even if it takes 10-15 years for quantum to become a real threat, it is important to start analyzing your organization’s use of cryptographic keys and implementing crypto-agile systems right now.
What are you working on in the crypto-agility space?
We, at Cryptomathic, take a holistic view of the challenge. Over decades of working with clients on very large and complex key management systems, it has become very clear to us that it is always the combination of people, process, and product that will allow you to tackle the challenge of using cryptographic keys (and certificates) in an agile and sustainable way.
Our expertise in designing, architecting, implementing, and maintaining these large-scale systems is what we bring to the table.
One building block is providing the product. Over the past 8 years, we have developed a platform that allows delivering Crypto-as-a-Service to your entire organization. Centralized management of key components and key use, along with centralized policy enforcement and audit logs, give you the tools you need to achieve crypto-agility within your organization.
What does an organization need to do to be crypto-agile?
Crawl, walk, and then run is a strategy for breaking down the "crypto-agile" process into actionable steps.
To begin with, it’s important to take an inventory of all your systems and how they make use of cryptography today. Once you have an overview, you can begin to prioritize and find the right approach for your organization.
Rolling out use case by use case is an approach that we have seen succeed many times. It allows us to ease into the learning curve with small iterations rather than requiring the “big bang” change.
What are your typical use cases?
Ever since Cryptomathic was founded in 1986, we have been a supplier to the financial services industry. With our expertise, we work with many of the world’s largest financial services providers – Banks, Payment Processors, and Payment Networks.
We observe two trends in our clients' organizations: migration of major systems into the cloud (public, private, hybrid, or multi), and a shift toward mobility and away from conventional brick-and-mortar.
Both trends pose immense challenges as they fundamentally change the way those large organizations think about service delivery. On the other hand, they also fundamentally change the attack vectors and how data is moved, stored, and operated in those environments.
How would you describe crypto-agility and why is it important in 2020 and beyond?
To put crypto-agility in a one-sentence description, I’m quoting an article posted on our blog in 2018: “Crypto-agility, or cryptographic agility, is the capacity for an information security system to adopt an alternative to the original encryption method or cryptographic primitive without significant change to system infrastructure.”
I would consider crypto-agility to be a journey rather than a goal. Change the way your business conceives of information security within your systems, and acknowledge that a shift in the use of cryptographic algorithms is inevitable.
This change should not have an impact on your applications consuming the cryptographic operations. As explained earlier, crypto-agility has always been one guiding principle in the systems Cryptomathic designs, builds, delivers, and maintains.
What do you envision happening with cryptography over the next handful of years?
While quantum will likely have the single biggest impact, other areas, such as global regulations and accelerated digitalization, will continue to influence cryptography in the near future.
- New and advanced cryptographic algorithms – Preparing for the post-quantum age, to establish forward secrecy and maintain information security for the upcoming decades. One example is the NIST-initiated process of post-quantum cryptography.
- Regulations around the globe – Privacy is more and more the focal point of many global regulations (GDPR, CCPA). There are also other areas with regulations adapting to changing environments and technological advancements (PSD2, eIDAS, FIPS 140-3, PCI).
- Continued or even accelerated digitalization – Consider how cryptography needs to support required adjustments and changes within organizations to provide for a digital future. The continued trends of remote working, learning, and living might become an additional driving factor accelerating the digitalization efforts as we are experiencing an impact on just about every aspect of our lives.
The original interview was posted at https://www.pkisolutions.com/the-pki-guy-discusses-crypto-agility-with-johannes-lintzen-of-cryptomathic/
References and Further Reading
- Selected Articles on Quantum Cryptography (2017-today), by Dawn M. Turner, Rob Stubs, Terry Anton and more
- Selected Articles on Crypto-Agility (2017-today), by Dawn M. Turner, Jasmine Henry, Rob Stubs, Terry Anton and more
- Post-Quantum Cryptography (retrieved April 2020), by the NIST Information Technology Laboratory, Computer Security Resource Center
- Final Version of NIST Cloud Computing Definition Published by the National Institute of Standards and Technology, October 2011.
- Study on Cryptography as a Service (CaaS) by Yudi Prayudi and Tri Kunturo Priyambodo, November 2014.
- NISTIR: Report on Post-Quantum Cryptography by the National Institute of Standards and Technology, April 2016.
- Cryptomathic Answers Compliance-Driven Call for Crypto-Agility by Cryptomathic, May 2018.