A crypto-abstraction layer (CAL) is, in its most general sense, an application programming interface (API) - also known as a library- that hides cryptographic details from program developers that they don’t need to know about (such as the brand of hardware they are using for their source of random numbers). They are essential in the world of InfoSec because those who are expert developers are not usually expert cryptographers or even security personnel and so they need all the help they can get when it comes to implementing cryptography.
Each API has its own design and philosophy and degree of abstraction and its extremely interesting to compare and contrast them - some barely lift the developer away from the highly technical world of cryptography and insist that every single aspect must be hard-coded; the poor developer then has to hit the books to appreciate the difference between the cipher block chaining and galois counter modes(!); whereas other APIs offer a much cleaner, highly-abstracted, solution to the problem such that simply knowing whether you need to encrypt or decrypt is sufficient (leaving the details to the expert security team).
The Recent Case for Crypto-Abstraction Layers
NIST recently published draft guidance proposing a five-year timeline to disallow the 3DES algorithm following the discovery of the Sweet32 vulnerability which exploited a known risk of collision attacks in 64-bit cipher suites such as 3DES. The classification of 3DES as a security risk and proposed retirement timeline is likely to create challenges around infrastructure, payments, and interoperability for organizations in the finance industry.
Many financial institutions and other organizations in private industry rely on hardware security modules (HSM) technology to manage deployments of crypto algorithms. The adoption of CAL technology between legacy applications and HSMs can provide a solution for updating 3DES or other primitives without significant recoding effort because when only the algorithm needs to change (and in this case probably to AES) the code doesn’t- the details have been abstracted away (to a policy file).
Over the past three decades, there has been a shift in business computing trends from on-premises deployments to cloud computing through the advancement and adoption of distributed systems which are centrally virtualized. NIST defines cloud computing as a form of information technology services categorized by a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources….that can be rapidly provisioned and released with minimal management effort or service provider interaction." Virtualized service models and applications can enable organizations to achieve flexibility while saving on software licensing and infrastructure costs.
The CAAS model demonstrated a new scheme of cryptographic implementation which could reduce endpoint vulnerabilities by separating the cryptographic process from the endpoint device. Robinson’s research provided evidence that a new, cloud-based scheme of cryptographic implementation could increase security and lower costs by placing the key management process within a middleware layer.
Simultaneously, advancements in technology have created additional threats to major algorithms in public key encryption and key exchange systems (i.e. both quantum and classical attacks on RSA) . The adoption of crypto-abstraction layers can enable organizations to meet NIST recommendations for the immediate development of a crypto-agility capacity.
How Crypto-Abstraction Layers Create Technological Agility
Crypto-abstraction solutions act as a technological intermediary between business applications and a small cluster of HSMs. Applications use a RESTful interface or client libraries to send commands to the crypto-abstraction layer, which distributes a workload among available HSMs. This network-based approach to cryptography can facilitate enterprise crypto-agility throughout the application lifecycle, including during legacy application updates and the deployment of new applications.
To update cryptographic primitives in legacy applications away from 3DES or another algorithm, administrators simply need to make changes to the policy file from within the administrative portal. Since everything is centralized, these solutions can also enable continuous compliance, easy auditing and active performance monitoring across the network
Additionally, a crypto-abstraction layer can facilitate crypto-agility during the deployment of new applications with a HSM. Using a cloud solution for crypto as a strategic point for new applications makes the integration of advanced cryptography deployments significantly faster and simpler.
Unlocking Agility with Central Crypto Policy Enforcement
In order to achieve crypto-agility, organizations need visibility and control for central policy enforcement. Crypto-abstraction solutions offer a single, centralized platform for managing cryptographic resource and monitoring dynamic change across legacy applications. This category of gateway solutions provide organizations with the ability to update and deploy crypto resources within minutes, instead of weeks or months.
Traditional approaches to updating cryptographic primitives at the application layer have created outcomes of inefficiency, compromised security, and complexity. With a high volume of deployments of crypto across information systems, organizations have historically struggled to overcome a lack of visibility. Network-based solutions for cryptography-as-a-service enable transparency and agility across information systems with centralized policy change and enforcement.
- Final Version of NIST Cloud Computing Definition Published by the National Institute of Standards and Technology, October 2011.
- Study on Cryptography as a Service (CaaS) by Yudi Prayudi and Tri Kunturo Priyambodo, November 2014.
- Applying Cryptography as a Service to Mobile Applications by Peter Robinson. February 2014.
- NISTIR: Report on Post-Quantum Cryptography by the National Institute of Standards and Technology, April 2016.
- Cryptomathic Answers Compliance-Driven Call for Crypto-Agility by Cryptomathic, May 2018.