A business is considered agile if it is able to respond quickly to market changes, adapt to maintain stability. However, without cryptography there is no security and without security there is no business. So, ultimately, the agility of a business will be conditioned by its crypto-agility.
And what does a business need to be crypto-agile? To be able to adopt an alternative to the encryption method in use when the this proves to be vulnerable, with the minimum impact on the organisation’s infrastructure. The faster and more automated the process of replacing a cryptographic algorithm (or its parameters), the greater the crypto-agility of the system.
In Cryptography No Algorithm Is Totally “Safe”, At Most It Is “Acceptable”.
The definition of security in cryptography is incidental. When it is claimed that an algorithm is considered secure, what it actually means is that no security risk is currently known when used in accordance with the appropriate guidelines. The key word here is “currently”, because what is considered secure today will most likely not be secure tomorrow. And this is due to advances in computing (do I hear quantum computer?), advances in cryptanalysis, advances in hardware and advances in mathematics. In other words, an algorithm is considered safe if it is computationally unfeasible to break it today.
The discovery of vulnerabilities in cryptosystems and the removal of the affected algorithms becomes inevitable over time. That’s why you need to be crypto-agile: to be able to update the encryption methods used within the protocols, systems and technologies you use as soon as new vulnerabilities are discovered… or even before they appear!
And it is not just vulnerabilities that need to be considered. In the Real World™, cryptography must comply with regulations and standards, which in many cases will require changes in encryption algorithms and communications protocols.
How to Find Crypto-Agility
The worst time to evaluate your cryptography is after a compromise has occurred with everyone running around like a headless chicken. Being crypto-agile implies complete control over the cryptographic mechanisms and processes in your organisation. Gaining this control is not easy because, as Gartner points out in his report Better Safe Than Sorry: Preparing for Crypto-Agility:
- Cryptographic algorithms break “suddenly”, at least from the end-user’s point of view. Despite the fact that there are chronicles of a death foretold, like the one in SHA-1, there are organisations that do not even know about it until the incident occurs, when it is too late to change the algorithm for another one that does not impact the organisation.
- Most organisations do not know their cryptography: the type of encryption they use, what applications they use or how they use it.
- Developers often remain blind to the details of cryptographic function libraries, so they program cryptographic dependencies while ignoring the flexibility of the libraries. This can make patching or response difficult or unpredictable in case of an incident.
- Open source algorithms are generally considered safe because anyone can audit them, but reviews of their real application are rare.
In this context, every organisation should prepare for the worst. How? According to Gartner, this preparation involves:
- Include by design the crypto-agility in the development of applications or in the workflow of acquisition of applications from third parties.
- Any software created internally must comply with the cryptographic security standards accepted by the industry, such as Suite B or FIPS 140-3; or with current regulations and standards, such as the GDPR.
- It is advisable to use development frameworks, such as JCA or .NET, which abstract cryptography, facilitating the replacement of some algorithms by others without altering the code. Likewise, there are other languages and libraries that favour the reuse and rapid replacement of cryptographic code, which should be given priority over less flexible alternatives.
- When purchasing third-party applications, make sure that the provider follows the above guidelines. All software and firmware should include the latest cryptographic algorithms and techniques that are considered safe.
- Compiled an inventory with the applications that use cryptography and identify and evaluate their dependence on the algorithms. Pay special attention to identity and access management systems, public key infrastructures (PKI) in use in your organisation and how keys are managed. This work will make it easier for you to assess the impact of a cryptographic breach and allow you to determine the risk to specific applications and prioritise incident response plans.
- Include cryptographic alternatives and an algorithm exchange procedure in your incident response plans. For instance, the identification and replacement of algorithms, extension or modification of key lengths, and re-certification of some types of applications. For hardware devices, ask the manufacturer how they handle key and algorithm changes. Be prepared in case you need to decrypt private data with an obsolete key or algorithm to re-encrypt it with a new key or algorithm if compromise happens. And do not forget to include IoT devices in your inventory, because some come with pre-loaded keys and little cryptographic flexibility and are deployed in the field for many years.
Vulnerabilities, regulations, quantum computers, … Cryptographic change is lurking around every corner. Applying these improvements will increase your crypto-agility to react quickly to cyberthreats.