Why businesses can’t ignore crypto agility - facing the facts before we’re in a post-quantum world

Today’s encryption algorithms, when pitted against quantum tools, will be considerably less resilient and leave huge amounts of data vulnerable as a result.

Experts have been predicting that this may happen as soon as 2025 – a forecast which has remained the same since the 1970’s. But where billions of dollars of investments are being made to facilitate AI, accelerate new material research, data analysis and more, research into post-quantum cryptography is still growing.

Because of these risks, there are a number of ways cybersecurity researchers, vendors and experts are debating about how to approach this reality. There are already efforts to develop technology that is resistant to quantum hacking, and some academics are even looking to leverage quantum-based cryptographic systems as a more secure alternative than their conventional analogues. This current line of thinking is called “crypto agility” – and it encompasses the range of policies, technology and initiatives organizations must dedicate themselves to in becoming resilient against quantum computing.

Crypto agility for quantum resilience

Crypto agility, which stems from post-quantum cryptography (sometimes also called quantum-resilient encryption) combines both strategic and technological initiatives to ensure effectiveness. In practice, it recommends two lines of action:

  1. Temporary solution: Architect your products and infrastructure in such a way that you can run a classical and a quantum secure algorithm in parallel.
  2. Permanent solution: Architect your products and infrastructure in a way that combines 2 quantum-safe cryptographic methods.

The benefits of being crypto-agile include the ability to quickly respond and recover from a crypto-incident (wide-scale or targeted), your organization’s encrypted data is increasingly resilient even as algorithms become compromised, and the cryptography supporting the backbone of your organization is even more sustainable in the face of quantum computing.

An uphill initiative

The challenges of implementing crypto agility protocols, coupled with the fact that this is still a growing faction of research, means organizations will likely struggle to get it right initially. Current protocols are generally used throughout the organization, but under systems controlled by different branches of business. Crypto agility initiatives will challenge organizations to coordinate successfully across them all – whether that is 1,000 employees, 500 administrators and 200 systems. Outlining and implementing unique best practices, as well as choosing and deploying the best technology for their systems will not be quick decisions. But ultimately, future-proofing for a post-quantum world is not something businesses cannot afford to ignore.

Crypto against the clock

There are a few factors that can help businesses make some smart choices about when to kickstart their crypto agility plan. (Hint: sooner is always better than later.) For example, organizations that need to keep “secrets” or ensure data remains confidential for long periods of time should implement crypto agility as soon as possible. However, because a system’s overhaul can be so time-intensive, it’s increasingly likely that the recommended time to start is now, regardless of industry.

Depending on the cost of the crypto-agility update and the value of the assets to be secured, businesses may also want to invest time and money into testing the rollout to determine, for example, the efficacy of the new deployments and note any disruptions or hiccups throughout the process. Blackberry, for example, spent 5 years to move from the Triple DES algorithm to AES as their basis for data encryption – while they were in control of all devices and the server.

So, when do businesses need to begin their crypto agility initiatives to ensure their algorithms are viable against the quantum computer? By calculating, in years, the lifetime of the product or asset that needs to be secured, added to the amount of time needed for testing and roll out and estimating when new, safe algorithms will be available, businesses can work backwards from an estimated deadline.

Here is a brief guide for decision-making based on industry:

  • government: With a lifetime of at least 30 years for IT infrastructure and 15 years for government-issued documents and passports, government entities should already be well on their way to crypto agility.
  • automotive: As the vehicles on our roads become increasingly smart, even working towards becoming fully autonomous, it becomes critical that their systems remain quantum-resilient. Product life is upwards of 15 years and development time is nearly 6 years on average, crypto agility should be integrated at least 21 years ahead of quantum computing.
  • energy: Like automotive, the energy industry is becoming smarter and more connected each day, effectively expanding the Industrial Internet of Things (IIoT). Energy and utilities organizations should integrate crypto agility based on the product lifetime of a smart meter ranging from 12-15 years.
  • healthcare and Science: Connected medical devices such as remote vital signs monitors have a product lifetime of around 5 years, whereas medical records must be kept confidential for 5-10 years depending on location. Hospitals, insurers and device manufactures should be starting their crypto-agility initiatives 5-10 years – plus the time to takes to develop and test the product – ahead of quantum computing.

Getting started

Before embarking on their crypto agility journey, it’s recommended that organizations compile a precise and detailed inventory of their cryptographic assets – where each and every key has been injected across IT infrastructures and where they are stored.

Once the organization has a clear picture of its cryptographic ecosystem, it can begin to define strict policies for employees to manage the keys. Key groups are implementing the activity needed to secure their systems within the framework of post-quantum cryptography (PQC). With roles dispersed across the organization, it can act much quicker and be more effective should any of its algorithms become compromised. Driving this “culture” of crypto agility will likely be the IT/security team.

When it comes to the technology implementation and designing crypto agility into the foundation of protocols, it’s often recommended to use stateful hash-based signatures, which are widely accepted as a strong quantum-secure option. This is especially true for code signing. Nearly all experts agree that this can be accomplished today with existing technology.

A hybrid approach – marrying both stateless and stateful schemes – is another option for organizations looking to maximize quantum-resilience. For a given environment, organizations will need to consider signature size, performance and implementation concerns when considering which scheme will be implemented where, leveraging the benefits of each depending on the use case.

NIST has held an open call for quantum-resistant cryptographic algorithms for new public-key crypto standards, including digital signatures and encryption/key-establishment. With submissions closed in late 2017, the group is planning on selecting one or more quantum-safe algorithms to standardize and implement on a wide variety of platforms and applications. It’s likely that this will become one of the highly endorsed quantum-resilient options, however, it’s not recommended for organizations to wait until this becomes available.

A stronger foundation

It’s no secret that crypto agility initiatives will be challenging, especially as entities and individuals across the globe work out PQC in real time. However, the threat of the quantum computer against current algorithms is too great to ignore. Without crypto agility in place, organizations’ cryptographic assets become their Achilles’ heel.

First published on:
Infosecurity Magazine – Why Businesses Can’t Ignore Crypto Agility

About the author

Dawn M. Turner is a professional author with a passion for technical regulations and standards, as well as for their relevance and impact on corporate operations and industry in general. Dawn has more than 10 years of IT industry experience in hardware, programming & systems & network engineering. Her educational background includes a Certificate in computer operations & programming, CompTIA and Microsoft certifications, including A+, MCSE and MCP, Associates degree with major in business & minor in computer science, Bachelors of Science degree with major in business forensics & minor in accounting and an MBA with concentrations in finance & economics.

¿En qué podemos ayudarle?

Hable con uno de nuestros especialistas y descubra cómo Utimaco puede ayudarle hoy mismo.
Ha seleccionado dos tipos diferentes de Download, por lo que necesita presentar formularios diferentes que puede seleccionar a través de las dos pestañas.

Su(s) solicitud(es) de Download:

    Al enviar el siguiente formulario, recibirá enlaces a las descargas seleccionadas.

    Su(s) solicitud(es) de Download:

      Para este tipo de documentos, es necesario verificar su dirección de correo electrónico. Recibirá los enlaces a las Download seleccionadas por correo electrónico después de enviar el siguiente formulario.

      Descargas de Utimaco

      Visite nuestra sección de descargas y seleccione recursos como folletos, fichas técnicas, libros blancos y mucho más. Puede ver y guardar casi todos ellos directamente (pulsando el botón de descarga).

      Para algunos documentos, es necesario verificar su dirección de correo electrónico. El botón contiene un icono de correo electrónico.

      Download via e-mail

      Al hacer clic en dicho botón se abre un formulario en línea que le rogamos rellene y envíe. Puede recopilar varias descargas de este tipo y recibir los enlaces por correo electrónico simplemente enviando un formulario para todas ellas. Su colección actual está vacía.