The Power of Crypto-Agility: A Defence-in-Depth Strategy for Quantum and Beyond
Dr. Sarah McCarthy
August 2, 2023
The transition to quantum security is not instantaneous, and the iterative nature of updating cryptography will pertain past the point at which everyone has adopted PQC. One approach quickly gaining traction is crypto-agility, which enables a systemic level of trust with the ability to swiftly adapt and switch cryptographic methods. By embracing crypto-agility, organizations who steward sensitive or critical data can effectively build a defence-in-depth strategy, fortifying their data protection against the future advances in decryption methods and tools.
The Quantum Threat and the Need for Defence-in-Depth
Quantum computers possess extraordinary computational power that will eventually break the public key cryptography that currently secures all our sensitive information as it travels around the world. This calls for a comprehensive and multi-layered defence strategy. A defence-in-depth approach involves employing multiple layers of security, making it exponentially more difficult for attackers to compromise critical data. In the context of quantum threats, defence-in-depth is not limited to a single layer of quantum-resistant encryption; it extends to the concept of crypto-agility.
Crypto-agility is the ability to adapt and switch cryptographic algorithms seamlessly and efficiently. It empowers organizations to stay ahead of cryptographic vulnerabilities and embrace emerging encryption standards, ensuring data remains secure even in the face of quantum computing advancements or other breakthroughs in algorithmic attacks. Crypto-agility is not solely focused on implementing quantum-resistant algorithms; it encompasses the broader concept of being adaptable to future cryptographic developments.
Crypto-Agility within a Progressive Cryptographic Environment
Backwards compatibility: being crypto-agile allows for support of legacy cryptographic algorithms alongside PQ, until legacy systems are discontinued, and the older algorithms can easily be swapped out
Hybrid approaches: the modular approach characteristic of a crypto-agile platform makes it easier to stack or nest multiple algorithms, as per NIST’s recommendations for migration to PQ
A cryptographic inventory, as a recommended first step in the migration to PQ, facilitates crypto-agility, as it generates the knowledge of where all the certs, keys and other elements are that would need to be swapped when conducting an agile move to a different cryptographic algorithm.
Crypto-agility facilitates the ability to update remotely by providing scaffolding within which to replace certificates and keys
Without crypto-agility, it would take longer to re-secure your network following an attack/patch, opening opportunities for attacks. It would also be more costly due to manpower required to switch, and the potential need to purchase new SW/HW
True cryptographic agility allows for adaptations of all scales, which may just be an increase in key size or parameter, a subprocess like the sampling or hashing algorithms, or a bug in the code. And these updates must take place in a secure way, which is set up via the crypto-agile platform
Crypto-agility assists certificate chain revocation, in the case where the root (or sub) CA has become compromised, meeting the need to re-issue the certificates rapidly, perhaps in an automated way, reducing the downtime of the network users
Consider the scenario when all devices may not be online at the same time; crypto-agility provides the ability to update crypto gradually, and maintain backwards compatibility during this timescale, until all devices in the family are updated
When a standards body releases new standards, they additionally must define all the micro steps for each user to follow, which won’t all happen at the same time. There is no on/off switch and ability maintain secure connections with other systems at different stages is essential. Agility eases this process by providing a system to make the required switches.
Benefits of Crypto-Agility in a Defence-in-Depth Strategy
Future-Proofing: By adopting a crypto-agile approach, organizations can future-proof their cryptographic infrastructure against advancements in quantum computing or other algorithmic breakthroughs. They can quickly transition to new, robust encryption algorithms without significant disruptions or vulnerabilities.
Rapid Response to Emerging Threats: In the fast-paced world of cybersecurity, threats evolve rapidly. Crypto-agility equips organizations to respond swiftly to emerging threats. They can promptly replace outdated cryptographic algorithms with stronger alternatives, minimizing the window of opportunity for attackers.
Flexibility: A crypto-agile posture allows organizations to adapt their cryptographic solutions to fit changing requirements or regulatory compliance. Additionally, it enables the successful integration of complementary systems and cryptographic protocols, by allowing the addition of new algorithms in the ciphersuites during the negotiation.
Cost-Effectiveness: The adoption of a crypto-agile approach can result in cost savings in the long run. Instead of being locked into a single cryptographic standard, organizations can transition to new algorithms as needed, eliminating the need for expensive and time-consuming cryptographic overhauls.
In the face of quantum-powered threats and future algorithmic advances, crypto-agility provides a powerful tool for organizations to build a defence-in-depth strategy. By swiftly adapting and switching cryptographic algorithms, businesses can future-proof their data security, respond rapidly to emerging threats, ensure flexibility, and achieve cost-effectiveness. Embracing crypto-agility enables organizations to stay ahead of future advances in code breaking and navigate the ever-changing landscape of data protection.
freQuency, a newsletter from evolutionQ
One interesting thought and one interesting link. Every other Wednesday.