Digital trust is essential to enable people and businesses to participate online with the confidence that their footprint in a digital world is safe. However, quantum computers pose a threat to secure online interaction. Given this scenario, in countries like the United States, NIST (the National Institute of Standards and Technology) has evaluated candidate cryptographic algorithms intended to remain secure against both traditional and quantum computers.
Given NIST’s recent selection of primary quantum-resistant cryptographic algorithms, now is the time to consider cryptographic agility in organizations. While it may take several years to incorporate NIST’s selected algorithms into various standards, and there may be some changes before the standard is finalized, NIST notes that there are steps you can take now to prepare. Most importantly, what organizations can do now is prepare for post-quantum cryptography (PQC) and improve cryptographic agility.
Crypto Agility: What Is It And Why Is It Important?
Crypto agility is the ability of a security system to quickly switch between encryption mechanisms; it focuses on the visibility and dynamic movement of an organization’s crypto assets. This practice examines how cryptography is used in your organization and ensures you have the tools to quickly identify and resolve issues. It also includes establishing clear cryptographic best-practice policies and the ability to test new cryptographic algorithms, which is especially important as users of traditional cryptographic algorithms begin testing how to incorporate NIST-recommended PQC algorithms into their software.
“Becoming crypto agile is essential for all industries and all organizations as today’s existing cryptographic algorithms (RSA, ECC) will be vulnerable to quantum computer compromise. Therefore, cryptographic agility is a competitive advantage, especially as the number of endpoints connected to your network grows,” says Timothy Hollebeek, Industrial Technology Strategist at DigiCert.
Quantum computers won’t pose a major threat for the next five to 10 years, but in the meantime, all secure Internet protocols should be migrated to NIST’s standardized algorithms.
Achieve crypto agility
Achieving crypto agility requires a complete understanding of where encryption is used within an organization and how encryption technologies are deployed, together with the ability to quickly identify and resolve issues as they arise.
Visibility, however, is only half the equation. Equally important is the ability to replace obsolete crypto assets without significantly disrupting your system infrastructure. One of the best ways to achieve this is through automation. Therefore, this practice can be achieved in two steps: visibility and automation.
First step: visibility
Unfortunately, it is common for security professionals not to have a complete picture of where cryptography is used in their infrastructure. In addition to helping you prepare for PQC, gaining insight into your crypto can reduce your current attack risk. Organizations today have more crypto to protect than ever before. While TLS/SSL certificates for the web remain common, organizations in a post-pandemic world have a Public Key Infrastructure (PKI) for hardware, software, identity and access management, and more. But increasing connections also increase the attack surface of organizations. Therefore, it is essential to obtain real-time information about vulnerabilities in order to quickly identify and remediate them.
“It is recommended to start increasing your cryptographic agility by discovering and inventorying what needs to be replaced. This requires a thorough analysis of systems and applications that use public key cryptography. DigiCert offers a certificate discovery service to give you a real-time view of your certificate landscape,” Hollebeek added.
Second step: automation
Once you have gained insight into the crypto infrastructure, the next step is to replace legacy crypto, automating the process wherever possible. The ability to quickly replace keys and certificates is essential to remain secure in a post-quantum environment. However, manual certificate management is time-consuming and prone to human error. Instead, it is a good idea to automate the certificate renewal and installation process to keep your cryptography up to date and simplify certificate lifecycle management. The easiest way to do this is to use PKI as a service with an automation manager.
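As an added example (not DigiCert’s tooling and not code from this article), the Go program below does the inventory classification the visibility step calls for and marks the certificates the automation step would need to renew: it parses real X.509 certificates, records the public-key algorithm and size, flags RSA and ECC keys as quantum-vulnerable, and flags certificates expiring inside a renewal window. The two certificates, their host names and the 30-day window are constructed sample data; the Finding fields and the SelfSigned helper are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Finding struct { // one inventory row; its flags drive the replacement plan
	Subject, Algorithm string
	Bits, DaysLeft     int
	QuantumVulnerable  bool // RSA and ECC both fall to Shor's algorithm: queue for PQC migration
	RenewalDue         bool // expires inside the renewal window: work for the automation step
}

// Inventory classifies one parsed certificate; renewWithin is the renewal window in days.
func Inventory(cert *x509.Certificate, now time.Time, renewWithin int) Finding {
	f := Finding{Subject: cert.Subject.CommonName, Algorithm: "unknown (review manually)",
		DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24)} // unrecognised key types never pass silently
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.Algorithm, f.Bits, f.QuantumVulnerable = "RSA", pub.N.BitLen(), true
	case *ecdsa.PublicKey:
		f.Algorithm, f.Bits, f.QuantumVulnerable = "ECDSA/"+pub.Curve.Params().Name, pub.Curve.Params().BitSize, true
	}
	f.RenewalDue = f.DaysLeft <= renewWithin
	return f
}

// SelfSigned builds a certificate in memory so the example runs offline on constructed data.
func SelfSigned(pub, priv any, cn string, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() { // constructed sample: an RSA cert expiring in 20 days, a P-256 cert good for a year
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaCert, _ := SelfSigned(&rsaKey.PublicKey, rsaKey, "legacy.example.test", 20)
	ecCert, _ := SelfSigned(&ecKey.PublicKey, ecKey, "api.example.test", 365)
	fmt.Printf("%+v\n%+v\n", Inventory(rsaCert, time.Now(), 30), Inventory(ecCert, time.Now(), 30))
}
```

In a real deployment the certificates would come from a discovery scan rather than SelfSigned, and rows with RenewalDue set would be handed to the renewal automation while every quantum-vulnerable row goes on the PQC migration list.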