Why ignoring Cryptographic Agility is dangerous.Robert Levine
Cryptography forms the basis of trust, authorization, authentication, data integrity and privacy. Modern organizations use cryptography across their entire operations ranging from the products sold to customers to internal functions such as payroll. Given the incredible reliance on cryptographic underpinnings you would expect tight control of it, but sadly this isn’t the case. Most organizations don’t have an inventory or any ability to report and make changes to their cryptographic underpinnings.
How devastating would it be to your organization should a material issue crop up with the cryptographic algorithms used? Would your organization be able to service its customers? Would its products be at risk? Would the entire organization be at risk?
Over the past 20 years enterprises updated the cryptographic underpinnings of our organizations a few times. Most updates were planned and followed the natural product upgrade cycle over the course of 5 to 10 years due to the lack of urgent risk. Unfortunately, a few updates required to be done on an emergency basis, such as the TLS Heartbleed bug (https://en.wikipedia.org/wiki/Heartbleed) which allowed anyone the keys used to protect information flows.
The current reality is that with both planned and unplanned update scenarios, organizations experienced elongated risk exposures due to long remediation timelines and high manual efforts. When urgent problems like Heartbleed or planned obsolescence events such as eliminating old versions of TLS (V1.0 and V1.1) occurred, enterprises first had to discover where and what parts of their IT infrastructure used the cryptology that needed to be replaced. Once discovered, they had to test and update the environments often one-by-one. The simple fact of finding the libraries required herculin manual effort of searching every system concurrently with requesting vendors to search their code base. Testing and deployment require effort from every application team and in many cases vendors to supply new code.
In the next 3 to 5 years we’re looking at another set of planned cryptographic upgrades and very likely emergencies due to quantum computing capability of nation states achieving the ability to perform the Shor’s (https://en.wikipedia.org/wiki/Shor%27s_algorithm) algorithm rendering of the core algorithms protecting the internet useless.
While most enterprises look at quantum breaking of security with skepticism the government is taking it very seriously. In fact, in July 2022 they released four candidate algorithms to address the risk and are running well funded projects to upgrade the government systems along with providing outreach to industry.
So, what should organizations do? Quickly put in place a program to figure out what their most critical protocols are and what applications use cryptography. Then put in place structures and technology to collect and report on cryptographic inventory, configuration and usage so with the goal of quantifying their business risk should a change be required along with a prioritized remediation approach should an emergency change is required. Lastly, they should look at means to implement cryptographic agility into their corporate infrastructure that not only provides reporting but also eases the upgrade process.