Crypto-Agility – Are You Ready for the Post-Quantum Era?

In a world where cyber threats continue to grow, crypto-agility will be a critical component of organisations’ security strategies. The concept of crypto-agility is becoming increasingly important for sustainable and future-proof protection against cyber attacks – both today and in the post-quantum age. But what exactly does this mean? This blog article sheds light on the relevance of crypto-agility and how you can plan your journey towards a post-quantum era.

People have been encrypting information for thousands of years, but cryptographic processes that once protected secrets become vulnerable over time. As soon as a cryptographic algorithm is cracked, the identities, infrastructures, data and services it secures are massively at risk from attackers. The rapid pace of technological development means that nowadays cryptographic mechanisms have to be replaced or strengthened with increasing frequency. This is where crypto-agility comes into play.

The importance of crypto-agility has become ever more apparent in recent times. Political institutions and experts around the world are warning of the challenges of the post-quantum era. For example, in 2023 the European Policy Centre published a quantum cybersecurity agenda for Europe, and US President Biden signed the Quantum Computing Cybersecurity Preparedness Act. These developments demonstrate just how pertinent it is to prepare for this era. Are you ready?

What Is at Stake?

Quantum computers could well be able to crack our current cryptographic algorithms, which would jeopardise most of today’s digital security systems. This has far-reaching consequences for companies in terms of data integrity, confidentiality and also identities. The aim now must be to create infrastructures that can flexibly switch between cryptographic algorithms and update them depending on the risk assessment.

The following cryptography standards, for example, are no longer secure:

• RSA-2048 (encryption & signature & key exchange)
• RSA-3072 (encryption & signature & key exchange)
• DH-3072 (signature & key exchange)
• 256-Bit ECDSA (signature & key exchange)

Adapting to safe procedures in this way impacts for example:

• AES (symmetric key; encryption), which requires longer key lengths
• SHA-2; SHA-3 (hash; hash function), which create a larger data volume
  

The cryptographic algorithms mentioned are used for example for digital identities, certificates (internally managed, externally managed, unmanaged), for signing (signing contracts, code signing in software development), authentication (of services, of natural persons in the digital environment), encryption of data, etc. We see that the topic of crypto-agility is fundamental in all kinds of areas.

Crypto-Agility Explained

Crypto-agility enables a rapid reaction to changes in cryptographic algorithms and protocols. A cyber security system is considered “crypto-agile” if its cryptographic system can be updated efficiently – and ideally automatically – to achieve a more secure state. This is necessary because cryptographic systems become more vulnerable over time: cryptographic algorithms, key lengths or key generation processes have a limited lifespan and therefore need to be replaced or updated from time to time. Another scenario relates to known weaknesses in the technical implementation of the crypto system. Here, too, replacement is needed.

Some key aspects to consider on your path to crypto-agility:

• The threat posed by quantum computers requires quantum-safe algorithms to be developed and integrated.
• The integration of new cryptographic methods into older systems can be challenging in technical terms.
• Updating security certificates and keys can be time-consuming.
• Introducing crypto-agility into organisations requires awareness and a culture of continuous change and adaptation.
• Implementing crypto-agility s financial and human resources.
• Compliance with regulations and standards can be a challenge.

Crypto-agility emphasises the need for security policies, performance awareness and a clear understanding of the implications of the measures involved.

Why Does Being Crypto-Agile Matter?

The rapid progress in quantum computing has far-reaching implications for a range of technological fields, especially cryptography. Quantum computers pose a security challenge because they can compromise many of today’s cryptographic algorithms in a very short time. The security of the encryption methods offered by conventional algorithms is reduced and even cracked. Against this backdrop, it is crucial that systems are flexible enough to react to such changes in the risk landscape and to implement new, attack-resistant algorithms if necessary.

When Is a System Crypto-Agile?

Crypto-agile systems are characterised by five basic features: 

• Modularity
  Crypto-agile systems should have a modular structure so that encryption features can be easily updated and expanded. It should be possible to replace individual components and encryption algorithms independently of each other without affecting the overall system.
• Flexibility
  Crypto-agile systems must be designed flexibly so they can adapt to new threats and security requirements. This includes the ability to support different encryption algorithms, customise key lengths and implement new security protocols.
• Open standards
  Crypto-agile systems are based on open standards and are transparent in terms of their functionality and implementation.
• Lifecycle management
  A structured approach to the lifecycle management of cryptographic components is an integral part of crypto-agile systems. This includes regularly updating algorithms and keys, monitoring security vulnerabilities and reacting quickly to threats.
• Safety assessment and certification
  Regular security assessments and certifications by independent test centres ensure that crypto-agile systems comply with recognised security standards and are trustworthy.

How Does Your Company Become Crypto-Agile?

When speaking to our customers and partners, we are increasingly being asked how they can make their company crypto-agile. We have summarised the four basic steps with practical tips for you:

1. Understand your cryptographic environment

Take stock of the cryptographic processes in your environment and identify which data needs to be protected. Analyse how these data streams flow and how they are currently protected.

The challenges are familiar issues in the implementation of cyber security projects: the complexity of the evolved architecture and corresponding dependencies in the environment, legacy systems, distributed systems, for example in the cloud, as well as requirements on system and software development such as integrated certificates and interface technologies.

Our practical tips:

• Expand your asset inventory or data processing directory to record the use of cryptographic methods for each item.
• Identify and inventory the cryptographic algorithms used.
  
  

2. Modular architecture design

A flexible infrastructure makes it possible to replace cryptographic components without impairing the overall functionality. This allows you to react to new threats without having to redevelop the entire system. Ensuring modularity and interoperability is a challenge when changing modules, as identities are distributed and often used in interfaces with different partners.

A modular architecture that enables the smooth exchange and parallel use of cryptographic components during the transition phase is an advantage here.

Our practical tip:

• When setting up or expanding your IT infrastructure (software and hardware), make sure that the deployment of cryptographic algorithms is decoupled or abstracted from application or organisational processes as far as possible. Microservice architectures, container solutions or API gateways are ideal for centralised cryptographic data processing.
  
  

3. Communicate with your providers

Maintain a dialogue with your software providers. Your software may contain cryptographic algorithms that are potentially vulnerable to attack. Ask about update schedules and the selection of algorithms. At the same time, the coordination of software updates and algorithms in a system also requires good planning and cooperation. Active communication with software providers and permanent monitoring of the risk situation are therefore essential on the road to the post-quantum era.

Our practical tips:

• Update your list of suppliers or their data processing directory with information on the use of cryptographic methods and your requirements for this. In combination with the risk analysis of the data and processes, prioritise the sequence of supplier communication and coordination regarding the transition to new cryptographic methods.
• Plan and coordinate the next steps for each supplier well in advance, especially in terms of any contract amendments, SLA supplements and other legal requirements.
  
  

4. Regularly test your crypto agility

Carry out regular tests to check whether your crypto-agility measures are effective and whether the systems comply with current security standards. Efficient monitoring of these measures is important for their success to be measured.

Our practical tip:

• Define the necessary tests during the planning phase so that the transition and the modular exchange of methods can be checked and compared. We recommend defining the desired test results at the following levels: single unit, integration, function, security, performance, backward compatibility and recovery.

Crypto-Agility Is No Longer a “Nice-To-Have”

In a constantly changing threat landscape, it is essential that cryptographic algorithms are continuously improved. Even if the post-quantum age is still some time away, crypto-agility is a central issue as quantum computing establishes itself. Secure encryption requires planning, understanding and commitment. Be ready for the challenges of the post-quantum era by starting your crypto-agility journey today!

How? InfoGuard supports you in this process – from the efficient identification of algorithms, protocols and standards used, through the development of crypto-agility strategies and their implementation, right up to the testing of corresponding systems and processes. Put your crypto agility to the test and join us in a “Crypto Agility Assessment” with elements from organisational and technical tests. Contact our experts, they will be happy to advise you!