How to Improve your Organization’s Crypto-Agility

As the sheer number of connected devices continues to rise and technology continues to develop toward a future full of quantum computers, securing devices/applications and becoming “crypto agile” is fundamental to an organization’s effort to become and stay secure, today and in the future. Read on to discover how to improve your organization’s crypto-agility.

A common enterprise goal is to improve business agility. The ability to quickly adapt to market changes gives an organization a competitive advantage and can also prevent unnecessary losses. Information is an organization’s lifeblood, and the information security department is responsible for establishing and maintaining secure connections between IT systems and all external devices. As a best practice encryption should always be used between diverse systems that have to interoperate. Your organization should require encrypted links to protect the information in transit, whether it is destined for internal or external systems. As the number of connected devices grows, becoming “crypto agile” is a key component of an organization’s business agility.

Poor visibility limits agility

A common issue most security professionals face is not having a full understanding of where crypto is being used throughout the IT infrastructure. Maintaining a software inventory is something security professionals are familiar with, and they need to develop the same insight into all connected devices.

Among the most common crypto in use today are TLS/SSL certificates, which are used to establish secure connections between browsers, servers and an ever-expanding number of devices and applications.

TLS uses both asymmetric and symmetric encryption via a Public Key Infrastructure (PKI), which is the set of hardware, software, people, policies and procedures that are needed to create, manage, distribute, use, store and revoke digital certificates. PKI is also what binds keys with user identities by means of a Certificate Authority (CA). PKI benefits from using both types of encryption. For example, in TLS communications, the server’s TLS certificate contains an asymmetric public and private key pair. The session key that the server and the browser create during the TLS handshake is symmetric.

What crypto-agility is and is not

Crypto-agility involves knowing everywhere that crypto is being used in your organization (e.g. protocols, libraries, algorithms, certificates, etc.), knowing how it is being used and having the ability to quickly identify issues and remediate them. True crypto-agility allows you to seamlessly replace outdated crypto as necessary via automation.

Crypto-agility is not just the ability to use different algorithms for critical functions (e.g., hashing, signing, encrypting, etc.), nor is it the ability to choose which algorithm (e.g. SHA-1 or SHA-256) to use for a particular function.

SHA-2, the successor to SHA-1, contains the same cryptographic weakness (although its increased length offers better protection against breaking). Still, SHA-3 is the recommended replacement for SHA-1 and SHA-2, but the problem is that almost no hardware or software products support it yet.
Simply trying to get the supported algorithms into place everywhere they need to be can be a tall order, and that makes striving to achieve crypto-agility more difficult. Most crypto transitions happen at internet scale, and transitioning off of one crypto algorithm to a new one requires working with all of your vendors.

Crypto-agility best practices include the following:

  • Establish and communicate clear policies
  • Inventory all crypto assets
  • Identify crypto vulnerabilities (internal to your org and with vendors)
  • Have the ability to test new cryptographic algorithms
  • Have the ability to replace vulnerable keys and certs quickly
  • Maintain ownership information
  • Automate management
  • Automate replacement tracking

The first step in establishing crypto-agility within your organization is to create and clearly communicate policies around TLS best practices (for information on TLS best practices reach out to your DigiCert rep). After policies are established, the next step is the inventorying of all crypto assets, which can be accomplished through the use of a modern certificate management platform with a comprehensive discovery feature (see CertCentral for more information on certificate discovery). Once the inventory is complete and you have visibility and control of all your organization’s crypto assets, you will have the flexibility to start testing new algorithms as they become available and/or replace vulnerable keys, without the concern of leaving your organization unsecured or breaking critical processes.

As you achieve visibility and control and can freely swap crypto at your choosing, your next focus point is on maintaining crypto-agility. You will want to make sure the correct people or departments retain ownership of their respective crypto-assets and that automation of crypto-assets like TLS certificates are being used whenever possible to make sure replacement and tracking are being completed even when everyone is away.

Achieving crypto-agility requires that all your hardware vendors also can update their devices in a timely manner. How security conscious a hardware vendor is can play a role in helping organizations retain crypto-agility. If you have a vendor with a history of being slow to roll out security updates, that creates a risk. If you work with vendors that provide regular updates, disclose what crypto they’re using and support the latest algorithms, you minimize risk and improve your crypto-agility level. That will enable your organization to more quickly respond to a large crypto threat and mitigate any potential damage.

Your vendors (example: IT hardware/software providers), business partners and third-party service providers need to be able to provide you with information on how they will support your plan. Make it your policy to work with vendors who use the best current cryptography and add support for modern standards and improved algorithms within a reasonable timeframe. Software and firmware need to be upgradable in a reasonable timeframe, and with a reasonable amount of effort. This will enable you to quickly replace anything from previous crypto eras that leave your organization open to security vulnerabilities. This policy should also be taken with remote software updates, but if you have taken steps to maintain visibility and control and to automate your crypto-assets, you should not be negatively affected.

Finally, you need to start at least thinking about the transformation of your IT infrastructure that quantum computing will drive in the not-too-distant future. Quantum computing will enable computers and IoT devices to run calculations much faster than what is possible today. It promises to fundamentally change the way we approach everything, from researching cures for cancer to alleviating traffic in urban centers. But realizing those visions requires overcoming the new IoT security challenges quantum computing will create.

Today, connected devices rely on RSA or ECC cryptography to protect the confidentiality, integrity and authenticity of electronic communications. Web browsers also use RSA and ECC signature verification to establish a secure connection over the internet or validate digital signatures. However, NIST and other security industry watchdogs predict that within a decade, large-scale quantum computing will break RSA public-key cryptography.

The benefits and risks quantum computing presents will affect virtually every industry, including financial services, healthcare, energy and manufacturing. The realization of quantum computing-driven IT systems may still be at least five to 10 years down the road, but it’s something to consider now as you work to improve your crypto-agility levels today and tomorrow.

Closing thoughts to consider:

  • Cryptography that can protect remote software update (hash-based signatures) exists today and should be deployed.
  • This will allow software to be updated to NIST-approved post-quantum algorithms when they are available.
  • The technologies that are available today not only provide the ability to upgrade to post-quantum algorithms in the future, but also increase your organization’s ability to respond to whatever cryptographic challenges arise in the future.
Posted in PKI, SSL