Cryptography has become indispensable in our modern information security systems. It allows us to securely make payments with our bank cards, control traffic lights, and encrypt confidential information. However, cryptosystems can be ‘broken’, for instance through weaknesses in algorithms, implementation errors, or the emergence of powerful quantum computers that significantly reduce the security that the cryptography provides.
For these reasons, it is important to take new vulnerabilities and threats into account. This can be achieved by making cryptography agile. Agility makes it possible, for example, to quickly change key lengths or to implement a different algorithm in a protocol.
Tips from research results
The ‘crypto-agility’ working group of the Quantum-safe Cryptography programme of the Central Government (QvC Rijk) conducted research. They developed a foundation for discussing various aspects of crypto-agility within organisations. They envisioned this concept as a large monster with both bad and good sides. All aspects were then made visible (on a beer coaster). The following tips emerged:
- Crypto-agility is a way to reduce (future) vulnerabilities in cryptographic protocols, primitives, and systems.
- In your risk management process, consider not only the positive effects of agility but also the risks that come with it.
- Choose agility goals and the degree of agility appropriate for your organisation’s risks. Determine how you can achieve these goals.
- Try to map out what agility capabilities you have or want to have in the cryptosystem, and what the dependencies are.
Guidelines
The ‘crypto-agility’ working group of the QvC Rijk programme is currently developing guidelines to support the government and providers of essential services in making systems ‘crypto-agile’.
Are you involved in the design or management of a crypto-agile system? Read the blog about crypto-agility on ncsc.nl (in Dutch) and share your experiences.