Quantum computers threaten today’s cryptographic systems
Today’s cryptographic systems are under threat because quantum computers will, in the future, be able to break the public-key procedures in use today. Shor’s algorithm, presented in 1994, showed that asymmetric encryption can be broken by a quantum computer.
Building a quantum computer large and reliable enough to run Shor’s algorithm at that scale would therefore render asymmetric cryptography useless. Symmetric cryptosystems are threatened by quantum computers running Grover’s algorithm.
Further threats to cryptography
The Fraunhofer Institute for Secure Information Technology SIT names four threats to cryptography in connection with crypto-agility:
The BSI explains that crypto-agility can be achieved as follows:
“In the new and further development of applications, particular attention should be paid to making the cryptographic mechanisms as flexible as possible in order to be able to react to all conceivable developments, implement upcoming recommendations and standards and possibly replace algorithms in the future that no longer guarantee the desired level of security.”
The BSI refers to Marian Margraf of the Free University of Berlin, who focuses on the organisational side and calls for adequate migration concepts and incident management systems.
How do you become crypto-agile?
These organisational aspects are a central component of crypto-agility. If crypto-agility is defined as the ability of a system or organisation to adapt the cryptography it uses flexibly, and thus to react quickly to vulnerabilities, then the process has an organisational side in addition to the purely technical one: the organisation must be able to put technical changes into practice.
In other words, it must be possible to replace or update the cryptographic procedures quickly and easily. We are therefore no longer talking only about the race between the most secure encryption algorithms and the most effective attacks on them, but also about anticipating new technologies and reacting to them as flexibly as possible.
Crypto-agility can be implemented at various levels, and several measures can complement or replace each other: flexible hardware, individual interchangeable functions, or entire cipher suites, i.e. the combinations of cryptographic algorithms (key exchange, authentication, encryption and integrity protection) that together secure a connection. Making everything more flexible does not make sense either, however, as more crypto-agility makes systems more complex and therefore often slower.
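The "interchangeable functions" level described above can be made concrete with a small example. The following Python code is an added illustration and is not from the article, NoSpamProxy, the BSI or Fraunhofer SIT. It assumes a self-describing tag format `<label>:<hex>` (an assumption, not a standard) so that every stored tag records which algorithm produced it; the registry, the default algorithm and the set of retired algorithms are policy entries that can be changed in one place without touching the callers, and the `migrate` function re-tags data that was protected with a retired algorithm. The sample records and key are constructed for the demonstration.

```python
"""Added example: algorithm-agile message authentication.

The application calls protect()/verify() and never names a hash function
itself; which algorithms exist, which one is the default and which are
only still accepted for old data is decided in the policy table below.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Registry of MAC constructions, keyed by the label that is stored with each tag.
MAC_REGISTRY: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "hmac-sha1": lambda key, msg: hmac.new(key, msg, hashlib.sha1).digest(),
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

# Policy: the algorithm used for all new tags, and the algorithms that are still
# accepted when verifying existing data until it has been migrated. Retiring an
# algorithm is a change here, not in every place that protects or verifies data.
DEFAULT_ALG = "hmac-sha256"
RETIRED_VERIFY_ONLY = {"hmac-sha1"}


def protect(key: bytes, msg: bytes, alg: str = DEFAULT_ALG) -> str:
    """Return a self-describing tag "<alg>:<hex>" for msg (format is an assumption)."""
    if alg not in MAC_REGISTRY:
        raise KeyError(f"unknown algorithm {alg!r}")
    if alg in RETIRED_VERIFY_ONLY:
        raise ValueError(f"{alg} is retired and may not protect new data")
    return f"{alg}:{MAC_REGISTRY[alg](key, msg).hex()}"


def verify(key: bytes, msg: bytes, tag: str) -> Tuple[str, bool]:
    """Check a tag against msg.

    Returns (status, needs_migration) where status is "valid", "invalid" or
    "unknown-algorithm". needs_migration is True when the tag is valid but was
    produced by a retired algorithm, so the record should be re-tagged.
    """
    alg, sep, hexdigest = tag.partition(":")
    if not sep or alg not in MAC_REGISTRY:
        return "unknown-algorithm", False
    try:
        given = bytes.fromhex(hexdigest)
    except ValueError:
        return "invalid", False
    expected = MAC_REGISTRY[alg](key, msg)
    # Constant-time comparison so verification timing does not leak the tag.
    if not hmac.compare_digest(expected, given):
        return "invalid", False
    return "valid", alg in RETIRED_VERIFY_ONLY


def migrate(key: bytes, records: List[Tuple[bytes, str]]) -> List[Tuple[bytes, str]]:
    """Re-tag every record that still carries a retired-algorithm tag.

    Each record is verified under its old algorithm first, so that a forged or
    corrupted record is never silently re-tagged with the current algorithm.
    """
    migrated = []
    for msg, tag in records:
        status, needs_migration = verify(key, msg, tag)
        if status != "valid":
            raise ValueError(f"refusing to migrate record with {status} tag")
        migrated.append((msg, protect(key, msg) if needs_migration else tag))
    return migrated


# Constructed sample data: one legacy record tagged with the retired algorithm
# (computed directly, since protect() refuses to create such tags) and one
# current record. The key is a demo value, not a real secret.
KEY = b"constructed-demo-key-not-for-real-use"
SAMPLE_RECORDS: List[Tuple[bytes, str]] = [
    (b"invoice 1001", "hmac-sha1:" + hmac.new(KEY, b"invoice 1001", hashlib.sha1).hexdigest()),
    (b"invoice 1002", protect(KEY, b"invoice 1002")),
]


def demo() -> List[str]:
    """Migrate the sample records and return the algorithm label of each tag."""
    return [tag.partition(":")[0] for _, tag in migrate(KEY, SAMPLE_RECORDS)]


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to signatures, key exchange or encryption: the data carries an algorithm identifier, the application code depends only on the registry, and retiring an algorithm is a policy change plus a verified re-tagging of existing data. For a real deployment the registry would be backed by a vetted library and the policy kept in configuration rather than source.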
Requirements for crypto-agility
According to the Fraunhofer Institute, crypto-agility always requires the fulfilment of the following requirements:
Crypto-agility should already be an important part of companies’ security strategies today. Although the starting point is often the threat to IT security posed by quantum computers, an agile strategy is also effective for classic attacks using “conventional” computers: these attacks can also evolve and break encryption methods and render them useless. Investing in crypto-agility is worthwhile in any case, because it means preparing today for future attacks, regardless of whether they are quantum-based or not.