The Journey Toward Modern Cryptography


Cryptography has been the backbone of security in our digital world, and it continues to grow in importance as more services, capabilities, and our lives become ever more digital. Cryptography increases in importance daily as we see new reports about cyber-attacks. Hospitals, retail stores, businesses of all sizes, governments – all are under constant threat of attacks that aim to exfiltrate data, disrupt critical systems, or serve other nefarious purposes.

Today’s cryptography is very strong against the capabilities of current computers. Indeed, data breaches, for example, are not successful because they break cryptography. Rather, successful attackers mostly obtain digital identities and masquerade as authorized entities to gain access to data and systems. Consequently, we operate on the well-founded belief that the cryptography used to protect our digital lives is, in fact, very secure.

A new threat – quantum computing – is challenging that belief. Cryptographers have known for decades – in fact, well before the development of quantum computers began – that a quantum computer of sufficient power would be able to break some of the most important cryptographic algorithms we depend on today. Significant advances in quantum computing are being announced every few months, putting pressure on organizations to prepare for their arrival.

To counter the threat of quantum computing, organizations worldwide face the challenges of moving from a small set of well-known, traditional cryptographic algorithms to a larger set of new algorithms specifically developed to withstand quantum computing. These new algorithms are known as post-quantum cryptographic algorithms.

Examining the past to chart a course for the future

It is difficult to think of any area of an organization’s digital landscape that isn’t touched by cryptography. Every user login and machine authentication, such as a Web server identifying itself to a browser, requires cryptography. Securing data in transit and at rest requires cryptography.

With such widespread use of cryptography today, the transition to post-quantum cryptography will take time. Organizations will only succeed in that transition by first understanding where and how they use cryptography today. Each organization owns the overall security posture of its own digital environment, although it may not have a complete understanding of its cryptographic assets.

Organizations need comprehensive cryptography inventory and management. This inventory provides insight into the algorithms, keys, protocols, and software libraries in use today and where they are used. Underscoring its fundamental importance, US federal government agencies are currently mandated to generate a full cryptography inventory. Similarly, organizations processing credit card data must produce a cryptography inventory by March 2025 to meet industry compliance standards.

Only with a comprehensive cryptography inventory can organizations truly understand their cryptography landscape and prioritize which areas to tackle first in their journey to post-quantum readiness.

The critical role of crypto agility

The US National Institute of Standards and Technology (NIST) is currently standardizing a family of new algorithms capable of withstanding the threats of quantum computing. These new algorithms present significant differences from the traditional algorithms they are intended to replace. There is uncertainty over which post-quantum algorithms will stand the test of time and, of course, we should expect more post-quantum algorithms to be developed and standardized over time. Consequently, unlike in the past, software and hardware security solutions will need to offer customers a set of cryptographic algorithms, together with the ability to easily select the algorithms used by specific applications and to change that selection later.

When considered at the scale of large organizations, selecting and later modifying the selection of cryptographic algorithms for applications needs to be manageable. This means that organizations need to be able to change the cryptographic algorithms used by applications in a timely, policy-driven manner without requiring changes to the applications themselves. Simply put, this is the definition of agile cryptography, often referred to as “crypto agility”.
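The policy-driven change described above can be sketched as follows. This is an added example, not code from the author or any product: the policy layout and the function names are hypothetical, and HMAC digests from the Python standard library stand in for the algorithms being swapped, because the standard library ships no post-quantum algorithms.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # sample key, constructed for this example

def protect(policy: dict, data: bytes) -> str:
    """Application-facing call: the call site never names an algorithm."""
    alg = policy["protect_with"]
    tag = hmac.new(KEY, data, alg).hexdigest()
    return f"{alg}${tag}"  # the token records which algorithm produced it

def verify(policy: dict, data: bytes, token: str) -> bool:
    alg, _, tag = token.partition("$")
    if alg not in policy["accept"]:  # retired or unknown: refuse before use
        return False
    expected = hmac.new(KEY, data, alg).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())

def needs_migration(policy: dict, token: str) -> bool:
    """True when a token was made with an algorithm that is no longer current."""
    return token.partition("$")[0] != policy["protect_with"]

def rotation_demo() -> dict:
    record = b"patient-id=1234"  # constructed sample data
    policy = {"protect_with": "sha256", "accept": {"sha256"}}
    old = protect(policy, record)

    # Phase 1: policy change only. Old tokens still verify and are flagged.
    policy = {"protect_with": "sha3_256", "accept": {"sha256", "sha3_256"}}
    new = protect(policy, record)
    phase1 = (verify(policy, record, old), needs_migration(policy, old))

    # Phase 2: sha256 is retired, so old tokens are rejected outright.
    policy = {"protect_with": "sha3_256", "accept": {"sha3_256"}}
    return {
        "old_alg": old.split("$")[0],
        "new_alg": new.split("$")[0],
        "phase1_old_verifies_and_flagged": phase1,
        "phase2_old_verifies": verify(policy, record, old),
        "phase2_new_verifies": verify(policy, record, new),
        "tampered_verifies": verify(policy, b"patient-id=9999", new),
    }

if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(name, value)
```

The application functions are identical in all three phases; only the policy dictionary changes, and the algorithm identifier stored with each token is what lets older data be found and re-protected before its algorithm is retired.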

There is no stopping progress in the digital age, and there is no uncertainty about cryptography’s importance to that continual progress. A post-quantum future enabled by crypto agility will be a better, more manageable place for organizations to benefit from cryptography’s essential capabilities.

The first step to that future is organizations capturing a full inventory of their cryptography to better understand their digital landscapes. Step two leverages that inventory to create a prioritized plan for transitioning applications to agile, manageable cryptography.

About the Author

Dr. Taher Elgamal is a visionary leader in the field of cybersecurity, widely recognized as the “father of SSL” – the internet security standard, Secure Sockets Layer. His contributions over four decades span entrepreneurship, investment, and technical leadership, shaping the landscape of online security.

Taher’s career is marked by innovation. He is a prolific inventor, holding numerous patents in data security, payments, and data compression. He has founded several successful companies, including InfoSec Global, NokNok Labs, and Securify. His tenure as Chief Technology Officer, Security at Salesforce.com further solidified his reputation as a leading expert.

Taher’s dedication to the field is reflected in his numerous accolades. He is the recipient of the RSA Conference 2009 Lifetime Achievement Award and the 2019 Marconi Prize, a testament to his lasting impact on the industry.

Taher can be reached at www.linkedin.com/in/taherelgamal/ and at www.infosecglobal.com.
