Where is your cryptography? Do you know where and how your crypto is currently being used in your organization and in your supply chain interactions. You will find it useful to do this on a regular basis, and you will want to bring in some central coherence and visibility to this function going forward.
In this blog, we will discuss all the places you will find your crypto. On a panel I was once on, a wise person said “Where isn’t crypto?”.
Where isn’t crypto?
You will, in fact, find cryptography in every layer of your stack and embedded in all protocols that exchange information (data in transit) internally or externally, that secure information while in storage (data at rest), and even those that authorize and secure its processing (data in use). You will find it in the networks, in the devices (microprocessors, IoT, ATM, satellites, set-top boxes, point-of-sales systems, smartphones, cars, etc.), in the applications, in the cloud, at the edge, in the servers, in the firewalls, in DNSSEC, HTTPS, TLS, SSH, IAM, VPN, Wi-Fi and PKI, in secure payment protocols, in key management applications, at the core of cryptocurrencies, in mobile apps, and in your code signing. Well you get the point, “Where isn’t crypto?”
So, this will be an involved process, and one that to be solved effectively and on a timely basis requires a collaborative eco-system – and for verticals that exchange significant digital value between them on a daily basis, this collaboration may be best approached using pre-competitive behaviours.
Create digital trust with hardware security modules
Most people are familiar with the idea that hardware security modules (HSMs) have performed an important role in helping to create digital trust over the last several decades. Most would, however, not recognize that the core of the HSM was developed prior to the emergence of the internet, e-commerce, mobile, applications, platforms, interoperable standards, cloud/multi-cloud, edge, IoT, digital identities and currencies, and so on. All of these ‘new things’ still trace their trust back to the classic HSM.
Visibility is Key
Because we haven’t had to change the family of algorithms since launching the HSM some 25 years ago, the explosion and creep of where and what type of cryptographies exist in the enterprise – and its supply chains – have not been a matter of centralized command and control. Visibility into the crypto domain of an organization becomes an important issue when you have to understand the scope, scale, and concept of operations to change and control a new family of cryptography going forward. And that’s what post-quantum cryptography (PQC) is – a new family that needs to be accommodated not just into the HSM but into your full stack and network protocols.
It comes as no surprise when NIST, DHS, and the Canadian Forum for Digital Infrastructure Resilience speak of the same triad – inventory, assessment and implementation – when encouraging enterprises to begin their journey to accommodating the new families of PQCs. Expect to hear more about this cryptographic inventory topic as it’s the best place to begin your journey – understand what is, bring new coherence to its ongoing evolution, and begin to assess where in your own concept of operations you should begin your implementation.
Planning, budgeting and implementation
One thing to keep in mind as you think through planning, budgeting, and timelines, is who will help you with implementing the solutions? This work should not be considered just a one-time crypto-rotation – as, for example, DES was to AES. That was a single crypto-primitive within the symmetric key crypto-family and could be largely achieved (and that rotation started over 20 years ago…) with minimal impact to existing hardware and software tools.
A change to post-quantum cryptography is a change of all crypto-primitives of the public key crypto-family with a brand new generation of quantum-safe crypto-primitives. In other words, it’s a new crypto-family. And this new family will then expand.
So, when you think about your approach, make sure you focus on two things: new processing hardware and software that accommodates new growth in the new crypto-family without once again having to redo the whole stack. And, if possible, have that new hardware and software also operate between the old and the new crypto-families – it’s crypto-agility, not a crypto-rotation, you want to achieve. Crypto-agility is going to be a very good investment for your future and for your supply chains.
Thanks for reading.