The race to crypto-agility

The race to crypto-agility 2

The cryptography imperative…

Without the ability to encrypt, and thus secure, data transmissions over the internet, so much of what we do online—from shopping to working to socializing—would be so risky as to be effectively impossible.

Unless we take action, this is exactly what we could face. Existing cryptography works because it’s so hard to break with classical computing technology. Even a supercomputer would need hundreds of years just to break a single public-private key, for example. But rapidly advancing next-generation computing technology threatens to change this radically. Quantum computing, specifically, promises such vastly increased computational power that existing cryptographic methods would be breakable fast enough to render the entire internet insecure.

At the same time, other advanced threats to internet encryption are continuously emerging. Figure 1 shows, for example, the number of crypto-associated vulnerabilities discovered each month over the past 20 years. And these are only the ones we know about. Developments in machine

learning assisted vulnerability discovery (such as ML Fuzzing) and cryptanalysis technology will likely accelerate the number of vulnerabilities uncovered in hardware crypto modules, encryption software and security libraries.

It all adds up to a significant impending problem for today’s businesses. Digital security, privacy and trust are fundamental components of operating in the modern age. But the foundations of that trust are weakening just as the threats grow stronger and more numerous. Organizations risk being pushed into uncharted territory with an unclear path to guaranteed digital security.

This is why organizations must look to become crypto-agile as a matter of urgency. The objective is to stay ahead of both known and unknown threats and risks while the security industry finds its way to a secure future in the quantum era. The Windows Cryptography API: Next Generation (CNG) framework is a good example of this, demonstrating that it’s possible to achieve modularity and extensibility at many levels while remaining cryptographically agnostic.

It may not be evident to most people in their day-to-day lives, but cryptography is an integral part of the modern economy.

The race to crypto-agility 3

Figure 1: Crypto-associated vulnerabilities discovered each month since 2000

Source: Accenture Cyber Threat Intelligence

01/00

14

Num

ber o

f CVE

s pe

r mon

th

12

10

8

6

4

2

010/00 07/01 04/02 01/03 10/03 07/04 04/05 01/06 10/06 07/07 04/08 01/09 10/09 07/10 04/11 01/12 10/12 07/13 04/14 01/15 10/15 07/16 04/17 01/18 10/18 07/19

The race to crypto-agility 44

The race to replace RSAThe method commonly used today to secure data transmissions is based on the Rivest-Shamir-Adelman (RSA) algorithm invented in 1977. In the 40+ years since, this algorithm has come to be widely trusted for everything from security signatures and encryption to certificates and even blockchains.

The reason for RSA’s longevity is its asymmetric public-private key cryptosystem design, which rests on the extreme difficulty of factoring large prime numbers. This near-impossible feat for classical computing technology means the reliability of RSA has become an assumed default on which much of the modern internet relies.

It has not all been plain sailing, however. To maintain this factoring difficulty, the National Institute of Standards and Technology (NIST) has increased the recommended key size for RSA-based cryptography alongside the growth in classical computing power. This has created its own challenges in upgrading existing hardware, removing hard-coded key sizes, revoking unsafe small certificates and upgrading legacy software/services to support new standards.

Furthermore, organizations have had difficulty responding to critical vulnerabilities discovered in their cryptography, such as the CVE-2014-0160 (aka HeartBleed Bug) exploit seen in 2014. In 2018 adversaries reportedly used malicious tools

such as the RouterSploit framework to hack millions of IoT devices still running older unpatched versions of OpenSSL vulnerable to HeartBleed.

The industry has been layering new security controls on top of existing technology to mitigate vulnerabilities as they are discovered. However, some of the new proposed security standards and technologies may end up competing with each other, some may prove insecure in the future, and others may simply never be adopted in practice. This complexity exacerbates an organization’s ability to stay ahead of the curve.

But it is quantum computing which is the greatest threat to RSA cryptography. Once mature, this technology will be able to break some RSA and Diffie-Helman keys trivially using algorithms such as Shor’s.1 As a result, NIST is creating new Post-Quantum Cryptography (PQC) standards which rely on concepts like lattices, rings, codes, key-encapsulations and supersingular isogeny in place of RSA’s time-tested prime factoring.

These new standards are expected by 2022.2 But in the meantime quantum computing research is surging ahead. The technology has already surpassed the world’s most powerful supercomputers—a feat demonstrated in 2019.3

The clock is ticking for internet security.

The race to crypto-agility

The race to crypto-agility 5

Crypto-agility is the ability of an organization to quickly and easily change its processes and cryptographic technology (in other words, its approach to encryption, signatures, and certificates).

What is crypto-agility?

Able to change its cryptographic systems and processes at will without compromising consistency, speed, or the ease of future changes.

Able to support multiple crypto protocols and primitives with the freedom to switch back and forth as desired.

Has the speed and flexibility to change course in response to new cryptographic security incidents and threats.

Able to adopt new technology faster, with reduced operational risk, while increasing competitive advantage.

The risks of quantum computing technology and increasingly advanced cyber-threats are such that every organization should be preparing to be crypto-agile in the near future. For this reason, we have developed an accelerator offering which can help organizations achieve crypto-agility faster by working with cloud partners.

A crypto-agile organization will have several specific qualities:

Repeatable Flexible Reactive Nimble

The race to crypto-agility 6

Stay ahead of the threats in the post-quantum world

6

The precise point at which quantum computing will become a viable tool for adversaries is unknown. But it could happen quickly, effectively rendering existing cryptographic techniques obsolete overnight, and with no upgrade path for many legacy systems. Advanced persistent threats (APTs) are probably already collecting encrypted data with a view to decrypting it as new quantum techniques emerge. Those organizations who don’t understand what, where and when encryption is currently used in their own environment will inevitably be caught flat-footed.

Moreover, if organizations are not able to stay compliant with new PQC standards, they will severely hinder their ability to adopt future technologies at pace. Indeed, having the ability to quickly change to the best new cryptographic primitives on demand may become the baseline standard for businesses that want to remain secure and trusted by their customers. Being crypto-agile will also mitigate the challenges of transitioning between standards and the organizational paralysis that can result from having to maintain both old and new standards simultaneously.

At the same time, companies must recognize that new PQC standards will not be a panacea. These standards may also break unexpectedly as new quantum attacks are realized. NIST crypto standards have historically undergone constant updating, deprecation and retirement in response to new attacks, and no-one should expect NIST’s 2024 PQC standards to be any different.

The race to crypto-agility 7

How do you become crypto-agile?

Creating this inventory will involve auditing every device, system, code, platform and vendor your organization uses. The scale of this undertaking means at least some degree of automation will be essential. The resulting inventory should furthermore be updated and tested frequently to maintain its accuracy. It also needs to be searchable and user-friendly – enabling the fast and easy identification of crypto priorities. Figure 2 provides an illustrative example of what the inventory process should initially cover.

It’s essential to document any cryptographic dependencies uncovered in the audit, along with any vendors you rely on for cryptographic services. You should also look to identify the legacy systems or applications in your organization’s environment that will be most impacted by cryptographic primitive changes. Plans of actions and milestones (POA&M) for making those legacy systems and applications more crypto-agile should be documented.

Understand “as is”

Increasing the crypto-agility of your organization needs to start with a clear understanding of where you stand now. That means conducting a crypto inventory audit and risk assessment of your current environment, with a special emphasis on identifying the systems and functions in your organization which are not yet crypto-agile.

The race to crypto-agility 8

Type Certificate policies Certs

Certificate Authorities (CA) (OCSP) Version #

Cert Chains & Trust Anchors Certificate Stapling Issuer(s)

Root Certificates Certificate Revocation (CRL) Expirations

CAA Records Self-Signing Algorithms

Registration Authorities (RA)

Certificate Transparency Alt DNS

Certificate Management Systems Certification Paths Signature

Certificate Reuse Fingerprint

Wildcarding Authority Key ID

Type Systems Keys

Secure Key Backups Authenticators Stores

Crypto processors Servers Generation

Crypto Libraries Databases Rotation

Algorithms Trusted Platform Modules Size

Protocols API Function

Cipher Suites VPNs Ownership

Proxies Algorithm

Access Management Systems Keying Material

CERTIFICATE CATALOG HARDWARE SECURITY MODULE CATALOG CRYPTOGRAPHY AUDIT

Figure 2: Crypto-agility inventory example

The race to crypto-agility 9

Plot a route to “to be” Give yourself time to choose the right crypto algorithms…

The audit and assessment can inform the development of a new set of crypto-agility requirements for your organization. These requirements can then be disseminated to all hardware, software, and services suppliers, or used to assess the suitability of new suppliers as appropriate. At the same time, it will often pay to bring in external expertise and capabilities, to accelerate the process.

Getting the whole organization up to speed on the need for crypto-agility is another key plank of the strategy. Training programs and policies will need to be updated and communicated, using consistent and clear language to avoid sowing confusion. You should also consider establishing a Threat Awareness Program to identify new intelligence, best practices and security compliance changes to cryptography caused by emerging technology risks.

You need to develop plans for selecting specific crypto algorithms, documenting crypto swap-out playbooks, and backup alternatives. Crypto-agility must also be integrated into the software development lifecycle and procurement workflow (for example, by using configurable cryptographic classes instead of hard-coding specific crypto-functions).

Selecting new cryptographic protocols, algorithms and suites should ideally happen before your cryptosystems suffer a compromise. But it’s equally important not to rush this process. The key is to start planning early, giving yourself time to explore each option and its associated tradeoffs (for example between security and performance). These tradeoffs will need to be considered during the selection of different classes of cryptographic algorithms as well as the operational environment in which those algorithms will be implemented.

It’s also important to bear in mind that each additional algorithm you adopt increases your flexibility but adds to the time required for testing, configuration, deployment, and maintenance. There is a risk that the organization is using so many algorithms, they end up being implemented in an insecure way and thus compromise the security of your data. Thorough testing must be included as part of this process.

The race to crypto-agility 10

The risk of waiting for the mandatory approval and retirement of crypto algorithms is that your organization’s data, users and systems are exposed to emerging technology threats that move faster than the standards institutions can respond to.

However, there are voluntary algorithms and mechanisms being promoted by organizations which aim to create a common set of cryptographic mechanisms. Many industry leaders have already started influencing these selections by implementing support for specific algorithms in their products or services. For example, Google’s Chrome browser has started experimenting with a lattice-based algorithm called “New-Hope”. And Amazon and Microsoft have started adopting the ‘Supersingular Isogeny Key Encapsulation’ (SIKE) algorithm into their products.

That said, it’s important not to fall into the trap of selecting an algorithm simply because one of the industry leaders is using it. New algorithms will have different performance, standards and storage requirements—and will weaken at different rates over time. While one specific lattice algorithm may be popular today, a novel lattice reduction attack could be discovered tomorrow which would result in its deprecation and retirement. If you had everything tied to that single algorithm, and are not crypto-agile, you will almost certainly have more trouble switching to other options in the future.

The race to crypto-agility

…but don’t wait too long

The race to crypto-agility 11

How will crypto-agility change what you do?

However, this agility must be balanced with strong cryptographic protections of the cryptography modules themselves to mitigate against adversaries attempting to tamper with or compromise their integrity.

In addition, software and information integrity using hashing functions will need to be addressed with the use of new future-resilient hashing and updated records (for example, replacing MD5, SHA-1 and SHA-2). Access enforcement and identity management based on A-symmetric cryptography will also need to be replaced with new crypto algorithms or safeguards that remain agile.

Cryptographic key management systems will need the agility to rotate to new crypto primitives and standards when disrupted by new threats.

It’s important to understand how and where crypto-agility will impact your organization. First and foremost, cryptographic modules (hardware, firmware, software) will need to support rapid and easy updates and/or configuration changes to respond to new disruptions, attacks and vulnerabilities caused by emerging technological risks.

The race to crypto-agility 12

• Double key lengths and select quantum resistant solutions where possible.

• Run development tests and benchmarking to evaluate PQC feasibility and impact.

• Automate private key rotation to mitigate future threats while transitioning to PQC where possible.

• Transition to Keccak derived hash functions (such as SHAKE256) which will likely provide the most crypto-agility for hashes with variable length outputs.

• Investigate whether Quantum Key Distribution (QKD) methods (such as BB84, E91) are suitable for your organization.

Crypto-agility for the post-quantum world Cryptographic bindings, such as checksums, keys, and certificates will likely need to be redesigned for agility. Cryptographic identification devices, such as tokens, will need to be redesigned to be resilient to attacks and exceed standards for the expected lifetime of the device.

Encryption will need mitigating security controls and/or refreshed encryption schemes and standards to protect the confidentiality of data from future threats. Encrypted portable media will need to be evaluated for its ability to remain crypto-agile, with secure media destruction procedures in place if needed. Cryptographically protected passwords will need additional security protections or stronger standards. Transitioning to passwordless styled authentication schemes should be considered.

On top of this, software developers should avoid hardcoding cryptographic processes to keep the code-base agile for the future. Software development and code reviews will also need to include automated tools/techniques to find new vulnerabilities in cryptographic methods.

The race to crypto-agility

The race to crypto-agility 13

Get a head start in the race for crypto-agilityThe big picture? Organizations need to be preparing today for the crypto-agility which will be essential tomorrow. That means increasing flexibility, acquiring component independence, and simplifying cryptography. Ideally this can be achieved with abstraction layers designed with crypto-agility goals in mind for the entire supply chain.

As part of this preparation, modularity is key. When security protocols are modular in design, new algorithms and cryptographic suites can be switched in and out in a repeatable and easy manner. Crypto-agility also offers a strong strategy for interoperability between new and deprecated algorithms. It means you can drop support for old crypto as soon as its risk-tolerance requires it, while simultaneously selecting the strongest crypto option at every opportunity.

This interoperability question will also need to be addressed more broadly, by cryptography institutions and industry leaders. An unwillingness to abandon weak crypto in order to maintain operability with slow adopters will ultimately degrade the security of everyone who continues to support the old algorithms.

Crypto-agility offers both a strategic and a tactical approach for confronting growing cryptography-related threats. This is an uncertain world, in which adversaries are getting smarter and more capable just as the principal cryptography methods risk being undermined by quantum computing. The question for organizations is how to prepare for this challenging future. Acquiring crypto-agility is a big part of the answer.

Accenture can recommend a crypto assessment and remediation plan tailored to your needs and exposure level. This includes a process of data discovery and classification of systems to understand what the crypto is protecting. We can then suggest a phased threat mitigation approach covering the following steps:

010203

Enhancing current production Cryptographic Security

Performing a crypto-agility proof-of-concept (PoC)

Upgrading to Post-Quantum Cryptography (PQC) where needed

13

The race to crypto-agility 14

Accelerate your crypto-agility with a trusted partner

Third-party services, such as Accenture’s Crypto-Agility Accelerator, can significantly accelerate an organization’s journey to crypto-agility. But when examining these offerings there are some key questions to ask:

Which standards are they supporting?

What is their approach for quantum safety in the cloud?

Can they automate the identification of unsafe crypto in your environment?

Do they provide early warnings and intelligence on emerging technology risks to crypto?

What is their framework for crypto risk management?

Do they have cryptanalysis capabilities for proactively identifying potentially weak algorithms?

Can they train your staff to be aware and stay informed of the crypto threat?

Do they have industry partnerships and alliances to accelerate your journey to crypto-agility?

The race to crypto-agility 14

The race to crypto-agility 15

Crytography Timeline

SHA-0 approved by NIST

SHA-1 approved by NIST

SHA-0 approval withdrawn

October Triple DES (TDES) is specified to replace DES by NIST

Skipjack attack is published

August RSA standards modified by NIST

August RSA standards modified by NIST

SHA-1 deprecated by NIST

January Skipjack approval for encryption withdrawn

August Elliptic Curve Digital Signature Algorithm (ECDSA) is identified to have security issues

July TDES approval from the year 2030 reduced to 2023 by NIST

October DSA approval withdrawal drafted by NIST

November Data Encryption Standard (DES) is approved as a Standard by NIST

February Skipjack approved by NIST

February Digital Signature Algorithm (DSA) approved by NIST

February Rivest-Shamir-Adleman (RSA) algorithm approved by NIST

June DES is publicly broken

November Rijndael algorithm for the Advanced Encryption Standard (AES) is selected by NIST to replace DES

SHA-1 attack published

MayDES approval is withdrawn

December DSA publicly attacked

January TDES approved through the year 2030 by NIST

JulySHA-2 standards modified by NIST

Two-key variant of 3DES retired

AugustSecured Hash Algorithm 3 (SHA-3) approved by NIST

February RSA-250 is factored

1976 1993 1994 1995 1997 1999 2001 2002 2005 2007 2010 2011 2012 2013 2015 2019 2020

The race to crypto-agility 16

Resources:

Report on post-quantum cryptographynvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.8105.pdfApril 2016

RFC:7696 Guidelines for cryptographic algorithm agility and selecting mandatory-to-implement algorithmstools.ietf.org/html/rfc7696November 2015

Recommendation for key managementnvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdfMay 2020

Transitioning the use of cryptographic algorithms and key lengthsnvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdfMarch 2019

CNSA suite and quantum computing FAQapps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfmJanuary 2016

A framework for designing cryptographic key management systemsnvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-130.pdfAugust 2013

Post-quantum cryptographycsrc.nist.gov/Projects/post-quantum-cryptography/June 2020

Cryptographic module validation programcsrc.nist.gov/projects/cryptographic-module-validation-program/standardsJune 2020

Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSHopenquantumsafe.org/papers/NISTPQC-CroPaqSte19.pdfJuly 2019

Post-quantum key exchange for the internet and the open quantum safe projectopenquantumsafe.org/papers/SAC-SteMos16.pdfJuly 2017

Cryptographic agility: future proofing today’s secure systemsassets.website-files.com/59380a833f6af42c 073f0b6a/5b36420a852a6d945e751acc_ISG_AgileSec-Crypto_Whitepaper.pdf2016

Top recommendations for your security program, 2020www.forrester.com/report/Top+Recommendations+For+Your+Security+Program+2020/-/E-RES159378#April 2020

A method for obtaining digital signatures and public-key cryptosystemspeople.csail.mit.edu/rivest/Rsapaper.pdfFebruary 1978

Quantum supremacy using a programmable superconducting processornature.com/articles/s41586-019-1666-5October 2019

Quantum computing: progress and prospectsdoi.org/10.17226/251962019

A systematic review of fuzzing based on machine learning techniquesarxiv.org/ftp/arxiv/papers/1908/1908.01262.pdfAugust 2019

Cryptographic agilitymedia.blackhat.com/bh-us-10/whitepapers/Sullivan/BlackHat-USA-2010-Sullivan-Cryptographic-Agility-wp.pdfJuly 2010

1 National Institute of Standards and Technology, https://www.nist.gov/

2 NIST’s Post-Quantum Cryptography Program Enters ‘Selection Round’, NIST, July, 2020, https://www.nist.gov/news-events/news/2020/07/nists-post-quantum-cryptography-program-enters-selection-round

3 Quantum supremacy using a programmable superconducting processor, Nature, October, 2019, https://www.nature.com/articles/s41586-019-1666-5

Contacts

AuthorsMalek Ben SalemAccenture Labs Fellow, Americas Security R&D Lead

malek.ben.salem@accenture.com

Benjamin McCartyResearch Principal, Cyber Security Research and Development

benjamin.g.mccarty@accenture.com

Rexall ThextonSenior Managing Director, Applied Cybersecurity Services

rexall.e.thexton@accenture.com

Lisa O’ConnorManaging Director, Global Lead of Cyber Security Research and Development

lisa.oconnor@accenture.com

Sources

Accenture Labs incubates and prototypes new concepts through applied R&D projects that are expected to have a significant impact on business and society. Our dedicated team of technologists and researchers work with leaders across the company and external partners to imagine and invent the future. Accenture Labs is located in seven key research hubs around the world: San Francisco, CA; Washington, D.C.; Dublin, Ireland; Sophia Antipolis, France; Herzliya, Israel; Bangalore, India; Shenzhen, China and Nano Labs across the globe. The Labs collaborates extensively with Accenture’s network of nearly 400 innovation centers, studios and centers of excellence to deliver cutting edge research, insights and solutions to clients where they operate and live. For more information, please visit www.accenture.com/labs

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

About Accenture Labs

About Accenture Security

Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Interactive, Technology and Operations services—all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 514,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com.

Copyright © 2021 Accenture. All rights reserved.Accenture and its logo are registered trademarks of Accenture.

About Accenture