Crypto agility: The (cryptographic) key to data security in a digital world
Beatrice Peirani, Chair of the Crypto Sub-Task Force, GlobalPlatform
Beatrice explains that with quantum-computing on the horizon, planning migration to quantum-safe cryptography will be required to protect our digital life.
Crypto agility is already a well-established term, having been discussed by ETSI in its 2014 white paper on quantum-safe cryptography and security, as well as by the National Institute of Standards and Technology (NIST) in its 2016 report on post-quantum cryptography. GlobalPlatform has been discussing it for some time, but the rapid growth of data and the threat from quantum-computing are making its adoption increasingly urgent. Fundamentally, crypto agility is essential to future-proofing the cryptographic algorithms that protect our data and communication systems against future fraudsters armed with powerful quantum-computers.
Quantum-computing: are we really there yet?
Leading technology players are starting to unveil commercial products, and while it can’t be said for certain when these supercomputers will enter the mainstream, their arrival is imminent. Quantum-computers (or more specifically quantum accelerators) will undoubtedly deliver many great benefits, but they also raise security concerns, as they hold the power to crack the current algorithms protecting our data. This capability will undoubtedly be exploited by cybercriminals.
As data is an increasingly lucrative target, it’s not a question of if cybercriminals will leverage quantum-computers to attack our devices and networks but when. What measures can we take now to mitigate risks and migrate to a quantum-safe environment?
What is crypto agility?
Crypto agility allows for a system or application to migrate to alternate cryptographic algorithms without causing a significant disruption to the infrastructure, allowing security updates to be quickly deployed to fix broken algorithms or replace vulnerable ones. In short, crypto agility offers the flexibility to meet the changing security needs of our connected world.
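A minimal sketch of the property described above, added here as an illustration and not taken from GlobalPlatform's specifications: every protected record names its algorithm, so retiring an algorithm is a policy change rather than a code change. The class name AgileMac, the algorithm identifiers and the choice of HMAC as the primitive are all assumptions made for the example.

```python
import hashlib
import hmac

# Hash constructors this build can run; adding a successor is one new entry.
# Identifiers are constructed for this example, not a standard registry.
DIGESTS = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256,
           "hmac-sha3-256": hashlib.sha3_256}

class AgileMac:
    """Integrity tags of the form 'alg$hex', governed by an editable policy."""

    def __init__(self, key, current, deprecated=()):
        if current not in DIGESTS or current in deprecated:
            raise ValueError("current algorithm must be supported and approved")
        self.key, self.current, self.deprecated = key, current, set(deprecated)

    def _tag(self, alg, data):
        return hmac.new(self.key, data, DIGESTS[alg]).hexdigest()

    def protect(self, data):
        """New records always use the current algorithm and say so."""
        return f"{self.current}${self._tag(self.current, data)}"

    def verify(self, data, record):
        """Return (valid, needs_migration); unknown algorithm ids never verify."""
        alg, _, tag = record.partition("$")
        if alg not in DIGESTS:
            return False, False
        valid = hmac.compare_digest(self._tag(alg, data).encode(), tag.encode())
        return valid, valid and alg != self.current

    def migrate(self, data, record):
        """Re-protect a valid but outdated record; refuse anything invalid."""
        valid, stale = self.verify(data, record)
        if not valid:
            raise ValueError("record does not verify; not migrating")
        return self.protect(data) if stale else record

    def retire(self, new_current):
        """Policy change only: deprecate the current algorithm, adopt another."""
        if new_current not in DIGESTS or new_current in self.deprecated:
            raise ValueError("replacement must be supported and approved")
        self.deprecated.add(self.current)
        self.current = new_current
```

After retire() is called, records written under the old algorithm still verify but are flagged for migration, which lets a deployment re-protect stored data gradually instead of all at once.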
Why is it important?
Cryptographic algorithms are fundamental to keeping data confidential as it moves across networks to the digital devices in our homes, workplaces and cities. While they are used for different purposes (encrypting, signing etc.), they are ultimately responsible for protecting the integrity and security of data, whether stored or in transit, against hackers and tampering threats.
The growing threat to data
With 296 billion emails exchanged every day[1], it is easy to see why digital service and network providers are concerned about quantum-computers and the threat they present to data. For them, crypto agility is an important risk management tool for protecting customers as well as their own reputations now and into the future. It is also necessary for edge and fog device manufacturers, who must demonstrate that their devices can be trusted to manage data securely and deliver digital services to end users.
However, simply identifying threats and selecting the correct algorithm to protect a critical function is not enough in a post-quantum world, especially as new devices and digital services are emerging all the time.
Crypto agility is about being able to anticipate the evolution of threats and migrate to new algorithms as they become available. It means staying one step ahead of cybercriminals and shielding algorithms before they become vulnerable. This requires an industry-wide, collaborative approach, in which security leaders, digital service providers, device manufacturers and developers from all sectors work together to stay ahead.
How GlobalPlatform facilitates industry collaboration to deliver crypto agility
GlobalPlatform is continuously engaging with its members and external security organizations to ensure that security requirements from a broad range of use cases and market sectors are addressed.
Its dedicated Security Task Force (STF) provides regular recommendations on cryptographic algorithms and key lengths by maintaining a classification table, based on the recommendations of several national agencies including NIST and the SOG-IS, that is continuously updated as new threats are anticipated.
As part of this activity, GlobalPlatform has also defined a number of specifications and certification schemes, using cryptographic algorithms, for different use cases related to the management of standardized Secure Elements and Trusted Execution Environments in digital devices. These specifications deliver security frameworks to help device manufacturers protect their products and associated content across a range of use cases, including payments, telecoms, smart homes/cities, transportation, utilities, healthcare, premium content, government and enterprise ID.
To address the issue of quantum-computing, GlobalPlatform (and the STF) is now outlining best practice approaches for crypto agility and post-quantum cryptography. This includes defining the requirements for a new secure channel protocol and proposing a timeline for migration over the next ten years.
[1] https://www.weforum.org/agenda/2019/04/how-much-data-is-generated-each-day-cf4bddf29f/