The U.S. National Institute of Standards and Technology (NIST) released an initial public draft of a Cybersecurity White Paper. This document offers a comprehensive analysis of current strategies for achieving crypto agility. It explores the challenges and trade-offs involved and outlines methods for implementing operational mechanisms that ensure crypto agility while preserving interoperability. Additionally, it emphasizes key areas that need further discussion.
The draft white paper intends to establish a common understanding of challenges and identify existing approaches related to crypto agility based on the discussions that NIST has conducted with various organizations and individuals. The paper serves as read-ahead material for an upcoming NIST-hosted virtual workshop where crypto agility considerations will be discussed with the cryptographic community to further identify future areas of work and inform the development of the final paper.
Advances in computing capabilities, cryptographic research, and cryptanalytic techniques periodically create the need to replace algorithms that no longer provide adequate security for their use cases. For example, the threats posed by future cryptographically relevant quantum computers (CRQCs) to public-key cryptography are addressed by NIST post-quantum cryptography (PQC) standards. Migrating to PQC in protocols, applications, software, hardware, and infrastructures presents an opportunity to explore capabilities that could allow this cryptographic algorithm migration and future migrations to be easier to achieve by adopting a cryptographic (crypto) agility approach.
Crypto agility describes the capabilities needed to replace and adapt cryptographic algorithms for protocols, applications, software, hardware, and infrastructures without interrupting the flow of a running system to achieve resiliency. This draft NIST Cybersecurity White Paper (CSWP) provides an in-depth survey of current approaches and considerations to achieving crypto agility. It discusses challenges, trade-offs, and some approaches to providing operational mechanisms for achieving crypto agility while maintaining interoperability. It also highlights some critical working areas that require additional discussion.
NIST also invites discussions among stakeholders to develop sector- and environment-specific strategies for pursuing crypto agility at a future NIST virtual workshop.
In its proposed definition, NIST describes crypto agility as an algorithm-agnostic ability to support multiple cryptographic algorithms in systems, protocols, software, and hardware. Crypto agility facilitates migrations between cryptographic algorithms without significant changes to the application that is using the algorithms. Crypto agility must be considered for each specific implementation environment.
NIST provides general considerations for crypto agility within the context of a computing platform, a protocol, and an enterprise IT system. Cryptographic algorithms are implemented in software and hardware to facilitate their use in applications. For example, replacing a cryptographic algorithm in applications will require changes to application programming interfaces (APIs) and software libraries.
Achieving crypto agility requires a systems approach to providing mechanisms that enable a seamless transition to a new algorithm while maintaining security and acceptable operation. This white paper surveys crypto agility approaches in different implementation environments and proposes strategies for achieving the agility needs of varied applications. The paper also discusses crypto agility in different contexts and highlights the coordination needed among stakeholders.
Many security protocols use cryptographic algorithms to provide confidentiality, integrity, authentication, and/or non-repudiation. Communicating peers must agree on a common set of cryptographic algorithms, referred to as a cipher suite, for security protocols to work properly. This aspect of a security protocol is called cipher suite negotiation. The cipher suite may include algorithms for integrity protection, authentication, key derivation, key establishment, encryption, and digital signatures to provide the needed security services. Crypto agility is achieved when a security protocol can easily transition from one cipher suite to another, more desirable one. Each security protocol normally specifies a mandatory-to-implement algorithm to ensure that basic interoperability is supported.
To achieve crypto agility, security protocol implementations should be modular to easily accommodate the insertion of new algorithms or cipher suites. Implementations should also provide a way to determine when deployed implementations have shifted from the old algorithms to the more desirable ones. Crypto agility means that a security protocol must support one or more algorithm or cipher suite identifiers, with the expectation that the set of mandatory-to-implement algorithms will change over time.
A cryptographic application programming interface (crypto API) separates the implementation of applications that make use of the cryptographic algorithms (e.g., email and web apps) from the implementation of the cryptographic algorithms themselves. This separation allows the application to focus on the high-level, application-specific details, while the cryptographic algorithms are implemented by a provider or a library to handle symmetric encryption, digital signature generation and verification, hashing, random number generation, key establishment, and so on.
For example, crypto APIs separate AES-CCM and AES-GCM, which are both authenticated encryption with associated data (AEAD) algorithms, from application implementations by allowing an application to make the same crypto API calls to use either algorithm. Careful selection of default parameter values in the crypto API can make the interface to these two algorithms essentially identical, which facilitates future transition to a new AEAD algorithm.
Some crypto APIs offer implementations of security protocols like TLS or IPsec to further unburden the application. These protocol implementations depend on the crypto API for cryptographic operations. The application provides the list of algorithms or cipher suites that are available and acceptable, and then the algorithm negotiation capabilities for the protocol determine the algorithms that are used in the protocol.
To achieve crypto agility, system designers must introduce mechanisms that streamline the replacement of cryptographic algorithms in software, hardware, and infrastructures. These mechanisms will, at the same time, increase complexity. Therefore, system designers must make sure that the cryptographic interface is easy to use and well-documented to reduce the risk of errors.
Achieving crypto agility demands collaboration and communication among cryptographers, developers, implementers, and practitioners to manage the risk of using cryptography to secure data. To be actionable, crypto agility requirements must be specific to each implementation and application environment. This section discusses trade-offs and identifies some areas for future work. Each subsection highlights important areas for consideration and the associated stakeholders.
NIST plans to integrate crypto agility into the organization’s existing governance function to establish, communicate, and monitor the cybersecurity risk management strategy, expectations, and policies related to cryptography. This includes understanding crypto standards, regulations, and mandates and communicating these requirements to data owners, IT and development teams, business partners, and technology supply chain vendors prioritized by the criticality of the data.
In conclusion, the NIST white paper identifies crypto agility as a future-proofing strategy for dealing with change. It demands communication among cryptographers, developers, implementers, and practitioners to accommodate evolving security, performance, and interoperability challenges. The pursuit of crypto agility capabilities involves the exploration of new technologies and management schemes. New crypto agility requirements must be developed for each environment. The security analysis and evaluation of protocols, systems, and applications must include mechanisms for transitions.
Last October, the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) laid down proactive steps to facilitate the transition to post-quantum cryptography across OT (operational technology) environments. The agencies analyzed post-quantum threats to national critical functions (NCFs) and contributed to developing guidance for migration to post-quantum cryptography. The initiative comes as outlined in Secretary of Homeland Security Alejandro N. Mayorkas’ March 2021 vision for cybersecurity resilience.