Cryptographic Lifecycle Management Workshop (W00a)
In this talk we will discuss the methodology of cryptography lifecycle management, which helps organizations identify cryptographic threats, transition to a crypto-agile system, and be prepared for any future cryptographic threats, including the quantum computer.
Most organizations are not aware of what type of cryptography is in use in their IT infrastructure. Are secure algorithms and implementations used? Are they compliant with regulatory requirements? Which risks are inherited from third-party products and their selection or implementation of cryptography? Are applications vulnerable to the quantum computer threat? Many of these questions are hard to answer or even remain unanswered. Cryptography is a specialized, technical domain, which makes it difficult for enterprises to find and adequately assess the magnitude and impact of cryptographic threats, even though cryptography is a critical component of every security system.
Digital systems rely on cryptography as the security foundation to maintain trust, confidentiality and authenticity, yet to date it has lacked the agility to make necessary changes once deployed. It has become so deeply entrenched across all the digital systems we access daily that it is almost impossible to release updates, patch vulnerabilities and conduct cryptographic lifecycle management. Although cryptography has evolved significantly in the past decades, the way the industry uses cryptography has changed little in comparison. Integrating cryptography into applications is still challenging and requires special expertise, and due to the increased diversity and complexity it has in many cases become more difficult. We will discuss how the concept of cryptographic agility significantly improves the situation and reduces current and future threats.
An emerging future threat is the quantum computer, a perfect example of how cryptography lifecycle management prepares organizations to be ready when it arrives. Practical quantum technologies that would make it possible to build a large-scale quantum computer have been actively emerging. According to some experts, it might take another 10-15 years to be able to build one. Quantum computers will open new capabilities for the world. However, in the hands of malicious adversaries, they could become a real threat. All of today’s standardized public key cryptography could be efficiently broken by large-scale quantum computers. For a number of reasons, protection against this threat is required to be available now or in the near future. As known from practice, the transfer from one cryptographic suite to another is a hard practical problem for many companies.