The race to crypto-agility The cryptography imperative… It may not be evident to most people in their day-to-day lives, but cryptography is an integral part of the modern economy.

Without the ability to encrypt, and thus secure, data transmissions over the internet, learning assisted vulnerability discovery (such as ML Fuzzing) and cryptanalysis so much of what we do online—from shopping to working to socializing—would be technology will likely accelerate the number of vulnerabilities uncovered in so risky as to be effectively impossible. hardware crypto modules, encryption software and security libraries.

Unless we take action, this is exactly what we could face. Existing cryptography It all adds up to a significant impending problem for today’s businesses. Digital works because it’s so hard to break with classical computing technology. Even a security, privacy and trust are fundamental components of operating in the supercomputer would need hundreds of years just to break a single public-private modern age. But the foundations of that trust are weakening just as the threats key, for example. But rapidly advancing next-generation computing technology grow stronger and more numerous. Organizations risk being pushed into threatens to change this radically. Quantum computing, specifically, promises such uncharted territory with an unclear path to guaranteed digital security. vastly increased computational power that existing cryptographic methods would be breakable fast enough to render the entire internet insecure. This is why organizations must look to become crypto-agile as a matter of urgency. The objective is to stay ahead of both known and unknown At the same time, other advanced threats to internet encryption are threats and risks while the security industry finds its way to a secure future continuously emerging. Figure 1 shows, for example, the number of crypto- in the quantum era. The Windows Cryptography API: Next Generation associated vulnerabilities discovered each month over the past 20 years. (CNG) framework is a good example of this, demonstrating that it’s possible And these are only the ones we know about. Developments in machine to achieve modularity and extensibility at many levels while remaining cryptographically agnostic.

The race to crypto-agility 2 Figure 1: Crypto-associated vulnerabilities discovered each month since 2000

14

12

10

8

6

4 Number of CVEs per month per CVEs of Number

2

0

01/00 10/00 07/01 04/02 01/03 10/03 07/04 04/05 01/06 10/06 07/07 04/08 01/09 10/09 07/10 04/11 01/12 10/12 07/13 04/14 01/15 10/15 07/16 04/17 01/18 10/18 07/19

Source: Accenture Cyber Threat Intelligence

The race to crypto-agility 3 The race to replace RSA

The method commonly used today to secure data transmissions is based such as the RouterSploit framework to hack millions of IoT devices still running on the Rivest-Shamir-Adelman (RSA) algorithm invented in 1977. In the 40+ older unpatched versions of OpenSSL vulnerable to HeartBleed. years since, this algorithm has come to be widely trusted for everything from security signatures and encryption to certificates and even blockchains. The industry has been layering new security controls on top of existing technology to mitigate vulnerabilities as they are discovered. However, some of The reason for RSA’s longevity is its asymmetric public-private key cryptosystem the new proposed security standards and technologies may end up competing design, which rests on the extreme difficulty of factoring large prime numbers. This with each other, some may prove insecure in the future, and others may simply near-impossible feat for classical computing technology means the reliability of RSA never be adopted in practice. This complexity exacerbates an organization’s has become an assumed default on which much of the modern internet relies. ability to stay ahead of the curve.

It has not all been plain sailing, however. To maintain this factoring difficulty, But it is quantum computing which is the greatest threat to RSA cryptography. the National Institute of Standards and Technology (NIST) has increased the Once mature, this technology will be able to break some RSA and Diffie-Helman recommended key size for RSA-based cryptography alongside the growth in keys trivially using algorithms such as Shor’s.1 As a result, NIST is creating new classical computing power. This has created its own challenges in upgrading Post-Quantum Cryptography (PQC) standards which rely on concepts like existing hardware, removing hard-coded key sizes, revoking unsafe small lattices, rings, codes, key-encapsulations and supersingular isogeny in place certificates and upgrading legacy software/services to support new standards. of RSA’s time-tested prime factoring.

Furthermore, organizations have had difficulty responding to critical vulnerabilities These new standards are expected by 2022.2 But in the meantime quantum discovered in their cryptography, such as the CVE-2014-0160 (aka HeartBleed computing research is surging ahead. The technology has already surpassed Bug) exploit seen in 2014. In 2018 adversaries reportedly used malicious tools the world’s most powerful supercomputers—a feat demonstrated in 2019.3 The clock is ticking for internet security.

The race to crypto-agility 4 What is crypto-agility?

Crypto-agility is the ability of an organization to quickly and easily change its processes and cryptographic technology (in other words, its approach to encryption, signatures, and certificates).

A crypto-agile organization will have several specific qualities:

Repeatable Flexible Reactive Nimble

Able to change its cryptographic Able to support multiple crypto Has the speed and flexibility to Able to adopt new technology systems and processes at will protocols and primitives with the change course in response to new faster, with reduced operational without compromising consistency, freedom to switch back and forth cryptographic security incidents risk, while increasing competitive speed, or the ease of future changes. as desired. and threats. advantage.

The risks of quantum computing technology and increasingly advanced cyber-threats are such that every organization should be preparing to be crypto-agile in the near future. For this reason, we have developed an accelerator offering which can help organizations achieve crypto-agility faster by working with cloud partners.

The race to crypto-agility 5 Stay ahead of the threats in the post-quantum world

The precise point at which quantum computing will become a viable tool for adversaries is unknown. But it could happen quickly, effectively rendering existing cryptographic techniques obsolete overnight, and with no upgrade path for many legacy systems. Advanced persistent threats (APTs) are probably already collecting encrypted data with a view to decrypting it as new quantum techniques emerge. Those organizations who don’t understand what, where and when encryption is currently used in their own environment will inevitably be caught flat-footed.

Moreover, if organizations are not able to stay compliant with new PQC standards, they will severely hinder their ability to adopt future technologies at pace. Indeed, having the ability to quickly change to the best new cryptographic primitives on demand may become the baseline standard for businesses that want to remain secure and trusted by their customers. Being crypto-agile will also mitigate the challenges of transitioning between standards and the organizational paralysis that can result from having to maintain both old and new standards simultaneously.

At the same time, companies must recognize that new PQC standards will not be a panacea. These standards may also break unexpectedly as new quantum attacks are realized. NIST crypto standards have historically undergone constant updating, deprecation and retirement in response to new attacks, and no-one should expect NIST’s 2024 PQC standards to be any different.

The race to crypto-agility 6 How do you become crypto-agile?

Increasing the crypto-agility of your organization needs to start with a clear understanding of where you stand now. That means conducting a crypto inventory audit and risk assessment of your current environment, with a special emphasis on identifying the systems and functions in your organization which are not yet crypto-agile.

Understand “as is”

Creating this inventory will involve auditing every device, system, code, platform and vendor your organization uses. The scale of this undertaking means at least some degree of automation will be essential. The resulting inventory should furthermore be updated and tested frequently to maintain its accuracy. It also needs to be searchable and user-friendly – enabling the fast and easy identification of crypto priorities. Figure 2 provides an illustrative example of what the inventory process should initially cover.

It’s essential to document any cryptographic dependencies uncovered in the audit, along with any vendors you rely on for cryptographic services. You should also look to identify the legacy systems or applications in your organization’s environment that will be most impacted by cryptographic primitive changes. Plans of actions and milestones (POA&M) for making those legacy systems and applications more crypto-agile should be documented.

The race to crypto-agility 7 Figure 2: Crypto-agility inventory example

CERTIFICATE CATALOG HARDWARE SECURITY MODULE CATALOG CRYPTOGRAPHY AUDIT

Type Certificate policies Certs Type Systems Keys

Certificate Secure Key (OCSP) Version # Authenticators Stores Authorities (CA) Backups

Cert Chains & Certificate Stapling Issuer(s) Crypto processors Servers Generation Trust Anchors

Certificate Root Certificates Expirations Crypto Libraries Databases Rotation Revocation (CRL)

Trusted Platform CAA Records Self-Signing Algorithms Algorithms Size Modules

Registration Certificate Alt DNS Protocols API Function Authorities (RA) Transparency

Certificate Certification Paths Signature Cipher Suites VPNs Ownership Management Systems

Certificate Reuse Fingerprint Proxies Algorithm

Access Management Wildcarding Authority Key ID Keying Material Systems

The race to crypto-agility 8 Plot a route to “to be” Give yourself time to choose the right crypto algorithms… The audit and assessment can inform the development of a new set of crypto-agility requirements for your organization. These Selecting new cryptographic protocols, algorithms and suites should requirements can then be disseminated to all hardware, software, ideally happen before your cryptosystems suffer a compromise. But it’s and services suppliers, or used to assess the suitability of new equally important not to rush this process. The key is to start planning early, suppliers as appropriate. At the same time, it will often pay to bring giving yourself time to explore each option and its associated tradeoffs (for in external expertise and capabilities, to accelerate the process. example between security and performance). These tradeoffs will need to be considered during the selection of different classes of cryptographic Getting the whole organization up to speed on the need for crypto- algorithms as well as the operational environment in which those agility is another key plank of the strategy. Training programs and algorithms will be implemented. policies will need to be updated and communicated, using consistent and clear language to avoid sowing confusion. You should also It’s also important to bear in mind that each additional algorithm you consider establishing a Threat Awareness Program to identify new adopt increases your flexibility but adds to the time required for testing, intelligence, best practices and security compliance changes to configuration, deployment, and maintenance. There is a risk that the cryptography caused by emerging technology risks. organization is using so many algorithms, they end up being implemented in an insecure way and thus compromise the security of your data. You need to develop plans for selecting specific crypto algorithms, Thorough testing must be included as part of this process. documenting crypto swap-out playbooks, and backup alternatives. Crypto-agility must also be integrated into the software development lifecycle and procurement workflow (for example, by using configurable cryptographic classes instead of hard-coding specific crypto-functions).

The race to crypto-agility 9 …but don’t wait too long

The risk of waiting for the mandatory approval and retirement of crypto algorithms is that your organization’s data, users and systems are exposed to emerging technology threats that move faster than the standards institutions can respond to.

However, there are voluntary algorithms and mechanisms being promoted by organizations which aim to create a common set of cryptographic mechanisms. Many industry leaders have already started influencing these selections by implementing support for specific algorithms in their products or services. For example, Google’s Chrome browser has started experimenting with a lattice-based algorithm called “New-Hope”. And Amazon and Microsoft have started adopting the ‘Supersingular Isogeny Key Encapsulation’ (SIKE) algorithm into their products.

That said, it’s important not to fall into the trap of selecting an algorithm simply because one of the industry leaders is using it. New algorithms will have different performance, standards and storage requirements—and will weaken at different rates over time. While one specific lattice algorithm may be popular today, a novel lattice reduction attack could be discovered tomorrow which would result in its deprecation and retirement. If you had everything tied to that single algorithm, and are not crypto-agile, you will almost certainly have more trouble switching to other options in the future.

The race to crypto-agility 10 How will crypto-agility change what you do?

It’s important to understand how and where crypto-agility will impact your organization. First and foremost, cryptographic modules (hardware, firmware, software) will need to support rapid and easy updates and/or configuration changes to respond to new disruptions, attacks and vulnerabilities caused by emerging technological risks.

However, this agility must be balanced with strong cryptographic protections of the cryptography modules themselves to mitigate against adversaries attempting to tamper with or compromise their integrity.

In addition, software and information integrity using hashing functions will need to be addressed with the use of new future-resilient hashing and updated records (for example, replacing MD5, SHA-1 and SHA-2). Access enforcement and identity management based on A-symmetric cryptography will also need to be replaced with new crypto algorithms or safeguards that remain agile.

Cryptographic key management systems will need the agility to rotate to new crypto primitives and standards when disrupted by new threats.

The race to crypto-agility 11 Crypto-agility for the post-quantum world Cryptographic bindings, such as checksums, keys, and certificates will likely need to be redesigned for agility. Cryptographic identification devices, such as tokens, will • Double key lengths and select quantum resistant need to be redesigned to be resilient to attacks and exceed solutions where possible. standards for the expected lifetime of the device.

• Run development tests and benchmarking to evaluate Encryption will need mitigating security controls and/or PQC feasibility and impact. refreshed encryption schemes and standards to protect the confidentiality of data from future threats. Encrypted portable • Automate private key rotation to mitigate future threats media will need to be evaluated for its ability to remain crypto-agile, with secure media destruction procedures in while transitioning to PQC where possible. place if needed. Cryptographically protected passwords will need additional security protections or stronger standards. • Transition to Keccak derived hash functions (such as Transitioning to passwordless styled authentication schemes SHAKE256) which will likely provide the most crypto- should be considered. agility for hashes with variable length outputs. On top of this, software developers should avoid hardcoding • Investigate whether Quantum Key Distribution (QKD) cryptographic processes to keep the code-base agile for methods (such as BB84, E91) are suitable for your the future. Software development and code reviews will also organization. need to include automated tools/techniques to find new vulnerabilities in cryptographic methods.

The race to crypto-agility 12 Get a head start in the race for crypto-agility Accenture can recommend a crypto assessment and remediation plan tailored The big picture? Organizations need to be preparing today for the crypto-agility which will be to your needs and exposure level. This essential tomorrow. That means increasing flexibility, acquiring component independence, and includes a process of data discovery and simplifying cryptography. Ideally this can be achieved with abstraction layers designed with classification of systems to understand crypto-agility goals in mind for the entire supply chain. what the crypto is protecting. We can then suggest a phased threat mitigation As part of this preparation, modularity is key. When security protocols are modular in design, approach covering the following steps: new algorithms and cryptographic suites can be switched in and out in a repeatable and easy manner. Crypto-agility also offers a strong strategy for interoperability between new and deprecated algorithms. It means you can drop support for old crypto as soon as its risk-tolerance Enhancing current production requires it, while simultaneously selecting the strongest crypto option at every opportunity. 01 Cryptographic Security

This interoperability question will also need to be addressed more broadly, by cryptography Performing a crypto-agility institutions and industry leaders. An unwillingness to abandon weak crypto in order to maintain proof-of-concept (PoC) operability with slow adopters will ultimately degrade the security of everyone who continues to 02 support the old algorithms. Upgrading to Post-Quantum Crypto-agility offers both a strategic and a tactical approach for confronting growing 03 Cryptography (PQC) where needed cryptography-related threats. This is an uncertain world, in which adversaries are getting smarter and more capable just as the principal cryptography methods risk being undermined by quantum computing. The question for organizations is how to prepare for this challenging future. Acquiring crypto-agility is a big part of the answer.

The race to crypto-agility 13 Accelerate your crypto-agility with a trusted partner

Third-party services, such as Accenture’s Crypto-Agility Accelerator, can significantly accelerate an organization’s journey to crypto-agility. But when examining these offerings there are some key questions to ask:

Which standards are they Do they provide early warnings Can they train your staff to supporting? and intelligence on emerging be aware and stay informed technology risks to crypto? of the crypto threat? What is their approach for quantum safety in the cloud? What is their framework for Do they have industry crypto risk management? partnerships and alliances to accelerate your journey Can they automate the to crypto-agility? identification of unsafe crypto Do they have cryptanalysis in your environment? capabilities for proactively identifying potentially weak algorithms?

The race to crypto-agility 14 Crytography Timeline

July SHA-1 August TDES approval Skipjack deprecated Elliptic from the year SHA-1 attack is by NIST Curve Digital 2030 reduced approved October published Signature to 2023 by NIST by NIST Triple DES January Algorithm (TDES) is August August Skipjack (ECDSA) is October SHA-0 SHA-0 specified to RSA standards RSA standards approval for identified to DSA approval approved approval replace DES modified by modified by encryption have security withdrawal by NIST withdrawn by NIST NIST NIST withdrawn issues drafted by NIST

1976 1993 1994 1995 1997 1999 2001 2002 2005 2007 2010 2011 2012 2013 2015 2019 2020

November February June November SHA-1 attack December January Two-key February Data Skipjack DES is Rijndael published DSA publicly TDES variant of RSA-250 Encryption approved publicly algorithm for attacked approved 3DES retired is factored Standard by NIST broken the Advanced May through the (DES) is Encryption DES approval year 2030 August approved February Standard is withdrawn by NIST Secured Hash as a Standard Digital Signature (AES) is Algorithm by NIST Algorithm (DSA) selected July 3 (SHA-3) approved by NIST by NIST to SHA-2 approved replace DES standards by NIST February modified Rivest-Shamir- by NIST Adleman (RSA) algorithm approved by NIST

The race to crypto-agility 15 Resources:

Report on post-quantum cryptography Post-quantum cryptography A method for obtaining digital signatures nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.8105.pdf csrc.nist.gov/Projects/post-quantum-cryptography/ and public-key cryptosystems April 2016 June 2020 people.csail.mit.edu/rivest/Rsapaper.pdf February 1978 RFC:7696 Guidelines for cryptographic algorithm agility Cryptographic module validation program and selecting mandatory-to-implement algorithms csrc.nist.gov/projects/cryptographic-module-validation- Quantum supremacy using a programmable tools.ietf.org/html/rfc7696 program/standards superconducting processor November 2015 June 2020 nature.com/articles/s41586-019-1666-5 October 2019 Recommendation for key management Prototyping post-quantum and hybrid key nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST. exchange and authentication in TLS and SSH Quantum computing: progress and prospects SP.800-57pt1r5.pdf openquantumsafe.org/papers/NISTPQC-CroPaqSte19.pdf doi.org/10.17226/25196 May 2020 July 2019 2019

Transitioning the use of cryptographic Post-quantum key exchange for the internet A systematic review of fuzzing based on algorithms and key lengths and the open quantum safe project machine learning techniques nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST. openquantumsafe.org/papers/SAC-SteMos16.pdf arxiv.org/ftp/arxiv/papers/1908/1908.01262.pdf SP.800-131Ar2.pdf July 2017 August 2019 March 2019 Cryptographic agility: future proofing Cryptographic agility CNSA suite and quantum computing FAQ today’s secure systems media.blackhat.com/bh-us-10/whitepapers/Sullivan/ apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions- assets.website-files.com/59380a833f6af42c BlackHat-USA-2010-Sullivan-Cryptographic-Agility-wp.pdf for-classified/algorithm-guidance/cnsa-suite-and- 073f0b6a/5b36420a852a6d945e751acc_ISG_ July 2010 quantum-computing-faq.cfm AgileSec-Crypto_Whitepaper.pdf January 2016 2016

A framework for designing cryptographic Top recommendations for your security program, 2020 key management systems www.forrester.com/report/Top+Recommendations+For+ nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST. Your+Security+Program+2020/-/E-RES159378# SP.800-130.pdf April 2020 August 2013

The race to crypto-agility 16 Sources Contacts 1 National Institute of Standards and Technology, https://www.nist.gov/ Rexall Thexton Senior Managing Director, Applied Cybersecurity Services 2 NIST’s Post-Quantum Cryptography Program Enters ‘Selection Round’, NIST, July, [email protected] 2020, https://www.nist.gov/news-events/news/2020/07/nists-post-quantum- cryptography-program-enters-selection-round Lisa O’Connor 3 Quantum supremacy using a programmable superconducting Managing Director, Global Lead of Cyber Security Research and Development processor, Nature, October, 2019, https://www.nature.com/articles/s41586-019-1666-5 [email protected]

Authors Malek Ben Salem Accenture Labs Fellow, Americas Security R&D Lead [email protected]

Benjamin McCarty Research Principal, Cyber Security Research and Development [email protected] About Accenture About Accenture Labs

Accenture Labs incubates and prototypes new concepts through applied R&D Accenture is a global professional services company with leading projects that are expected to have a significant impact on business and society. capabilities in digital, cloud and security. Combining unmatched Our dedicated team of technologists and researchers work with leaders across the experience and specialized skills across more than 40 industries, we company and external partners to imagine and invent the future. Accenture Labs is offer Strategy and Consulting, Interactive, Technology and Operations located in seven key research hubs around the world: San Francisco, CA; Washington, services—all powered by the world’s largest network of Advanced D.C.; Dublin, Ireland; Sophia Antipolis, France; Herzliya, Israel; Bangalore, India; Technology and Intelligent Operations centers. Our 514,000 people deliver Shenzhen, China and Nano Labs across the globe. The Labs collaborates extensively on the promise of technology and human ingenuity every day, serving with Accenture’s network of nearly 400 innovation centers, studios and centers of clients in more than 120 countries. We embrace the power of change to excellence to deliver cutting edge research, insights and solutions to clients where create value and shared success for our clients, people, shareholders, they operate and live. For more information, please visit www.accenture.com/labs partners and communities. Visit us at www.accenture.com. About Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

Copyright © 2021 Accenture. All rights reserved. Accenture and its logo are registered trademarks of Accenture.