How do I prepare for algorithm changes?
An organisation is crypto-agile when the security team knows all of the algorithms, keys, crypto libraries and protocols in use in their applications and infrastructure, and has a plan that would allow them to change rapidly if necessary.
There are numerous reasons why an organisation might need to change algorithms: the impending arrival of a quantum computer that can break existing asymmetric crypto, compliance rules changing as cryptanalysis advances, a new mathematical discovery, or the slow march of available computing power making previously adequate cryptographic key lengths too short.
In this video Graham explains how you can achieve "crypto-agility" by maintaining an up-to-date cryptography inventory.
In this whitepaper we discuss why we need crypto-agility and exactly how we should define it. Next we draw on the recent literature from NIST, the NCSC, Gartner, SafeCode and others to put together a five-step program you can use to achieve crypto-agility in your organisation, starting today.
Crypto-agility is the ability to support rapid adaptations of cryptographic primitives and algorithms without making significant changes to the system's infrastructure, and without exposure to unacceptable business continuity risks.
The collective experience of removing the now-deprecated hash functions MD5 and SHA-1 has highlighted something critical: cryptography migration is hard and resource intensive. In fact, the NSA recently stated that in order to migrate to new cryptography, it would take NSS (National Security Systems) up to 20 years.
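The inventory that the definition above calls for is the starting point of any such migration. The following is an added example, not code from the whitepaper: a minimal inventory scanner that records every cryptographic primitive it recognises in a set of source and configuration snippets and flags what would have to change, such as the MD5 and SHA-1 uses mentioned above. The policy table, the detection patterns, the minimum RSA key length and the sample inputs are all assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Assumed policy table: algorithm -> (category, status, replacement).
POLICY = {
    "MD5":     ("hash",     "deprecated", "SHA-256"),
    "SHA-1":   ("hash",     "deprecated", "SHA-256"),
    "TLSv1.0": ("protocol", "deprecated", "TLSv1.2"),
    "TLSv1.2": ("protocol", "approved",   None),
}
MIN_RSA_BITS = 2048  # assumed minimum acceptable RSA modulus size

# Assumed detection patterns; a real scanner needs far broader coverage.
PATTERNS = [
    (re.compile(r"hashlib\.md5|\bMD5\b", re.I), "MD5"),
    (re.compile(r"hashlib\.sha1|\bSHA-?1\b", re.I), "SHA-1"),
    (re.compile(r"\bTLSv1(\.0)?\b(?!\.[123])"), "TLSv1.0"),
    (re.compile(r"\bTLSv1\.2\b"), "TLSv1.2"),
]
RSA_KEY = re.compile(r"\bRSA\b[^0-9]{0,20}(\d{3,5})")

# One inventory record: where a primitive is used and what policy says about it.
Entry = namedtuple("Entry", "location algorithm category status replacement")

def scan(files: dict) -> list:
    """Build the inventory from {path: contents}; one Entry per finding."""
    inventory = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            loc = f"{path}:{lineno}"
            for pattern, name in PATTERNS:
                if pattern.search(line):
                    inventory.append(Entry(loc, name, *POLICY[name]))
            m = RSA_KEY.search(line)
            if m:  # RSA itself is fine; a short modulus is a key-length finding
                bits = int(m.group(1))
                weak = bits < MIN_RSA_BITS
                inventory.append(Entry(loc, f"RSA-{bits}", "asymmetric",
                                       "too-short" if weak else "approved",
                                       f"RSA-{MIN_RSA_BITS}" if weak else None))
    return inventory

def migration_backlog(inventory: list) -> list:
    """Everything that would have to change: the input to the migration plan."""
    return [e for e in inventory if e.status != "approved"]

# Constructed sample inputs standing in for a real code base and its configs.
SAMPLE = {
    "auth.py": "import hashlib\ndigest = hashlib.md5(pw).hexdigest()\n",
    "tls.conf": "ssl_protocols TLSv1 TLSv1.2;\n",
    "keys.cfg": "signing_key = RSA 1024\nbackup_key = RSA 4096\n",
}
```

Running `migration_backlog(scan(SAMPLE))` yields three entries (the MD5 digest, the TLSv1.0 protocol setting and the 1024-bit RSA key), each with the replacement the policy table prescribes.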