Crypto-Agility 07-22-2022

How to Improve Crypto-Agility Through Visibility & Automation

Timothy Hollebeek
digicert-blogimages-mar22

September 2023 Update: Marking a nearly seven-year process and the final steps towards the world’s first post-quantum cryptography standards, the U.S. National Institute of Standards and Technology (NIST) released draft standards for quantum-safe algorithms on Aug. 24.

The transition to quantum-safe cryptography will hinge on two steps: inventorying all cryptographic assets and achieving crypto-agility through automation and centralized management. DigiCert’s customers investing in crypto-agility have deployed DigiCert® Trust Lifecycle Manager, which provides a comprehensive solution to discover, manage and automate digital trust across their organization. 

For additional guidance on preparing for the transition to quantum cryptography, please refer to this blog.

Digital transformation has accelerated, increasing the surface area of how businesses, people and things are connected. Thus, it’s essential to have digital trust to enable individuals and businesses to engage online with confidence that their footprint in a digital world is secure. However, quantum computers are a threat to conducting online interactions securely. That’s why NIST has been reviewing potential cryptographic algorithms that could withstand both traditional and quantum computers.

Given NIST’s recent selection of primary quantum-resistant cryptographic algorithms, now is the time to consider your organization’s cryptographic agility. While it may take several years to incorporate NIST’s selected algorithms into various standards, and NIST recommends that there may still be some changes before the standard is finalized, there are steps you can take now to be prepared. The most important thing organizations can do now to prepare for post-quantum cryptography (PQC) is to improve their crypto-agility.

What is crypto-agility & why is it important?

Crypto-agility is the ability of a security system to rapidly switch between encryption mechanisms and is centered on the visibility and dynamic movement of an organization’s crypto assets. Crypto-agility is about knowing how crypto is being used in your organization and having the tools to identify issues and fix them quickly. It includes establishing clear policies around crypto best practices. It also includes the ability to test new cryptographic algorithms, which is especially important now as users of traditional cryptographic algorithms need to start testing how to incorporate NIST’s recommended PQC algorithms into their software.

Becoming crypto-agile is essential for every industry and every organization as the cryptographic algorithms in place today (RSA, ECC) will be vulnerable to compromise by quantum computers. Thus, cryptographic-agility is a competitive advantage, especially as the number of connected endpoints to your network grows. Quantum computers will not be a major threat for at least another five to ten years, but in the meantime every secure internet protocol will need to migrate to NIST’s standardized algorithms.

How to achieve crypto-agility

Achieving crypto-agility will require complete visibility of where encryption is used within an organization and how the encryption technologies are deployed, and the ability to quickly identify and remediate issues when they arise.

However, visibility is just one half of the equation. Equally important is the ability to replace outdated crypto assets without significantly disrupting their system’s infrastructure. One of the best ways to achieve this is through automation. Therefore, crypto-agility can be achieved in two steps: visibility and automation.

Step one: visibility

It’s unfortunately common for many security professionals to lack a full picture of where crypto is being used in their infrastructure. Beyond just helping to prepare for PQC, gaining visibility into your crypto can lower your current risk of attacks. Organizations today have more crypto to secure than ever before. While TLS/SSL certificates for web are still common, in a post-pandemic world, organizations have Public Key Infrastructure (PKI) for hardware, software, identity and access management and more. But increasing connections also increase your organization’s attack surface. Thus, it’s critical to get real-time information on vulnerabilities to identify and remediate them quickly.

So start increasing your crypto-agility by discovering and inventorying what will need to be replaced. This will require a comprehensive scan of systems and applications using public-key cryptography. DigiCert offers a certificate discovery service to give you a real-time picture of your certificate landscape. Discovery service is included in every DigiCert CertCentral account.

Step two: automation

Once you’ve gained visibility over your cryptographic infrastructure, the next step is to replace outdated crypto as necessary with automation. The ability to replace keys and certificates quickly will be key to staying secure in a post-quantum environment. However, managing certificates manually is time-consuming and prone to human error. Instead, automate the certificate renewal and installation process to seamlessly keep your crypto up-to-date and simplify certificate lifecycle management. The easiest way to do this is to use a PKI as a service with an automation manager.

DigiCert’s Automation Manager allows for secure, streamlined certificate automation with up to high volumes of certificates within minutes. Discovery and automation combined with our PQC Tool Kit will help you improve your organization’s crypto-agility now and become compliant with NIST’s standardized algorithms quickly and easily.

Furthermore, these technologies that are available today not only provide the ability to upgrade to post-quantum algorithms but also increase your organization’s ability to respond to whatever cryptographic challenges arise in the future.

Learn more about DigiCert’s recommended tools for crypto-agility below.

DigiCert’s Post-Quantum Computing Tool Kit

DigiCert has been involved in helping NIST set the standards for post-quantum cryptography, and we’ve also created solutions for our customers to prepare for PQC. DigiCert’s PQC Tool Kit is designed for technical users who want to try out the process of installing the hybrid RSA/PQC certificate (TLS or IoT). Whether you’re planning to explore quantum-safe algorithms right away or as a future initiative, DigiCert can provide the expertise and support you need to meet your specific business needs.

If you’d like to learn more about how to acquire the PQC tool kit, contact DigiCert sales, as the kit will be available as a zip file download from CertCentral. The tool kits will include instructions on how to build a post-quantum capable version of OpenSSL (popular SSL/TLS library) and Apache (web server) on a Linux server or workstation and use those programs to run various tests.

Learn more at https://www.digicert.com/blog/digicert-announces-post-quantum-computing-test-kit.

DigiCert® Automation Manager

DigiCert Automation Manager in DigiCert ONE™ solves both the management and security problems posed by automating large numbers of TLS/SSL certificates in a complex network. Automation Manager is a single, on-premises container-based secured connection that meets even the most demanding security and TLS management requirements. By establishing a single point of control through a modern UI, Automation Manager saves time, reduces security risk and streamlines the daily workflows of IT professionals who would otherwise struggle to manage high volumes of certificate automation. As a part of DigiCert ONE, Automation Manager can quickly deploy high volumes of certificates within minutes plus the flexibility the deploy across on-premises, in-country or in the cloud.

Learn more at https://www.digicert.com/blog/digicert-automation-manager-prevents-certificate-outages.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min