Cryptographic agility, or crypto-agility, refers to the ability of a system to rapidly and effectively adapt encryption methods. This includes modifications to encryption keys, key lengths, algorithms, and encryption libraries used.
While there is currently no formal standard for crypto-agility, there are three essential components of a cryptographically agile system:
1. Utilization of modern cryptography.
It is recommended to adhere to FIPS 140-2 validated implementations, as outlined by the National Institute of Standards and Technology (NIST).
Key Types, Algorithms, and Minimum Key Sizes

| Key Type | Algorithms and Minimum Key Sizes |
| --- | --- |
| Digital Signature | Authentication: RSA (2048 bits), ECDSA (Curve P-256); Non-repudiation: RSA (2048 bits), ECDSA (P-256 or P-384) |
| Key Establishment | RSA (2048 bits), Diffie-Hellman (2048 bits) |
| Data Encryption | AES (128 bits) |
| Hashing | SHA-256 |

TLS version 1.3 should be used for encrypting network traffic, with a fallback to TLS 1.2 if necessary. Custom cryptographic algorithms should be avoided; instead, well-established libraries like OpenSSL that are FIPS 140-2 approved should be used.
2. Maintenance of a precise cryptographic inventory.
An accurate cryptographic inventory is crucial for identifying which algorithms are utilized across systems, covering data in transit, at rest, and in use. This inventory should include details such as encryption location, algorithms, key lengths, and tools used.
3. Incorporation of the ability to implement encryption changes swiftly and effectively.
Agility in cryptography refers to swiftly adapting to encryption adjustments. Systems should aim to rotate encryption keys annually and maintain documented procedures for key and certificate rotation.
The response time to mitigate a key compromise should ideally be measured in minutes. When developing software, it is crucial to design systems that allow for easy updates to encryption libraries and configurations. The Heartbleed incident with OpenSSL is a stark reminder of the need for rapid patching capabilities.
Some suggested development process targets are:
Minutes to rotate a key.
Minutes to update a library.
Hours to change key lengths.
Less than 1 sprint to alter an algorithm or library.
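
The inventory from point 2 can be checked mechanically against the minimum key sizes in the table and the annual rotation target from point 3. The following Python is an added example, not code from the original article; the names `Entry`, `MINIMUM_BITS` and `audit`, the key-type labels and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Minimums from the table above: (key type, algorithm family) -> bits.
# ECDSA is recorded by curve size (P-256 -> 256), SHA-2 by digest size.
MINIMUM_BITS = {
    ("digital_signature", "RSA"): 2048,
    ("digital_signature", "ECDSA"): 256,
    ("key_establishment", "RSA"): 2048,
    ("key_establishment", "DH"): 2048,
    ("data_encryption", "AES"): 128,
    ("hashing", "SHA-2"): 256,
}
MAX_KEY_AGE_DAYS = 365  # annual rotation target from point 3

@dataclass
class Entry:
    location: str    # where the cryptography is used
    key_type: str    # row of the table (hypothetical label)
    algorithm: str   # algorithm family
    bits: int        # key, curve or digest size
    tool: str        # library or product providing it
    rotated: Optional[date] = None  # last key rotation; None for keyless entries

def audit(inventory, today):
    """Return (location, problem) pairs for entries that miss the policy."""
    findings = []
    for e in inventory:
        minimum = MINIMUM_BITS.get((e.key_type, e.algorithm))
        if minimum is None:
            findings.append((e.location, f"{e.algorithm} is not listed for {e.key_type}"))
        elif e.bits < minimum:
            findings.append((e.location, f"{e.algorithm} {e.bits} bits is below the {minimum}-bit minimum"))
        if e.rotated and (today - e.rotated).days > MAX_KEY_AGE_DAYS:
            findings.append((e.location, f"key last rotated {e.rotated}, over {MAX_KEY_AGE_DAYS} days ago"))
    return findings

# Constructed sample inventory (hypothetical systems, not from the article).
SAMPLE = [
    Entry("api-gateway TLS cert", "digital_signature", "RSA", 2048, "OpenSSL", date(2024, 3, 1)),
    Entry("legacy VPN", "key_establishment", "DH", 1024, "vendor appliance", date(2021, 6, 15)),
    Entry("backup archive", "data_encryption", "3DES", 168, "backup tool", date(2024, 1, 10)),
    Entry("password reset tokens", "hashing", "SHA-1", 160, "in-house code"),
]

if __name__ == "__main__":
    for location, problem in audit(SAMPLE, today=date(2024, 6, 1)):
        print(f"{location}: {problem}")
```

An algorithm that is absent from the policy table is reported rather than silently accepted, so anything the inventory turns up outside the approved list is surfaced for review.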
Cryptographic agility is vital for a more flexible architecture and effective software development. By integrating its key aspects early, organizations can enhance their readiness to manage cryptographic challenges.
The Cyberify team is committed to providing guidance for implementation across systems, which will lead to overall improvements in security posture.
If interested in knowing more about how we can help, feel free to book a quick meeting.