Because Quantum is Coming, Your Firm’s Crypto-Ability Must be Underscored With Crypto-Agility, or The Sky May Fall

Overcoming crypto assessment challenges to improve quantum readiness

Key points…

+  The lack of urgency concerning cryptography is one of most significant problems facing most enterprises as they consider what steps they should be taking to survive in a post-quantum world. With Y2K, for instance, the deadline to revamp systems with two-digit date codes was obvious. That’s not the case here – the timeline is anything but certain. It could happen in two or three years or it might happen in 10-15 years, or it might never happen. At the current rate of advancement, most experts expect that functional quantum computers capable of breaking current-grade cryptography such as RSA will arrive within the next 10 years. Maybe. Or maybe not.

Despite the uncertainty surrounding the arrival of quantum computing, sitting back and waiting for the sky to fall is a sure recipe for disaster. Avoid the worst-case scenario by at least documenting how your organization uses cryptography across all business-critical systems.

+  Every enterprise is different and the only way to know how your organization will fare in a post-quantum world is to gain an understanding of what systems are doing cryptographic signing or encryption. The ultimate goal is a listing all the applications, systems and devices across the organization and its subsidiaries detailing the type of cryptography and algorithms in use. You’ll also want to evaluate exposure to attack, the sensitivity of information that is being protected, and whether there’s support for crypto agility to determine if the system will need to be replaced by something more agile. Such information is often not immediately obvious and may require special tools, expert-level sleuthing and discussions with vendors to figure out. Given a general lack of urgency toward quantum, few enterprises are likely to invest the necessary resources for a comprehensive cryptography audit.

+  Even if you aren’t sure about post-quantum impact, having a list of all the systems and algorithms is important for other security controls and standards as well as knowing where your risks are. So even if the quantum supremacy is never realized, it’s still a good process to go through – it’s not wasted nor is it only for the doomsayers. What’s more, cryptographic algorithms are constantly evolving. Having a list of the type of cryptography in use makes it relatively simple to move to stronger algorithms as needed. Researchers are constantly looking for ways to crack encryption algorithms and sometimes they are successful, such as the discovery of a significant flaw that caused all major browser vendors to flag SHA-1 certificates as unsafe, finally putting that outdated algorithm to bed.

Source:  Help Net Security.  Mark B. Cooper,  Overcoming crypto assessment challenges to improve quantum readiness…

Content may have been edited for style and clarity.