Cryptography has become the foundation of digital trust in our modern society. It is ubiquitous yet often unseen, embedded into the applications we use daily — every time you use a mobile banking app or purchase a product or service online, cryptography secures your transaction.
Whether securing human and machine identities, safeguarding network communications, or protecting data confidentiality and integrity, cryptography is crucial for businesses and governments everywhere.
RSA and ECC: Keeping data secure for more than 30 years
Cryptography has remained remarkably stable over time. The Rivest-Shamir-Adleman (RSA) algorithm, introduced in the 1970s, continues to underpin numerous Internet standards more than 50 years later. Elliptic Curve Cryptography (ECC), initially proposed in the 1980s, has been widely used for more than 20 years. As computing power has increased and cryptographic attacks have become more sophisticated, the key to maintaining effective security has been to simply increase the key length without changing the underlying algorithm. For example, RSA keys were typically 1,024 bits long in the 1990s but are now often 4,096 bits.
But all of that is about to change.
Quantum computing and the need for crypto agility
Cryptographically relevant quantum computers (CRQCs, or simply, quantum computers) are on the horizon and will quickly render RSA, ECC, and many other widely used cryptographic algorithms obsolete. The U.S. National Institute of Standards and Technology (NIST) has proposed deprecating RSA and ECC by 2030 and disallowing them completely by 2035. The rise of quantum computers will require organizations everywhere to undergo a fundamental refresh of their cryptographic algorithms.
An organization’s ability to update its cryptographic algorithms with minimal impact on its applications and systems — that is, its cryptographic agility — will be vital to maintaining trust in digital infrastructure, applications, and data security.
What is cryptographic agility?
Cryptographic agility requires a holistic approach that encompasses people, process, and technology:
- People: Cryptographic agility starts with human capability and awareness, including accountability, training and awareness, and executive leadership.
- Process: Processes inform how governance, compliance, and risk management influence an organization’s ability to adapt to changing cryptographic needs.
- Technology: Technology solutions must be able to find and inventory cryptographic assets, centrally manage and apply policies, evaluate compliance, identify risk, and automate the lifecycle of cryptographic assets.
The journey to crypto agility for a quantum-safe future
Unfortunately, cryptographic agility isn’t easy to achieve. Organizations need to move public key cryptographic systems from where they are today — using RSA and ECC algorithms — to new quantum-safe algorithms. Although that might seem simple on the surface, it’s a big job entailing complete cryptographic inventories of assets and technology, mapping this to sensitive data, and developing and executing a post-quantum cryptography (PQC) migration strategy. It’s a full-scale project that will touch every piece of IT infrastructure and span several years.
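The inventory, sensitivity-mapping and migration-planning steps described above can be shown in code. The example below is added here and is not from the article or any product; it applies the 2030 and 2035 dates cited earlier to a constructed inventory and orders the assets for migration. The record fields, status names, inclusive year boundaries and sample assets are assumptions made for the example; ML-KEM, ML-DSA and SLH-DSA are the NIST-standardized quantum-safe algorithms.

```python
from dataclasses import dataclass

DEPRECATED_YEAR = 2030  # from the article: RSA and ECC deprecated by 2030
DISALLOWED_YEAR = 2035  # from the article: disallowed completely by 2035

QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH"}   # RSA and ECC families
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # NIST FIPS 203, 204, 205

@dataclass(frozen=True)
class Asset:            # hypothetical inventory record
    name: str
    algorithm: str
    needed_until: int   # last year the key, or the data it protects, must stay secure
    sensitivity: int    # 1 (low) to 3 (high), assigned by the data owner

def classify(asset):
    """Return a migration status. Key length is ignored on purpose:
    a longer RSA or ECC key does not make the algorithm quantum-safe."""
    alg = asset.algorithm.upper()
    if alg in QUANTUM_SAFE:
        return "compliant"
    if alg not in QUANTUM_VULNERABLE:
        return "review"  # unidentified algorithm: needs a human to look at it
    if asset.needed_until >= DISALLOWED_YEAR:
        return "migrate-now"
    if asset.needed_until >= DEPRECATED_YEAR:
        return "plan-migration"
    return "monitor"

ORDER = {"migrate-now": 0, "plan-migration": 1, "review": 2, "monitor": 3, "compliant": 4}

def migration_plan(inventory):
    """Order assets by urgency, then by data sensitivity (highest first)."""
    rows = [(classify(a), a) for a in inventory]
    rows.sort(key=lambda r: (ORDER[r[0]], -r[1].sensitivity, r[1].name))
    return [(a.name, status) for status, a in rows]

INVENTORY = [  # constructed sample data
    Asset("vpn-gateway-cert", "RSA", 2027, 2),
    Asset("archive-encryption-key", "ECDH", 2040, 3),
    Asset("code-signing-key", "ECDSA", 2032, 3),
    Asset("partner-api-cert", "rsa", 2036, 1),
    Asset("pilot-kem-endpoint", "ML-KEM", 2040, 2),
    Asset("legacy-hsm-slot-7", "unidentified", 2029, 2),
]

if __name__ == "__main__":
    for name, status in migration_plan(INVENTORY):
        print(f"{status:15} {name}")
```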




