How Crypto-Agile Is Your Organization?

July 9, 2020
Steve Fox

Cryptographic agility (crypto-agility) is the new imperative for CIOs. The National Institute of Standards and Technology (NIST) calls crypto-agility the new imperative for the quantum computing era. The idea of agility in business is nothing new; our digital transformation has catapulted the idea of product flexibility within tumultuous markets into a standard best practice. Quantum computing has arrived ...

But the concept of crypto-agility has risen to the forefront of tech in part because of the staggering volume of cryptographic algorithm breaks occurring. As the number of digitally connected devices skyrockets, how should your crypto technology that makes these diverse platforms interoperable remain secure?


To the layperson, the nebulous idea of encryption may be the standard, but IT security teams know what can be made, can also eventually be broken. Think back to 2017’s discovery of “Secure” Hash Algorithm 1’s (SHA-1) weakness that allowed cybercriminals to forge a digital fingerprint to create fake software updates. When Google released the latest Chrome version, they marked SHA-1 HTTPS certificates as unsafe and NIST banned their use way back in 2010. But we know organizations still rely on these algorithms to process credit cards and protect electronic documentation.

Fast forward to 2020, where we’re on the cusp of quantum computing, a time when Security Boulevard predicts, “Along with this greater power, some of today’s foundational crypto algorithms will be broken by quantum computers, making data security in a post-quantum world a top concern.”

The idea of algorithm security is cybersecurity at the micro-level. Creating a security strategy for the backbone functions used to encrypt digital data flows requires a level of crypto-agility that is both necessary and difficult for the average enterprise to transition to.


The first step toward crypto-agility is to inventory the digital tools that use these algorithms. This is extremely difficult when the list of digitally connected devices is so long. While it’s standard to maintain a software and hardware inventory, tracking cryptographic algorithms takes security to a new level. But without this kind of visibility, your organization simply will not stay ahead of security threats. Crypto-agility requires an understanding of the encryption algorithms your vendors are using and how often and how quickly they provide updates. Some best practices include:

  • Look for hardware vendors that have a certificate for the use of crypto algorithms such as Transport Layer Security (TSL)/Secure Sockets Layer (SSL).
  • Select vendors that use public-key cryptography such as RSA to encrypt messages.
  • Symmetric-key encryption with sizes from 128 to 256 bits is important. (The higher the key size the harder it is to break.)

But this is just the first step toward crypto-agility. The point is that, like any IT security, the threats are evolving. For example, SHA-2 has the same weakness as SHA-1, so most security teams recommend SHA-3. But SHA-3 is so new that most software and hardware don’t support it yet. In either case, creating a plan for how your enterprise will migrate from older crypto algorithms is the next step in the process toward true agility.

But quantum computing is coming, and that is perhaps one of the best arguments for why crypto-agility will be so important in the future. With the new era of faster, smarter computing comes more risk that our core crypto algorithms will become a security threat. In fact, NIST and other security watchdog groups say that quantum computing will break RSA public-key cryptography, which is our current encryption standard.

Organizations must make the move to crypto-agility. The worst time to consult a cybersecurity firm is when you need one. Consult with a qualified cybersecurity team to help your organization be proactive in evaluating and mitigating emerging security threats.

join our email list