Time to Add Cryptographic Algorithms to Your Asset Inventory
It is very difficult to have good computer security without a good software and hardware inventory. You can’t protect what you don’t know you have. An up-to-date, accurate inventory is an essential starting point for any mitigation strategy. It’s vital to know what software you have so you can apply patches and other protections when new, related, critical vulnerabilities arise. Most hardware contains firmware and drivers which must also be tracked and appropriately patched. It’s essential to have inventories to measure the impact of any pending end-of-life issues. And for a long time, we’ve known that the location of our data has to be tracked. You can’t protect it if you don’t know where it is.
It is now becoming increasingly clear that every organization should track which cryptographic algorithms they have and use – encryption, authentication, integrity algorithms and cryptographic and hash key sizes. Every cryptographic algorithm that we use and trust eventually weakens against sustained attacks over time. Some become completely broken and worthless. Today’s highly protective, non-trivial-to-break cipher becomes tomorrow’s severely weakened deprecated algorithm. They say the only guaranteed things in life are death and taxes. I think broken ciphers run a close second.
For the entirety of our digital existence, we’ve had previously relied upon ciphers, digital signatures, and hashes became no longer trusted. This can be said of Data Encryption Standard (DES), Riverst Cipher 4 (RC4), RC5, Message Digest 5 (MD5), LANManager (LM) and Secure Hash Algorithm (SHA1) hashes, and soon, most traditional asymmetric algorithms (e.g., RSA, Diffie-Hellman) and key sizes below 256-bits. That’s because quantum computers are soon getting to the point where they will be able to quickly crack the most relied upon asymmetric ciphers and weaken nearly everything else in half. Quantum-susceptible ciphers and key sizes will need to be replaced and upgraded. This pending critical update will likely start by 2023 or sooner.
If you want more information on the coming quantum crypto break check out my previous articles:
· You Should Start Preparing for the Coming Quantum Crypto Break Now
https://www.dhirubhai.net/pulse/you-should-start-preparing-coming-quantum-crypto-break-roger-grimes/
· Want to understand quantum physics and computing better?
Try my primers:
https://www.dhirubhai.net/pulse/quantum-mechanics-computing-primer-roger-grimes/
· Quantum Supremacy Achieved and What It Means to Your Company
https://www.dhirubhai.net/pulse/quantum-supremacy-achieved-what-means-you-your-company-roger-grimes/
Regardless of the coming quantum crypto break, we have to periodically upgrade our cryptographic algorithms because all algorithms weaken over time. I’ve been in the computer security world for over 32 years. I’ve seen and participated in upgrades from DES, RC4, MD5, LM, and SHA1. As a long-time Microsoft consultant, I was heavily involved in hundreds and hundreds of LM to NT and SHA1 to SHA2 migrations. I’ve been a part of many cryptographic upgrade projects. I’ve seen what works and what doesn’t. I’ve seen the commonalities in failures and poor performance.
The upgrade process is significantly easier if you know what cryptographic routines your organization uses and where they are located. If you don’t have that, you have to run around like a chicken with your head cut off every time a supposed emergency cryptographic upgrade is needed.
Most cryptographic upgrades are not suddenly needed. Usually, the world has had a decade or more to prepare, but most organizations don’t react and prepare until the last possible instance, making it seem like an emergency upgrade. For example, the U.S. National Institutes of Standards and Technology (NIST) said we needed to upgrade to SHA3 a few years ago, before we all had upgraded from SHA1 to SHA2. If we had been smart about it, we all would have upgraded from SHA1 to SHA3 instead of SHA1 to SHA2, knowing that in a few years, we’d need to do it all over again and go from SHA2 and SHA3.
In 2016, NIST and the National Security Agency (NSA) said we all needed to start preparing for migrating to “post-quantum” (i.e., quantum-resistant) cryptography. NIST is in the middle of reviewing 26 different quantum-resistant cryptographic algorithms and will likely choose one or more winners for both asymmetric and digital signature algorithms by 2022. It could be chosen sooner if it is found that someone has broken our traditional cryptography before then. Either way, within a few years, we all are going to have to migrate the majority of the current cryptography in our organizations and world to something else. The post-quantum migration will impact most of the Internet, WiFi, multi-factor authentication, digital certificates, PKI, crypto-currencies, banking, credit cards, and basically 95% of our current digital world. It is coming and you will likely be participating in some way in that migration, if not leading it.
Most organizations do not know what cryptographic algorithms they use, where they are, and what data each protects. Knowing this information makes any cryptography mitigation easier. If you don’t have this information, and you probably don’t, make the pitch to your IT team about the necessity of tracking such information. Get everyone on board. Add the necessary fields to your asset tracking database or make a custom database. You want at the very least the following information for each program and data repository protected by cryptographic algorithms:
· Names of cryptographic algorithms (e.g., RSA, DH, SHA2, AES, unknown, etc.)
· Type of cryptography: encryption, asymmetric, symmetric, digital signature, hash
· Key size (e.g., 128-bit, 256-bit, 2048-bit, 4096-bit, unknown, etc.)
· Any involved expiration dates
You may want to add a field on whether you think the cryptography update will be hard or not. Call it something like “Expected Ease of Upgrade” or something like that. As an example, if a program includes a hard-coded cryptography algorithm and the source code is not available and a programmer cannot be found…that would qualify as “hard to upgrade”. If the vendor’s program is “crypto agile”, which means the encryption is easy to upgrade and replace, that would be considered easy to upgrade. Whatever information you can collect that will help your organization prepare for its many expected cryptography upgrades, the better.
Upgrade Your Policies Today
On a related note, stop the pain. Stop inviting weaker crypto into your environment. Upgrade your policies today so that new programs and cryptographic algorithms being considered for your organization must meet a minimum set of requirements. You don’t want to allow the normal buying processes and purchasing cycles to end up making your current situation worse. Make sure that all purchases of software and hardware involving cryptography include a cryptography review process and that the appropriate information gets recorded in the asset tracking database.
If you are in the cybersecurity world longer than five years, chances are you’ll be involved in a cryptography upgrade. If you’re likely to be involved in leading one of those upgrades, having an accurate inventory of what cryptography your organization has and where it is will make your job significantly easier.