Cryptographic Agility – by Jeff Hall (the ’PCI Guru’)

With the advent of quantum computing, a new threat has been added to the information security mix. The threat is that today’s secure cryptography may not be secure once quantum computers reach their potential.

The threat to cryptography has always existed even without quantum computers, as we have seen with the Data Encryption Standard (DES), Triple DES (3DES), Rivest Shamir Adleman (RSA) and many other cryptographic algorithms that have been fully or partially compromised, whether through flaws in those algorithms or simply because the computing power brought by arrays of graphics processors (GPUs) in the Cloud has created the capability to crack them. The bottom line is that cryptography is not perfect and will eventually be found to be lacking as flaws are found and computing capabilities increase.

Jeff Hall, CISA, CISM, CDPSE, PCI QSA

Jeff Hall is a Principal Security Consultant at Truvantis and was the founding President of the Minnesota InfraGard chapter, the public/private partnership between businesses and the US Federal Bureau of Investigation (FBI). 



That brings us to the topic of cryptographic agility or crypto agility. In its simplest form, crypto agility is the ability for an application, device or organization to readily switch from one cryptographic algorithm to another more secure algorithm. 

Crypto agility is not new, but with the threat of quantum computing, it has become more talked about and more important because it is anyone’s guess as to when quantum computing will deliver on its promise to make today’s cryptographic algorithms useless. As a result, organizations need to be prepared to move quickly to address threats to cryptographic algorithms that could develop overnight. 

Like Zero Trust, crypto agility is easier said than done. This is because in most cases changing cryptographic algorithms is a time-consuming process requiring changes both on the organization’s end as well as on another end by a completely different and independent organization. That is of course assuming an organization knows where all their cryptographic algorithms are used and by what processes they are managed. 

This is why standards such as the PCI DSS v4.0 have added requirements for organizations to document their cryptographic architecture. A cryptographic architecture involves: 

An inventory of all algorithms, protocols, certificates and keys used to protect stored or transmitted data, including details such as key strength and key expiration date (if relevant). 

Procedures that prevent the use of the same cryptographic keys in production and test environments. 

Description of the key or certificate as well as where and how it is used for every key and certificate in the inventory. 

Inventory of all hardware security modules (HSM), key management systems (KMS), and any other secure cryptographic devices (SCD) used for key management including their location. 

Inventory of key custodians and where they work with manually managed cryptographic keys and the procedures for managing those manual keys. 

By having all of this information, an organization can better achieve crypto agility because they can know where they use cryptography and the forms of cryptography they use. That is not to say that the agility will occur overnight but that the organization can quickly identify where compromised algorithms and keys are used and then develop a plan to address those issues. 
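As an added illustration (not from the original article and not taken from PCI DSS itself), the Python sketch below shows how an inventory of this kind can be queried to find weak algorithms, short or expired keys, keys shared between production and test, and every place a newly compromised algorithm is used. The record fields, the policy thresholds and the sample entries are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy for this example; set these from your own standards.
WEAK_ALGORITHMS = {"DES", "3DES"}
MIN_KEY_BITS = {"RSA": 2048, "AES": 128}

@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    bits: int               # key strength
    environment: str        # "production" or "test"
    used_by: str            # where and how the key is used
    stored_in: str          # HSM, KMS or manual custodian
    expires: Optional[date] # None if no expiration applies
    fingerprint: str        # identifies the key material, never the key itself

# Constructed sample inventory (hypothetical systems and identifiers).
INVENTORY = [
    KeyRecord("k1", "AES", 256, "production", "card vault database", "HSM-A", date(2026, 1, 1), "fp-01"),
    KeyRecord("k2", "3DES", 168, "production", "legacy PIN translation", "HSM-A", None, "fp-02"),
    KeyRecord("k3", "RSA", 1024, "production", "partner SFTP", "manual custodian", date(2023, 6, 30), "fp-03"),
    KeyRecord("k4", "AES", 256, "test", "QA card vault", "KMS-test", None, "fp-01"),
]

def audit(inventory, today):
    """Return {key_id: [findings]} for every entry that needs attention."""
    envs = defaultdict(set)  # fingerprint -> environments where it appears
    for r in inventory:
        envs[r.fingerprint].add(r.environment)
    findings = defaultdict(list)
    for r in inventory:
        if r.algorithm in WEAK_ALGORITHMS:
            findings[r.key_id].append("weak algorithm")
        elif r.bits < MIN_KEY_BITS.get(r.algorithm, 0):
            findings[r.key_id].append("key too short")
        if r.expires and r.expires < today:
            findings[r.key_id].append("expired")
        if len(envs[r.fingerprint]) > 1:
            findings[r.key_id].append("shared across environments")
    return dict(findings)

def affected_by(inventory, algorithm):
    """List (usage, storage location) for each key using the given algorithm."""
    return sorted((r.used_by, r.stored_in) for r in inventory if r.algorithm == algorithm)
```

Calling `affected_by(INVENTORY, "3DES")` answers the question the inventory exists for: which systems and key stores have to change when an algorithm is declared compromised.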

Crypto agility can be done either manually or automatically. The reason that automated crypto agility is not more prevalent is that it requires the two endpoints (application or device) to be able to implement the cryptographic algorithm change simultaneously. This entails some sort of secure communication between the endpoints to coordinate the new algorithm to use, and securely share new encryption key information before completing the actual algorithm change.  

Making this automation all the more difficult, it is highly likely that the endpoints are not operated by the same entity. This brings in a legal question of who has the right to ask for such a change and under what conditions. Never mind all of the logistical challenges of licensing all the algorithms (if necessary), having them implemented and ready for use and the necessary encryption key management. 

I am sure at some point we will get to an automated solution for crypto agility but that is likely quite a way off as it will require some engineering that will have to be created. The PKCS #11 standard provides guidance for secure key sharing that will have to be followed by any automated solution. However, the legal ramifications of changing algorithms and keys must be addressed before any automated solution can be implemented. 

Until then, we will have to suffer through manual means to address crypto agility, the time it takes to implement those changes, and the mitigation of risk while the changes are implemented. 
