Page 1 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Cryptographic Agility and Interoperability: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24636.

×

Workshop Introduction

The Forum on Cyber Resilience of the National Academies of Sciences, Engineering, and Medicine hosted a Workshop on Cryptographic Agility and Interoperability at its Spring 2016 meeting, on May 9, 2016, in Washington, D.C.

The workshop featured 11 speakers who addressed various aspects of cryptographic agility and interoperability. These distinguished researchers, computer scientists, and industry leaders shared their diverse experiences and expertise related to the history and practice of cryptography, its current challenges, and its future possibilities. They also asked questions, probed assumptions, and explored uncertainties when dealing with cryptography.

The meeting was open to the public. This proceedings was created from the presenters’ slides, the rapporteurs’ notes, and a full transcript of the workshop; it is intended to serve as a public record of the workshop presentations and discussions.

OPENING REMARKS

Fred B. Schneider, Samuel B. Eckert Professor of Computer Science at Cornell University, member of the National Academy of Engineering, and workshop chair, opened the meeting with a brief description of the National Academies’ Forum on Cyber Resilience. The forum convenes experts from various backgrounds to examine the complicated issues

Page 2 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Cryptographic Agility and Interoperability: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24636.

×

surrounding cybersecurity and, more broadly, cyber resilience. The forum offers experts in technology, policy, and research an opportunity to discuss critical emerging issues or raise topics that are insufficiently addressed or perceived to be underappreciated. Although the forum does not conduct traditional National Academies’ studies, Schneider noted that forum members and the ideas discussed at workshops hosted by the forum can lead to the creation of such studies when deemed appropriate.

Schneider noted that this workshop focused on challenges surrounding cryptographic agility and interoperability. Cryptography is the creation of codes or algorithms to secure communications. Cryptographic agility refers to how easy it is to evolve or replace the hardware, software, or entire information technology (IT) systems being used to implement cryptographic algorithms or protocols (and, in particular, whether the resulting systems remain “interoperable”). Although cryptographers and computer systems designers might be confident in their work and may not see a strong need for cryptographic agility, “the reality is that we now know that cryptography breaks,” Schneider said.

For example, Schneider cited concerns about the possibility of quantum computers—technologies in very early research stages that would employ a fundamentally different approach from today’s computers. If quantum computing becomes a reality, today’s public-key cryptography systems—which are the basis for securing electronic communications in open environments such as the Internet—would be vulnerable to compromise. Agility would make defense against the emergence of quantum computers easier because it would allow simple substitution of quantum-resistant public-key algorithms for today’s widely deployed (and quantum-susceptible) algorithms.

Schneider also drew attention to some immediately practical issues, beyond developing defenses against hypothetical quantum computers, that improvements in cryptographic agility could help address. For example, what happens when foreign nations or other entities want to add their own cryptographic suites to commodity software, instead of using cryptographic approaches provided by the manufacturer? Support for this kind of change requires cryptographic agility in the deployed systems. The prospect of deploying more agile cryptography systems also raises some hard questions about trust: Who should be authorized to change cryptography in a deployed system? Schneider noted that changing cryptography systems can typically cause “really annoying little headaches,” such as the need to change key size or format, and the difficulty and expense of replacing cryptographic code that pervades several layers of software. Such headaches are actually symptoms of a broader set of issues that encompasses not only engineering and design problems but also questions of trust, policy, and even foreign relations, Schneider said.

Page 3 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Cryptographic Agility and Interoperability: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24636.

×

Despite this broad set of issues, Schneider noted that there has not yet been much discussion of this topic outside of highly technical communities. The intent of this workshop is to help explore the issues, educate a wider community, and identify where further work is needed.

Page 4 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Cryptographic Agility and Interoperability: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24636.

×

Workshop Context and Charge

The following information was provided to workshop speakers and attendees to offer context on cryptographic agility and interoperability and to provide a structure for the workshop and its intended purposes.

Background

This workshop is an activity of the National Academies’ Forum on Cyber Resilience. The Forum on Cyber Resilience facilitates and enhances the exchange of ideas among scientists, practitioners, and policy makers who are concerned with urgent and important issues related to the resilience of the nation’s computing and communications systems, including the Internet, other critical infrastructures, and commercial systems. Forum activities help to inform and engage a broad range of stakeholders around issues related to technology and policy in the context of cyber resilience, cybersecurity, privacy, and related emerging issues. A key role for the forum is to surface and explore topics that can help advance the national conversation. This workshop focuses on the topic of cryptographic agility and interoperability. Additional context and questions to consider for discussion are below.

Context

We rely on established cryptographic algorithms, protocols, and implementations to secure our data and communications. Greater agility with respect to cryptosystems could potentially help stakeholders better adjust to rapidly changing cybersecurity and privacy landscapes. For example, security leaders might desire the ability to quickly substitute one algorithm, protocol, or implementation for another following the discovery of significant weakness. Individual users may desire the ability to customize the security and speed of their communications, depending on the nature of their use. Governments may wish to set their own standards, especially if they do not trust those developed by other entities. Achieving such agility, however, poses both technical and policy challenges.

Generally although cryptographic algorithms and protocols are being deployed in an ever wider array of systems, our understanding of how to achieve agility, when to prioritize it, and how best to deploy it is limited. Today, some widely used systems have elements of cryptographic agility. For example, the widespread practice of software updates has been a way to achieve a measure of agility by allowing changes to be made through the deployment of security patches. Some protocols, including SSL/TLS and SSH, allow implementations to negotiate algorithm combinations. However, the authenticity and integrity of the software update mechanisms or negotiation processes are themselves ensured with cryptography—which may or may not be agile. Today, our understanding of how cryptosystems can improve agility, as well as the associated limitations and risks, remains limited.

There are two main technical problems that have to be solved to achieve agility in practice. The first is deployment: how to securely deploy new code to all the places where it needs to run. The second is selection: how to choose the cryptographic suite to use; it must be one that all the parties to the communication can handle, and it must meet the requirements of all the applications and legal jurisdictions involved.

Deployment itself needs cryptography to authenticate that the new code that is received and installed is what was intended. How can we make this cryptography itself agile? In addition, code that implements cryptographic algorithms and protocols runs in many different kinds of endpoints, in some cases in special purpose hardware such as network interface controllers and trusted platform modules. How can we create code that can run in all these endpoints, and how can we ensure that it gets deployed to all of them?

Page 5 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Cryptographic Agility and Interoperability: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24636.

×

An endpoint can usually run several different cryptographic suites so that it can talk to a variety of other endpoints (including old ones), meet legal or contractual requirements, or make trade-offs between security and performance. Today the application and the operating system together specify a set of acceptable suites for each endpoint, and the endpoints together try to select the “best” suite that is acceptable to all of them. Both of these processes are complicated and poorly specified, and have given rise to many bugs. How can we design a selection mechanism that meets these needs, is understandable, and is implemented correctly? What mechanisms can we put in place to protect against defaulting to the weakest algorithm in the set?

Challenges related to cryptographic agility cover the following areas:

Cryptographic algorithms—algorithm-specific cryptanalytic advances or fundamentally new techniques (such as quantum computing) may necessitate algorithm replacements;
Cryptographic protocols—updates to how cryptographic protocols negotiate and use cryptographic methods and other agreements may be needed to address security issues or to add/remove functionality;
Endpoints—cryptographic implementations in endpoint devices and systems range from more agile approaches (such as updatable software) to more robust but less agile approaches (such as implementations in hardware);
Key management—changes to how keys and credentials are generated, exchanged, stored, replaced, and revoked may be desired;
Trusted parties—some agility mechanisms rely on trusted third parties, such as product developers or certification authorities, to produce and distribute updates; and
Users—some agility mechanisms depend on user involvement, for example to make configuration decisions, resolve security alerts, or consent to updates, while some devices (such as “Internet of Things” devices) lack any user interface.

Separate from the technical challenges are questions of prioritization and economic trade-offs. When is it appropriate to design for agility and when might an emphasis on designing for truly long-term security be appropriate? For instance, for some critical applications it may be preferable to deploy cryptography that can persist and be secure for a century and those who need such security would have to be willing to tolerate significantly reduced performance to do so. Moreover, although on the surface decisions related to cryptographic agility appear technical, there are economic trade-offs in the decision to support multiple standards. It is not obvious that these trade-offs have been well understood or assessed in the past.

The workshop was designed to feature presentations on the drivers and technical and societal implications of increased cryptographic agility, addressing the following:

Motivations for and benefits of increased agility (security, technical, social, political),
Challenges to implementation (technical, social, political), and
Impacts (security, technical, social, political).

Page 6 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Cryptographic Agility and Interoperability: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24636.

×

Discussion Questions for Speakers and Participants to Consider

Why is cryptographic agility useful and what are its potential risks and impacts?

What approaches have been attempted for improving cryptographic agility, and how successful have they been? For example, how easy is it today to replace defeated or outdated cryptographic tools in widely deployed commercial software and systems?

How should the trade-off be made between supporting multiple algorithms (thus enabling agility in case of future problems) and supporting fewer algorithms? How does that trade-off differ by domain? What economic, social, and policy factors enter into that decision?

What are the consequences of supporting cryptographic agility on legacy data and systems? What are the trade-offs related to continuity (e.g., allowing continued use of existing encrypted, signed, or hashed data) and compatibility (such as systems having varying configuration settings and update status) when cryptographic regimes are deprecated?

How might more control over (and more variation in) cryptographic routines affect trust in systems by individuals, companies, and governments? For example, are there ways to address concerns that updates may (accidentally or intentionally) create new security vulnerabilities?

Does the complexity of agility mechanisms themselves or the security modes they enable create security risks?

How might privacy and human rights be affected by cryptographic agility?

What likely market or economic drivers affect how and whether companies support and improve cryptographic agility in their products? What might happen if support is not maintained for deprecated routines given longer-lasting embedded systems, such as found in Internet of Things devices?

What are likely geopolitical drivers of more crypto-agile systems, and what might be the impacts on the global Internet and international politics?

What are the consequences of cryptographic agility for the interoperability and usability of communications systems?

How and on what basis should efforts to improve cryptographic agility be prioritized?

What are the key opportunities for standards bodies, governments, researchers, systems developers, and other stakeholders with regard to cryptographic agility?

Cryptographic Agility and Interoperability: Proceedings of a Workshop (2017)

Chapter: Workshop Introduction

Workshop Introduction

OPENING REMARKS

Welcome to OpenBook!

Get Email Updates