THE NATIONAL ACADEMIES PRESS, 500 Fifth Street, NW, Washington, DC 20001
This project was supported by the National Science Foundation under award number CNS-14194917 and the National Institute of Standards and Technology under award number 60NANB16D311. Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of any organization or agency that provided support for this project.
Digital Object Identifier: 10.17226/24636
Copyright 2017 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
National Academies of Sciences, Engineering, and Medicine. 2016. Cryptographic Agility and Interoperability: Proceedings of a Workshop. Forum on Cyber Resilience Workshop Series. Washington, DC: The National Academies Press. doi:10.17226/24636.
Reports document the evidence-based consensus of an authoring committee of experts. Reports typically include findings, conclusions, and recommendations based on information gathered by the committee and committee deliberations. Reports are peer reviewed and are approved by the National Academies of Sciences, Engineering, and Medicine.
Proceedings chronicle the presentations and discussions at a workshop, symposium, or other convening event. The statements and opinions contained in proceedings are those of the participants and are not necessarily endorsed by other participants, the planning committee, or the National Academies of Sciences, Engineering, and Medicine.
For information about other products and activities of the National Academies, please visit nationalacademies.org/whatwedo.
FORUM ON CYBER RESILIENCE WORKSHOP SERIES
Cryptographic Agility and Interoperability
Proceedings of a Workshop
Anne Frances Johnson and Lynette I. Millett, Rapporteurs
THE NATIONAL ACADEMIES PRESS
Washington, D.C.
www.nap.edu
The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, nongovernmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president.
The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. C. D. Mote, Jr., is president.
The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president.
The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine.
Learn more about the National Academies of Sciences, Engineering, and Medicine at www.national-academies.org.
CYBER RESILIENCE WORKSHOP SERIES COMMITTEE
FRED B. SCHNEIDER, NAE,¹ Cornell University, Chair
ANITA ALLEN, NAM,² University of Pennsylvania
ERIC GROSSE, Google, Inc.
BUTLER W. LAMPSON, NAS³/NAE, Microsoft Corporation
SUSAN LANDAU, Worcester Polytechnic Institute
Staff
LYNETTE I. MILLETT, Director, Forum on Cyber Resilience
EMILY GRUMBLING, Program Officer
SHENAE BRADLEY, Administrative Assistant
FORUM ON CYBER RESILIENCE
FRED B. SCHNEIDER, NAE, Cornell University, Chair
ANITA ALLEN, NAM, University of Pennsylvania
BOB BLAKLEY, CitiGroup, Inc.
FRED H. CATE, Indiana University
DAVID D. CLARK, NAE, Massachusetts Institute of Technology
RICHARD J. DANZIG, Center for a New American Security
ERIC GROSSE, Google, Inc.
DAVID A. HOFFMAN, Intel Corporation
PAUL C. KOCHER, NAE, Cryptography Research Division, Rambus, Inc.
TADAYOSHI KOHNO, University of Washington
BUTLER W. LAMPSON, NAS/NAE, Microsoft Corporation
SUSAN LANDAU, Worcester Polytechnic Institute
STEVEN B. LIPNER, Independent Consultant
DEIRDRE K. MULLIGAN, University of California, Berkeley
TONY W. SAGER, Center for Internet Security
WILLIAM H. SANDERS, University of Illinois, Urbana-Champaign
STEFAN SAVAGE, University of California, San Diego
PETER SWIRE, Georgia Institute of Technology
DAVID C. VLADECK, Georgetown University
MARY ELLEN ZURKO, Cisco Systems, Inc.
Ex Officio
DONNA F. DODSON, National Institute for Standards and Technology
JAMES KUROSE, National Science Foundation
WILLIAM B. MARTIN, National Security Agency
Staff
LYNETTE I. MILLETT, Director
EMILY GRUMBLING, Program Officer
KATIRIA ORTIZ, Research Associate
SHENAE BRADLEY, Administrative Assistant
For more information about the forum, see its website at http://www.cyber-forum.org, or e-mail the forum at cyberforum@nas.edu.
___________________
¹ National Academy of Engineering.
² National Academy of Medicine.
³ National Academy of Sciences.
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
FARNAM JAHANIAN, Carnegie Mellon University, Chair
LUIZ ANDRE BARROSO, Google, Inc.
STEVEN M. BELLOVIN, NAE, Columbia University
ROBERT F. BRAMMER, Brammer Technology, LLC
EDWARD FRANK, Cloud Parity, Inc.
LAURA HAAS, NAE, IBM Corporation
MARK HOROWITZ, NAE, Stanford University
ERIC HORVITZ, NAE, Microsoft Research
VIJAY KUMAR, NAE, University of Pennsylvania
BETH MYNATT, Georgia Institute of Technology
CRAIG PARTRIDGE, Raytheon BBN Technologies
DANIELA RUS, NAE, Massachusetts Institute of Technology
FRED B. SCHNEIDER, NAE, Cornell University
MARGO SELTZER, Harvard University
JOHN STANKOVIC, University of Virginia
MOSHE VARDI, NAS/NAE, Rice University
KATHERINE YELICK, University of California, Berkeley
Staff
JON EISENBERG, Director
LYNETTE I. MILLETT, Associate Director
VIRGINIA BACON TALATI, Program Officer
SHENAE BRADLEY, Administrative Assistant
JANEL DEAR, Senior Program Assistant
EMILY GRUMBLING, Program Officer
RENEE HAWKINS, Financial and Administrative Manager
KATIRIA ORTIZ, Research Associate
For more information on CSTB, see its website at http://www.cstb.org, write to CSTB, National Academies of Sciences, Engineering, and Medicine, 500 Fifth Street, NW, Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.
Preface
The Forum on Cyber Resilience—a roundtable established in 2015 by the National Academies of Sciences, Engineering, and Medicine—facilitates and enhances the exchange of ideas among scientists, practitioners, and policy makers who are concerned with urgent and important issues related to the resilience of the nation’s computing and communications systems, including the Internet, other critical infrastructures, and commercial systems. Forum activities help to inform and engage a broad range of stakeholders around technology and policy issues related to cyber resilience, cybersecurity, privacy, and associated emerging issues. A key role for the forum is to uncover and explore topics that can help advance the national conversation.
During our early discussions exploring technical aspects of cyber resilience, the question of how to deploy systems whose cryptographic elements would be resistant to eventual quantum computers arose. Further discussion made clear that because we are all highly dependent on widely deployed cryptosystems, there is a complex, rich set of issues, beyond the potential impact of quantum computers, that affects how resilient our information and communications systems are (or could be) with regard to the cryptographic components used to ensure data secrecy, integrity, and authenticity. Cryptographic agility encompasses not just what can be done about the prospects of quantum computing breaking widely deployed public-key cryptography, but also how to address newly-discovered flaws in long-deployed cryptographic components such as Secure Sockets Layer/Transport Layer Security (SSL/TLS)¹ (the technology that secures links between web servers and browsers), as well as challenges related to nation-state preferences for homegrown cryptographic suites in commodity operating systems. Cryptographic agility thus not only poses difficult technical challenges, but also has economic and foreign policy implications.
To explore these issues further, the forum decided to host a workshop. A planning group has been appointed to oversee the forum’s workshop series. This workshop, held on May 9, 2016, in Washington, D.C., featured invited speakers from government, the private sector, and academia. This workshop proceedings summarizes the presentations made by invited speakers and remarks made by workshop participants, as well as the ensuing discussions. In keeping with the workshop’s exploratory purpose and the National Academies’ guidelines, this proceedings does not contain findings or recommendations, nor does it necessarily reflect consensus views of the workshop participants or planning committee. The planning committee’s role was limited to organizing the workshop, and the workshop proceedings has been prepared by the workshop rapporteurs and forum staff as a factual summary of what occurred at the workshop.
The introduction provides an overview of the workshop and reproduces background material provided to all participants. Chapters 1 through 5 summarize speaker presentations. Note that although the chapter headings reflect the titles given to these sessions at the workshop, most speakers covered many aspects of the topic. Chapter 6 describes the content of the final plenary discussion, highlighting some of the broader themes that emerged throughout the workshop. The workshop agenda and participants list are provided in Appendix A. Short biosketches of the planning committee and speakers appear in Appendixes B and C, respectively.
We hope that the workshop and this proceedings will encourage the exchange of ideas and fresh thinking about the critical cryptographic technologies that underpin much of our economy and critical infrastructure.
My sincere thanks to the planning committee, forum members, and staff who planned and organized the workshop as well as the invited speakers for their thoughtful remarks and enthusiastic participation in the discussions that ensued. Writing support was provided by Anne Frances Johnson and Kathleen Pierce, Creative Science Writing. We also extend our appreciation to the National Science Foundation, the National Security Agency, the Special Cyber Operations Research and Engineering Working Group, and the National Institute of Standards and Technology for their support and encouragement of forum activities.
Fred B. Schneider, Chair
Forum on Cyber Resilience
___________________
¹ SSL and TLS are two names for the same family of security protocols. SSLv2 and SSLv3 were developed by Netscape and the name of the protocol was changed to TLSv1 when it was standardized by (and change control moved to) the Internet Engineering Task Force.
Contents
Cryptography: If and When It Breaks
Lessons Learned from Real-World Cryptography
2 GOVERNMENT AND INFRASTRUCTURE
How the National Institute of Standards and Technology Thinks About Cryptography
Cryptography Through the Years
3 STANDARDS AND SECURITY IMPLICATIONS
Cryptographic Agility in the Real World
4 ENGINEERING AT SCALE AND USER IMPLICATIONS
Transport Layer Security and the Downsides of Agility
The Importance of the Human Factor in Cryptographic Agility
5 RESEARCH, INDUSTRY, AND POLICY IMPLICATIONS
ACKNOWLEDGMENT OF REVIEWERS
This workshop proceedings has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published proceedings as sound as possible and to ensure it meets institutional standards for objectivity, evidence, and responsiveness to the project’s charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this proceedings:
Paul Kocher, Cryptography Research Division, Rambus, Inc., NAE,¹
Brian LaMacchia, Microsoft Corporation,
John Manferdelli, Google, Inc., and
JR Rao, IBM Corporation.
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the views presented at the workshop, nor did they see the final draft of the proceedings before its release. The review of this report was overseen by Samuel H. Fuller, Analog Devices, Inc., NAE, who was responsible for making certain that an independent examination of this proceedings was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this proceedings rests entirely with the authors and the institution.
___________________
¹ National Academy of Engineering.