By Judith Furlong, Dell Technologies with Matthew Lyon, Dell Technologies; Janet Jones, Microsoft; Souheil Moghnie, NortonLifeLock; Brian Rosenberg, Raytheon Technologies; Steve Lipner, SAFECode

In our second blog post we outlined high-level phases for adoption of post-quantum cryptography and identified immediate and short-term activities an organization should take to support an orderly and gradual migration to quantum-safe cryptography.

The first step towards migration to quantum-safe cryptography is determining what needs to be migrated.  Organizations should conduct a cryptographic inventory to identify where and for what purposes they use cryptography.  This cryptographic inventory is essential for identifying which cryptographic capabilities and dependencies are not quantum-safe and for assessing the impact a PQC migration will have on their environment.  While conducting the cryptographic inventory, an organization should also assess the sensitivity and retention requirements of stored encrypted data in order to identify data that could be subject to ‘record now, decrypt later’ attacks and data that will need to be decrypted and re-encrypted with quantum-safe algorithms.

Scoping and preparing for the inventory

Organizations should assemble any existing information about how and for what purposes cryptography is used in their environment.  Potential sources of information include import/export compliance documentation, open source and third-party component inventories, cryptographic and key management policies, materials submitted for FIPS 140 or Common Criteria validations and/or evidence provided for a compliance audit.  Organizations should also consider key management, key vaults, key rotations, and policies around cryptographic activities in general.

For most organizations, cryptography is used pervasively by essential applications and IT infrastructure, as well as by the products and/or services that they provide to their customers.  Organizations therefore need to identify a systematic and efficient way to break down the inventory process into manageable phases that can be completed independently and used to create the overall picture of where and how cryptography is used in their environment.  Different organizations will make different choices about the structure of these phases, such as reviewing one application or one aspect of the IT infrastructure (e.g. network, endpoints, etc.) at a time.  Technology providers will need to assess not only the status of each product and/or service they provide, but also the status of the infrastructure they use to support the distribution, deployment and support of those products and services.

Conducting and maintaining a comprehensive cryptographic inventory

Once an organization has its inventory execution plan in place, the work begins.  For each phase, the individuals conducting the inventory first need to identify and categorize the cryptographic features and functions that exist in the application, component, product or service being assessed.  Feature and function categories include:

  • Identity and Access Control
  • Data at Rest Protection
  • Data in Motion Protection
  • Blockchain/Distributed Ledger
  • Secure Communications Protocols
  • Key Management
  • Code Signing

For each identified and categorized feature or function the following information should be recorded:

  • Implementation: The component (file, library, processor, service, etc.) that contains the implementation of the cryptographic feature/function, along with the entity or supplier that is responsible for the implementation.
  • Cryptographic Protocol: Identify any cryptographic protocol(s) associated with the feature or function.
  • Cryptographic Module: The subcomponent that implements the cryptographic algorithms including the entity or supplier that is responsible for the implementation.  A cryptographic module may be a software toolkit such as OpenSSL; a hardware module such as a smart card, a computer board or an external device that connects to the computer; or may be capabilities provided by the platform (OS).
  • Cryptographic Algorithms: List all public key (asymmetric), symmetric, key derivation, and hash algorithms used in the implementation.
  • Cryptographic Parameters: Associated parameters for the identified algorithms including key size, message digest size, modes, etc.
  • Entropy Sources: List entropy source(s) used to seed Pseudo and True Random Number Generators (RNGs) and other cryptographic functions.
  • Operating Environment: Platform information including hardware characteristics, operating systems, etc.
  • Security Infrastructure: Identification of any infrastructure (e.g. Public Key Infrastructure (PKI), Code Signing Infrastructure, Symmetric Key Manager, etc.) that supports the feature/function.  Note that an inventory of any identified security infrastructure should also be conducted as part of the organization’s inventory process.

It is important to note that a cryptographic inventory is a snapshot of cryptographic use in an organization at the time the inventory is conducted.  Organizations therefore need to ensure that the cryptographic inventory is kept up to date as the use of cryptography changes in the organization.  Steps may include monitoring to detect and report on changes in the environment after the inventory is performed and/or incorporating periodic updates to the cryptographic inventory as part of an established auditing process.

While public key (asymmetric) cryptographic implementations are the main focus of most PQC migration plans, organizations should also assess their symmetric and hash implementations to ensure that they are using key and message digest sizes that are of sufficient strength for a post-quantum computing world.  The organization should work with its technology providers and supply chain vendors identified in the inventory to ensure that those entities are also engaged in planning their post-quantum cryptographic migration.
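An added example, not code from the original post: one way to capture the fields listed above as a record and to triage each record as the preceding paragraph describes (public key algorithms, symmetric and hash sizes, suppliers to engage). The algorithm set, the size floors, and the sample components and suppliers are assumptions to be replaced with the organization's own policy and data.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# Assumptions (not from the post): families treated as breakable by Shor's
# algorithm, and example size floors to replace with your own crypto policy.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA"}
MIN_BITS = {"symmetric": 256, "hash": 384}
# kind is "public_key", "symmetric", "hash" or "kdf"; size_bits is key or digest size
Algorithm = namedtuple("Algorithm", "name kind size_bits")

@dataclass
class InventoryRecord:  # one record per categorized feature/function
    feature: str
    category: str                # e.g. "Data in Motion Protection"
    implementation: str          # component that contains the feature
    supplier: str                # entity responsible for the implementation
    protocol: str
    crypto_module: str
    algorithms: list
    entropy_sources: list
    operating_environment: str
    security_infrastructure: list = field(default_factory=list)

def triage(record):
    """Return (algorithm, finding) pairs that need migration attention."""
    findings = []
    for alg in record.algorithms:
        floor = MIN_BITS.get(alg.kind)
        if alg.kind == "public_key":
            known = alg.name.upper() in SHOR_VULNERABLE  # unknown: never assume safe
            findings.append((alg.name, "migrate: not quantum-safe" if known
                             else "review: confirm quantum-safe status"))
        elif floor is not None and alg.size_bits < floor:
            findings.append((alg.name, f"resize: {alg.size_bits} < {floor} bits"))
    return findings

def suppliers_to_engage(records):
    return sorted({r.supplier for r in records if triage(r)})
# Constructed sample records; components and suppliers are hypothetical.
SAMPLE = [
    InventoryRecord("API TLS termination", "Data in Motion Protection", "edge-proxy",
                    "Vendor A", "TLS 1.3", "OpenSSL",
                    [Algorithm("ECDH", "public_key", 256), Algorithm("RSA", "public_key", 2048),
                     Algorithm("AES", "symmetric", 128), Algorithm("SHA-256", "hash", 256)],
                    ["OS RNG"], "Linux x86_64", ["PKI"]),
    InventoryRecord("Backup encryption", "Data at Rest Protection", "backup-agent",
                    "Vendor B", "", "platform (OS)",
                    [Algorithm("AES", "symmetric", 256), Algorithm("SHA-384", "hash", 384)],
                    ["OS RNG"], "Linux x86_64"),
]
```

Calling `triage(SAMPLE[0])` lists the findings for the TLS record, and `suppliers_to_engage(SAMPLE)` gives the suppliers whose components produced any finding.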

Conclusion

In this blog, we provide guidance for how an organization can plan, conduct and maintain a cryptographic inventory for its environment.  The organization will leverage the inventory to identify the most impacted aspects of its environment and to prioritize its PQC migration plans. The cryptographic inventory is also an essential reference for a number of the migration activities that will be discussed in subsequent blogs in this series.