Root Causes 264: Crypto Agility for 2023
We define the important needs and initiatives that are changing the crypto agility landscape. We discuss topics including CA independence, cryptography in public clouds, post-quantum cryptography (PQC) agility, hybrid certificates, and FIDO 2/WebAuthn.
- Original Broadcast Date: December 23, 2022
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
‘Tis the season, and we are doing end-of-year lookback episodes. Although this one is almost a look forward episode, isn’t it? What we want to talk about is crypto agility for 2023. In other words, crypto agility itself isn’t really a new term. We will probably redefine it here. That’s an idea that’s been around for a while, but how has the crypto agility landscape changed and what are the ways that a modern approach to crypto agility might be different to what we were doing even just a couple years ago? Does that sound fair?
-
Jason Soroko
Sounds great.
-
Tim Callan
Alright, crypto agility for 2023. First of all, let’s define crypto agility. Jason, what’s your crisp definition of crypto agility.
-
Jason Soroko
Crypto agility - - you know, Tim, I think what we are gonna find out in this podcast is that it’s meaning several different things, but maybe the crispest way to talk about it is your ability to move between states with your crypto algorithms, with your crypto infrastructure, your readiness to swap out various kinds of primitives. It’s the ability to move between even infrastructure that you are not hosting yourself. It’s a number of things, Tim, and I think that’s part of what is expanding in 2023. Crypto agility is meaning a lot of things to a lot people. I think it’s all valid and we want to bring it all together in this podcast.
-
Tim Callan
If you break down the word, it is a rather self-explanatory term. It means being able to adjust your cryptography as frequently and as quickly and as comprehensively as needed to keep it current and secure and interoperable and meaningful in our world. And, you know, it used to be that cryptography was very slow moving. People would implement primitives and use them for decades. Literally. And things were hard-coded and you couldn’t get around it and there was stuff that’s gonna last as long as the hardware lived or as long as the software lived and that’s how it was, and it was felt to be ok. But nobody feels like that’s ok anymore, and I think part of what we are seeing and what we are gonna touch on today is the areas in which this need to be able to change our cryptography as frequently as you want and as quickly as you need to are expanding. And in new things we hadn’t previously really considered.
-
Jason Soroko
Absolutely right, Tim. Including – and this is a great, great podcast because quite often you and I come up with topics, Tim. Quite often, Tim,you are bringing us the news from the public trust world and I go into the idiosyncrasies of the private trust world and quite often, never the twain shall meet. This is where it meets hardcore right in the middle.
Because it doesn’t matter. Crypto agility is important for all of us, public and private, and I think we should just get right into what some of these new categories where crypto agility really touches hard.
-
Tim Callan
Yeah. Give me 30 seconds to frame what the old categories might have been.
The old categories were things like I need to update my hashing algorithm. My SHA-1 is not secure anymore and now I want to move on to a later version. And so, that’s sort of what we all think of. And part of that, of course, is swapping out the mechanisms like certificates that cause this cryptography to occur. So, it’s not just get rid of your SHA-1 but it’s also get new certs that are enabling the right hashing algorithm. Things like that.
Let’s use that as the baseline but now we are gonna reach beyond that to other areas where the need for agility is manifesting itself. Let’s just start – I’ll throw one out at you, Jason. The ability to be public CA independent.
-
Jason Soroko
Sure. I don’t know too many large enterprises out there that don’t have different divisions that aren’t using different CA vendors’ certificates. And, of course, Tim, we’ve had previous podcasts about the idea of shadow IT and the problems associated when you don’t have full visibility to your certificates. To me, that ability to consolidate or move between CA vendors is very important. And a lot of people have always thought about well, geez, the main reason I want CA independence is just in case there’s some sort of distrust event. We’ve seen that before with Symantec.
-
Tim Callan
We just saw TrustCor get distrusted very recently.
-
Jason Soroko
That’s right. And so if you were to walk into one of those vendors, it would be painful for you then to have to go through your infrastructure and do the manual swapping. It would be a lot better to have full visibility to all your certificates and then be able to say, hey, these certificates here with this particular vendor I want to move over. But it’s not just distrust events, Tim, it’s even things such as, as I said, you might want to have Let’s Encrypt for some of your experimental websites and a Sectigo certificate for your main website and then perhaps there’s even other certificates that you want to track that are being used on your behalf by your CDNs and just the list goes on and on and on but why you might use multiple CA vendors and being able to have visibility to it, the ability to then swap them if necessary. That’s part of crypto agility going into the end of this year and into next.
-
Tim Callan
For sure. I know you touched on this but also being able to have them coexist as a blend, right? Let the old certs expire out and replace them with new certs as that goes or just be able to maintain them in two different places. Second sourcing is considered to be a fundamental practice in so many areas, wherever there is a supply chain and a lot of people would like to be able second source certificates, by way of example. That for sure is definitely raising in visibility and importance and people are paying attention to it in a way that they weren’t, I would say, quite recently.
Next one on the list. How about agility with regard to cryptography and public cloud?
-
Jason Soroko
Sure. It’s almost a special case of the first one in a way, Tim, because you might have public cloud services that are handling your compute in Amazon AWS and in Google and in Azure, and you might be using some of their certificate management services both for public and private. What happens if your CIO comes up to you and says, you know what, Vendor X just gave us a better deal. We are moving everything to that.
-
Tim Callan
That’s right. Moving it all.
-
Jason Soroko
Moving it all.
-
Tim Callan
You still gotta have cryptography. It’s gotta work. You gotta have certs.
-
Jason Soroko
It’s gotta work.
-
Tim Callan
It’s gotta work.
-
Jason Soroko
Well, I can tell you right now that the experience of swapping cryptography in general of public clouds is a fairly - - your response to your CIO is going to be, “well, that’s gonna be a lot of work”. And it is gonna be a lot of work. Well, what happens if you are running through an intermediary? What happens if you are using good certificate lifecycle management that is actually integrated into those public clouds and essentially act like an abstraction layer between, Tim?
That allows you to then say to that CIO, “got it”. No problem at all. It will be tracked to our governance program. All the changes we need to make will be clean and secure and you’ll be able to give a good answer and I think, Tim, that’s just gonna become that much more common as public clouds become the operating system defacto standard for all of us. Much more even than our traditional desktop or server operating systems, cloud operating systems are and your lock-in to those cloud vendors shouldn’t stop you from taking advantage of being able to move around in the cloud.
-
Tim Callan
And treat them all the same way. You talked about governance. Your governance rules should be - - it should be a single set of governance policies. Even if your policies will be subtly different for public cloud certs than for on-premise certs, which is a possibility, you would still want them all to be considered as a single set of policies. You would want to account for them all in one place. You’d want to report them all together. You would want to be able to apply them equally and with equal ease and alacrity. All of that is part of having a true cloud independent crypto agile system.
-
Jason Soroko
So important, Tim. Every one of the vendors makes you play a different kind of a game. And that’s fine. They do that in order to lock you into them. In fact, the cryptographic services that they all offer are very, very bent towards keeping you within their system. And if you are any one of those big public cloud vendors, you are nodding your head and it’s hard to disagree, but they do that for competitive reasons. And so for you, as the user, you want to be free of that and you want to be able to take advantage of that ability to be independent of those specific CAs whether they are public or private.
-
Tim Callan
Yeah. Especially since flexibility and what do I want to say, ease of repatriation is so important for users of public cloud. One of the things that you see a lot when you look at the research is that this idea that I am not locked in is very compelling, and it’s part of how purchases are made. Part of why people stay with vendors that they stay with is because they know they can make these moves and, yeah, I get why the public cloud providers want to lock you in, but the IT professionals that I talk to don’t want to be locked in. So, that definitely becomes one of the important governing factors in all of this.
-
Jason Soroko
When you are speaking to vendors for certificate lifecycle management, make sure you are asking hard questions about integrations into those public clouds, Tim. It’s becoming important and in 2023, I can tell ya, if you haven’t done it already, it’s gonna be a theme of your job in 2023.
-
Tim Callan
And the other way, when you are shopping for a public cloud, find out how they are providing interoperability with your CLM. You can ask them, too. Because they gotta win your business, too.
-
Jason Soroko
How easy is it to do bring your own key (BYOK), right? In various services including desktop, virtual desktops, etc. They all have something around that but some of them are a lot easier to use than others so check it out.
-
Tim Callan
Number 3 that I can think of, of course, is that we are moving into the era where instead of it being a future thing that some mathematicians were working on that we were all watching with interest, we are moving to the area where we are really gonna have to start actually implementing post quantum crypto. So I would say PQC agility is definitely on the list starting in 2023.
-
Jason Soroko
Oh, it’s huge. In fact, Tim, this is where I’ve gotta bring it up, but the idea of hybrid certificates being the bridge between the systems that you have today and the systems that you are gonna have sometime in the future. Don’t even know when. When we are completely away from RSA and ECC. We are gonna be in an RSA and ECC world for years to come and that ability to utilize hybrid certificates will help to bridge that world and give us the agility to move into quantum readiness.
-
Tim Callan
We did a whole episode on hybrid certificates so you can go listen to that to get the full story and I highly recommend that. Jason, what’s the 30-second capsule summary of what hybrid certificates offer?
-
Jason Soroko
Hybrid certificates – think of TLS certificates with the good old x.509 standard except with an extra field and that field is helping to define whether the certificate is utilizing RSA or ECC basically on the outside of the certificate and then essentially within the inside of the certificate almost think of it like a key within a castle. The encoded message that’s being protected is being protected by a post quantum algorithm, you know, it could be one of your choice but that ability to have both the old world algorithms and new world algorithms within the same certificate, Tim, that’s what it is.
-
Tim Callan
And I just looked it up. It’s our Episode 118. So, if you want to hear more about hybrid certs, go to Root Causes 118 and we explain the whole concept.
Hybrid certificates are maybe not essential for everything, but for many use cases they’re absolutely essential, and I would guess that probably for the vast majority of systems implementations, applications, and use cases and organizations’ enterprises, they really are going to be essential.
-
Jason Soroko
They really are. And I do have to say, Tim, the time to get your hands dirty with them is now. And, in fact, we’ve seen news announcements out of Sectigo about the fact that, you know, do we have toolkits available for you to check out. We’ve now had news releases from vendors such as Cloudflare, a big CDN. They’re already using hybrid certificates to be able to utilize draft versions of post quantum algorithms within some of their certificates for CDN. And also, Tim, great news out of ISARA, a partner of ours. They are open sourcing the idea of hybrid certificates and, in fact, we are gonna cover that in a separate podcast just because it’s such a cool thing.
-
Tim Callan
Alright. So, here’s my last one and this one, I’d say it still qualifies and you will see why. In 2022 we saw some important developments in terms of making PKI-based login and validation available to ordinary consumers using their devices across a broad range of sites that they might attach themselves to. And this is using the WebAuthn protocol and FIDO2. It has various names on the various platforms, but we’ve seen support in major desktop and mobile device platforms, and one of the advantages of this of course is this puts it all into the system that itself is highly agile. So, as we need to change our PKI for our logins, all you really need to do is get a relatively small number of auto updating operating systems to get onto the current cryptography. Like if something came along tomorrow and we had to change fundamentally how we were approaching this stuff, it would be so much easier of a lift than it had been prior to WebAuthn. Because you get Apple and Microsoft and Android to push an update and they are all into auto updating systems, you get an update that’s gonna be necessary anyway occurring on the backend systems if that cryptography is really, you know, suddenly deprecated or not worthy of trust and bang, a massive ecosystem overnight has moved to a new set of cryptographic standards. And, you know, prior to widespread use of something like WebAuthn, I can’t even imagine how that kind of event would be possible.
-
Jason Soroko
Right. Changing the cryptographic algorithms that are run inside a client, those clients would have to update it themselves and that’s done in a piecemeal nature, different operating systems; we do it in the cloud, etc., etc. Now that it’s going to be fundamentally a first-class citizen directly within the main desktop and even mobile operating systems, those guys have solved a lot of those problems and thankfully are probably going to make us a lot more agile in 2023 and beyond.
-
Tim Callan
Now hopefully that particular event doesn’t come up, but we have to be prepared for those. There have been times in the past where deprecations have occurred and sometimes they’ve occurred kind of quickly and so, being able to keep everything current, if need be very rapidly, is absolutely an essential aspect of a secure going-forward, wide scale, PKI-based authentication ecosystem.
-
Jason Soroko
As cryptography becomes even more and more ubiquitous, Tim, this had to happen. And so, you know, we’re getting there. I think this is one of the very first steps to making it one of those first-class citizens in a regular update type of scheme. But I think we still need more down the road and, uh, but at least this is a good first start
-
Tim Callan
I think that’s great. Anything else for crypto agility for 2023, Jason?
-
Jason Soroko
You know, Tim, I just want to finish it off with the idea that a lot of what Tim and I just talked about in this podcast is brought to you by Certificate Lifecycle Management. Good old fashion discovery, provisioning, and a lot of technologies that are not your grandpa’s PKI. And thank goodness for that because as you are going through your digital transformation in your enterprise or even just you as a standard citizen trying to log into your various systems, these kinds of crypto agilities are being brought to you by new technology, new thinking, and better ways to think about cryptography and PKI in all the ways that it works. An important year-end topic and a lot more to talk about this next year.
-
Tim Callan
Excellent. I’m sure. I’m certain we are gonna be returning to all of these things next year. So, thank you very much, Jason. That’s crypto agility for 2023 and on the one hand, it’s to some degree, it’s the old crypto agility we all know about but, as you see, it’s taking some new directions, it’s got some new requirements that really are unique to the times right now and that’s how these things go.