Cryptographic agility in action

Long description immediately follows
Long description – Figure 1

Figure 1 is a diagram that describes an example of how a cryptographically agile system responds to a new vulnerability found in an algorithm that it currently supports. It shows how the detection of the vulnerability changes the configuration of the cryptographically agile system and changes the interactions with the system moving forward.

There are four icons at the top of the diagram to represent the following items:

  1. “Remote Server”
  2. “Cryptographic system”
  3. “Administrator”
  4. “Security News”

The administrator and cryptographic system items are grouped together to demonstrate they are within an organization, while the remote server and the security news entities are outside of an organization. The diagram follows the time progression of a cryptographically agile system identifying a vulnerability within a supported algorithm and responding swiftly. The steps are as follows:

  1. The starting state of the cryptographic system includes a list of the cryptographic algorithms that are currently supported.
  2. A vulnerability is found in a specific algorithm, call it Algorithm A, by someone outside of the organization and a security notice is posted publicly by the Security News entity.
  3. This security notice is seen by the administrator of the cryptographic system. The administrator is responsible for maintaining, updating, and properly configuring the cryptographic system.
  4. The administrator finds that Algorithm A is currently supported by the cryptographic system and subsequently reconfigures the cryptographic system to remove Algorithm A from the supported algorithms.
  5. An updated set of algorithms that are supported by the cryptographic system moving forward are shown, which indicates the administrator has successfully removed Algorithm A from the supported algorithms. By this step the cryptographic system has successfully responded to the vulnerability with a quick configuration change, a capability possible due to its cryptographic agility. The next steps show how these changes effect future interactions between this cryptographic system and a remote server.
  6. There is an initial interaction between a remote server and the cryptographic system where the first step is to agree on which cryptographic algorithm to use in their communications. The remote server has sent a list of the algorithms they can support.
  7. The cryptographic system responds to the remote server with the sub-list containing the algorithms which they also support. That sub-list does not contain Algorithm A as the cryptographic system no longer supports it after the administrator’s change.
  8. The remote server then selects one of the common algorithms from the sub-list it received from the cryptographic system to use moving forward in their interactions.



Source link