03 Oct 2024
by Dr Daniel Shiu

Understanding your Cryptographic Risk

Guest blog by Dr. Daniel Shiu, Chief Cryptographer at Arqit Quantum Inc. #techUKCyberInnovation

  1. The time is now

It is globally agreed that the world needs to rethink its usage of cryptography and migrate away from legacy methods to secure the twenty-first century Internet. This is potentially an exceedingly long journey that might take years or decades to complete; how then should we start? The experts studying the challenges of migration agree that the first step for cryptography users needs to be discovery and inventory of their current use of cryptography. Unfortunately, they offer less advice on how users are supposed to take this first step. For almost all users, cryptography is not a hands-on experience; understanding the subject requires great expertise. Most consumers rightly look to cryptography to quietly perform its job unnoticed. This is true even at the Sys Admin and CISO level.

People will need help to take that initial step of cataloguing and understanding their network’s use of cryptography. This creates a demand for Cryptographic Inventory as a service. This allows companies to identify, organise, assess, and adjust the totality of their encryption usage, and get ahead of the game of upgrading their cryptography for the twenty-first century. In this piece, we will walk you through the stages of what a good Cryptographic Inventory service can and should provide.

  2. Discovery

Experienced security professionals know that almost all Internet encryption makes use of a small handful of protocols, whose connections can be tied closely to port numbers on an enterprise’s computers. With light-touch probing, it is easy to identify which protocols are in use and the other end of each connection, whether inside or outside the home network. External connections can often be geolocated so that users understand their use of Internet services based in other countries and can decide whether this represents a risk.

The scanning can also identify which version of a protocol is being used, and whether that version is considered legacy or future-proof. An in-depth understanding of the internals of a protocol also allows the service to identify the cryptographic building blocks that have been chosen in that instance to authenticate the communicators and secure their data in transit. Again, some of these choices might have been made a long time in the past, and better options could be possible today.

  3. Reporting

Generating the information in the Discovery step is important, but data is only as useful as it is easy to consume. Cryptographic Inventory tooling therefore needs to process the Discovery findings to make them easier for the network owner to understand. User experience is key here. Interactive summary screens give an overview of the full estate, but Cryptographic Inventory should also give the user the ability to drill down for more detail.

  4. Analysis

Being aware of the cryptography used within a network is important, but telling apart legacy cryptography, current best practice, and methods resistant to future attacks is not straightforward. Good Cryptographic Inventory should triage out deprecated cryptography such as MD5, DSA, or RC4. It should also be quick to identify uses of cryptography that are known to be vulnerable according to CVE databases. It should compare the key sizes used for other algorithms against the recommendations of standards bodies and national agencies, so that users can select security appropriate to their regulatory environment. It can also advise on the appropriateness of mitigations against future threats such as quantum computing.

Again, these findings should be presented to customers in a consumable way, grading threats with simple Red-Amber-Green warnings that can be filtered according to the source of the guidance. Common threats across multiple connections should be grouped so that it is clear whether an issue is unique or repeated across many devices.
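As an added illustration of the triage and grouping described in this section (example code, not Arqit's, Ampliphae's or the author's), the following Python grades a constructed set of discovered connections Red, Amber or Green and then groups identical findings across hosts so repeats stand out. The deprecated-algorithm list is the one named above; the record field names, the legacy-version set, the key-size floors and the "ML-KEM" label used to recognise quantum-resistant key exchange are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample records, shaped like a Discovery scan's output
# (hypothetical field names, not any vendor's format).
CONNECTIONS = [
    {"host": "app01", "port": 443, "version": "TLSv1.2", "kex": "ECDHE",
     "auth": "RSA", "auth_bits": 2048, "cipher": "AES-128-GCM", "mac": "SHA256"},
    {"host": "legacy01", "port": 443, "version": "TLSv1.0", "kex": "RSA",
     "auth": "RSA", "auth_bits": 1024, "cipher": "RC4-128", "mac": "MD5"},
    {"host": "legacy02", "port": 443, "version": "TLSv1.0", "kex": "RSA",
     "auth": "RSA", "auth_bits": 1024, "cipher": "RC4-128", "mac": "MD5"},
    {"host": "jump01", "port": 22, "version": "SSH-2.0", "kex": "curve25519",
     "auth": "DSA", "auth_bits": 1024, "cipher": "AES-256-CTR", "mac": "SHA256"},
]

DEPRECATED = {"MD5", "RC4", "DSA"}                 # the triage-out list from the text
LEGACY_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # assumed legacy set for the example
MIN_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}   # illustrative 112-bit security floor
PQ_KEX_MARKER = "ML-KEM"                           # assumed label for quantum-resistant kex
SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2}

def findings_for(conn):
    """Return (colour, message) pairs for one discovered connection."""
    out = []
    for field in ("cipher", "mac", "auth", "kex"):
        alg = conn[field].split("-")[0].upper()   # "RC4-128" -> "RC4"
        if alg in DEPRECATED:
            out.append(("RED", f"deprecated algorithm {alg} in {field}"))
    if conn["version"] in LEGACY_VERSIONS:
        out.append(("RED", f"legacy protocol version {conn['version']}"))
    floor = MIN_BITS.get(conn["auth"])
    if floor and conn["auth_bits"] < floor:
        out.append(("RED", f"{conn['auth']} key of {conn['auth_bits']} bits is below {floor}"))
    if PQ_KEX_MARKER not in conn["kex"]:
        out.append(("AMBER", "classical key exchange; not quantum resistant"))
    return out

def rating(conn):
    """Worst colour across a connection's findings (GREEN if there are none)."""
    return max((c for c, _ in findings_for(conn)), key=SEVERITY.get, default="GREEN")

def grouped_report(connections):
    """Group identical findings across hosts, most severe first, so repeats are visible."""
    groups = defaultdict(list)
    for conn in connections:
        for colour, msg in findings_for(conn):
            groups[(colour, msg)].append(f"{conn['host']}:{conn['port']}")
    return dict(sorted(groups.items(), key=lambda kv: -SEVERITY[kv[0][0]]))
```

Each key of `grouped_report` is a (colour, message) pair and its value lists every host:port that shares that finding, which is the "unique or repeated" view the text asks for.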

  5. Actionable intelligence

Knowing of a problem is not the same as solving the problem. Where simple defences and mitigations can be applied, these should also be communicated. The correction might be as simple as a change to a configuration file or a software upgrade. Other cryptographic choices might be outside of the control of the customer: an external server might be limited in the cryptography that it supports, or cryptography may be operating at the hardware level. Simple instructions on the best way to communicate the risk to the service provider or hardware vendor should also be provided. Cryptographic Inventory should also make clear when the issues do not have a simple remedy and when expert cryptographic consultancy is required.

  6. Summary

Cryptographic Inventory is a vital part of a robust cyber security posture, particularly as the cryptographic landscape is undergoing major changes. These services must be thorough in their discovery of encrypted connections, but accessible in their reporting. The raw data must be triaged and explained clearly to owners so that the threats and risks are easily understood. The steps that can be taken to mitigate the dangers should also be detailed simply. These are the principles that Ampliphae and Arqit have cleaved to when designing their Encryption Intelligence offering. We encourage you to reach out and contact us for a demonstration.

Encryption Intelligence (arqit.uk)

Encryption Intelligence - Ampliphae

Daniel Shiu | LinkedIn
