NIST:

• Post-Quantum Cryptography (PQC).

  1. COI and PQC: APPLIED-CRYPTO-PQC@NIST.GOV

// END //

(C)

• CIS (Center for Internet Security): CIS is a non-profit organization that develops and promotes best practices for cybersecurity. They offer various resources, including benchmarks, configuration guides, and security recommendations, to help organizations improve their security posture. (https://www.cisecurity.org/)

• Cryptography: This refers to the practice of securing information through encryption and decryption techniques. It involves algorithms and protocols that scramble messages during transmission or storage, making them unreadable to unauthorized parties. (https://en.wikipedia.org/wiki/Cryptography)

• CVE (Common Vulnerabilities and Exposures): A CVE is a publicly disclosed record of a cybersecurity vulnerability. It includes details about the vulnerability, how it can be exploited, and potential remedies. CVE serves as a common language for sharing information about vulnerabilities among security professionals. (https://cve.mitre.org/)

(D)

• DAST (Dynamic Application Security Testing): DAST is a testing technique that involves running a web application and attacking it with various payloads to identify security vulnerabilities. DAST tools can help simulate real-world attacks and identify vulnerabilities that might be missed by SAST. (https://en.wikipedia.org/wiki/Dynamic_application_security_testing)

• DDoS (Distributed Denial-of-Service): A DDoS attack overwhelms a system with a flood of traffic from multiple sources, rendering it unavailable to legitimate users. DDoS attacks are often launched using botnets, which are networks of compromised computers. (https://en.wikipedia.org/wiki/Denial-of-service_attack)

(N)

• NIST Cryptography: https://csrc.nist.gov/Groups/Computer-Security-Division/Cryptographic-Technology 

(S)

• SAST (Static Application Security Testing): SAST is a testing technique that analyzes source code to identify potential security vulnerabilities without executing the code. SAST tools can help developers find and fix vulnerabilities early in the development process. (https://en.wikipedia.org/wiki/Static_application_security_testing)

(T)

• TRAINING:

  1. RWPQC Workshop.: 

     • CISA’s efforts in the development of the PQC Automated Asset Discovery Strategy by Dr. Garfield. See PQC.

Asymmetric Algorithms, also known as Public-Key Cryptography. 

• BLUF: 

  1. A type of cryptographic system that utilizes two mathematically linked keys for encryption and decryption: a public key and a private key. This differs from symmetric algorithms, which use a single key for both encryption and decryption.

  2. While asymmetric algorithms offer strong security benefits, they can be computationally expensive compared to symmetric algorithms. Therefore, they are often used in conjunction with symmetric algorithms for bulk encryption, where the public key is used to securely exchange a symmetric key for encrypting large amounts of data.

• Asymmetric Algorithms: (4)

  1. Key Generation: A pair of keys is generated mathematically. These keys are interconnected but computationally infeasible to derive one from the other.

     • Public Key: This key is freely distributed and can be shared with anyone.

     • Private Key: This key is kept confidential and should only be accessible by the authorized user.

  2. Encryption: Data is encrypted using the recipient's public key. Only the corresponding private key can decrypt the message.

     • NIST Releases First 3 Finalized Post-Quantum Encryption (PQE) Standards. (13Aug2024)

  3. Decryption: The authorized recipient uses their well-guarded private key to decrypt the message, revealing the original content.

  4. Digital Signatures (Optional): Additionally, asymmetric algorithms can be used for digital signatures. In this case, a document is signed with the private key, verifying its authenticity and origin by anyone with access to the public key.

• Benefits: (2)

  1. Enhanced Security: Since the private key remains confidential, even if the public key is intercepted, attackers cannot decrypt messages or forge digital signatures.

  2. Secure Key Distribution: Public keys can be widely shared without compromising security.

• Common Applications of Asymmetric Algorithms: (4)

  1. Secure Communication (SSL/TLS): Used to encrypt communication channels like HTTPS, ensuring data privacy during online transactions or communication.

  2. Digital Signatures: Verifying the authenticity and origin of electronic documents.

  3. Secure Email: Protecting the confidentiality of email messages.

  4. Virtual Private Networks (VPNs): Establishing secure encrypted connections over public networks.

• Examples of Asymmetric Algorithms: (3)

  1. RSA (Rivest–Shamir–Adleman): A widely used algorithm for encryption and digital signatures.

  2. Elliptic Curve Cryptography (ECC): Offers smaller key sizes for equivalent security levels compared to RSA, making it efficient for resource-constrained devices.

  3. Diffie-Hellman Key Exchange: Enables secure key exchange over an insecure channel.

What is Post-Quantum Cryptography (PQC)?

1. First, we need to know what quantum and traditional computing are:

   • Traditional Computing (bits): Take a maze; standard computers will go into the maze "One-by-One" to find a solution. This may take time and energy, depending on the size of the maze. 

   • Quantum Computing (qubit): Take the same maze; quantum computers will go into the maze "All at the same time" to find a solution or many solutions. This will reduce time, but need a lot of energy, depending on the size of the maze.

2. The development of cryptographic algorithms (that are thought) to secure against crypt-analytic attacks by a quantum computer. A new class of cryptographic algorithms is designed to withstand attacks from quantum computers.

3. Crypt-analytic attacks decipher the weak points of a cryptographic system. Go to "Attacks & Solutions."

4. It aims to replace traditional public-key algorithms like RSA and ECC, which are vulnerable to Shor's algorithm (a quantum algorithm that can efficiently factor large integers and break these algorithms).

5. Cryptographic Algorithms for Defending Against Crypt-analytic Attacks: (A Combo is used)

6. Symmetric Key Cryptography. (4)

7. AES (Advanced Encryption Standard): Widely considered the gold standard for symmetric encryption, offering strong resistance to various attacks.   

8. DES (Data Encryption Standard): While older, still used in some legacy systems but is generally considered insecure due to its short key length.   

9. 3DES (Triple DES): A more secure variant of DES, but still being phased out in favor of AES.

10. Blowfish and Twofish: Strong symmetric algorithms, though less widely used than AES.   

11. Asymmetric Key Cryptography. (3)

12. RSA (Rivest-Shamir-Adleman): One of the most widely used public-key cryptosystems, used for secure data transmission.   

13. ECC (Elliptic Curve Cryptography): Offers similar security to RSA but with smaller key sizes, making it suitable for resource-constrained devices.   

14. Diffie-Hellman: Primarily used for key exchange, allowing parties to establish a shared secret over an insecure channel.   

15. Hash Functions. (2)

16. SHA-256, SHA-384, SHA-512: Commonly used for data integrity and authentication.   

17. MD5: While widely used in the past, is now considered insecure due to vulnerabilities.   

18. Other Cryptographic Techniques.

19. Block Ciphers: Operate on fixed-length blocks of data.   

20. Stream Ciphers: Encrypt data bit by bit.   

21. MACs (Message Authentication Codes): Provide data integrity and authenticity.   

22. Digital Signatures: Verify the authenticity and integrity of a message.   

23. Key Considerations for Algorithm Selection: (4)

24. Security Strength: The algorithm should offer sufficient protection against known attacks.

25. Performance: The algorithm should be efficient for the intended application.

26. Key Length: The key size should be appropriate for the desired security level.   

27. Algorithm Age: Older algorithms may have known vulnerabilities.   

28. Relies on mathematical problems that are believed to be hard for both classical and quantum computers to solve.

29. Still under development, with no single algorithm yet standardized.

Public-Key Cryptography Algorithms (101) -- (1o2).

• Public-key cryptography is a cryptographic system that uses two mathematically related keys, a (1) Public key and a (2) Private key, to encrypt and decrypt data. The "Public key" is made available to everyone and is used to encrypt the data, while the "Private key" is kept secret by the owner and used for decryption.

• Other functionalities: (1) Digital Signatures: Verifies the authenticity and integrity of a message by using the sender's private key to sign the message, and anyone with the corresponding public key can validate the signature. (2) Key Exchange Protocols: Allows the secure establishment of encryption keys between two parties without openly sharing the private keys.

• The mathematical relationship between the "Public keys" and "Private keys" is typically based on asymmetric algorithms, such as RSA or Elliptic Curve Cryptography (ECC). These algorithms rely on complex mathematical problems that make it computationally infeasible to derive the private key from the public key, ensuring the security of the encryption system.

Private-Key Cryptography Algorithms -- (2o2) -- (6)

1. Advanced Encryption Standard (AES): AES is a commonly used symmetric encryption algorithm that employs a private key of lengths 128, 192, or 256 bits. It is used for encrypting sensitive data in various applications and is considered a highly secure and efficient algorithm.

2. Data Encryption Standard (DES): DES is an older symmetric key encryption algorithm that uses a 56-bit private key. It has been widely used in the past but is now considered relatively weak due to its short key length.

3. Triple Data Encryption Standard (3DES): 3DES is an enhanced version of DES that applies the encryption process three times to increase security. It uses a 168-bit private key (three 56-bit keys) and is more secure than DES but slower.

4. Blowfish: Blowfish is a symmetric-key block cipher that supports a variable key length from 32 bits to 448 bits. It is widely used in various applications, including virtual private networks (VPNs) and secure protocols like HTTPS.

5. Twofish: Twofish is another symmetric encryption algorithm that supports key sizes of 128, 192, or 256 bits. It was one of the finalists for the AES competition and is considered secure and efficient. Twofish is used in several cryptographic applications and protocols.

6. RC4: RC4 is a stream cipher that uses a variable-length private key ranging from 8 to 2048 bits. It has been widely used in applications like wireless protocols and web encryption (e.g., WEP/WPA).

Attacks & Defensive Solutions.

1. BLUF -- The development of cryptographic algorithms (that are thought) to secure against crypt-analytic attacks by a quantum computer. A new class of cryptographic algorithms is designed to withstand attacks from quantum computers, but nothing is 100% secure.

   • Crypt-analytic Attacks decipher the weak points of a cryptographic system by employing a variety of methods to break down cryptographic systems.

     1. Crypt-analytic -- "Attack-Types". (4)

        • Ciphertext-only Attack: The attacker has access only to the encrypted message (ciphertext). This is the most challenging attack for the cryptanalyst.   

        • Known-plaintext Attack: The attacker possesses both the plaintext and its corresponding ciphertext. This information can be used to deduce the encryption key.   

        • Chosen-plaintext Attack: The attacker can choose arbitrary plaintexts and obtain their corresponding ciphertexts. This provides more flexibility in the attack.   

        • Chosen-ciphertext Attack: The attacker can choose arbitrary ciphertexts and obtain their corresponding plaintexts. This is the most powerful type of attack.

     2. Crypt-analytic -- "Attack Techniques". (6)

        • Brute Force Attack: Trying every possible key until the correct one is found. This is computationally intensive but feasible for short keys.

        • Frequency Analysis: Studying the frequency of letters or characters in the ciphertext to find patterns. Effective against simple substitution ciphers.   

        • Differential Cryptanalysis: Analyzing the effects of changes in the plaintext on the ciphertext to find weaknesses in the encryption algorithm.   

        • Linear Cryptanalysis: Finding linear approximations of the encryption function to recover the key.

        • Side-Channel Attacks: Exploiting physical information, such as power consumption or timing variations, to extract the key.   

        • Mathematical Analysis: Applying mathematical techniques to analyze the underlying structure of the cryptographic algorithm.

     3. Common Weaknesses Exploited. (5)

        • Weak Key Generation: Using predictable or easily guessable keys.

        • Algorithm Flaws: Logical errors or vulnerabilities in the cryptographic algorithm itself.

        • Implementation Errors: Incorrect implementation of the algorithm, leading to vulnerabilities.

        • Key Management Issues: Improper handling of cryptographic keys, such as weak storage or distribution.

        • Side-Channel Leakage: Revealing sensitive information through physical characteristics of the system.

2. Defense Solutions: It aims to replace traditional public-key algorithms like RSA and ECC, which are vulnerable to Shor's algorithm (a quantum algorithm that can efficiently factor large integers and break these algorithms).

   • RSA Encryption: (Rivest Shamir Adleman) A well-known public-key or asymmetric cryptographic algorithm. It protects sensitive data through encryption and decryption using a private and public key pair that provides secure communication over public channels. (Ref: Splunk)   

     1. Common uses (3): (1) Secure Communication: RSA is used to encrypt messages and digital signatures. (2) Key Exchange: It's used to securely exchange symmetric keys for faster encryption algorithms like AES. (3) Authentication: RSA can be used to verify the authenticity of digital documents and messages.

     2. How it works using (5): (1) Two Large Prime Numbers: Two very large prime numbers (p and q) are generated randomly. (2) Modulus (n): The product of p and q is calculated (n = p * q). (3) Totient (φ(n)): The totient is calculated as φ(n) = (p-1) * (q-1). (4) Public Key (e): A number (e) is chosen such that it's relatively prime to φ(n), meaning they share no common divisors other than 1. (5) Private Key (d): The private key (d) is calculated using the equation: d ≡ e^(-1) (mod φ(n)).

     3. Encryption-Types (2): (1) Plaintext (M): The message to be encrypted is represented as a number. (2) Ciphertext (C): The ciphertext is calculated using the formula: C ≡ M^e (mod n).

     4. Decryption-Type: (1) Original Message (M): The original message is recovered using the formula: M ≡ C^d (mod n).

   • Defense Against Cryptanalytic Attacks. (6)

     1. Strong Algorithms: Using mathematically sound and well-tested algorithms.

     2. Long Key Lengths: Making brute force attacks computationally infeasible.

     3. Random Key Generation: Ensuring that keys are truly random.

     4. Secure Key Management: Protecting keys from unauthorized access and misuse.

     5. Implementation Best Practices: Carefully implementing cryptographic algorithms to prevent vulnerabilities.

     6. Constant Vigilance: Staying updated on the latest cryptanalytic techniques and vulnerabilities.

   • Cryptographic Algorithms for Defending Against Crypt-analytic Attacks: -- A combination of solutions is used.

     1. Symmetric Key Cryptography. (4)

        • AES (Advanced Encryption Standard): Widely considered the gold standard for symmetric encryption, offering strong resistance to various attacks.   

        • DES (Data Encryption Standard): While older, still used in some legacy systems but is generally considered insecure due to its short key length.   

        • 3DES (Triple DES): A more secure variant of DES, but still being phased out in favor of AES.

        • Blowfish and Twofish: Strong symmetric algorithms, though less widely used than AES.   

     2. Asymmetric Key Cryptography. (3)

        • RSA (Rivest-Shamir-Adleman): One of the most widely used public-key cryptosystems, used for secure data transmission.   

        • ECC (Elliptic Curve Cryptography): Offers similar security to RSA but with smaller key sizes, making it suitable for resource-constrained devices.   

        • Diffie-Hellman: Primarily used for key exchange, allowing parties to establish a shared secret over an insecure channel.   

     3. Hash Functions. (2)

        • SHA-256, SHA-384, SHA-512: Commonly used for data integrity and authentication.   

        • MD5: While widely used in the past, is now considered insecure due to vulnerabilities.   

     4. Other Cryptographic Techniques.

        • Block Ciphers: Operate on fixed-length blocks of data.   

        • Stream Ciphers: Encrypt data bit by bit.   

        • MACs (Message Authentication Codes): Provide data integrity and authenticity.   

        • Digital Signatures: Verify the authenticity and integrity of a message.   

     5. Key Considerations for Algorithm Selection: (4)

        • Security Strength: The algorithm should offer sufficient protection against known attacks.

        • Performance: The algorithm should be efficient for the intended application.

        • Key Length: The key size should be appropriate for the desired security level.   

        • Algorithm Age: Older algorithms may have known vulnerabilities.   

3. Relies on mathematical problems that are believed to be hard for both classical and quantum computers to solve.

4. Still under development, with no single algorithm yet standardized.

Public-Key Cryptography Algorithms (101) -- (1o2).

• Public-key cryptography is a cryptographic system that uses two mathematically related keys, a (1) Public key and a (2) Private key, to encrypt and decrypt data. The "Public key" is made available to everyone and is used to encrypt the data, while the "Private key" is kept secret by the owner and used for decryption.

• Other functionalities: (1) Digital Signatures: Verifies the authenticity and integrity of a message by using the sender's private key to sign the message, and anyone with the corresponding public key can validate the signature. (2) Key Exchange Protocols: Allows the secure establishment of encryption keys between two parties without openly sharing the private keys.

• The mathematical relationship between the "Public keys" and "Private keys" is typically based on asymmetric algorithms, such as RSA or Elliptic Curve Cryptography (ECC). These algorithms rely on complex mathematical problems that make it computationally infeasible to derive the private key from the public key, ensuring the security of the encryption system.

Private-Key Cryptography Algorithms -- (2o2) -- (6)

1. AES (Advanced Encryption Standard): AES is a commonly used symmetric encryption algorithm that employs a private key of lengths 128, 192, or 256 bits. It is used for encrypting sensitive data in various applications and is considered a highly secure and efficient algorithm.

2. DES (Data Encryption Standard): DES is an older symmetric key encryption algorithm that uses a 56-bit private key. It has been widely used in the past but is now considered relatively weak due to its short key length.

3. 3DES (Triple Data Encryption Standard): 3DES is an enhanced version of DES that applies the encryption process three times to increase security. It uses a 168-bit private key (three 56-bit keys) and is more secure than DES but slower.

4. Blowfish: Blowfish is a symmetric-key block cipher that supports a variable key length from 32 bits to 448 bits. It is widely used in various applications, including virtual private networks (VPNs) and secure protocols like HTTPS.

5. Twofish: Twofish is another symmetric encryption algorithm that supports key sizes of 128, 192, or 256 bits. It was one of the finalists for the AES competition and is considered secure and efficient. Twofish is used in several cryptographic applications and protocols.

6. RC4: RC4 is a stream cipher that uses a variable-length private key ranging from 8 to 2048 bits. It has been widely used in applications like wireless protocols and web encryption (e.g., WEP/WPA).

Automated Cryptography Discovery and Inventory (ACDI) 

• BLUF: A process of automatically finding and listing cryptographic keys and algorithms within an IT infrastructure. This is important for security purposes, as it allows organizations to track and manage their cryptographic assets, ensuring they are used properly and securely.

Azure tools that do ACDI: (3)

1. Azure Key Vault: For securely storing and managing cryptographic keys. Azure Key Vault can be integrated with other Azure services to help automate key discovery and management.

2. Azure Security Center: A SIEM (Security Information and Event Management) service that can help identify and inventory cryptographic keys and algorithms in use across an Azure environment.

3. Azure Resource Manager: To manage and deploy resources in Azure, including Azure Key Vault. Azure Resource Manager can be used to automate the process of discovering and inventorying cryptographic keys.

Current Availability:

• At this time, Azure offers tools for exploring and experimenting with PQC, fully production-ready solutions are still under development. Most PQC algorithms are relatively new and require further testing and standardization before widespread deployment.

Recommendations:

• Microsoft recommends a "hybrid" approach where both classical and post-quantum algorithms are used together. This provides security against both present and future threats.

Azure Quantum:

• Resource Estimator: This tool allows you to simulate the performance of post-quantum algorithms on different quantum architectures. This can help you evaluate their suitability for your specific needs.

• Quantum Development Kit (QDK): The QDK provides libraries and tools for programming quantum computers, including libraries for implementing some post-quantum algorithms. However, currently, these libraries are still under development and not production-ready.

Encryption Inventory Library -- using Azure Stack Tools (4).

• BLUF: While Azure doesn't have a specific tool designed for inventorying traditional encryption libraries and communications, it does offer several tools and services that can be leveraged to achieve this goal.

  1. Azure Security Center:

     • Vulnerability Assessment: Identifies potential vulnerabilities in your applications and infrastructure, including outdated or insecure cryptographic libraries.

     • Threat Detection: Detects and responds to threats, such as unauthorized access or data breaches, which may involve weak encryption.   

  2. Azure Monitor:

     • Log Analytics: Collects and analyzes logs from various Azure services, including application logs, network traffic logs, and security logs. This can help identify usage of specific cryptographic libraries and protocols.   

     • Application Insights: Monitors the performance and usage of your applications, including the use of encryption libraries and APIs.   

  3. Azure Policy:

     • Custom Policies: Create custom policies to enforce specific security standards, such as the use of approved cryptographic algorithms and protocols. This can help identify deviations from your organization's security policies.   

  4. Microsoft Sentinel (SIEM: SecInfoEventMgmt + SOAR: Security, Orchestration, Automation, and Response):

     • Threat Detection: Detects and responds to threats, including those related to weak or compromised encryption.  

     • Incident Response: Provides tools and workflows to investigate and respond to security incidents, such as data breaches caused by encryption vulnerabilities. 

     • Log Analysis: By analyzing logs from various sources, including Azure services, network devices, and security applications, you can identify potential misconfigurations or weak encryption settings. For example, you can look for logs indicating the use of outdated or insecure cryptographic algorithms. 

  5. Additional Considerations:

     • Manual Inventory: While Azure tools can help automate parts of the inventory process, manual review and analysis may still be necessary to identify all encryption usage.

     • Third-Party Tools: Consider using third-party tools specifically designed for software inventory and vulnerability assessment, which can provide more detailed information about the cryptographic libraries and protocols used in your applications.

Azure Marketplace:

• Quantum-Safe OpenSSH: A marketplace offering provides an experimental version of OpenSSH with post-quantum cryptography libraries integrated. This allows you to try out PQC for secure server connection testing.

Microsoft Research and Engineering Efforts:

• Post-Quantum TLS Project: Microsoft is actively researching and developing post-quantum TLS protocols that can be used to secure web communication from future quantum attacks.

• Collaboration with NIST and Industry: Microsoft participates in international standardization efforts and collaborates with the National Institute of Standards and Technology (NIST) and the Open Quantum Safe (OQS) project to advance PQC development and adoption.

Resources:

• Building a quantum-safe future - Microsoft Blog: https://cloudblogs.microsoft.com/quantum/2023/06/21/microsoft-achieves-first-milestone-towards-a-quantum-supercomputer/

• Post-Quantum Cryptography - Microsoft Research: https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/

• Azure Quantum | Quantum-safe overview: https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/

CISA's PQC:

• 1. • CISA's PQC Initiative: https://www.cisa.gov/quantum   

     • Covington: CISA and NIST Urge Companies to Prepare to Transition to a PQC Standard. (Link)

       1. CISA: Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats.

       2. CISA: PQC Roadmap.

Cost Estimation Process.

• Unfortunately, providing a specific range for "inventory" in the context of PQC migration cost estimation isn't possible.

• Factors t Consider (Risk Mgmt): 

  1. The size of your inventory (software applications and systems relying on cryptography) can vary significantly.

  2. Organizational Size: Larger organizations naturally have more software applications and systems compared to smaller ones.

  3. Industry: Certain industries, like finance or healthcare, tend to have more software with critical cryptographic needs.

  4. Technology Adoption Rate: Organizations that readily adopt new technologies might have a larger software inventory compared to those with more traditional approaches.

• Cost Estimation Process: (3)

  1. Inventory Categories: Instead of a single number, consider creating categories within your inventory. This could involve grouping applications based on:

     • Function: Categorize applications by their primary function (e.g., finance, communication, security).

     • Criticality: Classify applications based on their impact on core business functions (e.g., high, medium, low).

     • Vendor: Group applications by their vendor to potentially identify bulk discounts or migration support options.

  2. Sample and Scale: Analyze a sample of the software inventory to understand the PQC migration complexity and cost involved. Then, based on this sample, estimate the overall effort required for the entire inventory.

  3. Focus on High-Impact Applications:  Prioritize creating a detailed inventory for software applications critical to your organization's operations or those handling sensitive data. These high-impact applications will likely require more resources and have a more significant impact on the overall migration cost.

By using these strategies, you can approach the "inventory" aspect in your PQC migration cost estimation without needing a single, definitive range.

Cryptographic Agility (Crypto-Agility) 

• BLUF:

  1. The ability for a system to quickly and easily change parts of its encryption.  This encompasses changing encryption keys, key lengths, encryption algorithms used, and even the libraries used to perform the encryption. 

  2. There is not currently an official crypto agility standard for Federal Agencies (as of 2024), but research into it and resources from CISA led to the identification of three elements of a Cryptographically Agile system:

     • Use modern cryptography

     • Maintain an accurate cryptographic inventory

     • Engineer in the ability to make encryption changes quickly and efficiently

  3. Refers to the ability of a system to easily switch between different cryptographic algorithms and protocols without causing disruptions. This is crucial for future-proofing your data security, as cryptographic algorithms can become vulnerable over time due to advances in computing power and cryptanalysis techniques.

• Encrypt Data-at-Rest (DAR) & Data-in-Transit (DIT).

• Proactive (anticipates a future threat), not Patching (fixes vulnerabilities)

• Attack-Types: Ransomware; 

• Implementing cryptographic agility is an ongoing process. 

• Stay informed about the latest vulnerabilities and advances in cryptography, and regularly update your system to maintain a secure and future-proofed data environment.

• The ability for a system to quickly and easily change parts of its encryption/algorithms. Changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. 

• No current official crypto-agility standard for federal agencies: See CISA [Link]. 3 elements of Cryptographically Agile systems (3): (1) Use modern cryptography. (2) Maintain an accurate cryptographic inventory; (3) Engineer the ability to make encryption changes quickly and efficiently

Value & Benefits of Cryptographic Agility: (4)

1. Enhanced security: You can quickly adapt to new threats and vulnerabilities by adopting more robust algorithms as they emerge.

2. Future-proofing: Your system remains secure even if current algorithms become compromised.

3. Flexibility: You can choose the most appropriate algorithms for different use cases based on factors like performance, security needs, and compliance requirements.

4. Reduced downtime: Changes can be implemented seamlessly without requiring major system modifications.

Implement Cryptographic Agility (CA) w/ Azure: (10) -- 

• BLUF (2) -- (1) Implementing Cryptographic Agility (CA) involves taking steps to ensure that cryptographic algorithms and protocols can be easily updated or replaced as needed. (2) Cryptographic Agility is an ongoing process that requires continuous monitoring, evaluation, and adaptation to evolving security requirements and cryptographic advancements.

• General Steps/Roadmap to Implement Crypto-Agility (via Azure): (10)

  1. Assess Current Cryptographic Implementations: Evaluate the existing cryptographic algorithms and protocols used in your systems and applications. Identify any outdated or vulnerable algorithms that need to be replaced.

     • Azure Security Center: To assess the security posture of your Azure resources, including cryptographic configurations and vulnerabilities.

  2. Stay informed about cryptographic standards and best practices. Keep up-to-date with the latest cryptographic standards, guidelines, and best practices. Stay informed about advancements in cryptographic algorithms and protocols, as well as any vulnerabilities or weaknesses discovered in existing ones.

     • Azure Security Center: Continuously monitor Azure Security Center for security recommendations and best practices related to cryptographic algorithms and protocols.

  3. Design for Modularity and Abstraction: When developing or updating systems, design them in a modular and abstract manner. Separate the cryptographic functionality from the rest of the system, allowing for easier replacement or upgrade of cryptographic components in the future.

     • Azure Key Vault: Utilize Azure Key Vault to securely store and manage cryptographic keys and secrets separately from your applications. This allows for easier replacement or rotation of keys without impacting the application code.

  4. Use Standardized Cryptographic APIs: Utilize standardized cryptographic APIs (Application Programming Interfaces) provided by cryptographic libraries or frameworks. This helps ensure interoperability and simplifies the process of replacing cryptographic algorithms or protocols.

     • Azure Key Vault: Integrate Azure Key Vault with your applications to access cryptographic keys and perform cryptographic operations using standardized APIs.

  5. Implement Key Management Practices: Establish robust key management practices to facilitate cryptographic agility. This includes securely storing and managing cryptographic keys, ensuring key rotation, and implementing mechanisms for key recovery or revocation.

     • Azure Key Vault: Leverage Azure Key Vault's key management capabilities, including key rotation, versioning, and access control, to ensure secure key management practices.

  6. Plan for Algorithm and Protocol Transitions: Develop a transition plan for replacing or updating cryptographic algorithms and protocols. Consider factors such as compatibility, performance impact, and security requirements. Gradually phase out the use of deprecated algorithms and introduce new ones in a controlled manner.

     • Azure Security Center: Stay informed about recommended cryptographic algorithms and protocols through Azure Security Center's security recommendations and guidelines.

  7. Perform Risk Assessments and Testing: Conduct risk assessments and security testing to evaluate the impact of cryptographic algorithm or protocol changes. This helps identify potential vulnerabilities or compatibility issues before implementing the changes in production environments.

     • Azure Security Center: Utilize Azure Security Center's vulnerability assessment and security testing capabilities to identify potential vulnerabilities or weaknesses in your cryptographic implementations.

  8. Monitor and Update: Continuously monitor the cryptographic landscape for new vulnerabilities, attacks, or advancements. Stay proactive in updating cryptographic algorithms and protocols as needed to maintain security and address emerging threats.

     • Azure Security Center: Continuously monitor Azure Security Center for new security alerts and recommendations related to cryptographic algorithms and protocols. Stay updated with the latest security patches and updates provided by Azure.

  9. Document and Communicate: Document the cryptographic algorithms and protocols used in your systems, along with their associated risks and mitigation strategies. Communicate the importance of cryptographic agility to stakeholders and ensure awareness of the need for regular updates and maintenance.

     • Azure Policy: To enforce and document cryptographic configurations and compliance requirements across your Azure resources. Communicate the importance of cryptographic agility to stakeholders using Azure Policy's policy enforcement capabilities.

  10. Regularly Review and Audit: Conduct regular reviews and audits of your cryptographic implementations to ensure compliance with security standards and best practices. This includes reviewing cryptographic configurations, verifying key management processes, and assessing the overall cryptographic agility of your systems.

      • Azure Monitor: Utilize Azure Monitor to collect and analyze logs and metrics related to cryptographic operations. Perform regular reviews and audits of your Azure resources to ensure compliance with security standards and best practices.

Azure tools for Cryptographic Agility: (5)

1. Azure Key Vault: Provides secure storage and management of cryptographic keys for different algorithms.

2. Azure Cryptography Library (ACL): A comprehensive library offering implementations of various cryptographic algorithms and protocols.

3. Azure Security Center: Helps identify and assess vulnerabilities in your cryptographic configurations.

4. Azure Quantum Computing: Allows experimentation with post-quantum algorithms for long-term cryptographic resilience.

5. Azure App Service: Integrates with various frameworks and libraries that support cryptographic agility.

References to CA: (4)

1. NIST Special Publication 800-57 Part 3: Revision 1 - Recommendation for Key Management: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt3r1.pdf

2. NIST Special Publication 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

3. OWASP Cryptographic Agility: https://owasp.org/www-project-cryptographic-agility/

4. Cryptographic Agility: https://csrc.nist.gov/Projects/Cryptographic-Agility

Identifying and remediating cryptographic risks involves the following specific steps: (8)

1. Inventory and assess cryptographic usage: Identify all cryptographic components in an organization (e.g., encryption algorithms, key management systems) in your infrastructure. Assess their usage, configurations, and compliance with best practices. ~ Note: This task involves collaborating with the customer because it consumes a lot of time to complete.

2. Perform a risk assessment: Evaluate the potential risks associated with cryptographic components. Consider factors such as key management, encryption strength, secure protocols, and compliance requirements.

3. Identify vulnerabilities and weaknesses: Utilize scanning tools, vulnerability assessments, and penetration testing to identify cryptographic weaknesses, outdated protocols, or misconfigurations within your infrastructure.

4. Implement encryption best practices: Review and update your encryption policies and practices. Ensure adherence to standards such as AES-256 for data at rest, TLS 1.2 or higher for network security, and the use of "Secure Hashing Algorithms."

   • Secure Hash Algorithms -- Are cryptographic algorithms that transform an input (or message) of any length into a fixed-size output, known as a hash value or hash code. They are designed to be one-way and irreversible, meaning that it is computationally infeasible to re-create the original input from the hash value. -- VALUE -- Data integrity and ensure that the original message has not been altered in transit or in storage.

   • Commonly used secure hashing algorithms: (5) -- (1) SHA-2 (Secure Hash Algorithm 2): This family of hashing algorithms includes SHA-224, SHA-256, SHA-384, and SHA-512, which generate hash values of different lengths. (2) SHA-3 (Secure Hash Algorithm 3): The SHA-3 family includes SHA3-224, SHA3-256, SHA3-384, and SHA3-512. They were developed as a replacement for the older SHA-2 algorithms. (3) MD5 (Message Digest Algorithm 5): Despite being widely used in the past, MD5 is considered insecure for most cryptographic purposes today due to vulnerabilities discovered over time. (4) RIPEMD (RACE Integrity Primitives Evaluation Message Digest): The RIPEMD family includes RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. (5) Blake2: A highly efficient cryptographic hash function that is faster than many other algorithms and is resistant to various types of attacks. -- New ones are introduced to stay ahead of potential vulnerabilities.

5. Manage cryptographic keys securely: Establish proper key management processes, including key generation, distribution, rotation, and revocation. Leverage Azure Key Vault for centralized key management, secure key storage, and monitoring key usage.

6. Monitor and detect cryptographic issues: Utilize Azure Security Center and Azure Monitor to gain insights into cryptographic events, anomaly detection, and security alerts. Configure logging and auditing to identify any issues promptly.

7. Perform penetration testing and red teaming: Regularly conduct penetration tests and engage ethical hackers or red teams to simulate attacks on your infrastructure. This helps identify any weaknesses or vulnerabilities before malicious actors exploit them.

8. Training and awareness: Educate IT staff and users about cryptographic best practices, secure coding principles, and potential risks. Raising awareness can prevent common pitfalls and improve the overall security posture.

Azure Tools for Cryptographic Risk Management: (4)

1. Azure Key Vault: A secure and centralized key management solution offering features like HSM-backed key storage, key rotation, and cryptographic operations. 

2. Azure Security Center: Provides visibility into the security state of your Azure resources, offers recommendations, and can detect cryptographic risks or misconfigurations.

3. Azure AD Identity Protection: Helps detect and remediate security vulnerabilities in identity management, such as weak authentication or compromised credentials. 

4. Azure Information Protection: Enables data classification, labeling, and encryption, ensuring sensitive information is protected and controlled.

Remember, consulting Microsoft Azure documentation (official documentation: https://docs.microsoft.com/ and engaging security professionals are crucial for obtaining the most accurate and authoritative guidance specific to your infrastructure and needs.

What is a Cryptographic Bill of Materials (CBOM)?

• CBOM is a structured inventory of all cryptographic algorithms, protocols, and libraries used within a system or application. Similar to a bill of materials for physical products, a CBOM provides transparency and facilitates easier management of the various cryptographic components impacting security.

• Implementing a CBOM effectively requires ongoing commitment and continuous improvement. Utilizing resources like Azure's security tools can significantly streamline the process and enhance your cryptographic posture.

Value & Benefits of CBOMs: (4)

1. Enhanced Security: Provides a comprehensive overview of cryptographic elements, enabling vulnerability identification and mitigation.

2. Migration to Quantum-Safe Cryptography: Simplifies transitioning to quantum-resistant algorithms during the post-quantum cryptography era.

3. Compliance and Transparency: Helps organizations comply with regulations and demonstrate secure cryptographic practices.

4. Improved Software Supply Chain Security: Enables easier monitoring and assessment of dependencies and potential breaches.

Implementing CBOM Guidance (based on NIST) -- w/ Azure Tools: (8)

1. Identify cryptographic components: Identify all cryptographic components used in the system or software. This includes encryption algorithms, key management systems, cryptographic libraries, and other related components.

   • -- TOOLS (6) -- (1) Azure Key Vault: Azure Key Vault is a cloud service that safeguards cryptographic keys and secrets, such as certificates, connection strings, and passwords. It provides centralized storage and management of cryptographic components. (2) Azure Information Protection: Azure Information Protection helps in identifying and classifying sensitive data within documents and emails. It includes cryptographic components for encryption and protection of classified data. (3) Azure AD: Azure AD provides authentication and access management for Azure resources. It uses cryptographic components like tokens and certificates to ensure secure authentication and authorization. (4) Azure Security Center: Azure Security Center provides advanced threat protection for Azure resources. It includes features that identify and monitor cryptographic components used by virtual machines, databases, and other resources. (5) Azure Dedicated HSM: Azure Dedicated Hardware Security Module (HSM) provides a dedicated physical appliance for managing and storing cryptographic keys. It ensures a high level of security for critical cryptographic components. (6) Azure Blockchain Service: Azure Blockchain Service uses cryptographic components like public-key cryptography and digital signatures to secure transactions and data within blockchain networks. 

2. Evaluate cryptographic modules: Evaluate the cryptographic modules used in the system. Ensure that they meet the relevant standards and guidelines, such as FIPS 140-2 for hardware security modules (HSMs) or NIST Special Publication 800-131A for software cryptographic modules.

   • -- TOOLS (5) -- (1) Azure Security Center: Azure Security Center provides continuous monitoring and assessment of cryptographic modules to ensure compliance with industry standards and best practices. It offers recommendations to help improve the security configuration of cryptographic modules. (2) Azure Advisor: Azure Advisor provides personalized recommendations for improving the security and performance of your Azure resources, including cryptographic modules. It can identify misconfigurations and provide suggestions to enhance the security of cryptographic operations. (3) Azure Key Vault: Azure Key Vault is a cloud service that safeguards cryptographic keys and secrets used by cloud applications and services. It provides features like key management, key generation, and secure storage, enabling you to evaluate the security of cryptographic modules and manage cryptographic keys securely. (4) Azure Sentinel (SIEM-SecInfoEvemtMgmt): Azure Sentinel is a cloud-native security information and event management (SIEM) solution that provides intelligent security analytics and threat intelligence. It can help analyze cryptographic module logs and detect any suspicious or anomalous activities related to cryptographic operations. (5) Azure Security Center for IoT: If you are evaluating cryptographic modules for IoT devices, Azure Security Center for IoT can provide insights and recommendations to enhance the security of cryptographic operations in IoT devices.

3. Create the CBOM: Create a comprehensive Cryptographic Bill of Materials (CBOM) that lists all the cryptographic components used in the system. This should include details such as the name, version, vendor, and relevant certifications or approvals for each component.

   • -- TOOLS (5) ~ Note: Azure Does Not offer a specific CBOM tool. However, several common operational services can be used to build a CBOM. -- (1) Azure Key Vault: Azure Key Vault is a cloud service that allows you to securely store and manage cryptographic keys, secrets, and certificates. Using Key Vault, you can encrypt data, generate keys, and control access to cryptographic materials. (2) Azure AD: Azure AD provides identity and access management services. It offers features like multi-factor authentication and integration with Azure Key Vault to secure access to cryptographic materials. (3) Azure Security Center: Azure Security Center is a unified security management and monitoring service. It can help you identify potential vulnerabilities or misconfigurations related to cryptographic operations. (4) Azure Information Protection: Azure Information Protection is a service that enables you to classify and label your data and control its access based on its sensitivity. It provides encryption capabilities to protect sensitive information. (5) Azure Key Encryption Key (KEK): Azure KEK is a tool that allows you to Bring-Your-Own-Key (BYOK) for encrypting and decrypting your Azure Virtual Machine disks using Azure Disk Encryption. This way, you can have greater control over the cryptographic materials used.

4. Maintain and update the CBOM: Regularly update the CBOM to include any new or updated cryptographic components that are added to the system. This helps ensure that an accurate and up-to-date inventory of cryptographic components is maintained.

   • --TOOLS (5) -- (1) Azure Key Vault: To securely store and manage cryptographic keys, secrets, and certificates. It provides centralized control and management of keys, and you can use it to maintain and update the CBOM by storing and managing the cryptographic artifacts. (2) Azure Security Center: A unified infrastructure security management system that provides security recommendations and alerts for Azure resources. It can help you identify and manage cryptographic artifacts and provide recommendations for keeping them up to date. (3) Azure Security Compliance Toolkit: Provides a set of scripts and tools that can be used to assess the security and compliance of Azure resources. It includes PowerShell scripts and other tools that can help you maintain and update the CBOM. (4) Azure Policy: To enforce governance and compliance of your Azure resources. You can use Azure Policy to define policies that require certain cryptographic standards and practices, ensuring that the CBOM is maintained and updated according to your organization's requirements. (5) Azure DevOps: A set of development tools and services that help you plan, develop, test, and deliver software. It includes features like secure pipelines and integrated CI/CD workflows that can help maintain and update the CBOM as part of your application deployment process.

5. Track vulnerabilities and updates: Stay informed about any vulnerabilities, patches, or updates related to the cryptographic components in the CBOM. Regularly monitor vendor websites, security advisories, and other reliable sources to obtain the latest information.

   • -- TOOL (1) -- Azure Advisor: A tool that can track vulnerabilities and updates related to the Cryptographic Bill of Materials (CBOM) in Azure. (1.1) Provides recommendations based on best practices to ensure secure cryptographic usage by identifying potential vulnerabilities and suggesting remediation options. (1.2) Analyzes the configuration and usage of cryptographic resources such as SSL/TLS certificates and cryptographic libraries. (1.3) Provides actionable insights to address any identified risks or issues.

6. Implement risk management measures: Based on the information provided in the CBOM, conduct a risk analysis to identify potential vulnerabilities and threats related to the cryptographic components. Implement appropriate risk management measures, such as patching vulnerabilities, conducting security audits, or enhancing key management processes. 

   • -- VALUE -- Providing visibility, vulnerability assessment, and secure storage for cryptographic keys and secrets

   • --TOOLS (2) -- (1) Azure Security Center: Provides visibility into potential vulnerabilities in Azure resources and suggests mitigation steps. It scans Azure resources to identify missing security updates, insecure configurations, and vulnerabilities in the software installed on VMs. Ensuring that systems and software are up to date, helps address any potential security risks related to the cryptographic components. (2) Azure Key Vault: To securely store and manage cryptographic keys, secrets, and certificates in Azure. It provides a centralized storage location for sensitive information used in your applications, such as API keys, connection strings, and passwords. By leveraging Key Vault, one can ensure proper management of cryptographic keys and certificates, minimizing the risk of unauthorized access to sensitive data.

7. Document security practices: Document the security practices and processes related to the use of cryptographic components. This may include the procedures for key management, secure development practices, or securing storage and transmission of encrypted data.

   • -- TOOLS (5) ~ Note: These tools, in combination with proper implementation and configuration, can help organizations document and enforce secure cryptographic practices as part of their overall security posture within the Azure environment. -- (1) Azure Security Center: Provides visibility into the security state of a cloud environment. It can help document security practices related to CBOM by monitoring and assessing cryptographic controls, such as the use of secure protocols, encryption algorithms, and key management. (2) Azure Policy: Allows organizations to enforce compliance with specific rules and requirements. It can be used to define policies relating to CBOM, ensuring that all cryptographic materials used in Azure deployments adhere to recommended practices and standards. (3) Azure Key Vault: Provides secure storage of cryptographic keys and secrets. It can help document CBOM by centralizing the management and control of cryptographic materials, ensuring that they are securely stored and accessed only by authorized applications and users. (4) Azure DevOps: A set of DevOps services offered by Azure. It can be used to automate application deployment and manage the entire software development lifecycle. By integrating CBOM requirements into the DevOps pipeline, organizations can document and enforce the use of approved cryptographic materials throughout the development and deployment process. (5) Azure Advisor: Provides personalized recommendations to optimize Azure resources for cost, security, performance, and high availability. It can offer insights and suggestions on how to improve CBOM documentation and practices, such as identifying potential misconfigurations or outdated cryptographic algorithms.

8. Regularly review and update the implementation: Conduct regular reviews and updates of the CBOM and the associated security practices to ensure ongoing compliance with relevant standards and guidelines.

   • -- TOOLS (5) ~ Note: There isn't a specific Azure tool that is designed to regularly review and update the implementation of the Cryptographic Bill of Materials (CBOM) by default. However, there are several Azure services and tools that can be used to help in implementing and managing cryptographic materials -- (1) Azure Key Vault: Provides a secure and centralized location to store cryptographic keys, secrets, and certificates. It allows one to easily manage, monitor, and audit access to your cryptographic materials. (2) Azure Security Center: Offers security recommendations and actionable insights for your Azure resources. It helps to identify vulnerabilities, misconfigurations, or outdated software that may impact the security of your cryptographic implementation. (3) Azure Monitor: To collect and analyze telemetry data from various Azure resources. You can use it to set up alerts and monitoring rules to track the performance and security of your cryptographic materials. (4) Azure Policy: Allows one to define and enforce compliance requirements for your Azure resources. One can create custom policies to validate the usage of specific cryptographic algorithms, key sizes, or certificate lifespans to ensure adherence to your CBOM. (5) Azure Automation: Provides a way to automate recurring tasks in Azure. One can create Runbooks (aka Log-Tracker): To periodically review the status and compliance of your cryptographic materials and update them as necessary.

Other Azure Tools for CBOM: (2) 

1. Azure Defender for Cloud: Offers centralized security management with vulnerability assessment and recommendation capabilities.

2. Azure Logic Apps and Functions: This can be used to automate CBOM generation and integration with other security tools.

Resources:

• National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Project: https://csrc.nist.gov/projects/post-quantum-cryptography

• IBM's CBOM project: https://github.com/IBM/CBOM

• Chasing Cyber - Enter the CBOM: https://reciprocity.com/blog/the-differences-between-sbom-and-cbom/

Cryptographic Supply Chain: 

• BLUF: Securing the flow of goods and information to maintain consistency equalling trust.

• Cryptographic Supply Chain is a system that leverages cryptographic techniques to enhance transparency, security, and trust in the flow of goods and information within a supply chain network. These techniques can be applied at various stages, from (1) Securing manufacturing data to (2) Verifying product authenticity at the consumer level.

Key ways to a more Secure and Transparent Supply Chain: (4)

1. Data Encryption: Sensitive information like product formulas, materials used, and shipment details can be encrypted to protect against unauthorized access.

2. Digital Signatures: Products and documents can be digitally signed to verify their authenticity and prevent tampering.

3. Hashing: Cryptographic hashes create unique fingerprints of data, allowing for quick and efficient verification of data integrity at any point in the supply chain.

4. Blockchain Technology: A distributed ledger technology, can be used to create a tamper-proof record of product provenance (place of origin), tracking its journey from raw materials to the final consumer.

Azure Tools for Cryptographic Supply Chain: (5)

Microsoft Azure offers various tools and services that can be used to build and implement a cryptographic supply chain:

1. Azure Key Vault: Securely store and manage encryption keys and digital certificates used for securing data and signing documents.

2. Azure Active Directory: Implement identity and access management to control who can access sensitive data and functionality within the supply chain system.

3. Azure Blockchain Service: Easily deploy and manage blockchain networks for supply chain traceability and transparency.

4. Azure Digital Twins: Create digital representations of physical objects throughout the supply chain, enabling real-time monitoring and analysis of data.

5. Azure Sentinel (SIEM): Streamline security information and event management (SIEM) for threat detection and incident response within the supply chain.

Benefits-Value of a Cryptographic Supply Chain: (4)

1. Increased Transparency: Consumers can trust the authenticity and source of products, while businesses can gain better visibility into their supply chain operations.

2. Enhanced Security: Data breaches and product counterfeiting become less likely, protecting both businesses and consumers.

3. Improved Efficiency: Streamlined processes and automated verification can lead to faster product delivery and reduced costs.

4. Sustainable Practices: Tracking environmental impact and ethical sourcing becomes easier, creating a more responsible supply chain.

Resources:(3)

• Microsoft Azure Blockchain Service: https://azure.microsoft.com/en-us/solutions/web3

• Azure Security: Building Cryptographically Secure Solutions: https://learn.microsoft.com/en-us/security/sdl/cryptographic-recommendations

• The Role of Cryptography in Supply Chain and Procurement: https://epsnews.com/about/

Here's a breakdown of the steps, technologies, and an authoritative reference for conducting a cryptographic inventory within the framework of the Continuous Diagnostics and Mitigation (CDM) Program:

Steps:

1. Define Scope (Systems & Assets):
   
   

   • Identify all systems and assets in scope for the CDM program. Network discovery tools or manual inventory can be used.

   • Prioritize systems based on criticality and potential security risks. (https://www.nist.gov/privacy-framework/nist-sp-800-30)

2. Technology Selection:
   
   

   • Leverage a combination of automated and manual tools based on your environment:

     • Automated Discovery Tools: Network scanners and vulnerability assessment tools like Nessus, OpenVAS, or Qualys can identify cryptographic algorithms and libraries used in applications and systems. (https://www.tenable.com/products/nessus/nessus-professional, https://openvas.org/, https://www.qualys.com/apps/vulnerability-management-detection-response/)

     • Agent-based Tools: Deploy lightweight agents on critical systems to gather detailed information on cryptographic implementations. Tools like Qualys VMDR or Tanium can be considered. (https://www.qualys.com/apps/vulnerability-management-detection-response/, https://www.tanium.com/resources/endpoint-security-solution-brief/)

     • Manual Code Review: Conduct code reviews for custom applications or where automated tools provide incomplete data.

3. Centralized Repository:
   
   

   • Establish a secure central repository to store the inventory data. Options include:

     • Configuration Management Database (CMDB)

     • Dedicated cryptographic asset management tool like Keywhiz or Vaults (https://square.github.io/keywhiz/, https://developer.hashicorp.com/vault/tutorials)

4. Automated Collection:
   
   

   • Use chosen automated tools to scan the environment and populate the repository with data on:

     • Cryptographic algorithms (e.g., RSA, AES)

     • Key lengths and types (symmetric, asymmetric)

     • Hashing algorithms

     • Digital signature schemes

     • PKI details (certificates, authorities)

5. Manual Review:
   
   

   • Conduct code reviews for specific applications where automated tools provide incomplete data.

6. Data Validation & Enrichment:
   
   

   • Implement data validation checks for consistency and accuracy.

   • Enrich data with additional details like:

     • Usage context (e.g., data in transit, data at rest)

     • Business criticality of the system using the cryptography

     • Known vulnerabilities associated with identified algorithms (reference security advisories)

7. Version Control & Audit Logging:
   
   

   • Enable version control for the inventory data to track changes and maintain historical data.

   • Implement audit logging to record access and modifications to the inventory.

8. Mapping to CDM Controls:
   
   

   • Map the inventory data to relevant CDM controls focusing on:

     • Secure Key Management (SKM) practices (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf)

     • Algorithm selection and usage guidelines (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf)

     • Cryptographic agility considerations (transition to post-quantum cryptography) (https://csrc.nist.gov/projects/post-quantum-cryptography)

9. Risk Assessment Integration:
   
   

   • Integrate the inventory data with your CDM program's risk assessment processes. This allows for:

     • Prioritizing vulnerabilities based on algorithm weaknesses and asset criticality

     • Identifying systems requiring remediation or migration to more secure algorithms

10. Access Controls:
    
    

• Establish access controls to the central repository, granting access only to authorized personnel within the CDM program.

11. Regular Updates:

• Schedule regular scans and code reviews to keep the inventory up-to-date.

12. Security of the Repository:

• Ensure the central repository adheres to strong security practices to protect the sensitive cryptographic information.

Authoritative Reference:

This process aligns with the principles outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 "Security and Privacy Controls for Federal Information Systems and Organizations" (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf).

Additional Notes:

• Consider integrating the process with existing CMDB or SIEM systems

Sources

info

1. mdpi-res.com/d_attachment/electronics/electronics-10-00818/article_deploy/electronics-10-00818-v2.pdf?version=1617938300

2. www.ignyteplatform.com/dissecting-fedramp-nist-800-53-nist-800-171-cmmc-2-0-control-structure/

3. www.etsi.org/deliver/etsi_en/303600_303699/303645/02.00.00_20/en_303645v020000a.pdf

4. www.cybrary.it/blog/how-to-conduct-a-cybersecurity-health-check-using-nist-800-53/

5. medium.com/@naresh.kurada/thoughts-on-security-architecture-for-enterprise-permissiond-blockchain-applications-f71d5529a438

6. www.hhs.gov/sites/default/files/hhs-trustworthy-ai-playbook.pdf

Create a PQC Program/Roadmap. 

• BLUF: (1) Presents an exciting challenge and a vital undertaking for protecting sensitive information in the face of emerging quantum computing threats. (2) This is a complex and ever-evolving field, so seeking expert advice and staying informed about the latest developments is crucial for implementing a successful post-quantum program.

• Steps: (5)

  1. (Optional) Initial Collaboration:

     • Collaborate & Share Content: (1) Use SharePoint; (2) Identify Vision & Mission Statement; (3) A 101 about the subject; (4) Document folder; (5) Other Sub-Pages; (6) Calendar of Events; (7) Announcements; (8) Training about the subject; (9) Etc.

  2. Assess Your Risk and Needs: (4)

     • Identify critical assets / High Value Assets (HVA): Start by pinpointing the data and systems most vulnerable to quantum attacks, like financial transactions, healthcare records, and national security information.

       1. Example from HHS: See "OMB M-23-02 (Migrating to PQC)" and the two (2) Excel worksheets the OpDiv's need to fill out: (1) Inventory (2) for Cost factors.

     • Evaluate vulnerabilities: Analyze the cryptographic algorithms used within your infrastructure and assess their susceptibility to quantum algorithms.

     • Prioritize risks: Rank the potential impact of a successful quantum attack on each critical asset to guide your mitigation efforts.

  3. Inventory and Understand Cryptographic Dependencies: (3)

     • Map cryptography usage: Identify all instances where cryptography is employed within your systems, including applications, protocols, and network infrastructure.

     • Document algorithms: Create a comprehensive inventory of the specific cryptographic algorithms used in each instance.

     • Analyze dependencies: Understand the interdependencies between different cryptographic components to ensure a holistic approach to mitigation.

  4. Research and Choose Post-Quantum Algorithms: (3)

     • Stay informed: Actively follow the evolving landscape of post-quantum cryptography and emerging standards.

     • Consult experts: Seek guidance from qualified cryptographers and cybersecurity professionals with expertise in post-quantum solutions.

     • Evaluate candidate algorithms: Consider factors like security strength, performance efficiency, implementation feasibility, and potential interoperability with existing systems.

  5. Develop a Migration Strategy: (3)

     • Phased approach: Plan a gradual migration to post-quantum algorithms, prioritizing high-risk systems and assets first.

     • Backward compatibility: Ensure chosen algorithms can coexist with existing cryptographic systems during the transition period.

     • Testing and validation: Conduct thorough testing of new algorithms within your specific environment to address compatibility and performance concerns.

  6. Implement and Train: (3)

     • Integrate new algorithms: Update systems and applications to incorporate the chosen post-quantum solutions.

     • Monitor and adapt: Continuously monitor your systems for potential security vulnerabilities and be prepared to adapt your strategy as needed.

     • Train personnel: Educate your IT staff and users on the importance of post-quantum cryptography and best practices for secure operations.

• Additional Considerations: (2)

  1. Collaborate: Engage with industry partners, government agencies, and standards bodies to stay informed and contribute to the development of robust post-quantum solutions.

  2. This is a long-term commitment: Remember, transitioning to post-quantum cryptography is an ongoing process, requiring continuous investment and adaptation.

Implement via AuthS. (NIST via NNCoE).

• AV-2: National Institute of Standards and Technology (NIST); National Cybersecurity Center of Excellence (NCCoE)

• Migrate / Implement to PQC: https://www.nccoe.nist.gov/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms 

Migrate to PQC -- using Azure. -- (5 Steps) 

1. Assessment and Awareness:

   • Conduct an inventory of cryptographic assets. Use Azure Security Center to assess vulnerabilities and prioritize assets based on risk.

   • Evaluate the potential impact of quantum attacks. Consult NIST resources (Crypto Agility Guide, Interagency Report on PQC) for guidance.

   • Educate stakeholders about PQC: Disseminate information using Azure Communication Services or Azure AD.

2. Algorithm Selection:

   • Stay informed about NIST's PQC standardization efforts: Track progress on the Azure Security Blog or the Azure Government Security Blog.

   • Evaluate potential algorithms based on security, performance, compatibility, and ease of implementation. Leverage Azure Quantum for algorithm testing and prototyping.

   • ~ Important Note: Select algorithms that align with NIST's recommendations and meet specific requirements.

3. Implementation Planning:

   • Develop a transition plan for integrating PQC into existing systems: Use Azure DevOps for project management and Azure Blueprints for configuration management.

   • Assess hardware acceleration needs and software compatibility. Explore Azure Confidential Computing and Azure Kubernetes Services for potentially compatible environments.

4. Implementation and Testing:

   • Integrate PQC algorithms using available libraries or custom implementations: Integrate into Azure services securely using Azure Key Vault for key management and Azure App Service for application deployment.

   • Conduct rigorous testing for functionality, performance, interoperability, and security. Utilize Azure DevTest Labs for testing environments and the Azure Security Center for vulnerability assessment.

   • Regularly audit implementations to identify and address vulnerabilities. Employ Azure Sentinel (aka SIEM-SecInfoEventMgmt) for threat detection, response, and insights.

5. Monitor, maintain, and sustain:

   • Stay updated on ongoing research, NIST standardization, and emerging threats: Subscribe to Azure Security Center threat intelligence feeds.

   • Continuously monitor the performance and security of PQC implementations. Use Azure Monitor for comprehensive monitoring and Azure Sentinel (aka SIEM-SecInfoEventMgmt) for security insights, threat detection, and response.

   • Be prepared to update algorithms or implementations as the field evolves and new standards are established.

Additional Considerations:

1. Explore hybrid approaches with classic and PQC algorithms for a smoother transition. Use Azure's flexibility to support hybrid approaches.

2. Align implementation efforts with NIST's PQC standardization process: Stay updated via the Azure Security Blog and the Azure Government Security Blog.

3. Implement robust key management practices for PQC keys. Utilize Azure Key Vault capabilities for secure key storage and management.

4. Collaborate with industry partners and the research community. Engage through Azure's partnerships and research initiatives.

KeyFactor -- Learn, Explore, and Prepare for PQC.

• BLUF: 

  1. Fed Ramped by early 2025.

  2. Forefront of PKI and quantum cryptography. 

• PQC Lab: 

  1. https://www.keyfactor.com/post-quantum-cryptography-lab/?utm_campaign=2024-q3_sep_content_newpqclab_global&utm_medium=email&_hsenc=p2ANqtz-8zAfKvSbxVuPuH_8K_fKWXSy2oY3lYt7WyUFfVjANFmNgBvt97ySzHGyp-LBDeP7A7I5kDHwDN4dG5BsnWz4vIUwU3RA&_hsmi=327969411&utm_content=327933442&utm_source=hs_email

• Services to Federal Agencies:

  1. Support the latest NIST-approved quantum algorithms 

  2. Operate as a Registration Authority (RA), with the flexibility to split into another instance for enrollment

  3. Adhere to RFC protocols like ACME, SCEP, SPIFE, and Microsoft auto-enrollment, making it a robust solution for any environment.

  4. Use for device identity authentication (mTLS), server certificates (TLS), Wi-Fi and NAC systems (EAP-TLS), and data signing.

Preparing for the looming threat of quantum computers and ensuring "Post-Quantum Readiness" and "Post-Quantum Safety" requires a proactive and multi-layered approach. Here are some key steps you can take:

• 1. Assess your risk:

     • Identify critical assets: Pinpoint your most sensitive data and systems, like financial transactions, national security information, or intellectual property.

     • Evaluate vulnerabilities: Analyze the cryptographic algorithms used across your infrastructure and assess their susceptibility to quantum attacks.

     • Prioritize risks: Rank the potential impact of successful quantum attacks on each critical asset to guide your mitigation efforts.

  2. Inventory and understanding cryptography:

     • Map usage (aka Process Map): Identify all instances where cryptography is employed within your systems and infrastructure.

     • Document algorithms: Create a comprehensive inventory of the specific algorithms used in each instance.

     • Analyze dependencies: Understand the interdependencies between different cryptographic components for holistic mitigation.

  3. Stay informed and plan:

     • Follow advancements: Actively track the evolving landscape of post-quantum cryptography and emerging standards.

     • Seek expert guidance: Consult cryptographers and cybersecurity professionals with expertise in post-quantum solutions.

     • Develop a migration strategy: Create a phased plan for transitioning to post-quantum algorithms, prioritizing high-risk areas first.

  4. Implement post-quantum solutions:

     • Evaluate available post-quantum algorithms: Base it on security strength, performance, feasibility, and compatibility.

     • Integrate technologies: Update systems and applications to incorporate chosen solutions.

     • Test and validate: Conduct thorough testing in your specific environment to ensure compatibility and performance.

  5. Maintain vigilance and adopt:

     • Continuously monitor: Monitor your systems for potential vulnerabilities and be prepared to adapt your strategy as needed.

     • Educate and train: Train IT staff and users on the importance of post-quantum cryptography and secure practices.

     • Collaborate and share: Engage with industry partners, government agencies, and standards bodies to stay informed and contribute to the development of robust post-quantum solutions.

Additional aspects to consider:

• Backward compatibility: Ensure chosen algorithms can coexist with existing systems during the transition period.

• Performance considerations: Be mindful of the potential performance impacts of introducing new algorithms.

• Long-term commitment: Remember, this is an ongoing process, requiring continuous investment and adaptation.

By proactively taking these steps, you can increase your "post-quantum readiness" and significantly improve your "post-quantum safety" posture, safeguarding your valuable information from the potential threats posed by quantum computing.

Remember, there's no silver bullet, and the specifics of your approach will depend on your unique environment and risk profile. However, by being strategic, informed, and collaborative, you can build a resilient defense against the emerging challenges of the quantum future.

The “Approach” (narrative) is in black text (by DOJ) and the “Points” are in red text (by HHS): 

FY24: (4)

1. Policy compliance and awareness Awaiting CISA, NIST & OMB publication of guidance

2. Strategy and Roadmap Development --  Roadmap to Support the Requirements outlined in CISA, NIST, and OMB Guidance.

3. Vendor Research/Identification What guidance exists from GSA (PQC acquisition guidance), NIST (NCCoE vendor testing lessons learned), and CISA (Guidance being developed to support tools that support cryptographic inventory)?

4. Cryptographic Module Categorization -- ?

FY25: (4)

1. Policy Compliance and Awareness -- Introduce Cryptographic Agility and Zero Trust lens

2. Cryptographic Landscape Risk Analysis -- View through supply chain risk management CBOM, based on CBOM entries of products using vulnerable cryptographic standards, must engage them.

3. Vendor Assessment/Analysis of Alternatives -- Engage agency through Zero Trust WGs

4. Cryptographic Inventory Prioritized Roadmap -- What systems are prioritized as part of the funding request for M-23-02.  Also, ZT efforts apply.

FY26 -2035: (3)

1. Policy Compliance, Awareness, and Training -- ?

2. Cryptographic Inventory Effort to Operationalize Cryptographic Data. RANSOMWARE PREVENTION!!

3. Cryptographic Key Management / Cryptoagility Begin executing based on hearing lessons learned from agency leads.