What Does Good ‘Cryptographic Health’ Look Like?

When we talk about an asset being secure or insecure, the concept usually makes sense to most of us. But once we take the next step and ask what it really means to be secure, things become unclear. This is also where we reach the core of security, cryptography, so it is important to understand what good security, or “cryptographic health”, looks like.

What is cryptographic security?

First of all, let’s consider the three components that go into attaining good cryptographic health: Confidentiality, Authenticity, and Integrity. You will always need at least one of these, depending on the use case. Whenever there is a non-negligible probability that the required goal is *not* achieved, your cryptographic health is considered bad, because it means that if someone wants to eavesdrop on or break into your protected data, they can.

In practice, your cryptographic security is only as strong as your weakest component. This is a very important point. In many other fields, one can evaluate how “good” a solution is by relying on averages. Cryptography is different: breaking the weakest link is enough to destroy your protection. Think of a very strong, tall and thick fence around your organization, with just one or a few unmonitored human-sized holes. On average the perimeter fencing looks fine, but is your organization secure from anyone entering the premises?

How do I assess cryptographic health?

Therefore, good cryptographic health is about the level of security that the weakest link provides. This means if you want to be secure, your weakest links should ideally be as strong as your strongest links, meeting appropriate security levels.

This is why, to truly assess your cryptographic health, you need full visibility of your cryptographic assets. You need to understand how they are used, and find all the weakest links so you can replace them with proper schemes that meet the security requirements. You then have to make sure that those links are properly combined, which matters for security as well as efficiency.
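The weakest-link assessment described above can be sketched as a small inventory check. This is an added example, not code from the author or InfoSec Global; the asset names, the `Asset`/`assess` helpers and the sample inventory are hypothetical, and the bit strengths follow the comparable-strength tables in NIST SP 800-57 Part 1.

```python
from dataclasses import dataclass
from statistics import mean

# Security strengths in bits per NIST SP 800-57 Part 1. SHA-1 (collision
# resistance) is rated "below 80" there; 79 is an assumed stand-in value.
RSA_STRENGTH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
ECC_STRENGTH = [(512, 256), (384, 192), (256, 128), (224, 112), (160, 80)]
FIXED_STRENGTH = {"AES-128": 128, "AES-192": 192, "AES-256": 256,
                  "3DES": 112, "SHA-1": 79, "SHA-256": 128, "SHA-384": 192}

@dataclass(frozen=True)
class Asset:
    name: str        # where the primitive is used
    algorithm: str   # "RSA", "ECC", or a key in FIXED_STRENGTH
    size: int = 0    # modulus / curve size in bits; unused for fixed entries

def strength(asset: Asset) -> int:
    """Return the estimated security strength of one asset in bits."""
    if asset.algorithm in FIXED_STRENGTH:
        return FIXED_STRENGTH[asset.algorithm]
    table = {"RSA": RSA_STRENGTH, "ECC": ECC_STRENGTH}.get(asset.algorithm)
    if table is None:
        return 0  # unknown primitive: unassessed, so treated as weakest
    for min_size, bits in table:
        if asset.size >= min_size:
            return bits
    return 0  # below the smallest rated size

def assess(inventory, target_bits=128):
    """Summarise an inventory: average, weakest link, and what to replace."""
    rated = {a.name: strength(a) for a in inventory}
    weakest = min(rated, key=rated.get)
    return {
        "average_bits": round(mean(rated.values()), 1),
        "weakest": weakest,
        "effective_bits": rated[weakest],  # the level you actually have
        "below_target": sorted(n for n, b in rated.items() if b < target_bits),
    }

# Constructed sample inventory (not from any real system).
INVENTORY = [
    Asset("tls-server-cert", "RSA", 3072),
    Asset("database-encryption", "AES-256"),
    Asset("api-token-signing", "ECC", 256),
    Asset("legacy-vpn-cert", "RSA", 1024),
    Asset("firmware-signature-hash", "SHA-1"),
]

if __name__ == "__main__":
    print(assess(INVENTORY))
```

On the sample inventory the average is above a 128-bit target, yet the effective level is set by the SHA-1 entry, which is the gap between averages and weakest links that the article describes.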

July 15, 2021
Crypto-Agility

Dr. Vladimir Soukharev
Principal Cryptographic Technologist at InfoSec Global

About the Author
Vladimir Soukharev is a cryptographer and a post-quantum expert at InfoSec Global. He’s relentlessly focused on cryptographic research and development and is inspired by continuous innovation. Vladimir obtained his PhD from the University of Waterloo’s David R. Cheriton School of Computer Science, specializing in Cryptography, Security and Privacy under the supervision of David Jao. His thesis title was “Post-Quantum Elliptic Curve Cryptography”. He was part of the Centre of Applied Cryptographic Research and CryptoWorks21, and has contributed and published work at world-renowned conferences and journals, such as PQCrypto and the Journal of Mathematical Cryptology. Vladimir is recognized as one of the major contributors to research in the area of Post-Quantum Cryptography based on Elliptic Curve Isogenies. He is also the proud recipient of numerous prestigious scholarships. Since completing his formal studies, he has dedicated his work-life to advancing the knowledge and application of advanced cryptography and cyber security technologies to protect vital information and communications in complex, highly regulated environments. Vladimir is also a core part of the team that has submitted a proposal for Post-Quantum Cryptographic standards to NIST. Their scheme is based on elliptic curve isogenies, and is called SIKE – Supersingular Isogeny Key Encapsulation protocol.