When we talk about an asset being secure or insecure, the concept usually makes sense to most of us. But once we take the next step and ask what it really means to be secure, things become unclear. This matters because it is where we address the core part of security, cryptography, so understanding what good security, or “cryptographic health”, looks like is important.

What is cryptographic security?

First of all, let’s consider the three components that go into attaining good cryptographic health: confidentiality, authenticity, and integrity. You will always need at least one of these, depending on the use case. Whenever there is a non-negligible probability that the goal will not be achieved, your cryptographic health is considered bad: it means that if someone wants to eavesdrop on or penetrate your secure data, they can.

In practice, your cryptographic security is only as strong as your weakest component. This is a very important point. In many other fields, one can genuinely evaluate how “good” a solution is by relying on averages. Cryptography is different: it only takes the weakest link to be broken to destroy your protection. Think of a very strong, tall and thick fence around your organization with just one or a few unmonitored, human-sized holes. On average the perimeter fencing looks fine, but is your organization secure from anyone entering the premises?

How do I assess cryptographic health?

Good cryptographic health, therefore, is about the level of security that the weakest link provides. If you want to be secure, your weakest links should ideally be as strong as your strongest links, meeting the appropriate security levels.

This is why, to truly assess your cryptographic health, you need full visibility of your cryptographic assets. You need to understand how they are used, find all the weakest links, and replace them with proper schemes that meet the security requirements. You then have to make sure that those links are properly combined, which matters for security as well as efficiency.
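The weakest-link rule and the inventory-first approach above can be made concrete with a small assessment script. This is an added example, not code from the original post: it rates each inventoried use of a primitive with an approximate security strength in bits (the values follow the commonly quoted NIST SP 800-57 equivalences and are an assumption, rounded for illustration), reports the system's effective strength as the minimum rather than the average, lists what must be replaced to reach a target level, and refuses to score a primitive it has no rating for, since an unrated asset is exactly the visibility gap the text warns about. The inventory itself is constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean

# Approximate comparable security strengths in bits. These follow the commonly quoted
# NIST SP 800-57 Part 1 equivalences (assumption: rounded, illustrative values; SHA-1 is
# rated by its practical collision resistance rather than its digest length).
STRENGTH_BITS = {
    ("RSA", 1024): 80,
    ("RSA", 2048): 112,
    ("RSA", 3072): 128,
    ("ECDSA-P256", 256): 128,
    ("AES", 128): 128,
    ("AES", 256): 256,
    ("3DES", 168): 112,
    ("SHA-1", 160): 63,
    ("SHA-256", 256): 128,
}


@dataclass(frozen=True)
class CryptoAsset:
    """One inventoried use of a primitive: where it is used, which algorithm, what size."""
    usage: str
    algorithm: str
    key_bits: int

    def strength(self) -> int:
        # An unrated primitive is a visibility gap: refuse to score it rather than guess.
        try:
            return STRENGTH_BITS[(self.algorithm, self.key_bits)]
        except KeyError:
            raise ValueError(
                f"{self.usage}: no strength rating for {self.algorithm}-{self.key_bits}"
            ) from None


def weakest_link(assets):
    """The asset that bounds the security of the whole system."""
    return min(assets, key=lambda a: a.strength())


def effective_strength(assets) -> int:
    """Security level of the system: the minimum, not the average, over its assets."""
    return weakest_link(assets).strength()


def average_strength(assets) -> float:
    """The misleading figure: an average that one unmonitored hole barely moves."""
    return mean(a.strength() for a in assets)


def below_target(assets, target_bits=112):
    """Assets that must be replaced to reach the target level, weakest first."""
    return sorted((a for a in assets if a.strength() < target_bits),
                  key=lambda a: a.strength())


# Constructed sample inventory (not real data) for a small organization.
SAMPLE_INVENTORY = [
    CryptoAsset("TLS server certificate", "RSA", 2048),
    CryptoAsset("TLS session cipher", "AES", 256),
    CryptoAsset("code-signing hash", "SHA-1", 160),
    CryptoAsset("backup encryption", "AES", 128),
    CryptoAsset("legacy VPN key exchange", "RSA", 1024),
]

if __name__ == "__main__":
    print(f"average strength  : {average_strength(SAMPLE_INVENTORY):.1f} bits (looks fine)")
    print(f"effective strength: {effective_strength(SAMPLE_INVENTORY)} bits")
    for a in below_target(SAMPLE_INVENTORY):
        print(f"  replace: {a.usage} ({a.algorithm}-{a.key_bits}, {a.strength()} bits)")
```

Run on the sample inventory, the average comes out near 128 bits, comfortably above a 112-bit target, while the effective strength is 63 bits because of a single SHA-1 use; that gap between the two numbers is the fence-with-a-hole picture in numeric form.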

What Does Good ‘Cryptographic Health’ Look Like?