History has shown that we cannot assume that any suite of cryptographic algorithms will remain secure indefinitely. One reason for this is that the development of cryptographic standards always involves a tradeoff between efficiency and security. Cryptography is often chosen to be as efficient as possible while still being secure. In addition to new attacks being discovered, as computers become more powerful, cryptographic algorithms need to be replaced by stronger cryptographic algorithms. In particular, the upcoming construction of large-scale quantum computers will require a drastic cryptographic migration.

The cryptographic community, including major standards organizations, now recommends designing crypto agile products that have the ability to replace and adapt cryptographic algorithms without disruptions to system operations. One method for attaining this type of crypto agility is to manage your cryptography using InfoSec Global’s AgileSec™ SDK.

The National Institute of Standards and Technology (NIST) is currently drafting a white paper titled Considerations for Achieving Cryptographic Agility: Strategies and Practices. On Thursday, April 17, 2025, NIST held a workshop to receive feedback on their white paper and “accommodate discussions among stakeholders and inspire the development of environment-specific crypto agility strategies and guidelines.” This two-day event involved five panels and various presentations regarding challenges and approaches to achieving crypto agility.

InfoSec Global's Contribution at NIST 2025 Crypto Agility Workshop

InfoSec Global’s VP of Cryptographic R&D Vladimir Soukharev was a panelist for NIST’s Enterprise Panel. One point that was repeated in both the Financial Services and Enterprise panels was the need to discover cryptographic artifacts as a first step towards designing crypto agile systems. Panelists mentioned that a cryptographic Bill of Materials (CBOM) is not enough. A more detailed cryptographic inventory is needed. For example, InfoSec Global’s AgileSec™ Analytics finds and provides a detailed description of certificates, keys, keystores, cryptographic libraries, and cryptographic algorithms. One more important point addressed by Dr. Vladimir Soukharev is that cryptographic agility is needed for many cryptographic usages and applications, not only for Post-Quantum migration.

Additionally, InfoSec Global’s cryptographer Victoria de Quehen was a panelist for NIST’s Software, API, Applications Panel, which covered various concerns regarding designs of crypto agile APIs. Different types or classes of algorithms were discussed. Methods to increase adoption of crypto agile products were mentioned, including the idea of a crypto agile maturity index, which could help measure the crypto-agility of applications, and the possible standardization of a crypto agile API.

One theme mentioned throughout the event was the idea that hardware also contains software (this came up, for example, in the context of HSMs), and the value of being able to update it efficiently.

Another theme that was covered, particularly in the panel on Standards, was the increased need to make processes that provide updates faster (e.g., revising standards more quickly). Analogously, crypto agility is a dynamic method for adjusting to an ever-changing world.
