Cryptography use is growing and becoming more widespread within organizations. Although many companies have adopted encryption in flight and at rest for privacy reasons, topics such as cyber security and quantum computing have caused many organizations to step up their competencies and strengthen their deployment of crypto.
Take quantum as an example. The concern is that, once quantum computers are available, they will be capable of performing math computations exponentially faster than the compute platforms used today. It makes sense that there will come a time when a quantum computer will be able to crack the encryption algorithms used today. If you have data encrypted using some of the industry’s older, weaker algorithms, this data may be at risk later. An organization’s long-lasting data can be at risk from “harvest now, decrypt later” attacks. These attacks are carried out well after the data is stolen. A bad actor might collect data or public information today and later attempt to recover the secret key that was used to encrypt the data. This might be done via a brute-force attack to find the secret key. Alternatively, if a public key protocol was used for secret key establishment, the private key used in the key negotiation step might be derived by attacking Rivest, Shamir, Adleman (RSA) or Elliptic Curve Cryptography (ECC). Either way, the goal is to reveal the secret key used to encrypt the data.
Quantum algorithms exist today that can break the encryption used by many organizations. For example, Shor’s algorithm, used for factoring and discrete logarithms, can completely break RSA and Elliptic Curve cryptography. Another example is Grover’s algorithm, which can be used to speed up the search for symmetric keys or to reverse engineer a cryptographic hash. Organizations must start using quantum-safe methods now to protect their data so that vulnerable data is no longer produced. Several symmetric algorithms, such as DES or TDES, are not secure when Grover’s algorithm is used to search the key space. Organizations can mitigate the risk by switching to strong encryption algorithms, such as AES, and ensuring the AES key length is at least 256 bits.
Figure 1: Algorithms and quantum safe status
One way organizations can start monitoring and maintaining an up-to-date view of crypto keys and functions is to use a tool that helps build a crypto inventory. A cryptography inventory is similar to a map of all the cryptography deployed in an organization. The inventory describes what cryptography is used by which applications and for what purpose, and it also maps cryptography use in infrastructure. It can include details of algorithms, keys and key storage, certificates, protocol versions and library versions, as well as non-technical details such as data classification, business purpose, etc.
One tool we find helpful with the infrastructure portion of a crypto inventory is the IBM Crypto Analytics Tool (CAT Tool). This tool consists of a batch data collector component and a graphical interface that is used to display and analyze the data extracted from the different cryptographic components. The data collection component consists of load modules and compiled REXX execs that extract cryptographic and security-related information from z/OS systems. The extracted data is loaded into a DB2 database, which provides snapshots of the entire environment.
The graphical interface, or CAT Monitor, is run from a user’s workstation and can be used to display and query the DB2 tables. There are DB2 tables that represent the ICSF environment, Crypto Express hardware, keystore datasets, keys and RACF. Most recently, additional function has been added to report on AT-TLS (Policy Agent) and Dataset Encryption.
The findings are presented in generated reports. IBM CAT can also apply a set of policy rules to the extracted data and flag whether objects are compliant or noncompliant according to those rules (such as reporting non-quantum-safe keys, key lengths that are too short, etc.). Snapshots can also be compared to determine whether there were any configuration changes within the crypto hardware, ICSF, RACF protection of ICSF resources or the encryption keys themselves.
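The policy check and snapshot comparison described above, as an added Python example (not IBM CAT code or its rule format). The `KeyRecord` fields, key labels and sample snapshots are constructed for illustration; the rules encode the algorithm guidance given earlier in this article.

```python
from dataclasses import dataclass

# Hypothetical record; field names are assumptions, not IBM CAT's schema.
@dataclass(frozen=True)
class KeyRecord:
    label: str      # key label in the keystore
    algorithm: str  # "AES", "RSA", "ECC", "DES", "TDES", ...
    bits: int       # key length in bits

SHOR_BROKEN = {"RSA", "ECC"}       # broken by Shor's algorithm
WEAK_SYMMETRIC = {"DES", "TDES"}   # not secure against a Grover key search
MIN_AES_BITS = 256                 # minimum AES key length given in the text

def evaluate(rec):
    """Return (compliant, reason) for one record; unknown algorithms fail closed."""
    alg = rec.algorithm.upper()
    if alg in SHOR_BROKEN:
        return False, f"{alg} is breakable by Shor's algorithm"
    if alg in WEAK_SYMMETRIC:
        return False, f"{alg} key space is searchable with Grover's algorithm"
    if alg == "AES" and rec.bits >= MIN_AES_BITS:
        return True, f"AES-{rec.bits} meets the {MIN_AES_BITS}-bit minimum"
    if alg == "AES":
        return False, f"AES-{rec.bits} is below the {MIN_AES_BITS}-bit minimum"
    return False, f"{alg} is not covered by the policy; review manually"

def report(snapshot):
    """Map each key label to its (compliant, reason) finding."""
    return {rec.label: evaluate(rec) for rec in snapshot}

def diff_snapshots(old, new):
    """Report key labels added, removed or changed between two snapshots."""
    o = {r.label: r for r in old}
    n = {r.label: r for r in new}
    return {"added": sorted(n.keys() - o.keys()),
            "removed": sorted(o.keys() - n.keys()),
            "changed": sorted(k for k in o.keys() & n.keys() if o[k] != n[k])}

# Constructed sample snapshots (labels and values are invented for the example).
SNAPSHOT_1 = [KeyRecord("PAYMENTS.DATA.KEY", "AES", 128),
              KeyRecord("LEGACY.PIN.KEY", "TDES", 168),
              KeyRecord("TLS.SERVER.KEY", "RSA", 2048)]
SNAPSHOT_2 = [KeyRecord("PAYMENTS.DATA.KEY", "AES", 256),
              KeyRecord("TLS.SERVER.KEY", "RSA", 2048),
              KeyRecord("ARCHIVE.DATA.KEY", "AES", 256)]

if __name__ == "__main__":
    for label, (ok, reason) in report(SNAPSHOT_2).items():
        print(f"{'COMPLIANT' if ok else 'NONCOMPLIANT':13} {label}: {reason}")
    print(diff_snapshots(SNAPSHOT_1, SNAPSHOT_2))
```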
To find out more, chapter 5 of the Redbook “The Transitioning to Quantum Safe Cryptography on IBM Z” provides an excellent overview of the CAT Tool and how it can play a role in building a crypto inventory on IBM Z systems.
https://www.redbooks.ibm.com/redbooks/pdfs/sg248525.pdf