(LinkedIn) In this blog post, the always excellent Andreas Baumhof, VP of Quantum Technologies at Quintessence Labs, explains that virtually all the enterprises he has visited seriously lack crypto-agility.
Example of Failure to Address Crypto-Agility
Baumhof illustrates his point with an example. “MD5 is a hashing algorithm. It is a one-way function that produces a short 16-byte text that is supposed to be different for each input. Hashing functions are used everywhere, from cryptocurrencies to password verification, integrity checking and much more.
Various attacks on MD5 started to appear, and since 1996 NIST has recommended the use of SHA-1 instead of MD5 (since 2013 it can be attacked in just seconds on regular computers).
However, in 2019 one quarter of widely used content management systems still use the vulnerable MD5 for password hashing.
To fix this, a simple move to a different hashing algorithm is all that is required. The newer hashing algorithms are even much faster than MD5 (!). The only downside is that newer hashing algorithms produce a longer text.
The problem is that we have known since 1996 that MD5 needs to be replaced. We have alternatives that are much faster, and still in 2019 you can find MD5 everywhere. We had 25 years to do something about it and we are still in such bad shape? That doesn’t give us much confidence that any upgrade to more fundamental cryptographic algorithms (like public key cryptography) is going to happen anytime soon.”
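What an agile replacement looks like in code, as an added example that is not from Baumhof's post or from any CMS: each stored record carries its own algorithm tag and parameters, verification dispatches on that tag, legacy MD5 records keep working until their owner next logs in, and the whole migration is a change to one constant. For password storage specifically, the practitioner's replacement is a salted, deliberately slow KDF (PBKDF2, bcrypt, scrypt or Argon2) rather than a faster general-purpose hash, since speed only helps the attacker guessing offline; the example uses PBKDF2-HMAC-SHA256 because it ships in the Python standard library. The `$scheme$params$salt$digest` record format, the function names, the sample passwords and the 600,000 iteration count are this example's own assumptions.

```python
"""Crypto-agile password storage: each stored record names its own scheme.

Added example, not code from Baumhof's post or any CMS. The record format
"$scheme$params$salt$digest" and every name here are this example's own.
"""
import base64
import hashlib
import hmac
import os

# The scheme new records are written with. Swapping algorithms or raising
# the cost is a change here; old records stay verifiable and are upgraded
# transparently the next time their owner logs in.
CURRENT_SCHEME = "pbkdf2-sha256"
CURRENT_ITERATIONS = 600_000  # assumed cost; tune to your login-latency budget


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Write a record with the current scheme and a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, CURRENT_ITERATIONS
    )
    return f"${CURRENT_SCHEME}${CURRENT_ITERATIONS}${_b64(salt)}${_b64(digest)}"


def legacy_md5_record(password: str) -> str:
    """Constructed sample of what an unsalted-MD5 CMS stores. Used here only
    to fabricate legacy records for the demo; never write new ones."""
    return "$md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def verify(password: str, stored: str) -> bool:
    """Dispatch on the scheme tag so old and new records verify side by side.
    Comparisons are constant-time to avoid leaking digest bytes via timing."""
    parts = stored.split("$")
    if len(parts) < 3:
        raise ValueError("malformed password record")
    scheme = parts[1]
    pw = password.encode("utf-8")
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(pw).hexdigest(), parts[2])
    if scheme == "pbkdf2-sha256":
        iterations = int(parts[2])
        salt = base64.b64decode(parts[3])
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
        return hmac.compare_digest(digest, base64.b64decode(parts[4]))
    raise ValueError(f"unknown password hash scheme: {scheme!r}")


def needs_rehash(stored: str) -> bool:
    """True unless the record already uses the current scheme and cost."""
    parts = stored.split("$")
    if parts[1] != CURRENT_SCHEME:
        return True
    return int(parts[2]) != CURRENT_ITERATIONS


def login(password: str, stored: str) -> tuple[bool, str]:
    """Verify the password; on success return the record the caller should
    persist, which is a freshly upgraded one when the stored record is stale."""
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Constructed legacy record, as a CMS stuck on MD5 would have stored it.
    record = legacy_md5_record("correct horse battery staple")
    print("legacy:", record, "needs rehash:", needs_rehash(record))
    ok, record = login("correct horse battery staple", record)
    print("login ok:", ok, "upgraded:", record.startswith("$pbkdf2-sha256$"))
    print("wrong password:", login("hunter2", record)[0])
```

The point of the tag-and-dispatch layout is that "replace MD5" never becomes a flag-day rewrite of the user table: the application keeps accepting old records, upgrades each one at the only moment it holds the plaintext (a successful login), and the same `needs_rehash` check later carries users from PBKDF2 to Argon2, or to a higher iteration count, with no further schema change.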
Baumhof concludes: “We really must combine crypto-agility with post-quantum strategically and call on every enterprise in the world to take this issue seriously.” The quantum revolution is coming whether we are ready or not, so let’s make sure we are ready.