Podcast | Inventorying your Cryptography to Prepare for PQC - with InfoSec Global

Konstantinos Karagiannis: One of the first steps toward crypto-agility is gathering an inventory of the cryptography used in your organisation. Find out how to accomplish this, and monitor future changes on a dashboard, in this episode of The Post-Quantum World. I’m your host, Konstantinos Karagiannis. I lead Quantum Computing Services at Protiviti, where we’re helping companies prepare for the benefits and threats of this exploding field. I hope you’ll join each episode as we explore the technology and business impacts of this post-quantum era.

Our guest today is the vice president of cryptographic research and development at InfoSec Global, or ISG. Vladimir Soukharev, welcome to the show.

Vladimir Soukharev: Hello, and thank you.

Konstantinos Karagiannis: Tell our listeners about your background and how you found your way to quantum.

Vladimir Soukharev: I’m a cryptographer by training. I got my education from the University of Waterloo — did my bachelor’s, master’s and Ph.D. there. I was heavily focusing in all the areas of cryptography, but my thesis was specifically around post-quantum cryptography. Ever since then, I’ve been working in the industry after getting my Ph.D. and focusing a lot on post-quantum crypto, as well as working on standards, working on NCCoE, NIST initiatives, Quantum-Safe Canada and a number of other initiatives happening around the world. I’ve been in the generic cryptographic space as well — a big focus on the entire post-quantum field.

Konstantinos Karagiannis: We talk about post-quantum cryptography a lot, and I could safely say this is the first time we had someone whose actual degree was in that specifically. Most people seem to find their way to it, but you started that way. We have the right guest on for this topic. Let’s talk about ISG and how you brought that expertise there, and what the company does.

Vladimir Soukharev: We solve a lot of cryptographic problems. Among those is the post-quantum problem. It’s the fuel to solve a lot of other cryptographic problems, which are long overdue. We look at cryptography as the whole lifecycle management because the way cryptography has been managed for the past 30, 40 years, it’s no longer applicable to the upcoming quantum-safe era we’re entering at the current moment. We’re trying to revolutionise, to look at it differently and be able to change cryptography on the fly and be able to manage it.

Managing includes two major aspects: It’s being able to detect cryptography, have the inventory of your cryptography. That’s what our agile stack analytics tool does. The second part is our agile stack agility tool. That’s the tool that lets you switch cryptography right on the fly.

What happens with today’s upcoming standards for post-quantum is that we know there are some schemes that were already standardised, some are in the process of being standardised, some are in parallel tracks of being standardised. It’s a much more complicated environment that we are yet to see and experience in the future. That’s why a lot of things that were done in cryptography before were very static and they’re no longer applicable, or they’re going to be very difficult to apply to the upcoming era. Therefore, we’re trying to solve this much larger problem, which has received a lot of attention because of how complicated the post-quantum transition is going to be.

Konstantinos Karagiannis: The post-quantum transition is going to be on everyone’s mind starting this year, with NIST coming out with the new standards. But like you were saying, you do a lot more than just inventory. That’s only a little piece of it. There is an actual tool. It’s called AgileSec, and it has different tiers and different functions.

Vladimir Soukharev: There are two major tools that work together, but they can be seen independently. The first tool is the one you mentioned — the one that does inventory. Today, a lot of cryptography is mismanaged. It’s all over the place — generations of developers going through the ecosystem. You need to have the view of cryptography and apply it to post-quantum. You can look at things that are classically vulnerable and that are quantumly vulnerable. The tool even lets you look at algorithms being discovered, how vulnerable they are in terms of quantum threat, and look at how many logical qubits are needed to break certain algorithms.

Of course, today, from the theoretical point of view, we don’t have a large enough quantum computer yet, but there’s a lot of crypto-analysis done in that regard. The tool is able to discover your cryptographic inventory, going down to binaries, going to source code, going to various aspects of it, and being able to give you the inventory, what you have. From that point, you can see, what is secure today? What is going to be quantum-vulnerable? What is compliant? What is not compliant? That’s the number one step. It’s the visibility.

The second tool is actually being able to manage cryptography. What happens when you change cryptography? What happens if you need to manage multiple cryptographic standards? For instance, we know that even in a post-quantum world, what NIST has standardised so far and what, for example, the German BSI has standardised, these are very different algorithms. They’ve selected different algorithms for their standards. Let’s say, if you’re a company that is operating over multiple countries, how do you stay compliant with multiple countries at the same time? There’s a component of being able to transition from one cryptography to another. There’s a point of being able to support multiple global standards around the world.

When you find vulnerabilities, how do you change cryptography quickly? There are a lot of things where cryptography needs to be much more agile, and this is where agility comes into play. We’re able to decouple crypto from the applications. Then your applications would become independent of cryptography. They’re starting to talk in a crypto-agnostic way.

On the other side, you can dynamically plug in various cryptographic providers, which can be coming from us or can be coming from you or any other third party. You’re not obliged to use what is coming from us. Maybe the provider doesn’t exist today yet. That’s the cryptographic agility tool, which dynamically lets you manage and change your cryptography on the fly.

Konstantinos Karagiannis: To install this, I’m assuming, there’s a server running something, and then some agents that are reporting locally and then scanning of packets in motion. Can you help us visualise what that looks like?

Vladimir Soukharev: For the first tool, for the analytics part, you would install it centrally, and then you would deploy so-called sensors. They’re not as invasive as agents. They only need the read-only access. We also have multiple integrations. Let’s say, if the customer doesn’t want to use our sensor, they can leverage CrowdStrike or Tanium sensors to collect the data for our tool. Then the reverse-engineering is happening of the findings that are being collected. That’s for this tool.

The agility tool is able to — this is a little bit more on the developer side. Think of it in terms of, let’s say you have a crypto-agnostic library and you are making specific cryptographic calls today, but now you want to start making crypto-agnostic calls. You need to do this one crypto-library replacement, except you’re replacing for something generic that has a dynamic way of plugging other cryptographic libraries you want to use and unplug them without changing your application. On one side, if you’re doing a pure agility migration, you would have to do this onetime change.

But there are other ways, using the cryptography-as-a-service idea, but internally to your organisation, or there’s other approaches as well — using it as a proxy. But then you get double encryption. There are various options — it depends on the customer needs we offer.

Konstantinos Karagiannis: This will run full-time. Some of the benefits are, like you said, you might need different standards for different customers, different countries. This lets you keep track of that all along. Earlier, you also mentioned things that might not have anything to do with quantum: you might find out that you’re running SSL-1 or something awful like that, and we didn’t even know that was present. Do you get, then, some ability to track progress toward a goal of agility? Is there some reporting that can be pulled whenever needed?

Vladimir Soukharev: This is a combination of the two tools working together. One would actually detect and find, all of a sudden, you’re using MD5, which should not be being used for many years now. Unfortunately — I’m not even talking about SHA-1; SHA-1s are all over the place still — but even MD5s, we find plenty of those. One thing is to be able to find it and detect it while it’s there. Then, if you’re agile, you would be able to replace it quickly.

If you’re not crypto-agile at that point, then of course you have to go through the task of doing the actual cryptographic replacement. We know, in a traditional approach to cryptography, how much effort it took organisations to migrate from SHA-1 to SHA-2 — just one simple algorithm. I’m talking, again, in mathematical, cryptographic terms, but from an engineering point of view, that was an enormous task to do.

Konstantinos Karagiannis: How does this work with the developer code? In a company, if you’re writing your own programmes, does it go into an internal GitHub or something and look at what was used to write each programme?

Vladimir Soukharev: For the analytics tool, it pretty much goes anywhere you point it in terms of inside your environment. It can be GitHub. It can be anything. The thing is that it does the scannings I mentioned — not just the source code but also the binaries. Let’s say you have third-party applications in your environment. We would be able to discover cryptography inside those. You might not have source code, and it’s difficult to even see what’s inside of it, but we’re still able to detect cryptographic artifacts. To mention what we mean by cryptography, people think it’s only certificates, but it’s certificates, keys, key stores, algorithms, libraries — all the aspects of cryptography you could think of and look at from multiple angles.

Konstantinos Karagiannis: You could do an export from key management to get the information. This isn’t a noisy tool. If someone hears something like this, it’s running, they might start to panic for a moment. But in reality, if you run Nessus, you’re doing something a thousand times more noisy than this tool would be in any given moment.

Vladimir Soukharev: The overhead is quite minimal, and there are other options. If, let’s say, you worry about these things, you might run it from, say, after 5 p.m. and until 9 a.m. You can set up things like that. It’s very flexible in terms of how and when you run it. Plus, the tool doesn’t need to run 24/7. You would do maybe weekly scans or maybe monthly scans. It depends on which environment you’re scanning or what the company policies are, etc.

Konstantinos Karagiannis: The third-party point you brought up is important — when you’re doing an agility assessment in general about how a company’s posture is in this space. Often, they don’t know what their third party’s plans are for post-quantum cryptography. It’s good to point out what’s being used now that they might not even be aware of. And then, of course, you have to do the legwork of talking to all these vendors and saying, “What are you going to do tomorrow? What are you planning on doing in the future?”

Vladimir Soukharev: Exactly. Even if you’ve already submitted your requirements to third-party vendors, saying, “I want you to support such and such algorithms that should be quantum-resistant,” etc., you can use the tool to scan them after you get the updated version to make sure it has what you requested. Otherwise, you don’t have a way to see properly that they’ve implemented what you wanted them to have in there. Maybe they implemented the wrong country algorithm. Let’s say you’re a U.S. company and they’ve included, by mistake, German standards inside those ones, and you’d say, “Hold on a second. This brings me out of compliance.” Maybe it’s secure from a quantum-resistance point of view, but there’s also a compliance aspect to it.

Konstantinos Karagiannis: That’s a basic — “Trust, but verify.” In my case, I like to think of it as “Don’t trust, so verify.” How does this interact or coexist with other security software? You already hinted that we can get data from other end points. Can you talk more about integration? Some people do have dashboard fatigue and things like that.

Vladimir Soukharev: The tool itself is very integratable. One thing is that the tool looks at the core of security, which is cryptography. We don’t do other security checks, because there are a lot of other vendors out there. We’re not there to compete. But everybody looks at cryptography as a black box, and our tool says, “Don’t be scared of that block box. We’re going to help you look what’s inside of it.” It’s essential because if cryptography is broken, all the security — how many layers of security you’re putting on top of it — they’re going to be not that effective in terms of protecting your data.

There are a number of integrations. They’re happening on both sides. On the collection side, the tool is self-contained. You can collect the data using native sensors. You can report the data using a native dashboard. But let’s say you have, as I already mentioned, Tanium, CrowdStrike, other sensors, already in your environment. You can leverage them to collect the data. It’s not the same data they collect for themselves. They collect more data for our tool. That’s why we need an extra step of integration. It’s not just, “Let’s take that data they’re reporting and analyse it. They don’t collect enough data for our tool. So we do an integration to leverage those sensors to collect enough data for our tool to be able to analyse and bring you something valuable.

Then there is integration on the other side. One example I can bring up is that you can have your own custom dashboard, but you could also have other tools take that information and create something actionable for the organisation.

For instance, we have integration that once the tool does a report, there’s a ServiceNow ticket that can be created for your dev team or security operations team — whoever is responsible for that area — and then that ticket appears and then you can start taking care of it. You don’t even need to look at our tool. It runs there implicitly, and then, all of a sudden, you get your ServiceNow tickets. You’re able to start taking actions in the same flow as the organisation is used to. We have a number of other integrations available. Again, as I mentioned, the API is very degradable. If the integration is not listed, it’s most likely we can quite easily add it.

Konstantinos Karagiannis: I was first interested in this tool as a model that you didn’t design it for. I just wanted it as a quick and dirty go in with it, install it, run it in a customer site while we’re doing a whole post-quantum audit and assessment deal, and then be able to show the technical inventory. But the more I started looking into it, there are a lot of benefits to having it live there and having it monitor and track what’s going on and evolve as part of your infrastructure. That’s how we want to use it. 
Of course, we can’t talk about details, but we’re going to be working on a project with a customer together where we’re doing something like that: there’s the tool, and then there’s all that other stuff my company brings, so it blends in. But I did want to ask you: More recently, IBM was taking an approach on doing these kinds of audits with the tool, and they came up with the cryptographic bill of materials and that whole approach. Did you ever get a chance to directly benchmark this against that, or, anecdotally, could you comment on how it might differ?

Vladimir Soukharev: One thing to say about IBM is I’m very thankful to them for creating that term CBOM, because before, we did not have that. It’s great that they’ve coined that term, and this works great because we’re all about cryptography, and having CBOM is great at this point. They do have tools that actually do the scanning.

But their tool is very niche-oriented, in a sense. From what I can see, it does a certain level of discovery. But our tool, because we’re coming from a purely cryptographic point of view, we go deeper in terms of what cryptographic artifacts we’re able to discover and how much we can report on them and recommendations and even just our database of matching all these cryptographic standards coming from all over the world and the latest crypto-analysis related to those ones. We’re trying to focus much more deeply on the cryptographic expertise within that tool and how much the tool is able to discover. To a certain extent, you can think of it as an enhancement for any CBOM tool available out there.

Konstantinos Karagiannis: That makes sense. I was happy to see it too because when they were bringing it up at their last big gathering, when they also announced their newest processors, it was fun to see the audience be exposed to this concept. You could tell it was new to so many people there. It’s shocking to me that it was new to anyone in this industry, but it was, this idea of the need to understand what these ciphers are and where they live. What are your thoughts in general, if we step away from the tool on where PQC is headed this year and beyond. Obviously, you could talk about the importance of this year, with NIST and everything, and then where we go from there?

Vladimir Soukharev: Well, I’ll start a year before: 2023 was a very stage-setting year for the whole PQC migration. We’ve seen NIST finally provide FIPS standards like FIPS 203, 204, 205, which are going to be finalised within a few weeks, according to their timelines. But in 2022, we saw “Here’s the standard, but we don’t have the standard written yet, but these are the schemes that are being standardised.” We finally got the official documents. A lot of organisations, they no longer can say, “We’re waiting for NIST.” NIST already provided the documentation.

Another thing is, the NCCoE PQC migration project that has been going on for a few years, and there were quite substantial reports released in December, and one of them is specifically on cryptographic discovery. The other one’s on cryptographic interoperability of classical and post-quantum schemes. A lot of things were set stage.

Then there are a number of government memos like the memo that came out last year. But now I can see that the stage is very well set. The tools have been discussed, a number of tools have been published that can be used. Everybody realises that although a CRQC — a cryptographic reliable quantum computer — might not be available today, everybody realises this is a multiyear transition. Since we finally set the stage and we have the standards — maybe it’s partial standards; we don’t have the full set of standards, but we might never have the full set, and it might always be changing — the migration step number one by NCCoE recommendations has been set.

This year, we have all the tools, and we can see there’s a lot of interest right now in starting the whole migration and making sure we start on time so we are done on time when CRQC appears. If CRQC appears, say, two years from now, 90% of organisations are going to be already too late, even if they start today. Hopefully, we have enough time until CRQC is here. It’s time to finally start taking first steps, because a lot of organisations have been trying to understand the problem. I can see the evolution over the years. Five years ago, everybody was, like, “I know there’s going to be this quantum problem, which I’ll probably look at later.” Finally, over 2023, we’re there — everybody realised it’s going to be a problem, but we have no idea what to do. That year has set the stage quite well.

In 2024, I can see that pretty much any industrial-research conferences you look at, post-quantum is one of the topics. One way or another, that is being included. I don’t think there’s a single conference now that doesn’t include that topic. Now we can see a lot of government initiatives that are talking about it and telling that there should be actions taken. Even if you look at the CNSA 2.0 standard, it has specific dates, and I believe the earliest date is something around 2030, which is only six years away. This means we should have started probably a year ago to meet that deadline. Therefore, 2024 is vital to start to make sure we’re not too late for the upcoming threat.

Another thing to look at is “harvest now, encrypt later” attacks, because we understand that the information we send today is already quantum-vulnerable if somebody is recording it. If that information needs to stay safe for more than five years, we technically lost it already because somebody might have recorded and they’re just waiting to get their hands on a large enough quantum computer.

Konstantinos Karagiannis: Harvest now, encrypt later. That’s one of the biggest issues — that ties in with Mostow’s theorem. How long is the shelf life of a secret. In some industries — that’s a long time. In healthcare, the lifetime of a secret is a lifetime. It’s already too late for that information. The best we could do is start the migration.

You’ve written a lot of papers on post-quantum cryptography, obviously, based on what your degree is in — new types of ECC digital signatures. Are you doing any pure research now, whether it’s related to future versions of ISG’s software or not?

Vladimir Soukharev: Yes, we are doing research. It’s more oriented to something we can apply quite fast in terms of the need for the industry today. There are a few research projects, and it always comes to, let’s figure out what’s useful and what we can research. But we are keeping that part, because to stay innovative, you always need to research and stay a bit of ahead of even sometimes what is needed. You’re just trying to foresee what will be needed, and let’s research that. Then, by the time it’s mature enough, we can include that to be part of the product.

There are smaller research steps that are constantly ongoing, and then there are larger ones we’re looking at to make sure we are able to prepare ourselves for the future. A number of things we’re talking about, six, seven years ago, everybody thought it was crazy. You guys are talking about these things. Now, you can see this terminology.

Even cryptography and agility, everybody thought it was crazy back in 2016. Now, every time you talk about cryptography and modernisation around cryptography, the word agility comes into play 95% of the time. We’re looking at it from engineering perspectives, from mathematical perspectives and from what is going be the user-friendly perspective as well. That’s important because sometimes, if your tool is great, but nobody can understand it or can use it, that’s a problem as well, because you want the tool to be usable, and that’s another area of research.

Konstantinos Karagiannis: Right now, in the U.S., at least, the big feeling is that the federal agencies are going to be forced to do this first and then everyone else is going to follow. Regulators are going to imitate and copy-and-paste and do the same idea. How do you find it working with government agencies right now? How is that different from the private sector?

Vladimir Soukharev: I like what happened over the course of last year. Government agencies started talking way more about it. They’re starting to search for solutions. They have very interesting enthusiasts who are understanding the problem. They’re trying to look for it.

Of course, the government side is, all these processes are slower than the private sector because the private sector seems to be able to move faster because there are fewer regulations they need to follow. They’ve got a more available path they can take in terms of trying to adapt new technology. But the way the government has changed over the course of last year makes me very happy because there seems to be a lot of progress and a lot more interest. Before, it was, like, “Let’s listen in to what’s available out there.” Now it feels more like, “What is available out there? Can you help us? Tell us, how can we solve these problems?”

Konstantinos Karagiannis: I was impressed that part of the roadmap for the White House memorandum is to pull in what they call the 12 key companies — the cloud providers, a few major financials — and try and influence the industry. The other thing I’m seeing, though, is, a lot of companies are waiting for some consortium to have a vote in this — some financials, midsize or so, they’re, like, “We’ll get around to it when some governing body or some group decides this is the best way to go,” and they’re waiting to follow along. Every once in a while, I give thought to, how can I influence some consortium to speed up the process here so people aren’t left in the lurch? Do you have any thoughts on how we can get the consortiums to light a fire?

Vladimir Soukharev: There are multiple consortiums that are being formed. For example, you can see the financial sector trying to develop a quantum risk assessment model. You can see, for example, Quantum Industry Canada trying to bring organisations together, but they’re trying to look at it from multiple angles — from quantum computing as well as post-quantum cryptography, as well as quantum cryptography. There are multiple meanings for quantum that are almost independent. They’re trying to bring it together so we can see consortiums being formed.

You’re right that a number of organisations are waiting for something to tell them, while other ones I can see taking a very proactive approach. They are part of that consortium. But if they have the bandwidth to move forward without waiting for the consortium, I’m quite happy to see a number of organisations that are still moving forward, participating in the consortium at the same time, but at the same time, the consortium is falling back a bit. When there are multiple players involved, it takes longer to come to a consensus versus when you’re trying to work on your own in terms, and you have the bandwidth in terms of your engineers, your finances, etc., to start solving the problem.

But what’s interesting is, those players that are ahead, I can see them coming back to the consortium and bringing it back to them, saying, “You know what? We’ve done this. This works. Let’s include that as part of the consortium.” It feels like those players are becoming the stronger players among the consortium, which have more influence. That’s a good turnaround of those ones that are trying to move forward.

Konstantinos Karagiannis: I love to see that too. I love when a customer wants us to do a white paper with them or something to help influence everyone else. I hope to see a lot more of that this year. That’s why I wanted to make sure to have you come on and talk about this tool and how important it is to helping this process this year. We have a lot of important work to get to, don’t we?

Vladimir Soukharev: A lot of work. I always say that the upcoming cryptographic change that is going to be happening in the world, it’s huge, but we don’t even understand how huge it is. It’s going to be the biggest one in history. That’s one thing we understand — we understand it’s going to be big — but we’re yet to experience how big it will be.

Konstantinos Karagiannis: I agree. That’s a good point to leave on. It’s going to be seismic, and I guess we should be excited that we’re so actively involved in it this year. 
To everyone listening, if you want to take a look at the tool for an enterprise installation, there’s a 30-day free trial that could be set up if you want to see how that works. You could check out the show notes, where I have links to all that. Vladimir, thanks for coming on, and I’ll be seeing your face in the projects we’re going to be working on, so I’ll see you soon.

Vladimir Soukharev: I’m looking forward to it. Thank you very much.

Konstantinos Karagiannis: Now it’s time for Coherence, the quantum executive summary, where I take a moment to highlight some of the business impacts we discussed today in case things got too nerdy at times. Let’s recap.

InfoSec Global provides software solutions to the post-quantum cryptography challenges facing all businesses this year and beyond. Their AgileSec platform can encode repos — both source code and binaries — and audit ciphers on servers and in packets in motion on your network. It accomplishes this with scanning and using read-only sensors or agents on hosts. Other supported sensors already on your network can be used too, such as CrowdStrike.

In addition to building this inventory, the software provides a dashboard where you can see your environment and identify both post-quantum risks and more near-term ones. You can then track remediation steps, including what standards you’re trying to meet. For example, you might have geographic profiles that differ for U.S. and European locations, or you may have to accommodate customers or third parties with different standards than yours. Using this tool in combination with a full audit of your cryptographic infrastructure policies and procedures will prepare you for the years of remediation ahead as we all seek to become post-quantum-ready. There’s a 30-day free trial in the link in the show notes if you want to check out AgileSec.

That does it for this episode. Thanks to Vladimir Soukharev for joining to discuss InfoSec Global, and thank you for listening. If you enjoyed the show, please subscribe to Protiviti’s The Post-Quantum World and leave a review to help others find us. Be sure to follow me on all socials @KonstantHacker. You’ll find links there to what we’re doing in Quantum Computing Services at Protiviti. You can also DM me questions or suggestions for what you’d like to hear on the show. I’ll be gathering those and, hopefully, doing an AMA episode soon. For more information on our quantum services, check out Protiviti.com, or follow Protiviti Tech on Twitter and LinkedIn. Until next time, be kind, and stay quantum-curious.