SafeLogic Blog

Key Takeaways from ICMC 2024

Written by Evgeny Gervis | Sep 27, 2024 2:56:40 PM

A week ago, SafeLogic was honored to attend, sponsor, exhibit, and speak at the International Cryptographic Module Conference (ICMC) 2024 in San Jose, CA. ICMC is an annual conference that attracts members of the cryptography ecosystem, including cryptographic software providers, certification laboratories, government representatives (e.g., NIST), end users of cryptographic modules, academics, cryptographers, and others. And this year, there was certainly plenty to discuss with all the unprecedented changes happening in the cryptography world! 

This was my third ICMC conference since I took on the CEO role at SafeLogic in late 2021. It is an exciting time indeed to run a leading provider of cryptography software during a period of such profound change in an industry that touches the entire digital ecosystem. From the migration from FIPS 140-2 to FIPS 140-3, to the migration to Post Quantum Cryptography (PQC) catalyzed by NIST’s August 13th, 2024 announcement that it had officially standardized three PQC algorithms, the winds of change are indeed upon us.

We are currently in the heart of the hurricane season here in the United States. As I was soaking in all the great information presented at ICMC, I could not help but draw some parallels with what is happening now in the world of cryptography, except that we seem to have three simultaneous storms. Two focus on companies selling products to the US Government, and then one monster storm impacts the entire digital world that relies on cryptography.

The first of the two storms impacting companies selling products to the US Government, specifically those whose cryptography has to comply with FIPS 140 standards, is the migration from FIPS 140-2 to FIPS 140-3. Here at SafeLogic, we have previously written much about the complexity of this migration and why it can be such a big lift for organizations that do not have the right cryptographic software partner to shepherd them through this transition. It was pretty clear at ICMC that the industry is really feeling the heat of this transition now with all the challenges that it brings. SafeLogic is honored to have its CryptoComply software recently granted FIPS 140-3 certification, and with that, being able to ensure a seamless migration for its customers to the new standard. We were also honored to be awarded our FIPS 140-3 certificate by NIST during the ICMC show!

The second of the two storms impacting companies in the above category is the need to prepare for more stringent requirements around entropy source validation. In any cryptosystem, three elements must come together correctly. First, the cryptographic algorithms need to be secure. Second, the implementation has to be secure. And third, the key material has to be truly random. The quality of this randomness (measured as entropy) depends heavily on the process that generates it, whether in hardware or software, and on the Operating Environment (OE) in which that process runs.

And so, NIST is working to introduce additional requirements for Entropy Source Validation (ESV) to ensure that submitted cryptographic modules also have strong entropy claims before being granted FIPS 140 validation. These more stringent entropy requirements will no doubt represent a challenge for many organizations due to the extensive expertise needed to design and then validate an entropy source. Here at SafeLogic, we have been working on our own entropy sources to be well-positioned to support our customers once the new NIST requirements hit.
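As an added illustration (not SafeLogic's code, nor part of the original post), here are the two continuous health tests that NIST SP 800-90B requires an entropy source to run on its raw noise output, the repetition count test and the adaptive proportion test, applied to a constructed "healthy" sample stream and a constructed stuck-at stream. The RCT cutoff follows the specification's formula; the APT cutoff is derived here from the binomial distribution as an approximation of the specification's derivation, and the window size and min-entropy claim are assumed values.

```python
"""Continuous health tests in the style of NIST SP 800-90B Section 4.4.
Illustration only; h_min is the claimed min-entropy per sample in bits."""
import math

ALPHA = 2.0 ** -20  # false-positive probability used by SP 800-90B


def rct_cutoff(h_min: float) -> int:
    """Repetition count test cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(ALPHA) / h_min)


def apt_cutoff(h_min: float, window: int) -> int:
    """Adaptive proportion test cutoff (approximation of the spec's CRITBINOM
    derivation): smallest C with P[Bin(window, 2^-H) <= C] >= 1 - alpha."""
    p = 2.0 ** -h_min
    cdf = 0.0
    for c in range(window + 1):
        cdf += math.comb(window, c) * p ** c * (1.0 - p) ** (window - c)
        if cdf >= 1.0 - ALPHA:
            return c
    return window


def repetition_count_test(samples, h_min) -> bool:
    """Pass unless some value repeats back-to-back C or more times."""
    cutoff, run, prev = rct_cutoff(h_min), 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_test(samples, h_min, window=512) -> bool:
    """Per window, count recurrences of its first sample; fail if count > C."""
    cutoff = apt_cutoff(h_min, window)
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) > cutoff:
            return False
    return True


# Constructed streams: a cycling byte sequence with no adjacent repeats
# (stands in for healthy raw noise) and a stuck-at source emitting 0x41.
HEALTHY = [(i * 239) % 256 for i in range(2048)]
STUCK = [0x41] * 2048

if __name__ == "__main__":
    for name, stream in (("healthy", HEALTHY), ("stuck", STUCK)):
        print(name, repetition_count_test(stream, 4), adaptive_proportion_test(stream, 4))
```

A real entropy source runs these tests continuously on raw noise samples and disables output on failure; the stuck-at stream above trips both tests within the first window.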

And finally, we have the big storm impacting the entire digital ecosystem – the need to migrate all our Public Key Infrastructure (PKI) to Post Quantum Cryptography (PQC). It is undeniable that the topic of PQC has been getting increasingly pronounced at each ICMC, culminating this year with the recent standardization announcement of PQC algorithms by NIST. I was honored to have been invited to the White House on August 13th, where this announcement was made. It was a special moment, given all the fantastic work that NIST had done over seven-plus years to run a global competition from which it selected the standards.

Now, it is clear that the hard work truly begins, as Gartner is predicting that before the end of this decade, our PKI will be vulnerable to Cryptanalytically Relevant Quantum Computers (CRQCs). In this area, SafeLogic has been hard at work on its own PQC implementations, for which it is currently running an Early Access Program (EAP). We are also proud to participate in NIST’s NCCoE Migration to Post-Quantum Cryptography project and lead the PQC Risk Management and Prioritization workstream, which consists of consortium members who are leading companies in this space. This migration will truly take a village because we have not yet seen anything even remotely at this scale in the world of cryptography.

Any one of these storms would have been a significant event. However, with all three happening simultaneously, ensuring that your organization has an experienced cryptographic software partner assisting you through these changes is crucial. Just as you would not climb Everest, K2, and Lhotse without a sherpa, you should not address these three major cryptographic transitions without an experienced cryptographic software partner.