Migration of cryptographic algorithms for cybersecurity
What does the work you will carry out for the CYBERSTAND SSP consist of?
“Migration of cryptographic algorithms for cybersecurity” is an approved project. Cryptographic algorithms are important for cybersecurity, for communication protocols and for certificates as defined by ITU-T X.509. Currently used asymmetric cryptographic algorithms will be broken by future quantum computers. Asymmetric cryptographic algorithms are used for digital signatures and for generation of symmetric keys to be used, e.g., for encryption. Next-generation algorithms have been developed or are under development. Migration to such algorithms results in substantial logistic problems and puts requirements on how cybersecurity functions are established.
What is the expected result and impact of this activity?
The EU needs a common approach for how migration of cryptographic algorithms is done in a smooth way over some period and where interoperability is maintained during that period. While the migration guide is developed primarily for the power industry, it is generally applicable to all IT communication areas and to public-key infrastructure.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
The “Draft standardisation request to European Standards Organisations in support of Union policy on cybersecurity requirements for products with digital elements” in Annex I lists 41 standard requirement items. Implementations of cryptographic algorithms cover several of these items. As cryptographic algorithms together with public-key infrastructure are the basis for cybersecurity, most of the items are covered in some way or another. The most important items are:
Item 5 on protection against unauthorized access – use of digital signatures.
Item 6 on confidentiality – use of encryption.
Item 7 on integrity – use of digital signatures and message authentication codes (MACs).
Item 16 on identity management, authentication, and access control – use of digital signature and attribute certificates.
Item 24 on public-key infrastructure and certificates – use of digital signature and public-key algorithms.
European public-key infrastructure profile
What does the work you will carry out for the CYBERSTAND SSP consist of?
SSP 07-209, European public-key infrastructure profile. Such a profile can be translated into requirements on PKI software and is therefore an input to CRA standardisation request #24.
What is the expected result and impact of this activity?
The expected result is a specification of the requirements on PKI software, which implies software requirements on software for certification authorities (CAs), the part of the PKI that issues public-key certificates. Requirements could be a modular approach that allows plug-in of cryptographic algorithms and plug-in of support for public-key certificate extensions, and inclusion of support for the cryptographic algorithm migration capabilities specified in Rec. ITU-T X.509 | ISO/IEC 9594-8. Another important aspect would be testability.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
The focus is on standardisation request #24, addressing requirements on public-key infrastructure software. The project will be carried out within ETSI TC CYBER-EUSR, with me being an ITU-T liaison officer into that group. Much of the activity will consist of contributions to that group, including taking on editorship as needed.
