Erik Andersen

Title of proposal

Migration of cryptographic algorithms for cybersecurity

CRA Standards

Horizontal standards for security requirements


What does the work you will carry out for the CYBERSTAND SSP consist of?
“Migration of cryptographic algorithms for cybersecurity” is an approved project. Cryptographic algorithms are important to cybersecurity, both for communication protocols and for certificates as defined by ITU-T X.509. Currently used asymmetric cryptographic algorithms will be broken by future quantum computers. Asymmetric cryptographic algorithms are used for digital signatures and for the generation of symmetric keys to be used, e.g., for encryption. Next-generation algorithms have been developed or are under development. Migration to such algorithms results in substantial logistical problems and puts requirements on how cybersecurity functions are established.


What is the expected result and impact of this activity?
The EU needs a common approach for how migration of cryptographic algorithms is done in a smooth way over some period, with interoperability maintained during that period. While the migration guide is developed primarily for the power industry, it is generally applicable to all IT communication areas and to public-key infrastructure.


Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
The “Draft standardisation request to European Standards Organisations in support of Union policy on cybersecurity requirements for products with digital elements” in Annex I lists 41 standard requirement items. The implementation of cryptographic algorithms covers several of these items. As cryptographic algorithms together with public-key infrastructure are the basis for cybersecurity, most of the items are covered in some way or another. The most important items are:
Item 5 on protection against unauthorized access – use of digital signatures.
Item 6 on confidentiality – use of encryption.
Item 7 on integrity – use of digital signatures and message authentication codes (MACs).
Item 16 on identity management, authentication, and access control – use of digital signatures and attribute certificates.
Item 24 on public-key infrastructure and certificates – use of digital signature and public-key algorithms.

Full Name
Erik Andersen
Country
Denmark
Organisation
Andersen's L-Service
Standards Development Organisation
Working Groups and Technical Committees
IEC TC 57 WG 15