Becoming Crypto Agile

Cryptography has flourished in the modern times

The history of cryptography starts when generals needed to send secure orders to commanders across the battlefields of 400bc. In our modern IT-era, probably the first milestone was set in 1970s with the creation of the Data Encryption Standard (DES), and DES becoming widely used cryptographic method for public use. DES is an example of a Symmetric-key algorithm that uses the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext.

The later 1970s saw the arrival of asymmetric algorithms and public key cryptography, that uses both a public and a private key to perform inverse operations, such as encryption and decryption. One key is public, and can be shared with anyone, the other is the private key which is kept secret. If the private key is used to encrypt a message, a public key is required for decryption. In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic record used to prove the ownership of a public key.

As IT became universally adopted, it demanded disparate organizations to build standardized secure communications, and the early 1990s saw the emergence of public-key infrastructure (PKI) that defines a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. PKI quickly become the most widely used method for the secure transfer of information and, even to this day, underpins virtually all applications that require more rigors of proof to define identity such as e-commerce, internet banking and confidential email.

In the late 1990s, it became clear that the first generation of symmetric algorithms could be broken with enough computing power, but the asymmetric algorithms–such as D-H and RSA–have proven more resilient and have endured to make up the basis of many of the most common secure use cases, such as securing access to internet websites (HTTPS), and Transport Layer Security (TLS) that are widely used in applications such as email, instant messaging, IoT or voice over IP.

Today, the advances in cryptography have brought new techniques, some of which are delightful in what they allow us to achieve, while others pose a threat to most of the currently used implementations. In particular, advances in quantum computing seem to allow so-called brute force attacks against RSA and other algorithms based on hard-to-solve computing problems. Nevertheless, we will implement new classes of algorithms that are resistant to quantum computers.

Our area, applied cryptography, is a discipline that is seldom in the spotlight, but for sure is fundamental to modern communication, collaboration and commerce. You may have heard of bitcoins and blockchains – well, these are just two examples of a very rich field and for what it is worth, I don’t find them the most exciting. There is so much great research done all over the world.

PrimeKey, Keyfactor and Bouncy Castle: Strong partners for the future of crypto agility

The study and application of cryptography has been advanced by many gifted individuals and teams around the world over the last decades. The work carried out by Whitfield Diffie and Martin Hellman laid the foundation for modern public-key cryptography. However, the application of cryptography to reach a mass market has other notable participants – gifted engineers that implement cryptography in usable solutions. In the early 2000s, Tomas Gustavsson, our co-founder, led the team that developed EJBCA – a free, open-source software offering public key infrastructure (PKI) and certificate authority in a single solution. The software development and support are provided by our company PrimeKey – the name was given by yours truly as homage to prime numbers, whose properties were foundational for much of modern cryptography.

EJBCA provided platform independence and scalability using clusters, along with support for most any relevant open crypto standard. In essence – everything was better than other, largely proprietary competing solutions. Within a decade, EJBCA became the most widely used PKI in the world. Based on the growing success of EJBCA, in 2006, PrimeKey launched SignServer, another open-source solution for code signing, document signing, time stamping and Machine-Readable Travel Document (MRTD) such as passports.

Reaching more sophisticated and demanding customers, we decided to work on Common Criteria certification of EJBCA, an endeavor that was finished in 2012. I had an honor to lead the team that achieved this landmark for a small startup as we were back then. Incidentally, the new round of certification was finished in 2021. This certified version of the software was the first to be called the enterprise version. PrimeKey still continues developing and maintaining the community version, but the enterprise version is the basis of the commercial success.

Again, spurred by growth, in 2013 we developed a hardware EJBCA Appliance that included an integrated Hardware Security Module (HSM) aimed at streamlining PKI deployments for larger organizations as well as managed services, Internet of Things (IoT) and today also used in the context of eIDAS qualified Trust Service Providers. Prior to 2013, PrimeKey was purely a software company, but I knew some really talented people whom I persuaded to give up on a good job and start a new adventure; hence PrimeKey Labs was born. The colleagues in Germany created industry-leading innovative products, which I think is the golden standard in its area. In 2017, PrimeKey Labs developed a Secure Execution Hardware solution that combined its encryption expertise into a solution to protect an entire application stack and data, from operating system to virtualization to application from more advanced threats where criminals may have direct access to these racks of servers.

That same year, 2017, we were joined by an entire new team from California, whom I knew for a while and influenced to give up on a good consultancy business and start a new adventure with PrimeKey. As we continue to innovate around PKI and digital signatures, we have also extended the capabilities of EJBCA and SignServer to make it more suitable for deployment utilizing the cloud and as a SaaS service – as well as expanding the breadth and depth of the encryption algorithms its products supported. My colleagues and friends in California were instrumental to this success – today EJBCA is the golden standard in cloud marketplaces.

In the last three years, PrimeKey has rapidly accelerated its position within the market. In 2020, PrimeKey acquired Crypto Workshop, Pty Ltd, which is the commercial side of Bouncy Castle, the world’s most widely used cryptographic library – a library that PrimeKey had also used for many years prior. As you probably can guess, I knew some folks that I consider “jedi of open source and cryptography”, and I popped the question…

Jokes and self-praise aside, The Bouncy Castle Cryptography project was created by Legion of the Bouncy Castle in the late 1990s as a Java library that complements the default Java Cryptographic Extension (JCE). Bouncy Castle contributors developed and implemented a large number of cipher suites and algorithms – many more than the default JCE provided by Sun/Oracle – along with utilities for handling obscure encryption technologies used in legacy systems and scenarios. In 2014, a version of Bouncy Castle was built into the Google Android operating system – and today, literally billions of devices utilize its APIs to carry out fundamental security and encryption process. The acquisition retains and continues the development of Bouncy Castle as a free-to-use library while the FIPS version moves to a commercial model within the PrimeKey portfolio – matching the same Ethos as EJBCA and SignServer products.

Even more so, with Bouncy Castle, PrimeKey has the entire technology stack to implement a security solution. In these days of outages and hijackings of IT systems, our field is ever more important – security of IT supply chains is becoming a priority of decision makers both in industries and governments.

Earlier this year, we announced a merger with Keyfactor, a pioneer in the PKI as-a-Service and certificate lifecycle automation. I knew the founders of Keyfactor, as you already have guessed, but this time the question was in the reverse direction – moving forward the companies will operate under the Keyfactor brand. Looking at all the various aspects of both companies, the product lines, market reach, team capabilities – the merger has created the most comprehensive sets of technologies, tools, libraries, and expertise within our area of the applied cryptography. I can hardly wait to share with you what comes next. The best is yet to come!

Stay tuned for upcoming crypto agility blog posts and more.