Cryptographic Agility
What is Cryptographic Agility?
Cryptographic AgilityThe property of a system that lets it replace cryptographic algorithms, parameters, or keys quickly and safely when threats or standards change.
Cryptographic agility, or crypto agility, is the design discipline of building systems so algorithms, key sizes, certificate types, and protocols can be upgraded without rewriting application code or breaking interoperability. It is achieved through algorithm identifiers and negotiation (as in TLS cipher suites and JOSE alg parameters), abstraction layers like PKCS#11 and KMS interfaces, configurable cryptographic libraries, automated certificate lifecycle (ACME), and inventories of where cryptography is used. Agility became critical with deprecations of SHA-1, RSA-1024, and 3DES, and is now a prerequisite for the migration to post-quantum cryptography mandated by NIST and national authorities. Lack of agility creates years-long retrofits when an algorithm is suddenly broken.
● Examples
- 01
A TLS server able to roll out hybrid X25519+ML-KEM key exchange purely through configuration.
- 02
A code-signing pipeline that swaps RSA-PSS for ML-DSA after a vendor update.
● Frequently asked questions
What is Cryptographic Agility?
The property of a system that lets it replace cryptographic algorithms, parameters, or keys quickly and safely when threats or standards change. It belongs to the Cryptography category of cybersecurity.
What does Cryptographic Agility mean?
The property of a system that lets it replace cryptographic algorithms, parameters, or keys quickly and safely when threats or standards change.
How does Cryptographic Agility work?
Cryptographic agility, or crypto agility, is the design discipline of building systems so algorithms, key sizes, certificate types, and protocols can be upgraded without rewriting application code or breaking interoperability. It is achieved through algorithm identifiers and negotiation (as in TLS cipher suites and JOSE alg parameters), abstraction layers like PKCS#11 and KMS interfaces, configurable cryptographic libraries, automated certificate lifecycle (ACME), and inventories of where cryptography is used. Agility became critical with deprecations of SHA-1, RSA-1024, and 3DES, and is now a prerequisite for the migration to post-quantum cryptography mandated by NIST and national authorities. Lack of agility creates years-long retrofits when an algorithm is suddenly broken.
How do you defend against Cryptographic Agility?
Defences for Cryptographic Agility typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Cryptographic Agility?
Common alternative names include: Algorithm agility, Crypto-agility.
● Related terms
- cryptography№ 846
Post-Quantum Cryptography
Classical cryptographic algorithms designed to remain secure against attacks by both classical and large-scale quantum computers.
- cryptography№ 465
Harvest Now, Decrypt Later
An attack strategy where adversaries record encrypted traffic today to decrypt it once cryptographically relevant quantum computers become available.
- cryptography№ 589
Key Rotation
The periodic replacement of cryptographic keys with new ones to limit the volume of data protected by any single key and contain the impact of compromise.
- cryptography№ 246
Cryptographic Erasure
Rendering encrypted data unrecoverable by securely destroying the encryption keys instead of overwriting the storage media itself.
- network-security№ 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.