Applied Cryptography

Cryptography uses mathematical functions to transform data and prevent it from being read or tampered with by unauthorized parties. Nearly every computing and communications device uses cryptographic technologies to protect the confidentiality and integrity of information that is communicated and/or stored. However, the protection provided by cryptography is only as strong as its weakest link. Any shortcomings in algorithm selection and implementation, and in implementation testing, integration, and operation can be detrimental to achieving the expected security outcomes.

NIST’s National Cybersecurity Center of Excellence (NCCoE) Applied Cryptography program is bridging the gap between the development of fundamental cryptographic algorithms and their use in commercial off-the-shelf technology. The NCCoE has initiated several projects focused on cryptographic application challenges, such as adopting new cryptographic algorithms, managing cryptographic keys and certificates, automating cryptographic module testing, and implementing cryptography.

Learn more about the challenge and importance of applied cryptography to your organization. We invite you to participate in the Applied Cryptography community of interest at applied-crypto@nist.gov.

The following are brief descriptions of the initial projects in the program.

Migration to Post-Quantum Cryptography

From time to time, a cryptographic weakness or dependencies on newer technologies necessitate replacing a legacy cryptographic algorithm. Algorithm replacement can be extremely disruptive and often takes decades to complete. Continued progress in quantum computing foreshadows a particularly disruptive cryptographic transition. Development of post-quantum public-key cryptographic standards is progressing well, but migration to new algorithms is unlikely to be completed for decades. The NCCoE is helping accelerate this migration. Learn more about this project. You can also attend a workshop to inform development of a demonstration project showcasing tools to assist in migrations.

TLS Server Certificate Management

The security of web transactions and many other communications relies on the Transport Layer Security (TLS) cryptographic protocol. Servers use their certificates with TLS to verify their identity to client devices and to protect the communications between the servers and those client devices. Unfortunately, managing these certificates can be quite complex. Despite the mission-critical nature of TLS server certificates, many organizations lack well-defined policies and processes for effectively managing the certificates. Many do not leverage available technology and automation to the extent needed to manage the large and growing numbers of certificates. The NCCoE, in collaboration with industry partners, has developed a practice guide Special Publication 1800-16, Securing Web Transactions: Transport Layer Security (TLS) Certificate Management. Learn more about this project.

Challenges with Compliance, Operations, and Security with Encrypted Protocols, in Particular TLS 1.3

Enterprises use encryption—a cryptographic technique—to protect data transmission and storage. While encryption protects data confidentiality and integrity, it also reduces the organization’s visibility into the data. The NCCoE initiated a project to address challenges to compliance, operations, and security with modern encrypted protocols, and TLS 1.3 in particular. Learn more about this project. You are also invited to attend an upcoming workshop where industry subject matter experts and practitioners present their views.

Automation of the NIST Cryptographic Module Validation Program (CMVP)

NIST established the Cryptographic Module Validation Program (CMVP) to ensure that hardware and software cryptographic implementations met standard security requirements. Since its start, the number and complexity of modules to be validated has increased steadily and now outstrips available human resources for product vendors, labs, and validators. This limits product options for many organizations required to use validated cryptography, especially federal agencies. NIST has started a broad effort to modernize and automate its cryptographic validation programs. Learn more about this project. Inform the development of a project description and plan for a solution demonstration for CMVP automation at the invitational workshop.