Blog

Categories:
1. 6. 2026
Security Cryptography
Lifecycles and cryptography, part 3

Life cycles and cryptography

We subconsciously suspect connections with the age of equipment, its reliability and general security. On the other hand, it is difficult to imagine the above problem in the field of cryptography and to accept these development impacts. I was wondering how it is even possible to consider the mentioned life cycles, what impact they have on security, or what relationships there are between the life cycles of cryptography and other applications or services. The goal is to understand the motivations to maintain the current solution, the impacts of extension on technological debt and to what extent the approach using cryptoagility can solve the mentioned problems. This article series tries to summarize the causes that hinder regular and, most importantly, rapid change of cryptography, as well as to provide an overview of the reasons. If we know the reasons for these problems, we are able to consider them and make appropriate decisions.


Motivation for cryptography management

The first thing that comes to mind when thinking about encryption? Data is encrypted to ensure confidentiality. This is based on the CIA security triad (Confidentiality, Integrity, Availability). But ensuring confidentiality does not solve the motivation for cryptography management. This is influenced by the following reasons.

  • Minimizing costs. Migrating cryptography from one algorithm to another is expensive, and implementation or architectural problems can occur due to ignorance. Unfortunately, protecting against these costs leads to legacy compatibility, creating cryptographic debt.
  • Minimizing risks. As in the previous point, migrating cryptography creates risks. The same as using outdated cryptography. Algorithms that are too new and too old may have weaknesses or side effects, so the effort is to use only those that have been tested. Unfortunately, inappropriate risk management usually leads to reputational or legal problems. It is affected by threats and is affected by possible attacks.
  • Performance of algorithms and their latency, which affects their usability. Any cryptography, whether it is encryption, ensuring integrity or authenticity, leads to limitations. These limitations can be of a technical or economic nature, they affect operation and influence decisions about the transition. I want to address this issue in a separate article, it is a completely specific problem.
  • Compliance, i.e. compliance with standards. Paradoxically, at present, regulations can be a stronger reason than the technical reasons themselves. Examples include CRA, DORA, eIDAS2, PSD2, HIPAA, NIS2, PCI-DSS, PSD2 … and others

Just like with outdated technologies, where technological or security debt arises, a similar situation also occurs with cryptography. Unfortunately, it is also often overlooked and neglected. The strongest motive is, or rather should be, the elimination of cryptographic debt. The longer the migration is postponed, the faster the risk grows and the more expensive the transition is. The biggest risk is therefore not weak cryptography. The first is clinging to old technologies, i.e. stagnation. This increases risk and, in fact, costs. Therefore, the only applicable solution for cryptography management is cryptoagility. From a technological point of view, this means designing systems with a separation of algorithms from logic, using abstract layers (separation of libraries) and other necessary extensions, including policy management.


Cryptography Life Cycle

Estimates of the cryptography life cycle can be based on data on past algorithms and their success. This means the time of deployment, the length of support in standards and cryptographic libraries. Unfortunately, it is very difficult to estimate future. For this reason, it is more of a description of the current situation than a general rule, and unfortunately, there is little data available to find regular patterns. The lifetimes given in the table correspond to the largest, practically usable keys for the algorithms. However, this value is gradually increasing, currently for symmetric algorithms it is 256b and for asymmetric ones like RSA it is 3072b.

Unfortunately, other unpleasant influences come into play. When the need for migration of cryptographic algorithms increases, it is usually at a time when the cryptographic debt also gradually increases. The replacement of algorithms and protocols currently takes between 10 and 15 years. And not only in the case of the end of moral, but also in the case of the end of technical life. This is a time interval beyond which reason remains. Conjuring up backward compatibility, unwillingness of customers to migrate or insufficient support from manufacturers then increases the risks to absurd values. Despite all this available information, it is still possible to find in risk matrices for technically outdated protocols or algorithms with a "low" or "low to medium" risk rating. In such a case, this is a gross underestimation of the situation.

AreaTechnical LifespanMoral LifespanSupportMotivation
Symmetric Algorithms20-40 Years15-30 Years20-50 YearsBalance Between Migration Costs and Risk of Compromise
Asymmetric Algorithms10-30 Years10-20 Years10-40 YearsBalance Between Migration Costs and Risk of Compromise
Hash functions20-40 years15-20 years10-40 yearsBalance between migration costs and risk of compromise

To further complicate the problem, it is also necessary to consider the behavior of attackers. Due to developments in artificial intelligence, which support the speed of programming, the time required to create exploits is getting shorter every year. These tools are also becoming more complicated and allow for significantly greater possibilities for abuse. By 2026, the time to create such a tool should be less than one day (already surpassed). Next year, the time is estimated to be less than 1 hour. At this rate, next year, with the same trend, the time could be less than 10 minutes. In contrast, the interval between replacing cryptographic algorithms of 10 to 15 years is completely incredible. The transition to cryptography resistant to quantum computers is supposed to increase data security. New algorithms are being created for this purpose. They require deep knowledge of mathematics to understand their functionality, and this is where the last group of problems lies. First, there is the implementation problem, requiring the programmer to understand the principles of the algorithm and its limitations. Otherwise, the implementation is likely to suffer from problems that can lead to impacts on the confidentiality and integrity of the data. Today, the biggest problem is not the algorithm, but its implementation. Another, more hidden problem is the development of mathematics. The fact that we currently do not know the methods of attack against these algorithms does not exclude the possibility of finding a new vulnerability. The probability is low, but the possibility is still there. And owners must be prepared for the problems mentioned.


Cryptographic debt and what to do about it?

What does cryptographic debt actually mean? It is a situation where the updating of protocols, algorithms and other components of the system lags behind reality. That is, there is no management of the life cycles of cryptographic algorithms and key material. There is a lack of knowledge of the dependencies between components, or there is a lack of overview of components, i.e. insufficient inventory. Therefore, any reaction to changes is slow, measurable in months or years. The reason for the emergence of this debt is usually the costs of migration. This requires costs associated with assessing the situation, deciding on the extent of the impacts, all of which are added together with the costs of the change itself. The paradox of migration is a situation where the most frequent reason for postponing the decision on change is the requirement for backward compatibility with clients. After all, the client always pays for the operation of the organization. But in this situation, we actually do not protect all the clients, because we would not have to protect some of them. This is directly contrary to the principles of security. Insufficient updating of protocols and algorithms creates a larger "attack surface", an environment rich in targets. That is, it accepts a larger range of threats, reduced support and, under certain conditions, completely insufficient configuration options. The icing on the cake of the whole problem is the subsequent, almost exponential increase in migration costs. This can so-called concrete the organization in a non-updatable state.

However, insufficient development also brings a problem with knowledge. In such an environment, these usually fall behind reality. This is the extent of adequate knowledge among both responsible persons and users. The reason is simple. Using outdated algorithms that have limited ways of verifying the confidentiality, integrity and authenticity of data is not only a threat to the ability to protect data. It is also a threat to the development of knowledge, which threatens further evolution in the same way as a lack of finances. Insufficient knowledge leads to wrong decisions. And wrong decisions can cause the withdrawal of funds in the form of fines and penalties, or the loss of orders. In such a case, limited funds will become even thinner, or cash flow will be limited.

Eliminating this type of technological debt requires not only knowledge and considerable effort, but also corresponding financial costs. Since these are repetitive activities, it is advisable to support them with internal rules. However, the rules must be based on asset management and their monitoring. If the organization has visibility of individual components, knows their current configuration, and requires corresponding standardized sets of reports (Bill of Materials), costs can be significantly reduced thanks to simplified management.

A condition for the above approach is also a "polite" approach by manufacturers to cryptography. It should be separated by an abstract layer, completely independent of the system logic. Cryptographic modules should be easily interchangeable and should have standardized descriptions (CBOMCryptography Bill of Materials). Replacing support modules or changing the configuration should not be a job that takes several months or years, it should be a matter of minutes.

In addition to the above conditions, it is also necessary to address the issue of management in the organization. That is, who is responsible for migration, who bears the risk of technological debt, what roles are needed for this (cryptologist, architect, etc.) and what processes cover these changes. At the same time, it is appropriate to define a crypto policy that defines the life cycle of algorithms. The life cycle of key material and its security classification must also be described. This is therefore a certain formalization of procedures, which makes sense mainly in the case of larger organizations.


To be continued next time

The continuation of the life cycles will address the measurement of cryptographic debt and the implications for managing and servicing this debt. This overview does not cover the life cycle of cryptographic material, nor the issue of migrating to quantum-resistant cryptography. These topics are covered in other articles.


References:

  1. Microsoft Product Lifecycle
    Resource:https://www.microsoft.com/
  2. Windows 10 Home and Pro Lifecycle
    Resource:https://www.microsoft.com/
  3. Red Hat Enterprise Linux Life Cycle
    Resource:https://redhat.com/
  4. Ubuntu Release Cycle
    Resource:https://ubuntu.com/
  5. International Energy Agency – Data Centres and Data Transmission Networks report
    Resource:https://www.iea.org/
  6. HP Enterprise Support Services
    Resource:https://www.hp.com/
  7. Dell End-of-Life Documents
    Resource:https://www.dell.com/
  8. Fujitsu Hardware Maintenance Services
    Resource:https://www.fujitsu.com/
  9. Fujitsu Maintenance Policy
    Resource:https://global.fujitsu/
  10. Lenovo Support Portal
    Resource:https://support.lenovo.com/
  11. ENISA – Good Practices for Security of IoT and Smart Infrastructures
    Resource:https://www.enisa.europa.eu/
  12. Consumer Reports – délka bezpečnostní podpory smart zařízení
    Resource:https://www.consumerreports.org/
  13. UNECE Vehicle Regulations – kyberbezpečnost a software update management vozidel
    Resource:https://unece.org/
  14. NASA – Thermal Design and Thermal Behaviour Reliability Principles
    Resource:https://www.nasa.gov/
  15. Our World in Data – Technological Progress and Computing Power Trends
    Resource:https://ourworldindata.org/
  16. NIST Cybersecurity Framework 2.0
    Resource:https://www.nist.gov/
  17. Key Management - NIST SP 800-57 a NIST SP 800-131
    Resource:https://www.nist.gov/
  18. NIST SP 800-61 Computer Security Incident Handling Guide
    Resource:https://www.nist.gov/
  19. NIST IR 8547 - Migration to Post-Quantum Cryptography
    Resource:https://www.nist.gov/
  20. Software-Defined Cryptography: A Design Feature of Cryptographic Agility
    Resource:https://eprint.iacr.org/
  21. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
    Resource:https://www.rfc-editor.org/
  22. CA Browser Forum - Baseline Requirements
    Resource:https://cabforum.org/
  23. OWASP SAMM stream B - Secret Management
    Resource:https://owaspsamm.org/
  24. NIST Post-Quantum Cryptography Project – standardizace postkvantové kryptografie
    Resource:https://csrc.nist.gov/
  25. AXELOS ITIL – framework pro IT service management a lifecycle služeb
    Resource:https://www.axelos.com/
  26. ISACA COBIT – governance framework pro enterprise IT
    Resource:https://www.isaca.org/
  27. ISO/IEC 27001 – standard systému řízení bezpečnosti informací (ISMS)
    Resource:https://www.iso.org/
  28. ISO 55001 – Asset Management Systems standard
    Resource:https://www.iso.org/
  29. ISO/IEC 15288 – Systems and Software Engineering Lifecycle Processes
    Resource:https://www.iso.org/

Autor článku:

Jan Dušátko
Jan Dušátko

Jan Dušátko has been working with computers and computer security for almost a quarter of a century. In the field of cryptography, he has cooperated with leading experts such as Vlastimil Klíma or Tomáš Rosa. Currently he works as a security consultant, his main focus is on topics related to cryptography, security, e-mail communication and Linux systems.

Podobné články

Sharing files with SMB protocol and cryptography
16. 9. 2024
Sharing files with SMB protocol and cryptography
Sharing files with NFS protocol and cryptography
17. 9. 2024
Sharing files with NFS protocol and cryptography
Quantum computer resistant algorithms
27. 9. 2024
Quantum computer resistant algorithms
Storing password with Crypt interface
8. 10. 2024
Storing password with Crypt interface
logo

Your learning platform for cryptography
and security.

Jan Dušátko
info@cryptosession.cz
+420 602 427 840

Pod Harfou 938/58
190 00, Praha 9

IČ: 43479766
DIČ: CZ 7208253041

Bank no.:
0360576337/0300

© 2026 Cryptosession.cz Design: Lukáš Kejha, Development: Karel Tropp

1. Introductory Provisions

1.1. These General Terms and Conditions are, unless otherwise agreed in writing in the contract, an integral part of all contracts relating to training organised or provided by the trainer, Jan Dušátko, IČ 434 797 66, DIČ 7208253041, with location Pod Harfou 938/58, Praha 9 (next as a „lector“).
1.2. The contracting parties in the general terms and conditions are meant to be the trainer and the ordering party, where the ordering party may also be the mediator of the contractual relationship.
1.3. Issues that are not regulated by these terms and conditions are dealt with according to the Czech Civil Code, i.e. Act No.89/2012 Coll.
1.4. All potential disputes will be resolved according to the law of the Czech Republic.

2. Creation of a contract by signing up for a course

2.1. Application means unilateral action of the client addressed to the trainer through a data box with identification euxesuf, e-mailu with address register@cryptosession.cz or register@cryptosession.info, internet pages cryptosession.cz, cryptosession.info or contact phone +420 602 427 840.
2.2. By submitting the application, the Client agrees with these General Terms and Conditions and declares that he has become acquainted with them.
2.3. The application is deemed to have been received at the time of confirmation (within 2 working days by default) by the trainer or intermediary. This confirmation is sent to the data box or to the contact e-mail.
2.4. The standard time for registration is no later than 14 working days before the educational event, unless otherwise stated. In the case of a natural non-business person, the order must be at least 28 working days before the educational event.
2.5. More than one participant can be registered for one application.
2.6. If there are more than 10 participants from one Client, it is possible to arrange for training at the place of residence of the intermediary or the Client.
2.7. Applications are received and processed in the order in which they have been received by the Provider. The Provider immediately informs the Client of all facts. These are the filling of capacity, too low number of participants, or any other serious reason, such as a lecturer's illness or force majeure. In this case, the Client will be offered a new term or participation in another educational event. In the event that the ordering party does not agree to move or participate in another educational event offered, the provider will refund the participation fee. The lack of participants is notified to the ordering party at least 14 days before the start of the planned term.
2.8. The contract between the provider and the ordering party arises by sending a confirmation from the provider to the ordering party.
2.9. The contract may be changed or cancelled only if the legal prerequisites are met and only in writing.

3. Termination of the contract by cancellation of the application

3.1. The application may be cancelled by the ordering party via e-mail or via a data mailbox.
3.2. The customer has the right to cancel his or her application for the course 14 days before the course takes place without any fees. If the period is shorter, the subsequent change takes place. In the interval of 7-13 days, an administrative fee of 10% is charged, cancellation of participation in a shorter interval than 7 days then a fee of 25%. In case of cancellation of the application or order by the customer, the possibility of the customer's participation in an alternative period without any additional fee is offered. The right to cancel the application expires with the implementation of the ordered training.
3.3. In case of cancellation of the application by the trainer, the ordering party is entitled to a full refund for the unrealized action.
3.4. The ordering party has the right to request an alternative date or an alternative training. In such case, the ordering party will be informed about all open courses. The alternative date cannot be enforced or enforced, it depends on the current availability of the course. If the alternative training is for a lower price, the ordering party will pay the difference. If the alternative training is for a lower price, the trainer will return the difference in the training prices to the ordering party.

4. Price and payment terms

4.1. By sending the application, the ordering party accepts the contract price (hereinafter referred to as the participation fee) indicated for the course.
4.2. In case of multiple participants registered with one application, a discount is possible.
4.3. The participation fee must be paid into the bank account of the company held with the company Komerční banka č. 78-7768770207/0100, IBAN:CZ5301000000787768770207, BIC:KOMBCZPPXXX. When making the payment, a variable symbol must be provided, which is indicated on the invoice sent to the client by the trainer.
4.4. The participation fee includes the provider's costs, including the training materials. The provider is a VAT payer.
4.5. The client is obliged to pay the participation fee within 14 working days of receipt of the invoice, unless otherwise stated by a separate contract.
4.6. If the person enrolled does not attend the training and no other agreement has been made, his or her absence is considered a cancellation application at an interval of less than 7 days, i.e. the trainer is entitled to a reward of 25% of the course price. The overpayment is returned within 14 days to the sender's payment account from which the funds were sent. Payment to another account number is not possible.
4.7. An invoice will be issued by the trainer no later than 5 working days from the beginning of the training, which will be sent by e-mail or data box as agreed.

5. Training conditions

5.1. The trainer is obliged to inform the client 14 days in advance of the location and time of the training, including the start and end dates of the daily programme.
5.2. If the client is not a student of the course, he is obliged to ensure the distribution of this information to the end participants. The trainer is not responsible for failure to comply with these terms and conditions.
5.2. By default, the training takes place from 9 a.m. to 5 p.m. at a predetermined location.
5.3. The trainer can be available from 8 a.m. to 9 a.m. and then from 17 a.m. to 6 p.m. for questions from the participants, according to the current terms and conditions.
5.4. At the end of the training, the certificate of absorption is handed over to the end users.
5.5. At the end of the training, the end users evaluate the trainer's approach and are asked to comment on the evaluation of his presentation, the manner of presentation and the significance of the information provided.

6. Complaints

6.1. If the participant is grossly dissatisfied with the course, the trainer is informed of this information.
6.2. The reasons for dissatisfaction are recorded in the minutes in two copies on the same day. One is handed over to the client and one is held by the trainer.
6.3. A statement on the complaint will be submitted by e-mail within two weeks. A solution will then be agreed within one week.
6.4. The customer's dissatisfaction may be a reason for discontinuing further cooperation, or financial compensation up to the price of the training, after deduction of costs.

7. Copyright of the provided materials

7.1. The training materials provided by the trainer in the course of the training meet the characteristics of a copyrighted work in accordance with Czech Act No 121/2000 Coll.
7.2. None of the training materials or any part thereof may be further processed, reproduced, distributed or used for further presentations or training in any way without the prior written consent of the trainer.

8. Liability

8.1. The trainer does not assume responsibility for any shortcomings in the services of any third party that he uses in the training.
8.2. The trainer does not assume responsibility for injuries, damages and losses incurred by the participants in the training events or caused by the participants. Such costs, caused by the above circumstances, shall be borne exclusively by the participant in the training event.

9. Validity of the Terms

9.1 These General Terms and Conditions shall be valid and effective from 1 October 2024.

Consent to the collection and processing of personal data

According to Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "the Regulation"), the processor xxx (hereinafter referred to as "the Controller") processes personal data. Individual personal data that are part of the processing during specific activities at this web presentation and in the course of trade are also broken down.
Although the collection of data is ubiquitous, the operation of this website is based on the right to privacy of each user. For this reason, the collection of information about users takes place to the extent absolutely necessary and only if the user decides to contact the operator. We consider any further collection and processing of data unethical.

Information about the records of access to the web presentation

This website does not collect any cookies. The site does not use any analytical scripts of third parties (social networks, cloud providers). For these reasons, an option is also offered for displaying the map in the form of a link, where the primary source is OpenStreet and alternatives then the frequently used Maps of Seznam, a.s., or Google Maps of Google LLC Inc. The use of any of these sources is entirely at the discretion of the users of this site. The administrator is not responsible for the collection of data carried out by these companies, does not provide them with data about users and does not cooperate on the collection of data.
Logging of access takes place only at the system level, the reason being the identification of any technical or security problems. Other reasons are overview access statistics. No specific data is collected or monitored in this area and all access records are deleted after three months.

Information about contacting the operator of the site

The form for contacting the operator of the site (administrator) contains the following personal data: name, surname, e-mail. These data are intended only for this communication, corresponding to the address of the user and are kept for the time necessary to fulfil the purpose, up to a maximum of one year, unless the user determines otherwise.

Information about the order form

In case of an interest in the order form, the form contains more data, i.e. name, surname, e-mail and contact details for the organisation. These data are intended only for this communication, corresponding to the address of the user and are kept for one year, unless the user determines otherwise. In the event that a business relationship is concluded on the basis of this order, only the information required by Czech law on the basis of business relations (company name and address, bank account number, type of course and its price) will continue to be kept by the administrator.

Information about the course completion document

Within the course, a course completion document is issued by the processor. This document contains the following data: student's name and surname, the name and date of the course completion and the employer's name. The information is subsequently used for the creation of a linear hash tree (non-modifiable record). This database contains only information about the provided names and company names, which may or may not correspond to reality and is maintained by the processor for possible re-issuance or verification of the document's issuance.

Rights of the personal data subject

The customer or visitor of this website has the possibility to request information about the processing of personal data, the right to request access to personal data, or the right to request the correction or deletion of any data held about him. In the case of deletion, this requirement cannot be fulfilled only if it is not data strictly necessary in the course of business. The customer or visitor of this website also has the right to obtain explanations regarding the processing of his personal data if he finds out or believes that the processing is carried out in violation of the protection of his private and personal life or in violation of applicable legislation, and the right to request removal of the resulting situation and to ensure the correction.
Furthermore, the customer/visitor of this website may request restriction of processing or object to the processing of personal data and has the right to withdraw his/her consent to the processing of personal data at any time in writing, without prejudice to the lawfulness of their processing prior to such withdrawal. For this purpose, the contact e-mail address support@cryptosession.cz is used.
The customer/visitor has the right to file a complaint against the processing of personal data with the supervisory authority, which is the Office for Personal Data Protection.