Cryptographic Agility Questions
===============================

Are you trying to change your application cryptography? Here are some common cases and recommendations.

Table of contents

* Is this encrypted data coming through a query or request parameter?
* I encrypt the data and the client uses it as a token, but I cannot update the client, what can I do?
* What if this is a database field?
* What about TLS ciphers?
* I was using MD5 for passwords, what should I do?
* What questions should I ask when beginning a migration?

Is this encrypted data coming through a query or request parameter?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Put the new version in a different parameter and only read it with the new code. If the new parameter is populated, do not read the old parameter. Bind the version to the encrypted message with authenticated encryption with associated data [L1] (AEAD) so that only the appropriate decryption function will successfully decrypt it.

I encrypt the data and the client uses it as a token, but I cannot update the client, what can I do?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

See Encrypted token migrations [L2].

What if this is a database field?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

See Encryption at rest migrations [L3].

What about TLS ciphers?
^^^^^^^^^^^^^^^^^^^^^^^

See TLS Migrations [L4].

I was using MD5 for passwords, what should I do?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

See Password Migrations [L5].

What questions should I ask when beginning a migration?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

See General Migration Questions [L6].
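
For the query or request parameter case above, one way to apply the rule in Go, as an added example that is not code from the original page: the new parameter is sealed with AES-GCM with the version label as associated data, and the reader never falls back to the old parameter once the new one is populated. The parameter names `token` and `token_v2`, the label `v2`, the function names and the all-zero demo key are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
)

const oldParam, newParam, v2Label = "token", "token_v2", "v2" // assumed names, not from the page

func NewAEAD(key []byte) (cipher.AEAD, error) { // AES-GCM; key is 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func SealV2(aead cipher.AEAD, plaintext []byte) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plaintext, []byte(v2Label))), nil
}

// OpenWithLabel fails unless label equals the associated data SealV2 bound (v2Label).
func OpenWithLabel(aead cipher.AEAD, token, label string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if n := aead.NonceSize(); err == nil && len(raw) >= n {
		return aead.Open(nil, raw[:n], raw[n:], []byte(label))
	}
	return nil, fmt.Errorf("malformed token")
}

func ReadToken(q url.Values, aead cipher.AEAD, legacy func(string) ([]byte, error)) ([]byte, error) {
	if tok := q.Get(newParam); tok != "" { // populated: the old parameter is never read
		return OpenWithLabel(aead, tok, v2Label)
	}
	return legacy(q.Get(oldParam))
}

func main() {
	aead, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	tok, _ := SealV2(aead, []byte("uid=42"))
	fmt.Println(ReadToken(url.Values{newParam: {tok}, oldParam: {"stale"}}, aead, nil)) // legacy never called
}
```

A decryption function written for another version passes its own label to `OpenWithLabel`, so a `v2` token fails authentication there even when the key is the same.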
--------------------------------------------------------------------------------

[L1]: https://en.wikipedia.org/wiki/Authenticated_encryption
[L2]: /topics/encrypted-token-migrations.html
[L3]: /topics/encryption-at-rest-migrations.html
[L4]: /topics/tls-migrations.html
[L5]: /topics/password-migrations.html
[L6]: /topics/general-migrations.html