ABSTRACT
Change is inevitable. As businesses adopted commercial cryptography as an important tool in protecting
information, they transitioned from either reliance solely on physical security measures or, more often,
reliance on no intentional protection to either a proprietary cryptographic process (e.g., PGP) or the then
newly established federal cryptographic standard: the Data Encryption Standard (DES). Cryptography,
however, always includes a balancing of efficient use with effective security. This means that cryptographic
techniques that provide computational efficiency sufficient to permit operational use in a commercial
setting will degrade in security effectiveness as computational power increases (a corollary to Moore’s Law).
Cryptographic protocols and algorithms may also fall prey to advances in mathematics and cryptanalysis.
Specific implementations believed secure when originally deployed may fail because of technological
obsolescence of hardware or software components on which they depended. New technologies may permit
previously infeasible attacks. Regardless of the specific reason, organizations will find it necessary to
transition from one cryptographic security solution to another at some point in their existence.