ABSTRACT
Change is inevitable. As businesses adopted commercial
cryptography as an important tool in protecting information,
they transitioned from either reliance solely on physical
security measures or, more often, reliance on no
intentional protection to either a proprietary cryptographic
process (e.g., PGP) or the then newly established federal
cryptographic standard: Data Encryption Standard (DES).
Cryptography, however, always includes a balancing of
efficient use with effective security. This means that cryptographic
techniques that provide computational efficiency
sufficient to permit operational use in a commercial setting
will degrade in security effectiveness as computational power
increases (a corollary to Moore’s law). Cryptographic
protocols and algorithms may also fall prey to advances
in mathematics and cryptanalysis. Specific implementations
believed secure when originally deployed may fail
because of technological obsolescence of hardware or software
components on which they depended. New technologies
may permit previously infeasible attacks. Regardless
of the specific reason, organizations will find it necessary
to transition from one cryptographic security solution to
another at some point in their existence.