Certified: The CISSP Prepcast

Welcome to The Bare Metal Cyber CISSP Prepcast. This series helps you prepare for the ISC squared CISSP exam with focused explanations and practical context.
In this episode, we’re exploring the Cryptographic Lifecycle—specifically focusing on Algorithms, their Strength, and the concept of Obsolescence. Cryptography is not a one-time implementation. It is an evolving system of tools, standards, and techniques that must be continuously evaluated to ensure long-term effectiveness. The choices you make today—about algorithms, key lengths, and cryptographic protocols—must account for tomorrow’s threats, standards, and attack capabilities.
As a future Certified Information Systems Security Professional, understanding how cryptography changes over time—and how to manage those changes across your organization—is essential. Whether you are responsible for selecting secure algorithms, rotating keys, upgrading software libraries, or planning for quantum-safe cryptography, your decisions will directly affect the integrity and confidentiality of critical systems and data.
Let’s begin with a high-level view of the cryptographic lifecycle. This lifecycle includes the selection, deployment, operation, review, and eventual retirement or replacement of cryptographic solutions. Each phase must be managed carefully, with proper documentation, testing, and controls, to ensure that cryptographic protections remain effective throughout their intended lifespan.
When we talk about lifecycle management in this context, we’re referring to more than just keys and certificates. We are also managing the algorithms themselves, their implementations, their interoperability with systems, and their ability to meet compliance and performance requirements.
Effective lifecycle management prevents the quiet decay of cryptographic protections. Without it, outdated algorithms may remain in use long after they are known to be vulnerable. Poorly managed keys may be used far beyond their intended lifespan. And systems relying on legacy cryptographic libraries may be silently exposing data to unnecessary risk.
When lifecycle practices are strong, the opposite occurs. Systems are proactively reviewed. Weaknesses are addressed early. Migration plans are in place. Teams know when to update, how to update, and what controls must be verified during each stage of the lifecycle.
Let’s now turn to the first critical stage: selecting cryptographic algorithms. This step requires careful thought. You must select algorithms that align with your organization’s security goals, compliance requirements, performance constraints, and expected lifespan.
Some of the most commonly used cryptographic algorithms include the Advanced Encryption Standard, often referred to as A E S, for symmetric encryption; the Rivest-Shamir-Adleman algorithm, known as R S A, for asymmetric encryption and digital signatures; Elliptic Curve Cryptography, or E C C, for high-efficiency key exchange and encryption; and Secure Hash Algorithm Two-Fifty-Six, also known as S H A Two-Fifty-Six, for hashing operations.
Each of these algorithms has different characteristics. For example, A E S is fast and efficient, and is ideal for encrypting large amounts of data. R S A supports secure key exchange and digital signatures but requires larger key sizes to maintain equivalent strength. E C C provides strong encryption with shorter keys, making it more suitable for mobile or resource-constrained devices. S H A Two-Fifty-Six is widely used for ensuring data integrity in digital signatures and file verification.
Algorithm selection must be based on current security strength and anticipated longevity. You should consider the key length required, the computational complexity of the algorithm, its approval by standards organizations such as N I S T, and its compatibility with the systems in your environment.
It is also important to consider compliance requirements. Regulatory frameworks such as P C I D S S, HIPAA, and F I P S often mandate specific algorithms or prohibit deprecated ones. Failing to comply with these standards can result in penalties, failed audits, or compromised security.
Regular algorithm reviews are part of good lifecycle management. Just because an algorithm is approved today does not mean it will remain secure next year. Threats evolve. New attack methods emerge. Computing power increases. Algorithms must be revisited periodically to ensure they remain fit for purpose.
Now let’s talk about cryptographic strength. This term refers to how resistant an algorithm is to being broken or bypassed using brute force, cryptanalysis, or other attack methods.
Strength is determined by a few key factors. The first is key length. In general, longer keys provide more combinations and therefore greater resistance to brute force attacks. For example, a one hundred twenty-eight bit key has significantly fewer possible combinations than a two hundred fifty-six bit key.
The second factor is algorithmic complexity. Some algorithms are inherently more secure because they use advanced mathematics, modular arithmetic, or elliptic curves. Others may be less secure due to weaknesses in their design or history of successful attacks.
The third factor is implementation quality. Even a strong algorithm can become weak if implemented poorly—such as through improper padding, insecure random number generation, or inadequate input validation.
Organizations must evaluate strength continuously. This includes staying informed of cryptographic research, monitoring for published vulnerabilities, and ensuring that software libraries are up to date. It also includes adapting to advances in computing. For example, as quantum computing becomes more practical, certain algorithms—particularly those used in asymmetric encryption—may become vulnerable.
Stronger algorithms support better data protection and make it easier to maintain compliance. But strength alone is not enough. The algorithms must be integrated correctly and maintained throughout their lifecycle.
For more cyber-related content and books, please visit cyberauthor dot me. You'll find best-selling books, training tools, and resources tailored specifically for cybersecurity professionals. You can also explore additional Prepcast episodes and CISSP certification materials at Bare Metal Cyber dot com.
Now let’s examine a critical challenge in lifecycle management—cryptographic obsolescence. Obsolescence occurs when an algorithm is no longer considered secure, has been officially deprecated, or can no longer meet regulatory requirements.
There are many examples of this. The M D Five algorithm, once widely used for hashing, is now considered broken due to collision attacks. The S H A One algorithm has also been phased out for similar reasons. The original Data Encryption Standard, known as D E S, was replaced by Triple D E S, and later by A E S, due to its short key length. Even older R S A key lengths—such as one thousand twenty-four bits—are no longer recommended.
When cryptographic solutions become obsolete, they must be replaced. This requires more than just flipping a switch. You need a migration plan. That plan should include identifying all affected systems, preparing new cryptographic modules, performing compatibility tests, and updating documentation.
Communication with stakeholders is essential. End users, application owners, compliance officers, and business leaders must understand the timing, impact, and rationale for the change. If done carelessly, a cryptographic upgrade can break interoperability, disrupt services, or reduce performance.
Migration procedures should include rollback capabilities and should follow change management protocols. Testing must confirm that the new implementation preserves confidentiality, integrity, authentication, and availability.
The longer obsolete algorithms remain in place, the greater the exposure. Attackers actively search for environments using outdated cryptography, and automated tools can easily identify weak certificate chains, insecure hash functions, or legacy protocols.
Let’s close with continuous improvement in cryptographic lifecycle management. This is not a static process. It must be informed by ongoing security assessments, industry developments, regulatory changes, and internal audit findings.
Start by reviewing lifecycle documentation regularly. Update cryptographic policies to reflect new algorithm recommendations, deprecations, and risk assessments. Include input from cryptographers, security architects, software engineers, and compliance professionals.
Use incident analyses to identify where cryptographic controls failed or performed inadequately. Was an expired certificate missed? Was a weak algorithm still enabled on a public-facing service? Use those lessons to refine your practices and strengthen your controls.
Schedule regular cryptographic audits. These should include key inventory checks, algorithm usage reports, certificate expiration tracking, and implementation reviews. Tools can help automate these processes and generate actionable insights.
Ensure cross-functional collaboration. Security teams must work with developers, operations staff, legal advisors, and auditors to maintain a coherent cryptographic strategy. Each group brings valuable perspective and ensures that cryptography is applied consistently.
Continue training. Keep your teams informed of the latest developments in cryptographic standards, tools, libraries, and threats. Encourage certifications, workshops, and simulations that improve hands-on skills and strategic thinking.
Be proactive. Plan for the adoption of post-quantum algorithms. Monitor emerging standards from N I S T and other governing bodies. Consider how changes in privacy laws, cloud infrastructure, and data localization might influence cryptographic decisions. Build an architecture that can adapt—not just survive.
Thank you for tuning into the CISSP Prepcast by Bare Metal Cyber. Visit baremetalcyber.com for additional episodes, comprehensive CISSP study resources, and personalized certification support. Enhance your understanding of Cryptographic Lifecycle Management, and we'll consistently support your journey toward CISSP certification success.