Zurück zur Startseite

Cryptographic Updates in Practice: Experiences, Processes, and Challenges

Published April 6, 2026 · Reading time approx. 6 minutes

Dr. Alexander Krause
Dr. Alexander Krause IT Security Consultant & Researcher at CISPA Helmholtz Center for Information Security

Cryptographic algorithms don't age gracefully. New attacks surface, standards get deprecated, regulations shift. Yet many development teams delay cryptographic updates for months or years. An interview study with 21 experienced software developers reveals why — and what needs to change.

The study was presented at USENIX Security 2025. Participants had between 3 and 40 years of professional experience. This isn't theory — it's hard-won knowledge from production systems.

What triggers a cryptographic update?

Few updates start proactively. External events set them in motion: a vulnerability goes public, a library reaches end of life, an audit flags outdated algorithms. Some teams only learn about issues from customers or business partners.

Regulatory pressure matters too. Standards like PCI DSS or government mandates force the switch to stronger algorithms — often with rigid deadlines that ignore technical complexity.

Proactive monitoring? Rare. Most interviewees described a reactive pattern. Teams act when external pressure leaves no other choice.

Six phases of a cryptographic update

The interviews reveal a recurring pattern. Cryptographic updates pass through six phases — though almost no team has formalized this process:

  1. Trigger: Something makes the update necessary (vulnerability, audit, regulation, library end-of-life).
  2. Objectives: What exactly needs to happen? Algorithm swap, key length increase, library migration?
  3. Planning: Map dependencies, clarify backward compatibility, set timelines.
  4. Implementation: The actual code changes — often far more work than anticipated.
  5. Quality assurance: Testing, reviews, validating cryptographic correctness.
  6. Rollout: Staged deployment, monitoring, fallback strategies.

Sounds straightforward. It isn't.

What are the 13 challenges that complicate cryptographic updates?

The study identifies 13 distinct challenges that complicate cryptographic updates. Three stand out.

Backward compatibility

The most prevalent problem by far. Swapping a cryptographic algorithm means ensuring that existing data, interfaces, and communication partners still work. Encrypted databases, signed documents, API connections to third parties — everything has to be considered at once.

One developer put it bluntly: you're not just replacing an algorithm. You're replacing an entire ecosystem.

Lack of cryptographic expertise

Even developers with decades of experience admitted to feeling uncertain about cryptographic decisions. The subject matter is deeply specialized. Which AES mode is appropriate? When is a key exchange protocol vulnerable? What are the security implications of choosing a particular curve?

The result: developers fall back on library defaults, copy code snippets from the internet, or ask colleagues who aren't crypto experts either. Mistakes propagate for years.

Poor documentation

Migration guides are missing or outdated. Libraries document their APIs but rarely explain the concrete migration path from a deprecated algorithm to a current one. Which parameters change? What pitfalls exist during the transition? These questions often go unanswered.

Further challenges

Beyond the top three, interviewees also reported:

  • Difficulty testing cryptographic correctness
  • Dependencies on third-party libraries and their update cycles
  • Internal resistance — why change something that works?
  • Coordination across distributed teams and organizational boundaries
  • Missing tooling for automated detection of outdated algorithms

Timelines: days to decades

The range is staggering. Simple library updates take days. Large-scale algorithm migrations in legacy systems can stretch across years. One participant described a migration project that ran for over a decade.

Duration depends on factors often outside the development team's control: number of affected systems, willingness of external partners to cooperate, available resources, regulatory transition periods.

Post-quantum cryptography: the next big disruption

Quantum computers will break asymmetric cryptographic schemes like RSA and ECC. Nobody knows exactly when — but migration needs to start now. NIST finalized its first post-quantum standards in 2024. Organizations face a daunting question: how do you migrate millions of lines of code to algorithms that almost nobody understands yet?

Interviewees rated the PQC transition as significantly harder than any previous cryptographic update. The new algorithms have different key sizes, different performance profiles, different memory and bandwidth requirements. Existing protocols and interfaces weren't designed for them.

If you're still running SHA-1 in production, ask yourself how realistic a timely PQC migration will be.

What systemic gaps exist in the industry?

The study reveals a pattern: cryptographic updates get treated like any other software change. There are no specialized processes, no systematic inventory of cryptographic dependencies, no formalized decision-making for algorithm selection.

What's missing:

  • Crypto inventory: Most organizations don't know which cryptographic algorithms are deployed where. Without this visibility, targeted migration is impossible.
  • Crypto agility: Software should be built so that cryptographic algorithms can be swapped without touching the entire codebase. In practice, that's rarely the case.
  • Clear ownership: Who makes cryptographic decisions? Often no one explicitly — responsibility diffuses.

What organizations should do now

The study offers concrete recommendations for development teams, standards bodies, and researchers. For organizations, three action areas emerge:

Conduct an inventory. Identify every cryptographic algorithm, library, and key across your systems. Document dependencies and communication partners. Without this inventory, any migration lacks a foundation.

Embed crypto agility as an architectural principle. Abstract cryptographic operations behind well-defined interfaces. When the next algorithm swap comes — and it will — it shouldn't require changes throughout the entire codebase.

Build or buy expertise. Cryptography demands specialized knowledge that most development teams lack. Internal training, external audits, or specialized consulting can close this gap.

This article is an AI-generated summary of the scientific publication "That's my perspective from 30 years of doing this: An Interview Study on Practices, Experiences, and Challenges of Updating Cryptographic Code" (USENIX Security 2025). The content has been editorially reviewed.

Want to future-proof your cryptographic implementations? Contact me for consulting, whether you need an inventory assessment or PQC migration planning.