#KEYMASTER: Uncovering Hidden Cryptography – How to Gain Full Visibility into Your Security Assets

Modern organizations rely heavily on cryptography to secure applications, networks, and data. Yet many companies still lack a clear inventory of the cryptographic assets running across their infrastructure.

In this #KEYMASTER session, Sven Rajala interviews Dr. Vladimir Soukharev, VP of Cryptography at InfoSec Global (part of Keyfactor), about how organizations can discover, analyze, and manage their cryptographic footprint more effectively.

The conversation highlights a major reality: most companies do not fully understand where or how cryptography is being used within their systems. Without proper visibility, organizations risk vulnerabilities, outages, and compliance issues.

Watch video on YouTube

Below is a summary of the key insights from the discussion.

The Challenge of Cryptographic Asset Discovery

Historically, organizations attempted to catalogue cryptographic assets manually. This approach is highly inefficient and almost guaranteed to miss large portions of the cryptographic footprint.

Manual processes can take months or even years and still result in an incomplete inventory. Instead, a combination of automated discovery methods is necessary. Effective strategies include:

• Network scanning to identify supported protocols and cipher suites
• Endpoint scanning using sensors or agents
• Source code analysis where code access is available
• Binary analysis for applications without accessible source code

Binary analysis is particularly important because organizations often run software from third-party vendors or legacy systems where the source code is unavailable. Hidden cryptographic implementations frequently reside in these binaries.

Detecting Shadow and Unknown Cryptography

One of the biggest risks in enterprise environments is shadow cryptography—cryptographic implementations that teams are unaware of or have not documented.

This often appears in:

• Legacy systems
• Third-party software
• Embedded cryptographic libraries
• Hardcoded implementations inside applications

Binary scanning can reveal unexpected algorithms or cryptographic standards that organizations did not knowingly deploy. In some cases, companies even discover foreign cryptographic algorithms embedded in software components from external vendors.

These discoveries raise important questions about software supply chains, security policies, and compliance requirements.

Turning Cryptographic Data into Risk Insights

Once cryptographic assets are discovered, the next challenge is understanding which issues matter most.

Security teams typically analyze multiple dimensions when evaluating risk:

• Algorithm strength and vulnerabilities
• Location of the asset within the infrastructure
• Criticality of the environment
• Implementation quality
• Key management practices

Correlation between assets is also critical. For example:

• Multiple systems sharing the same key unexpectedly
• Duplicate keys deployed across environments
• Certificates used in several applications without centralized management

These problems are not always cryptographic weaknesses themselves, but are often implementation and operational risks.

Common Cryptographic Misconfigurations

Several issues commonly appear during cryptographic scans:

1. Exposed Private Keys

Private keys stored outside secure keystores represent a serious security flaw—like writing a password on a sticky note.

2. Outdated Algorithms

Weak or deprecated algorithms may still exist in legacy systems.

3. Certificate Management Failures

Expired certificates can cause widespread service outages if organizations cannot quickly locate all instances of the certificate in their environment.

These operational issues can disrupt services even when no security breach has occurred.

Cryptography as a Malware Detection Signal

Interestingly, cryptographic inventory can also support malware threat detection.

Sophisticated attackers often plant malicious code gradually across systems, and these payloads frequently include cryptographic artifacts. By regularly scanning environments and monitoring changes, security teams can detect new cryptographic components appearing unexpectedly.

Sudden cryptographic changes may indicate the early stages of a malware deployment.

Automating Cryptographic Asset Management

Managing cryptography manually is not scalable. Automation and integrations are essential.

Organizations can improve operations by:

• Automatically creating incident tickets (for example in IT service management platforms) when critical vulnerabilities are detected
• Integrating cryptographic tools with PKI systems
• Automating key regeneration and algorithm and libraries replacement
• Enforcing policies across applications

The goal is to embed cryptography management directly into existing operational workflows.

The Importance of Crypto Agility

A major theme in the discussion is crypto agility—the ability to quickly change cryptographic algorithms, keys, or libraries across systems.

Many organizations currently rely on multiple cryptographic libraries due to:

• Different development teams
• Legacy applications
• Open-source dependencies
• Hardcoded cryptography in older codebases

Rather than forcing a single library everywhere, the more practical goal is to build infrastructure that enables rapid cryptographic updates.

Crypto agility allows organizations to:

• Replace vulnerable algorithms quickly
• Prepare for post-quantum cryptography
• Maintain centralized visibility and policy control

The Human Factor: Cryptography Expertise

Tools alone cannot solve cryptographic challenges. Organizations also need internal expertise.

Developers often implement cryptography without deep knowledge of cryptographic security principles. While an algorithm may technically encrypt data, it may still be broken or implemented incorrectly or insecurely.

Having at least a small number of skilled cryptography experts inside an organization helps ensure:

• Proper algorithm selection
• Secure implementation practices
• Effective policy enforcement

Key Takeaways

• Manual cryptographic inventories are ineffective—automated scanning across networks, endpoints, source code, and binaries is essential.
• Shadow cryptography is widespread, especially in third-party software and legacy systems.
• Binary analysis plays a critical role in uncovering hidden cryptographic implementations.
• Risk analysis must consider context, including asset location, key reuse, algorithm strength, and operational dependencies.
• Operational failures like expired certificates can be just as disruptive as security breaches.
• Cryptographic changes can signal malware activity, making regular scans valuable for threat detection.
• Automation and integrations are necessary for scalable cryptographic asset management.
• Crypto agility enables rapid response to vulnerabilities and prepares organizations for future cryptographic shifts such as post-quantum security.
• Human expertise still matters—organizations need cryptography specialists who understand both theory and real-world implementation risks.

Learn more

• #KEYMASTER: Understanding Cryptographic Posture Management and Asset Visibility
• #KEYMASTER: Looking Beyond the CBOM – Building Stronger Cryptographic Posture
• Learn more about Cryptographic Posture Management
• Keyfactor: Bringing Together the Best in Cryptographic Discovery
• NIST – Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography
• NIST – Considerations for Achieving Cryptographic Agility: Strategies and Practices