Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog

For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ hybrid key exchange used in the output, as shown following. To address some of these concerns, the Transport Layer Security (TLS) Protocol Version 1.3 draft (draft-ietf-tls-rfc8446bis), which is the draft update of TLS 1.3 (RFC 8446), introduces text about client and server behavior when choosing key exchange groups and the use of Keyshare values in Section 4.2.8. The TLS Key Share Prediction draft also tries to address the issue by providing DNS as a mechanism for the client to use a proper Keyshare that the server supports. In the example in Figure 1, the client advertises support for PQ-hybrid algorithms with ECDH curve P256 and quantum-resistant ML-KEM-768, ECDH curve P256 and quantum-resistant Kyber-512 Round 3, and classical ECDH with P256. The issue of potentially negotiating a classical key exchange although the client and server support quantum-resistant ones is discussed in the Security Considerations of the TLS Key Share Prediction draft (draft-davidben-tls-key-share-prediction). As another example, if you want to transfer a file over a quantum-resistant SFTP connection with AWS Transfer Family, you would need to configure a PQ cryptography SSH security policy on your AWS File Transfer SFTP endpoint (for example, TransferSecurityPolicy-2024-01) and enable quantum-resistant SSH key exchange in the SFTP client. AWS customers that want to take advantage of new quantum-resistant algorithms introduced in AWS services are expected to enable them on the client side or the server side of a customer-managed endpoint. If the AWS service has added quantum-resistant algorithms, it will honor a client-supported post-quantum key exchange even if that means that the handshake will take an extra round trip and the PQ-hybrid key exchange will include minor processing overhead (ML-KEM is almost performant as ECDH). Although one might assume that the P256+Kyber512 Keyshare could have been used for a quantum-resistant key exchange, the server can pick to negotiate only classical ECDH key exchange with P256, which is not resistant to a CRQC. To confirm that a server endpoint properly prioritizes and enforces the PQ algorithms, you can use an “old” client that sends a PQ-hybrid Keyshare value that the PQ-enabled server does not support. To confirm that a server endpoint properly implements the post-quantum hybrid key exchanges, you can use a modern client that supports the key exchange and connect against the endpoint. This generally allowed for faster TLS 1.3 handshakes that did not require an extra round-trip (HRR), but in the post-quantum scenario described earlier, it would mean the server does not negotiate a quantum-resistant algorithm even though both peers support it. Note that in SSH/SFTP, although the AWS server side will advertise the quantum-resistant schemes as higher priority, the client picks the key exchange algorithm. Figure 2 shows how a server can send a HelloRetryRequest (HRR) to the client in the previous scenario (Figure 1) in order to request the negotiation of quantum-resistant keys by using P256+Kyber512. For example, clients could perform an ECDH key exchange with curve P256 and post-quantum Kyber-768 from NIST’s PQC Project Round 3 (TLS group identifier X25519Kyber768Draft00) when connecting to AWS Certificate Manager (ACM), AWS Key Management Service (AWS KMS), and AWS Secrets Manager. During the migration phase, AWS services will mitigate the risks of these intricacies by prioritizing post-quantum algorithms for customers that advertise support for these algorithms—even if that means a small slowdown in the initial negotiation phase. In the example in Figure 1, the server could have been an early adopter of the post-quantum algorithm and added support for P256+Kyber512 Round 3. AWS services that have already adopted the behavior described in this post include AWS KMS, ACM, and Secrets Manager TLS endpoints, which have been supporting post-quantum hybrid key exchange for a few years already. In the post-quantum transition, we consider clients that advertise support for quantum-resistant key exchange to be clients that take the CRQC risk seriously. The client and server configured a priority for their algorithms of choice and they picked the more appropriate ones from their negotiated prioritized order. Thus, there is a paradigm shift that calls for a decision in the priority vendors should enforce on the client and server configurations regarding the “secure classical” or “secure post-quantum” algorithms. The client and server still do an ECDH key exchange, which gets combined with the KEM shared secret when deriving the symmetric key. This strategy combines the high assurance of a classical key exchange with the quantum-resistance of the proposed post-quantum key exchanges, to help ensure that the handshakes are protected as long as the ECDH or the post-quantum shared secret cannot be broken. Use the client P256 Keyshare to negotiate a classical key exchange, as shown in Figure 1. The AWS KMS and Secrets Manager documentation includes more details for using the AWS SDK to make HTTP API calls over quantum-resistant connections to AWS endpoints that support post-quantum TLS. So, a client that supports PQ cryptography would need to have the PQ algorithms configured with higher priority (as described in the Shared Responsibility Model). The client also sends a Keyshare value for classical ECDH with P256 and for PQ-hybrid P256+MLKEM768. In this blog post, we elaborate how customer compliance and security configuration responsibility will operate in the post-quantum migration of secure connections to the cloud. That will lead the server to request the client by means of an HRR to send a new ClientHello that includes P256+MLKEM768, as shown following.

This Cyber News was published on aws.amazon.com. Publication date: Thu, 03 Oct 2024 16:43:06 +0000


Cyber News related to Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog

Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
2 months ago Aws.amazon.com
Quantum computing: The data security conundrum - One of the biggest challenges of digital technology today is around security systems and data. While this has proven successful, advancements in quantum computing - which utilises quantum mechanics to solve complex problems faster than conventional ...
10 months ago Itsecurityguru.org
GCP to AWS migration: A Comprehensive Guide - Embarking on a GCP to AWS migration journey can be both exciting and challenging. Before we dive into the technical details, let's explore why businesses might consider migrating from GCP to AWS. While GCP offers a range of services, AWS boasts an ...
11 months ago Feeds.dzone.com
IBM Heron Quantum Chip, Quantum System Two - Next generation quantum processor dubbed 'Heron', and the modular IBM Quantum System Two unveiled by Big Blue. IBM has unveiled two new quantum developments, with a new series of utility-scale processors housed within a modular quantum system. At its ...
1 year ago Silicon.co.uk
Quantum computing will enable a safer, more secure world - Today's media narrative around quantum computing's role in cybersecurity is overwhelmingly negative, because quantum computers will render today's encryption standards redundant, leaving much of our data at risk of being decoded. First, it's ...
11 months ago Cybersecurity-insiders.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
DORA and your quantum-safe cryptography migration - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. New requirements for financial entities in the EU. DORA lays out a set of requirements across ICT risk management, incident ...
10 months ago Securityintelligence.com
Getting your organisation post-quantum ready - While quantum computing is still very much in its early stages, it's important that companies are already thinking about this evolving technology - and more importantly implementing and stress testing much needed solutions suitable for a post-quantum ...
1 year ago Cybersecurity-insiders.com
It's time to bolster defenses for an AI / Quantum Future - The rapid advances we are seeing in emerging technologies like AI, ML and quantum computing will have a devastating impact on organizations not prepared and who have not considered updating existing modes of asymmetric data encryption. Quantum is ...
10 months ago Cybersecurity-insiders.com
Post-Quantum Cryptography Alliance Launches to Advance Post-Quantum Cryptography - PRESS RELEASE. SAN FRANCISCO, Feb. 6, 2024 /PRNewswire/ - The Linux Foundation is excited to announce the launch of the Post-Quantum Cryptography Alliance, an open and collaborative initiative to drive the advancement and adoption of post-quantum ...
10 months ago Darkreading.com
CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent - CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor. These accomplishments demonstrate our ...
1 year ago Crowdstrike.com
Achieving Continuous Compliance - If you've ever explored regulatory compliance and cybersecurity, you'll understand the importance of continuous compliance in the digital age, where evolving technology and regulations require constant vigilance. This article will cover the ...
1 year ago Feeds.dzone.com
Tech Giants Form Post-Quantum Cryptography Alliance - The Linux Foundation today announced the launch of the Post-Quantum Cryptography Alliance, an initiative to advance and drive the adoption of post-quantum cryptography. Founded by AWS, Cisco, IBM, IntellectEU, Nvidia, QuSecure, SandboxAQ, and the ...
10 months ago Securityweek.com
Safeguard Your Network in a Post-Quantum World - There is an imminent threat to existing cryptography with the advent of quantum computers. A quantum computer works with qubits, which can exist in multiple states simultaneously, based on the quantum mechanical principle of superposition. Thus, a ...
10 months ago Feedpress.me
Shaping the Future of Finance: The Cisco and AWS Collaboration in EMEA - The collaboration between Cisco and Amazon Web Services in the Europe, Middle East, and Africa region-combining each company's market leading strengths-continues to deliver impressive outcomes for our customers, notably within the Financial Services ...
1 year ago Feedpress.me
How Communications Companies Can Prepare for Q-Day - After a grueling eight years of testing, the National Institute of Standards and Technology (NIST) has finalized the first three algorithms that will form the backbone of the world's strategy to counter the potential threats of quantum ...
2 months ago Darkreading.com
What You Need to Know to Embrace the Imminent Quantum Shift for Your Cryptography Future - Cryptography has long been essential in ensuring the protection of data and communication networks. Remaining reliant on outdated cryptographic standards certainly adds to the dangers of compromise. As we usher in an era of cloud-scaling and quantum ...
9 months ago Cyberdefensemagazine.com
Leveraging Automation for Risk Compliance in IT - Organizations often encounter the challenge of managing complex technology ecosystems while ensuring data security, compliance, and risk management. One crucial aspect of this challenge is risk compliance in IT environments, specifically Linux ...
1 year ago Securityboulevard.com
Creating a New Market for Post-Quantum Cryptography - A day in the busy life of any systems integrator includes many actions that revolve around the lifeblood of its business - its customers. Systems integrators help solve evolving customer business challenges, which in turn adds partner value. It's a ...
1 year ago Securityboulevard.com
E-commerce Security: Protecting Customer Data - In today's digital landscape, ensuring the security of customer data in e-commerce is a crucial concern for businesses. Protecting e-commerce data security is a complex task that requires a comprehensive understanding of the challenges faced by ...
10 months ago Securityzap.com
Preparing for Q-Day as NIST nears approval of PQC standards - Q-Day-the day when a cryptographically relevant quantum computer can break most forms of modern encryption-is fast approaching, leaving the complex systems our societies rely on vulnerable to a new wave of cyberattacks. While estimates just a few ...
5 months ago Helpnetsecurity.com
Preparing for Q-Day as NIST nears approval of PQC standards - Q-Day-the day when a cryptographically relevant quantum computer can break most forms of modern encryption-is fast approaching, leaving the complex systems our societies rely on vulnerable to a new wave of cyberattacks. While estimates just a few ...
5 months ago Helpnetsecurity.com
AWS CloudQuarry: Digging for Secrets in Public AMIs - Money, secrets and mass exploitation: This research unveils a quarry of sensitive data stored in public AMIs. As a best practice, AMI creators should not include credentials, including AWS account credentials, in published AMIs. We wanted to scan all ...
7 months ago Packetstormsecurity.com
How to Get PCI Compliance Certification? Steps to Obtain it - To mitigate the risk of such breaches, PCI compliance establishes stringent security protocols. In this blog let's understand how to get PCI Compliance certification. PCI DSS is a security standard for card transactions, which includes detailed ...
7 months ago Securityboulevard.com
Weekly Blog Wrap-Up - Welcome to the TuxCare Weekly Blog Wrap-Up - your go-to resource for the latest insights on cybersecurity strategy, Linux security, and how to simplify the way your organization protects its data and customers. At TuxCare, we understand the ...
11 months ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)