Amazon Web Services has started to introduce quantum-resistant key exchange in transport protocols used by customers for long-term confidentiality. In this transition, AWS will prioritize quantum-resistant algorithms over classical ones, even if that means the introduction of a small delay to the connection. Customers must configure or use clients that negotiate the algorithms they prefer and trust when connecting to AWS services. AWS operators are responsible for enabling priority for modern algorithms in connections to their services.
Migrating to post-quantum cryptography involves introducing post-quantum hybrid key exchanges in protocols like TLS 1.3 or SSH/SFTP, and AWS is in the process of making this migration for network connections to its services. The new cryptographic algorithms are designed to protect against a future cryptanalytically relevant quantum computer (CRQC), which could threaten the algorithms we use today.
Figure 1 shows a client sending Keyshare values for classical ECDH with P256 and for the PQ-hybrid P256+MLKEM768. Now suppose the server supports ECDH curve P256 and PQ-hybrid P256+Kyber512, but not P256+MLKEM768. Because the server does not support ML-KEM, it selects the classical ECDH key exchange with P256. In cases like this, where the client and server don't deploy the same algorithms, the connection won't fail, but it will use classical-only algorithms.
During the migration phase, AWS services will prioritize PQ hybrid algorithms for customers that advertise support for these algorithms, even if that means a small slowdown in the initial negotiation phase. While in the post-quantum migration phase, customers who choose to enable quantum-resistance have made a choice which shows that they consider the CRQC risk as important. AWS will honor the customer’s choice, assuming that quantum resistance is supported on the server side.
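The selection behaviour described in the two paragraphs above, as an added Python sketch that is not from AWS or the original post: it models only the server's choice of key exchange group, using the text's own labels (P256, P256+MLKEM768, P256+Kyber512) rather than IANA names. The function names, the constructed scenarios, and the mapping of the "small slowdown" to a TLS 1.3 HelloRetryRequest round trip are assumptions of this example.

```python
# Added illustration: models only group selection, not a real TLS stack.
# Group labels are the ones used in the text, not IANA registry names.
PQ_HYBRID = {"P256+MLKEM768", "P256+Kyber512"}  # groups treated as quantum-resistant


def select_group(client_groups, client_key_shares, server_groups):
    """Return (group, needs_retry, quantum_resistant), or None if no common group.

    client_groups: groups the client advertises, in client preference order.
    client_key_shares: subset of client_groups sent with a Keyshare value.
    server_groups: groups the server supports.
    """
    mutual = [g for g in client_groups if g in server_groups]
    if not mutual:
        return None  # nothing in common at all: the handshake cannot proceed
    # Server policy from the text: a mutually supported PQ hybrid wins over
    # classical groups, even when the client sent no Keyshare for it.
    hybrids = [g for g in mutual if g in PQ_HYBRID]
    candidates = hybrids or mutual
    # Within the chosen class, prefer a group that already has a Keyshare,
    # so the extra round trip is only paid when it buys quantum resistance.
    with_share = [g for g in candidates if g in client_key_shares]
    group = (with_share or candidates)[0]
    # TLS 1.3 (RFC 8446): selecting a group without a Keyshare forces a
    # HelloRetryRequest, which costs one extra round trip.
    needs_retry = group not in client_key_shares
    return group, needs_retry, group in PQ_HYBRID


def audit(label, result):
    """One-line verdict a defender could log per client/server profile."""
    if result is None:
        return f"{label}: FAIL no common group"
    group, retry, pq = result
    status = "quantum-resistant" if pq else "CLASSICAL-ONLY"
    return f"{label}: {group} ({status}{', extra round trip' if retry else ''})"


if __name__ == "__main__":
    # Constructed scenarios. The first is the mismatch described in the text.
    client = ["P256+MLKEM768", "P256"]
    print(audit("mismatch", select_group(client, set(client), {"P256", "P256+Kyber512"})))
    print(audit("both-mlkem", select_group(client, set(client), {"P256", "P256+MLKEM768"})))
    print(audit("no-pq-share", select_group(client, {"P256"}, {"P256", "P256+MLKEM768"})))
```

The first scenario is the case to watch for when auditing: the handshake succeeds without any error, so only the negotiated group reveals that the connection is classical-only.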
Technical details for developers are provided, such as how to verify post-quantum key exchanges, how to transfer a file over a quantum-resistant SFTP connection with AWS Transfer Family and more. AWS customers are expected to enable new quantum-resistant algorithms introduced in AWS services on the client side or the server side of the customer-managed endpoint.
Cryptographic migrations can introduce intricacies to cryptographic negotiations between clients and servers. During the migration phase, AWS services will mitigate the risks of these intricacies by prioritizing post-quantum algorithms for customers that advertise support for these algorithms. AWS customers are responsible for enabling quantum-resistant algorithms or having these algorithms enabled by default in their applications that connect to AWS.
The Shared Responsibility Model can help relieve the customer's operational burden, as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Customers must use clients that enable algorithms and negotiate cryptographic ciphers when connecting to AWS. It is the responsibility of the customer to configure or use clients that only negotiate the algorithms the customer prefers and trusts when connecting. AWS provides Customer Compliance Guides (CCGs) to help customers, partners, and auditors understand how compliance requirements map to AWS service security recommendations.
Incidents like the SolarWinds hack, in which attackers compromised the company's Orion monitoring tool in order to penetrate sensitive government agencies and organizations, illustrated the role that external suppliers can play and the importance of guarding the supply chain against sophisticated cyber attacks.
If you have feedback or questions about this post, submit comments in the Comments section or contact AWS Support. AWS PQC efforts are open and transparent; for more details, refer to our PQC page.