It's 2058. A quantum computer is just another decade away. Still, you curse Cloudflare
Assuming this Kyber TLS stuff works as expected
Cloudflare is the first major internet infrastructure provider to support post-quantum cryptography for all customers, which, in theory, should protect data if quantum computing ever manages to break today's encryption technologies.
Starting today all websites and APIs served through Cloudflare support post-quantum TLS based on the Kyber hybrid key agreement. Specifically, the new beta service supports the X25519Kyber512Draft00 and X25519Kyber768Draft00 key agreements using TLS identifiers 0xfe30 and 0xfe31, respectively.
The service is free, and it's on by default — so no need for customers to opt in. It's a hybrid key agreement in that it combines X25519, which is used in TLS 1.3 but still vulnerable to future quantum attacks, and the new, post-quantum Kyber512 and Kyber768.
"That means that even if Kyber turns out to be insecure, the connection remains as secure as X25519," Cloudflare researchers Bas Westerbaan and Cefan Daniel Rubin explained.
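As an added illustration (not Cloudflare's code), the following Python snippet parses the TLS 1.3 supported_groups and key_share extension bodies of a ClientHello and flags the 0xfe30/0xfe31 hybrid groups named above, so an operator can tell from a capture whether a client is offering the post-quantum hybrids. The ClientHello fragments are constructed here; the Kyber768 public-key size (1184 bytes, giving a 1216-byte hybrid share) comes from the Kyber specification rather than from this article, and zero bytes stand in for real key material.

```python
from __future__ import annotations
import struct

# 0xfe30/0xfe31 are the draft hybrid identifiers cited in the article;
# 0x001d (x25519) and 0x0017 (secp256r1) are the standard RFC 8446 values.
PQ_HYBRID_GROUPS = {0xfe30, 0xfe31}

def parse_supported_groups(body: bytes) -> list[int]:
    """Body of a supported_groups extension (RFC 8446 4.2.7):
    2-byte list length followed by 2-byte NamedGroup code points."""
    (length,) = struct.unpack("!H", body[:2])
    if length + 2 != len(body) or length % 2:
        raise ValueError("malformed supported_groups extension")
    return [g for (g,) in struct.iter_unpack("!H", body[2:])]

def parse_key_share(body: bytes) -> list[tuple[int, int]]:
    """ClientHello key_share body (RFC 8446 4.2.8): 2-byte total length,
    then entries of (group, 2-byte key length, key). Returns (group, len)."""
    (total,) = struct.unpack("!H", body[:2])
    if total + 2 != len(body):
        raise ValueError("malformed key_share extension")
    entries, pos = [], 2
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated key_share entry")
        group, klen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4 + klen
        if pos > len(body):
            raise ValueError("key_share entry overruns extension")
        entries.append((group, klen))
    return entries

def offers_pq_hybrid(groups) -> bool:
    """True if the client offers either draft X25519+Kyber hybrid group."""
    return bool(PQ_HYBRID_GROUPS & set(groups))

def build_supported_groups(groups) -> bytes:
    payload = b"".join(struct.pack("!H", g) for g in groups)
    return struct.pack("!H", len(payload)) + payload

def build_key_share(entries) -> bytes:
    payload = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in entries)
    return struct.pack("!H", len(payload)) + payload

# Constructed sample ClientHello fragments: hybrid first, classical fallback.
# A Kyber768 public key is 1184 bytes (Kyber spec, not the article), so the
# X25519Kyber768Draft00 share is 32 + 1184 = 1216 bytes; zeros stand in here.
SAMPLE_GROUPS = build_supported_groups([0xfe31, 0x001d, 0x0017])
SAMPLE_KEY_SHARE = build_key_share([(0xfe31, bytes(1216)), (0x001d, bytes(32))])
```

The key_share lengths make the size difference concrete: a classical x25519 share is 32 bytes, while the hybrid share is well over a kilobyte, which is the kind of larger key the article says can confuse middleboxes.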
Kyber, so far, is the only key agreement that the US National Institute of Standards and Technology (NIST) has officially selected for standardization. NIST plans to finalize this standardization in 2024, and there may be new standards to come.
This, in part, is why Cloudflare is only offering this as a beta service: Kyber will likely change in backwards-incompatible ways before it's finalized, and the integration with TLS hasn't been finalized by the TLS working group, either.
In their blog post, Westerbaan and Rubin pledged to post updates on Cloudflare's post-quantum key agreement support on pq.cloudflareresearch.com and announce it on the IETF PQC mailing list.
Carry on up the Kyber
While quantum computers' ability to crack classic cryptography is still years away — from 15 to 40 years [PDF] in the future to possibly never, depending on who you believe — when and if these machines become powerful enough to decrypt anything on the Internet they will be able to expose state secrets in seconds.
Some infosec and technology consultants have warned that China and others are stealing data now to decrypt later, when quantum computing matures enough to do so.
However, as Cloudflare's researchers outline, deploying post-quantum cryptography comes with risks, too. For starters, it's brand-new cryptography, and sometimes new things that haven't been tested for years break. Case in point: the roll-out of TLS 1.3, which didn't go as smoothly as planned.
"Even though the protocols used to secure the Internet are designed to allow smooth transitions like this, in reality there is a lot of buggy code out there: trying to create a post-quantum secure connection might fail for many reasons — for example a middlebox being confused about the larger post-quantum keys and other reasons we have yet to observe because these post-quantum key agreements are brand new," Westerbaan and Rubin said.
"It's because of these issues that we feel it is important to deploy post-quantum cryptography early, so that together with browsers and other clients we can find and work around these issues," they added.
By deploying well ahead of 2024, Cloudflare and others should have sufficient time to work out any kinks and protect data from quantum attacks, we're told.
Gartner's Mark Horvath, a senior director with the analyst firm, said the move is a "big help" to the industry, "and a great step forward for moving toward a quantum-safe future."
"Post-quantum encryption is expected to have a huge impact on infrastructure, operations and data security over the next decade, and testing protocols like TLS at realistic speeds and volumes helps the industry move forward in a smooth way," Horvath told The Register.
"While dual-signed certificates and other support for post-quantum operations have been introduced occasionally in the past, it's only now that the NIST contest is reaching the standardization phase that we have real tools to work with on issues like protocols that have a huge future impact." ®