Welcome to the 14th edition. Let’s dive into the content…
Bring-Your-Own PQC for TLS Connections
OpenSSL is now post-quantum ready! 🥳
In the latest release (v3.2.0), the OpenSSL team added support for provider-based pluggable signature algorithms in TLS 1.3, with matching X.509 and CMS support. This allows third-party providers, such as the Open Quantum Safe project's oqs-provider, to implement post-quantum signature algorithms (e.g. Dilithium) that OpenSSL then uses for certificates and handshake signatures.
Earlier releases had already made key establishment pluggable, so a provider can supply its own key encapsulation mechanisms (KEMs) and TLS groups. This is where algorithms like Kyber are introduced.
Add these two together and the world's most widely used TLS library can now negotiate a fully post-quantum handshake: a PQ KEM for key exchange and a PQ signature for authentication.
Once these algorithms are finalised (NIST has published draft standards for Kyber and Dilithium as FIPS 203 and FIPS 204), we can expect the OpenSSL team to implement them natively in the project. Until then, these recent changes allow early deployment and interoperability testing, with one caveat: the algorithm identifiers and TLS codepoints for the post-quantum schemes are still provisional, so both peers must load a provider that agrees on them.
Quantum-Safe, but Mega Risky
Are stateful hash-based signatures a ticking time bomb?
At the recent PKI Consortium PQC conference, NIST acknowledged they had received a lot of strong feedback since stateful signatures were recommended in CNSA 2.0.
As a reminder, CNSA stands for the Commercial National Security Algorithm suite: the NSA's list of cryptographic algorithms approved for operators of national security systems.
In September 2022, NSA published CNSA 2.0. It recommends the stateful hash-based schemes LMS and XMSS for firmware and software signing. The benefit of these schemes is that they are already standardised (NIST SP 800-208, together with RFC 8554 for LMS and RFC 8391 for XMSS) and quantum-safe.
(Yes - some folks may not realise we do have some already standardised quantum-safe algorithms.)
So why are we still concerned? Because stateful schemes behave very differently from normal signature algorithms. With a normal scheme, you generate a key and use it for as long as NIST's cryptoperiod guidance allows (typically 1-2 years, depending on key type and use case), signing as many messages as you like in that time.
With a stateful scheme, one public key is backed by a large but finite set of one-time signing keys, each of which may be used exactly once. The state is simply the index of the next unused one-time key. Reusing a one-time key leaks private-key material: a single reuse already hands an attacker a large part of that one-time key, and a handful of reuses is enough to forge signatures under your public key.
It is therefore critical to prevent accidental or malicious alteration of the state; a rolled-back VM snapshot, a restored backup, or a crash between signing and committing the new index is all it takes. This is why NIST SP 800-208 requires these keys to be generated and used inside a hardware cryptographic module that updates the state before it releases a signature. It is also why you will struggle to back up the device or make it highly available: two copies of the key with separately tracked state will eventually sign with the same index, and the only safe way to spread a key across devices is to give each one its own subtree of a multi-tree (HSS or XMSS^MT) key.
Couple this with the fact that a key can only ever produce a fixed number of signatures (2^h for a tree of height h, chosen at key-generation time) and you've got a brittle, semi-dangerous system: once the index reaches the end, the key is dead and nothing can revive it.
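To make the failure mode concrete, here is an added example (not code from the newsletter, NIST or any library) of a toy stateful scheme in Python: Lamport one-time keys under a height-3 Merkle tree. Real LMS and XMSS use Winternitz (WOTS+) chains instead of plain Lamport keys and far larger trees, so the numbers differ, but the state rule is identical. The tree height of 3 is an assumption for brevity, the seed and the "firmware" messages are constructed for the demo, and the scenario in `demo()` (a signer whose state was restored from a stale backup and so reused index 0 twelve times) is hypothetical.

```python
import hashlib
# Added example, not code from the newsletter, NIST or any library, and NOT LMS/XMSS:
# a toy stateful hash-based signature (Lamport one-time keys under a Merkle tree) that
# only shows the state rule and what an attacker gets when an index is reused.
HEIGHT = 3          # assumption: 2**HEIGHT one-time keys, i.e. 8 signatures per public key, ever
BITS = 256          # Lamport signs each bit of a 256-bit digest

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]

def ots_keygen(seed, index):
    # Two secret preimages per digest bit, all derived from one (constructed) master seed.
    sk = [[H(seed, index.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))
           for b in (0, 1)] for i in range(BITS)]
    return sk, [[H(x) for x in pair] for pair in sk]

def ots_leaf(pk):
    return H(*[x for pair in pk for x in pair])

def ots_sign(sk, msg):
    # Signing reveals one of the two preimages for every bit: half the one-time key per use.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def ots_verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

class StatefulSigner:
    """One public key (the Merkle root) backed by 2**HEIGHT one-time keys."""
    def __init__(self, seed):
        self.keys = [ots_keygen(seed, i) for i in range(2 ** HEIGHT)]
        self.levels = [[ots_leaf(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]
        self.next_index = 0     # THE state; in a real deployment it lives inside the HSM

    def auth_path(self, index):
        path = []
        for lvl in self.levels[:-1]:
            path.append(lvl[index ^ 1])
            index //= 2
        return path

    def sign(self, msg):
        if self.next_index >= 2 ** HEIGHT:
            raise RuntimeError("key exhausted: every one-time key has been used")
        index = self.next_index
        self.next_index += 1    # advance (and persist) the state BEFORE releasing the signature
        sk, pk = self.keys[index]
        return index, ots_sign(sk, msg), pk, self.auth_path(index)

def verify(root, msg, sig):
    index, ots_sig, pk, path = sig
    if not ots_verify(pk, msg, ots_sig):
        return False
    node = ots_leaf(pk)
    for sibling in path:
        node = H(node, sibling) if index % 2 == 0 else H(sibling, node)
        index //= 2
    return node == root

def forge_after_reuse(root, observed, target, max_tries=1 << 20):
    """Attacker: pool the preimages revealed by valid signatures that all used the SAME
    index, then find a variant of `target` whose digest needs only those bits, and sign it."""
    index, _, pk, path = observed[0][1]
    known = [{} for _ in range(BITS)]
    for msg, (_, ots_sig, _, _) in observed:
        for i, b in enumerate(digest_bits(msg)):
            known[i][b] = ots_sig[i]
    for nonce in range(max_tries):
        m = target + b" build " + str(nonce).encode()
        bits = digest_bits(m)
        if all(b in known[i] for i, b in enumerate(bits)):
            sig = (index, [known[i][b] for i, b in enumerate(bits)], pk, path)
            assert verify(root, m, sig)
            return m, sig
    return None

def demo():
    signer = StatefulSigner(b"constructed demo seed, not a real key")
    ok = verify(signer.root, b"firmware v1", signer.sign(b"firmware v1"))
    for _ in range(2 ** HEIGHT - 1):
        signer.sign(b"firmware update")        # keys 1..7 spent
    try:
        signer.sign(b"one too many")
        exhausted = False
    except RuntimeError:                       # a correct signer refuses rather than reuse
        exhausted = True
    # Hypothetical faulty deployment: state restored from a stale backup, so one-time key 0
    # ends up signing twelve different images; each use leaks half of that key.
    sk, pk = signer.keys[0]
    observed = [(m, (0, ots_sign(sk, m), pk, signer.auth_path(0)))
                for m in (b"firmware v%d" % i for i in range(1, 13))]
    forged = forge_after_reuse(signer.root, observed, b"backdoored firmware")
    return {"root": signer.root, "ok": ok, "exhausted": exhausted, "forged": forged}
```

Call `demo()`: the honest signature verifies, the signer refuses a ninth signature, and `forge_after_reuse` returns a valid signature on a "backdoored firmware" image that was never legitimately signed. With only two reuses the attacker holds both preimages at about half of the bit positions and would have to search for a message whose digest matches the other half; every additional reuse halves the number of unknown positions, which is why twelve reuses make the search instant.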
For this reason, I imagine a lot of vendors will hold off implementing these algorithms and wait for Dilithium and SPHINCS+ to be standardised.
If you decide to go ahead with these algorithms, be careful!
Taking QKD to New Heights
This is cool. Spain is building a geostationary QKD network.
Most plans for satellite QKD networks involve low-earth-orbit (LEO) assets, which move relative to the ground. The challenge for these systems is exchanging enough key material during the few minutes a satellite is visible as it zooms over a ground station.
It's much cheaper to fling devices into lower orbits (roughly 100-1,000 miles up) than into geostationary orbit (22,300 miles). However, the benefits of geostationary assets could be considerable.
Three equally spaced geostationary satellites can cover almost all of the Earth's surface (the polar regions excepted). And because they are stationary relative to the Earth, a ground station can keep a fixed telescope pointed at one and hold the link continuously, instead of tracking a fast-moving pass. The price is a much longer free-space path, which means more photon loss and lower raw key rates than a LEO link.
The project is called Caramuel and is led by HISPASAT and supported by a who's who of major Spanish companies. You can read their press release here.
I will be watching this project with interest!
Thank you to Jaime Gómez García, who was kind enough to share this project with me. Banco Santander is one of the participants in the project.
I am intrigued by the Spanish QKD via geo satellites. I will watch this with interest.
The stateful hash-based signatures are a ticking time bomb. As NIST SP 800-208 states, they must be implemented in HSMs, and the keys cannot be exported (aka backed up). This means that long-life firmware signing keys are at risk when the HSM that they were created in fails due to age. I really hope that stateful HBS go away once the other quantum-resistant signature schemes are standardized.