Protecting Apps on IBM Cloud with Quantum-Safe Cryptography


Quantum computing promises to solve complex problems even the world’s most powerful supercomputers cannot solve today.

At the same time, as highlighted by the World Economic Forum in this article, “the power of quantum computers creates an unprecedented threat to the security of our data through its potential to break the cryptography that underpins our digital ecosystem.”

Once large-scale quantum computers are available, they pose the risk of breaking the public-key cryptography systems in use today. To protect against this risk, IBM has developed a clear strategic agenda that includes the research, development, and standardization of core quantum-safe cryptography algorithms in open projects such as CRYSTALS and Open Quantum Safe.

One of the most popular and widely used public-key cryptography systems is Transport Layer Security (TLS), which protects data sent over the network. While TLS connections today are well suited to protecting access to cloud applications over the Internet, an attacker able to access the network traffic could record it now and potentially decrypt it in the future, once quantum computers are available. Such an attack targets the phase of TLS connection establishment in which the two parties agree on a session key through a key exchange: breaking that exchange reveals the session key that protects the rest of the connection. To mitigate this risk to data sent over TLS, quantum-safe-crypto (QSC) key exchange mechanisms (KEM) such as KYBER can be used during the session key establishment of a TLS connection.

Protect your cloud native apps on IBM Cloud from quantum risk

IBM Cloud has market-leading data protection capabilities that help protect data-at-rest using a Keep Your Own Key (KYOK) key management solution with IBM Cloud Hyper Protect Crypto Services, data-in-use using confidential computing capabilities with IBM Cloud Data Shield and IBM Cloud Hyper Protect services, and data-in-transit where TLS connections can be offloaded to Hyper Protect Crypto services.

Extending this security leadership to address threats of the future, IBM Cloud is enabling QSC support in TLS connections to cloud native applications. When cloud native containerized applications run on Red Hat OpenShift on IBM Cloud or IBM Cloud Kubernetes Service, TLS connections are handled by an HAProxy router in Red Hat OpenShift deployments, and by an ingress controller in Kubernetes deployments.

To enable these apps with QSC protected access to clusters in the IBM Cloud, IBM has implemented a custom ingress controller for IBM Cloud Kubernetes Service and a custom router for Red Hat OpenShift on IBM Cloud (managed OpenShift). With these technologies, clients can access their clusters benefiting from QSC-protected TLS session key establishment, while not having to do any code change to their application logic.


The custom ingress controller for IBM Cloud Kubernetes Service and the custom router for Red Hat OpenShift terminate TLSv1.3 connections from a QSC-enabled application client and remain fully backward compatible with non-QSC clients. This approach lets network connections use QSC KEM algorithms for session key establishment and also offers hybrid QSC/non-QSC session key establishment, in which a classical key exchange and a QSC KEM are combined so that the session key stays protected as long as either of the two is unbroken. This hybrid mode of QSC enablement in TLS offers a way to prepare for the future and take a staged transition to QSC operation.
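To make the hybrid mode concrete, here is an added Python illustration (not IBM's code and not how the custom router is implemented) of how a hybrid shared secret feeds the TLS 1.3 key schedule: it assumes the concatenation approach of the IETF hybrid key exchange draft (classical secret followed by the KEM secret), and the X25519 and Kyber secrets it uses are constructed stand-ins rather than real key-exchange output.

```python
import hashlib
import hmac

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """TLS 1.3 Derive-Secret: expand with the transcript hash as context."""
    return hkdf_expand_label(secret, label, hashlib.new(HASH, transcript).digest(), HASH_LEN)


def hybrid_shared_secret(classical_ss: bytes, qsc_ss: bytes) -> bytes:
    """Hybrid key establishment (assumed: IETF hybrid design draft): the classical
    and QSC shared secrets are concatenated, so the input to the key schedule stays
    secret as long as either key exchange is unbroken. Order is part of the contract."""
    return classical_ss + qsc_ss


def handshake_secret(shared_secret: bytes) -> bytes:
    """TLS 1.3 key schedule up to the Handshake Secret, without a PSK."""
    early_secret = hkdf_extract(b"\x00" * HASH_LEN, b"\x00" * HASH_LEN)
    derived = derive_secret(early_secret, b"derived", b"")
    return hkdf_extract(derived, shared_secret)  # Handshake Secret = Extract(derived, (EC)DHE || KEM)


def demo() -> bytes:
    # Constructed stand-ins for the 32-byte X25519 and Kyber shared secrets.
    x25519_ss = hashlib.sha256(b"constructed x25519 shared secret").digest()
    kyber_ss = hashlib.sha256(b"constructed kyber shared secret").digest()
    return handshake_secret(hybrid_shared_secret(x25519_ss, kyber_ss))
```

Everything derived after the Handshake Secret (handshake and application traffic keys) depends on this value, which is why protecting the key exchange protects the whole connection against later decryption of recorded traffic.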

Note: IBM allows you to bring your own ingress controller, but IBM does not provide support for your ingress deployment. QSC integration is currently a technology preview with further offering integration and support to follow.

How can I get started?

To get started with quantum-safe cryptography for cloud native apps on IBM Cloud, you can refer to this page for details about the deployment pattern, technology implementation, and configuration details. 

We are also applying QSC support to protect the TLS communication with IBM Key Protect key management services. With this support, the encryption key lifecycle operations and APIs can be protected against quantum risk. You can get more details about this QSC support in Key Protect.

With these new quantum-safe cryptography capabilities, combined with the comprehensive set of data security capabilities already available, IBM Cloud provides a rich set of industry-leading data security options, while providing the best developer experience in building and managing cloud native applications.
