Post-Quantum Cryptography (PQC)

Configuring IBM Verify Identity Access to use Post-Quantum Cryptography.

Quantum computing poses a risk to classical cryptographic algorithms. Widely adopted public key cryptography standards are expected to become vulnerable within the next several years. In response to this emerging threat, the U.S. National Institute of Standards and Technology (NIST) has evaluated and selected several quantum-resistant algorithms for various use cases. These algorithms are collectively referred to as post-quantum cryptography (PQC).

For more information about Post-Quantum Cryptography, see Security in the quantum computing era.

PQC is configured separately for each component of IBM Verify Identity Access.

Reverse Proxy

  • TLS Connections

    The reverse proxy uses PQC as part of the TLS 1.3 key agreement. PQC can be configured independently for connections between clients and the reverse proxy, and for connections between the reverse proxy and junctioned servers.

    The following table shows the PQC configuration entries for various connection types:

    Table 1. PQC Configuration

    Connection Type                              Configuration Entries
    -------------------------------------------  ------------------------------------------------------------------------
    Reverse Proxy Listen Sockets                 [ssl] ssl-key-agreement
    Reverse Proxy Junction Connection            [junction] ssl-key-agreement and [junction:<jct-id>] ssl-key-agreement
    Global Sign-on Service Connection            [junction] ssl-key-agreement
    ICAP Server Connection                       [junction] ssl-key-agreement
    OAuth Introspection Endpoint Connection      [junction] ssl-key-agreement
    OAuth Token Endpoint Connection              [junction] ssl-key-agreement
    OIDC RP Connection                           [junction] ssl-key-agreement
    Password Callout Server Connection           [junction] ssl-key-agreement
    Distributed Session Cache Server Connection  [dsess-cluster] ssl-key-agreement
    Redis Server Connection                      [redis-server:<server-name>] ssl-key-agreement
    Federation Runtime Server Connections        [tfim-cluster:<cluster>] ssl-key-agreement
    IBM Security Identity Manager Server Connection  [itim] ssl-key-agreement

    For more information about PQC configuration between clients and the reverse proxy, see ssl-key-agreement in the [ssl] stanza.

    For more information about PQC configuration between the reverse proxy and servers, see ssl-key-agreement in the [junction] stanza and [junction:<jct-id>] stanza.

  • Logging

    The reverse proxy can log the supported group negotiated for key agreement between the client and the reverse proxy as part of the request log. This can identify whether PQC was used for the connection and, if so, which type of PQC.

    For more information about request log configuration to include the supported group, see request-log-format in the [logging] stanza.

    For more information about determining which supported groups use PQC, see Table 1. Supported Group Properties in ssl-extension-supported-groups.
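    The following script is an added example, not IBM's code or part of this documentation, of how a practitioner might process request log lines once the negotiated supported group has been added to the log. It assumes a custom request-log-format that appends the supported group as the last space-separated field of each line (that layout, and the sample lines themselves, are constructed for the example), and it classifies a group as PQC when its name carries an ML-KEM component, which covers the hybrid groups registered for TLS 1.3 such as X25519MLKEM768 and SecP256r1MLKEM768.

```python
"""Summarize negotiated TLS key-agreement groups from reverse proxy request log lines.

Added example, not product code. Assumes the request log format places the
negotiated supported group in the last field; "-" marks a request where no
group was recorded. The log lines below are constructed, not captured.
"""
from collections import Counter
from typing import Dict, Optional

# Constructed sample lines: client, timestamp, request line, status, bytes, group.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 X25519MLKEM768
192.0.2.11 - - [01/Jan/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024 x25519
192.0.2.12 - - [01/Jan/2025:10:00:03 +0000] "POST /api HTTP/1.1" 201 64 SecP256r1MLKEM768
192.0.2.13 - - [01/Jan/2025:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 304 0 secp256r1
192.0.2.14 - - [01/Jan/2025:10:00:05 +0000] "GET /health HTTP/1.1" 200 2 -
"""


def is_pqc_group(group: str) -> bool:
    """A supported group counts as PQC when it includes an ML-KEM component."""
    return "MLKEM" in group.upper()


def negotiated_group(line: str) -> Optional[str]:
    """Return the supported-group field (assumed to be the last field).

    Returns None for blank lines and for lines whose group field is "-",
    meaning the proxy did not record a group for that request.
    """
    fields = line.split()
    if not fields:
        return None
    group = fields[-1]
    return None if group == "-" else group


def summarize(log_text: str) -> Dict[str, object]:
    """Count PQC versus classical key agreements and tally each group name."""
    pqc = classical = unknown = 0
    groups: Counter = Counter()
    for line in log_text.splitlines():
        group = negotiated_group(line)
        if group is None:
            unknown += 1
            continue
        groups[group] += 1
        if is_pqc_group(group):
            pqc += 1
        else:
            classical += 1
    return {
        "pqc": pqc,
        "classical": classical,
        "unknown": unknown,
        "groups": dict(groups),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"PQC handshakes:       {result['pqc']}")
    print(f"Classical handshakes: {result['classical']}")
    print(f"No group recorded:    {result['unknown']}")
    for name, count in sorted(result["groups"].items()):
        label = "PQC" if is_pqc_group(name) else "classical"
        print(f"  {name:<20} {count:>4}  ({label})")
```

    Run against the real request log, the classical and unrecorded counts are the useful signal: a non-zero classical count after PQC has been enabled on the listen socket points to clients that do not offer a PQC group, and "-" entries indicate requests for which the supported group was not logged at all. Confirm the group field position against your own request-log-format before relying on the parser.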

Distributed Session Cache

The distributed session cache uses PQC as part of the TLS 1.3 key agreement. When TLS is enabled for the distributed session cache, PQC can be configured through the local management interface (LMI).

For more information about how to configure PQC for the Distributed Session Cache, see Session cache reference and Managing Distributed Session Cache in Containers.