Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays New York 2024 - Post-Quantum API Securi...

Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broadcom & Layer7

Post-Quantum API Security: Preparing your APIs for Q-day
Francois Lascelles, Distinguished Engineer at Broadcom and CTO at Layer7

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

May 14, 2024
Tweet

Video

More Decks by apidays

Other Decks in Technology

Transcript

  1. Post-Quantum API Security Preparing your APIs for Q-day April 30,

    2024 Francois Lascelles API Security CTO, Broadcom
  2. • Our digital world relies on secure communications and privacy

    of data at rest – Authentication, authorization, encryption, integrity – In the foundation of this security is public key cryptography – Using ubiquitous algorithms RSA, EC, … Understanding the Quantum Threat Today Q-day • When quantum computing becomes available1 – Using Shor’s algorithm and a few thousand stable qubits – You can easily break RSA, EC – Services relying on these common standards would be left open to breach, impersonation, fraud, etc 011010 1 We’ll get back to that
  3. • You won’t need a Quantum computer to protect against

    a Quantum computer attack • Post-quantum crypto (PQC) • Quantum-resistant • Compatible with today’s infrastructure • Standards – NIST formalizing PQC algos this year (2024) What is the solution? Don’t Panic
  4. – Secure connections – Identity introspection, JWKS – Data access

    – Shared state (KV, counting) – Microservices – Client-server – Access control mechanisms – Authentication (JWT) – Subject confirmation (mTLS, signatures) – Token mediation API specific exposure API Secure Connection Points and Access Control Mechanisms Affected API Client Data Identity State
  5. Example API exploit: JWT based API access control Identity App

    + User API Authenticate, get JWT Call API with JWT Get JWK (public key) { "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "scope”: ”limited”, ”group”: ”tenant1" } I trust the JWT and its claims because the signature proves possession of a private key associated with the public one 011010 Get JWK (it’s public) { "sub": "1234567890", "name": "whomever", "iat": ”whenever", "scope”: "whatever”, ”group”: ”any_claim" } • Apply Shor • Deduct the private key • Forge my own tokens • Claiming any identity • Claiming any permissions • Setting any expiration • As many as I want • Whenever I want Call API with JWT Legit JWT Forged JWT
  6. • To counter this threat, token issuer need to switch

    to PQC – Token issuers need to be able to sign tokens utilizing these new standards • Resource servers need to be able to validate those PQC signatures • The standards that specify JWT signing need to evolve to accommodate this – JWT -> JWS -> JWA Post-quantum JWT
  7. • Fork Jose4J – Add Dilithium • Register PQC provider

    – security.provider.xx=BCPQC • Rebuild L7 Gateway • Add policy for token creation • Add policy for token validation Let’s try it! PQC JWT POC
  8. How does Dilithium perform compared to RSA2048? Is there a

    PQC tax to pay? Not bad Token size 3.6KB vs < 1KB
  9. • While the bar is dropping to crack today’s security,

    quantum computers are getting stronger, faster Timeline When is Q-Day?  2019 Google Sycamore 53 qubits  2022 IBM Osprey 433 qubits  2023 IBM Condor 1121 qubits  203X (?) 1M qubits (?)
  10. Timeline Working backwards from Q-Day Q-day total remediation duration secure-for

    period Deadline to start PQC retrofit • How long it takes to retrofit your infrastructure • Harvest now, decrypt later • How long is a secret going through your API subject to privacy? • Intercepting API traffic is in some cases, an easier target than data at rest
  11. • Some of the most critical targets tend to be

    large organizations – Government-managed infrastructure systems – Large private corporations • The same organizations can be slow to adapt • Some environments have very complex multi-layered architectures • Some legacy infrastructure may lack the required crypto-agility • You can’t flick the switch for all systems at once – Therefore, there needs to be a period of overlapping support – This adds to the scope Time to retrofit (In some cases, this will take years)
  12. • See: Quantum-readiness – Migration to post-quantum crypto – NIST,

    CISA, NSA • Assign a team to plan and scope the migration • Prepare a crypto inventory – Where and how is crypto used in your organization • Prioritize – Most likely or damaging targets • Discuss with technology providers – Demand crypto-agility Establish a quantum-readiness roadmap