Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broadcom & Layer7

apidays
PRO
May 14, 2024
Video
Technology
0
12

Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broadcom & Layer7

Post-Quantum API Security: Preparing your APIs for Q-day
Francois Lascelles, Distinguished Engineer at Broadcom and CTO at Layer7

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

May 14, 2024
Tweet

Video

More Decks by apidays

See All by apidays
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai
apidays
PRO
0
9
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines by Vesa Vähämaa, Finnlines
apidays
PRO
0
6
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hanna Sillanpaa, Abloy
apidays
PRO
0
6
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
apidays
PRO
0
10
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Testing with K6 by Ayush Goyal, Grafana Labs
apidays
PRO
0
7
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli Kilpeläinen, Betolar
apidays
PRO
0
6
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific
apidays
PRO
0
11
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giraldo, ING
apidays
PRO
0
9
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring Them Together by Merja Kajava, Aavista Oy
apidays
PRO
0
6

Other Decks in Technology

See All in Technology
プロダクト拡大フェーズでプロダクト検証サイクル効率化を目指す過程で見えたもの / Streamlining Product Validation in Growth Phase
kakehashi
2
350
MySQLのリリースモデルの変更点と最新アップデート / MySQLNewReleaseModel
yoshiakiyamasaki
2
280
サイボウズのOSPO
sat
PRO
3
180
日本発24時間グローバルイベント"JAWS PANKRATION 2024"の紹介
yoshimi0227
1
150
Kotlinらしいコードを書こう - Convert Java File to Kotlin File のあとにやること / What to do after Convert Java File to Kotlin File
yanzm
0
1.6k
やさしいITを目指すために
ishity__
0
290
みんなに役立つ「テスト」を学んでみよう!(20140105版)
mizunori
1
110
リモートワーク時代の守護神 PHP開発者のためのセキュリティ強化術
pyama86
2
710
OODAふりかえり 何って…ただ毎スプリント、違うふりかえり手法を採用してるだけだが? / Retrospectives with OODA
kakehashi
11
2.4k
まずはパネル「Table」を使い倒してみよう@GrafanaMeetupJapan#2
rinchoku
1
130
例外設計について考えて Kotlin(Spring Boot&Arrow)で実践する/thinking exception design and implementation by kotlin
msksgm
3
1.6k
超アナログ中心な印刷会社で「エンジニアリング」を見直す
logica0419
4
150

Featured

See All Featured
The Pragmatic Product Professional
lauravandoore
28
6k
Build your cross-platform service in a week with App Engine
jlugia
227
17k
The Illustrated Children's Guide to Kubernetes
chrisshort
35
47k
Being A Developer After 40
akosma
68
580k
How GitHub Uses GitHub to Build GitHub
holman
471
290k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Principles of Awesome APIs and How to Build Them.
keavy
122
16k
Practical Orchestrator
shlominoach
184
9.9k
Debugging Ruby Performance
tmm1
70
11k
Atom: Resistance is Futile
akmur
260
25k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
42
4.6k

Transcript

  1. Post-Quantum API Security Preparing your APIs for Q-day April 30,

    2024 Francois Lascelles API Security CTO, Broadcom
  2. None

  3. • Our digital world relies on secure communications and privacy

    of data at rest – Authentication, authorization, encryption, integrity – In the foundation of this security is public key cryptography – Using ubiquitous algorithms RSA, EC, … Understanding the Quantum Threat Today Q-day • When quantum computing becomes available1 – Using Shor’s algorithm and a few thousand stable qubits – You can easily break RSA, EC – Services relying on these common standards would be left open to breach, impersonation, fraud, etc 011010 1 We’ll get back to that

  4. • You won’t need a Quantum computer to protect against

    a Quantum computer attack • Post-quantum crypto (PQC) • Quantum-resistant • Compatible with today’s infrastructure • Standards – NIST formalizing PQC algos this year (2024) What is the solution? Don’t Panic

  5. – Secure connections – Identity introspection, JWKS – Data access

    – Shared state (KV, counting) – Microservices – Client-server – Access control mechanisms – Authentication (JWT) – Subject confirmation (mTLS, signatures) – Token mediation API specific exposure API Secure Connection Points and Access Control Mechanisms Affected API Client Data Identity State

  6. Example API exploit: JWT based API access control Identity App

    + User API Authenticate, get JWT Call API with JWT Get JWK (public key) { "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "scope”: ”limited”, ”group”: ”tenant1" } I trust the JWT and its claims because the signature proves possession of a private key associated with the public one 011010 Get JWK (it’s public) { "sub": "1234567890", "name": "whomever", "iat": ”whenever", "scope”: "whatever”, ”group”: ”any_claim" } • Apply Shor • Deduct the private key • Forge my own tokens • Claiming any identity • Claiming any permissions • Setting any expiration • As many as I want • Whenever I want Call API with JWT Legit JWT Forged JWT

  7. • To counter this threat, token issuer need to switch

    to PQC – Token issuers need to be able to sign tokens utilizing these new standards • Resource servers need to be able to validate those PQC signatures • The standards that specify JWT signing need to evolve to accommodate this – JWT -> JWS -> JWA Post-quantum JWT

  8. • Fork Jose4J – Add Dilithium • Register PQC provider

    – security.provider.xx=BCPQC • Rebuild L7 Gateway • Add policy for token creation • Add policy for token validation Let’s try it! PQC JWT POC

  9. It works!

  10. How does Dilithium perform compared to RSA2048? Is there a

    PQC tax to pay? Not bad Token size 3.6KB vs < 1KB

  11. • While the bar is dropping to crack today’s security,

    quantum computers are getting stronger, faster Timeline When is Q-Day?  2019 Google Sycamore 53 qubits  2022 IBM Osprey 433 qubits  2023 IBM Condor 1121 qubits  203X (?) 1M qubits (?)

  12. Timeline Working backwards from Q-Day Q-day total remediation duration secure-for

    period Deadline to start PQC retrofit • How long it takes to retrofit your infrastructure • Harvest now, decrypt later • How long is a secret going through your API subject to privacy? • Intercepting API traffic is in some cases, an easier target than data at rest

  13. • Some of the most critical targets tend to be

    large organizations – Government-managed infrastructure systems – Large private corporations • The same organizations can be slow to adapt • Some environments have very complex multi-layered architectures • Some legacy infrastructure may lack the required crypto-agility • You can’t flick the switch for all systems at once – Therefore, there needs to be a period of overlapping support – This adds to the scope Time to retrofit (In some cases, this will take years)

  14. • See: Quantum-readiness – Migration to post-quantum crypto – NIST,

    CISA, NSA • Assign a team to plan and scope the migration • Prepare a crypto inventory – Where and how is crypto used in your organization • Prioritize – Most likely or damaging targets • Discuss with technology providers – Demand crypto-agility Establish a quantum-readiness roadmap
  15. None