Enterprise security teams are increasingly aware of post-quantum cryptography (PQC), which is actively being standardized by the National Institute of Standards and Technology (NIST). At some point, PQC protection from the threat of scaled quantum computers will become a regulatory requirement, rather than a fuzzy future concern on a long to-do list.
But how will an enterprise get to the deployment finish line in the PQC challenge, when it is common to have hundreds — even thousands — of software applications and services that will require migration?
To say that this process will be complicated is a vast understatement. Many enterprises purchase most (or all) of their software from external vendors. Each supplier will need to manage the changes and make the resulting configuration options available to customers. One would expect a great deal of diversity in rates of migration and readiness across vendors. Working with so many individual suppliers will be daunting, to say the least. No doubt, there will be applications that will be slow (or impossible) to migrate because of underlying legacy components.
For enterprises that develop applications and services for in-house and customer use, development teams will have to examine the technical challenges and put the work on the development roadmap. It won’t take long, however, before exploratory work reveals dependency challenges, such as the availability of PQC libraries, open source components, component services (e.g., databases), systems software, and domain-specific standards specifications. Significant changes in PQC key sizes, memory and computation requirements, and communication patterns will also complicate implementation. Yet another thing to navigate will be hybrid configurations that combine cryptographic algorithms — something few software stacks are designed to accommodate.
What would help at the outset is a framework for cryptographic agility that is somehow decoupled from individual applications and can be deployed in advance of the software industry’s heavy lift of migrating myriad applications to PQC standards. Such a scheme could reel in the crypto migration challenges to a single software domain on behalf of many other applications and provide early quantum safety before established solutions can be worked out and deployed more widely.
Considering proxies as a solution
One way approach to PQC migration — and cryptographic agility more broadly — would be to use proxies. In the context of distributed applications, proxies introduce an intermediary node between two communication endpoints. In particular, our interest is in reverse proxies, which are often installed on an enterprise network at the demilitarized zone (DMZ) or at a cloud tenant edge, to manage incoming client connections to backend application services. Reverse proxies are used for a variety of functions, including load balancing, content caching and translation, application firewalls, authentication, authorization, and compression. In this case, we are interested in Transport Layer Security (TLS) termination and the opportunity to modify the cryptographic algorithms used in secure communications over the Internet.
An illustrative case study is VMware’s Unified Access Gateway (UAG), a specialized reverse-proxy virtual appliance deployed in a cloud tenant network or enterprise DMZ network in a standalone or load-balanced configuration. It is typically Internet-facing and manages authentication and authorization of incoming TLS connections to securely access VMware Horizon desktops and applications, as well as other enterprise resources. UAG runs on VMware vSphere, Amazon AWS EC2, Microsoft Azure, and Google Cloud GCE. The uses for UAG are too numerous to list but include both cloud-based services (such as access to virtual desktops and published apps, web applications, content repositories, and email) and edge-based services (such as secure content gateways, VPN services, web reverse proxying, identity bridging, and Horizon-based applications).
A key customer requirement for UAG is compliant configurations for regulatory standards-based deployments. Some of the most important include PCI DSS 3.2.1, HIPAA, NIAP/CSfC, FedRAMP, and NIST SP800-52. Such standards dictate permissible TLS versions (1.2 and/or 1.3), cipher suites (public key, symmetric key, cryptographic hash), acceptable elliptic curves, OCSP Stapling, and specific TLS options. UAG customers often test compliance with third-party tools, such as ImmuniWeb and Qualys/SSLLabs, and have come to expect an “A+” rating.
A key problem in UAG support for PQC is the large number of backend applications that would require migration. Another key challenge is preparing for the migration in a way that facilitates subsequent changes (in case NIST standards are later revised). Another key requirement is that changes to cryptographic algorithms should not require rebuilding the application. This ensures rapid uptake of security patches and ongoing configuration changes. Finally, if possible, the solution should avoid major refactorization of UAG as a stable software architecture.
With a single proxy component, we can enable quantum-safe cryptography across public networks on behalf of the many backend applications communicating through UAG. The proxy component may be designed to support an extensive range of cryptographic algorithm configurations and the use of libraries not supported by the underlying services. Meanwhile, communication between services can continue to use existing cryptography capabilities, since communications take place behind a firewall.
A UAG case study in cryptographic agility
UAG’s architecture includes a large number of backend components. As seen in Figure 2, many of these services are managed by the edge service manager (ESManager). In front of these components is HAProxy, which offers forwarding features after server name indication (SNI) header inspection — for example, TCP 443 port sharing.
Our exploratory prototype of cryptographic-agile UAG leverages HAProxy’s ability to segment secure communication by terminating TLS at the proxy and then using a second TLS connection to each backend service. This creates a single implementation and configuration point for cryptographic agility. A key insight here is that quantum safety is needed across the Internet path between a client device and UAG, but not necessarily between UAG and a backend service communicating within the same private network.
Reconfiguration of HAProxy allows for rapid changes in supported TLS ciphers and other parameters. Furthermore, by storing pre-compiled cryptographic library modules — each configured to use different cryptography — the UAG team can easily change cryptographic implementations. Supporting new cryptography only requires updating one component.
Our work on quantum safety for UAG makes use of the Open Quantum Safe (OQS) implementation of PQC candidate standards. OQS is an open source project pioneered by the University of Waterloo and industry collaborators. It is intended to make NIST PQC implementations available for experimentation and testing. In particular, liboqs provides a C library that integrates PQC with various protocols and applications, including OpenSSL.
For more on our crypto-agile implementation of UAG, see a short preview of our VMworld 2021 session and read the associated blog.
Proxies are a powerful approach to enabling cryptographic agility (including quantum safety) for myriad supplier applications and services. By decoupling cryptographic configuration from individual applications, it offers the following advantages:
- Facilitating early PQC support for a large number of applications that may otherwise be slow to migrate as a collective
- Serving as a central point of enterprise cryptography configuration and management
- Providing a way to quickly address vulnerability remediation and/or ongoing PQC standards changes
- Addressing cryptographic agility at scale within sizable enterprise infrastructures
Our experimentation with the Unified Access Gateway, as part of VMware’s Horizon software suite, has provided a testing ground for cryptographic agility and PQC migration within a widely adopted VMware product. The reverse proxy architecture supports cryptographic library extensibility and the ability for enterprise customers (and VMware itself) to create standards-compliant configurations that are scalable for many backend enterprise applications.