Tech Deep Dives VMware Explore 2022

Cryptographic Agility: A Deep Dive

At VMware Explore this year, we demonstrated what we believe to be the world’s first quantum-safe, multi-cloud application.

This application uses a new set of public key cryptographic algorithms known as Post Quantum Cryptography (PQC) to secure all its communications from the potential future threat of quantum computers. To make the transition to PQC possible, VMware developed Project Newcastle, a policy-based framework enabling and orchestrating cryptographic transition in modern applications.

Key Takeaways:

  • The transition to PQC is not just another cryptography standards refresh; rather, it is a new set of challenges every enterprise will have to navigate.
  • Project Newcastle enables policy-driven application cryptography reconfiguration in an orchestrated way.
  • VMware is partnering with Entrust to enable crypto-agile certificate lifecycle operations in Project Newcastle.


The Big Picture

The transition to quantum-safe algorithms is an ongoing story of new cryptographic standards. While the industry has utilized RSA and ECDSA (Elliptic Curve Digital Signature Algorithm) as “Swiss Army Knives” of public key cryptography for decades, disruption is ahead. The major transition to new public key algorithms that are quantum-safe represents a whole new game of trade-offs — processing speed, key sizes, message sizes, and more.

To navigate these changes, we need a new set of mechanisms called cryptographic agility. Cryptographic agility allows us to make major changes in cryptography algorithms and libraries in a controlled and flexible manner. These robust crypto-agility systems will address the need for policy configuration and orchestration across larger units of compute infrastructure, while also supporting backwards compatibility.

Last year at VMworld, we called out the upcoming challenges with transitioning applications and infrastructure to support PQC. We also demonstrated how an application could become crypto-agile by utilizing a proxy-based approach. This year, we’ve enhanced our crypto-agility capabilities. For example, we can now use policies to automate and govern an application’s cryptographic configuration.

Policy-driven Cryptography Configuration

Today’s applications cannot be reconfigured easily without enterprise-grade crypto-agility mechanisms. Developers, often with limited security expertise, are responsible for configuring applications to comply with the moving target of cryptographic standards. From an enterprise operations point of view, it’s rare for any company to have complete visibility into its global cryptographic footprint. That changes with Project Newcastle.

Integrated with Tanzu Service Mesh, Project Newcastle gives users greater insight into the cryptography in their applications. But that’s not all — as a platform for cryptographic agility, Project Newcastle automates the process of reconfiguring an application’s cryptography to comply with user-defined policies and industry standards.

Entrust Partnership

We’re excited to share a big step toward enterprise-grade crypto-agility with our partner Entrust. Entrust already supports full certificate lifecycle management and is actively working on Post Quantum Cryptography support and crypto-agility mechanisms. While the cryptography algorithms and libraries we all use to secure applications are important, they don’t represent the whole story when it comes to cryptographic agility. This is why our partnership with Entrust is essential: it secures the operational use of an application’s cryptographic assets, such as certificates and keys.

With Entrust + Project Newcastle, your cryptographic policies can automate and manage the full life cycle of cryptography operations in an agile way.

Demonstration Walkthrough

The demonstration application is deployed on two different clusters in two different clouds, GCP and AWS.

Visibility isn’t the only benefit. This year, we demonstrated how creating a new cryptography policy can enable this entire application to support Post Quantum Cryptography across both cloud providers.

Here’s how it works:

Step 1

The policy we’re going to create to transition this application needs to be scoped. It can be applied to individual services, custom service groupings, or even specific APIs. We target the entire application for this demonstration by selecting the entire Global Namespace (GNS).

Step 2

We define the specification for our policy. Project Newcastle gives two options:

  1. A custom policy to select specific details like allowable cipher suites, TLS protocol versions, implementation libraries, and more. These specification options can be saved for later use as templates that may be imported at this step.

While appropriate for advanced users who need a custom policy, these details aren’t for everyone.

  2. Less sophisticated users who need a policy that ‘just works’ can select VMware’s recommended policy and augment it based on compliance needs such as FIPS 140-3 or quantum safety. Project Newcastle’s policy engine will then suggest a cryptographic specification that complies with each standard selected.

Step 3

We now need to configure a certificate authority. VMware is working with Entrust to dynamically provision certificates meeting cryptographic policy requirements. We then select the appropriate CA based on our deployment trust model. The Entrust PKI Service supports PQC certificates, allowing us to demonstrate the entire lifecycle of a transition to quantum safety in this demonstration.

Step 4

Decide when the policy should come into effect. Policies, when created, may be activated immediately, saved in an inactive state, or incorporated into another workflow.

Step 5

Review the outcome of Project Newcastle’s policy engine. In this case, as we only want to trial PQC support, our policy is backward compatible with older ciphers like RSA, ECDSA, and ECDHE. These details look great.

Activating this policy authorizes Project Newcastle to reconfigure each of Project Newcastle’s cryptography providers to comply with the policy we just defined. This dynamically configures our application to support PQC between clouds. We can see that this cross-cloud connection supports the new NIST draft standards for authentication and key exchange.
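The policy options from Steps 1 to 5, modeled as an added example (not Project Newcastle's own code or policy format): the `Policy` fields, algorithm labels and connection records are assumptions constructed for illustration. It shows why a backward-compatible trial policy needs an audit that separates connections that merely comply from those that actually negotiated PQC.

```python
from dataclasses import dataclass

# Constructed algorithm labels for illustration, not a product catalogue.
PQC_KEX, PQC_SIG = {"kyber768"}, {"dilithium3"}
CLASSICAL_KEX, CLASSICAL_SIG = {"ecdhe-p256"}, {"rsa-2048", "ecdsa-p256"}

@dataclass(frozen=True)
class Policy:
    scope: str                 # service-name prefix the policy covers (Step 1)
    min_tls: tuple             # lowest TLS version allowed, e.g. (1, 3) (Step 2)
    quantum_safe: bool         # compliance option selected in Step 2
    backward_compatible: bool  # keep classical algorithms during a trial (Step 5)

    def allowed(self):
        """Resolve the options into allowed key-exchange and signature sets."""
        kex = set(PQC_KEX) if self.quantum_safe else set()
        sig = set(PQC_SIG) if self.quantum_safe else set()
        if self.backward_compatible or not self.quantum_safe:
            kex |= CLASSICAL_KEX
            sig |= CLASSICAL_SIG
        return kex, sig

def audit(policy, conn):
    """Return (status, reasons) for one observed connection record (a dict)."""
    if not conn["service"].startswith(policy.scope):
        return "out-of-scope", []
    kex, sig = policy.allowed()
    checks = {"tls-version": tuple(conn["tls"]) >= policy.min_tls,
              "key-exchange": conn["kex"] in kex,
              "signature": conn["sig"] in sig}
    reasons = [name for name, ok in checks.items() if not ok]
    if reasons:
        return "violation", reasons
    # Compliant is not the same as quantum-safe under a backward-compatible policy.
    if conn["kex"] in PQC_KEX and conn["sig"] in PQC_SIG:
        return "compliant-pqc", []
    return "compliant-classical", []

# Constructed sample connections between services in two clusters.
SAMPLE = [
    {"service": "shop/cart", "tls": (1, 3), "kex": "kyber768", "sig": "dilithium3"},
    {"service": "shop/pay", "tls": (1, 3), "kex": "ecdhe-p256", "sig": "ecdsa-p256"},
    {"service": "shop/legacy", "tls": (1, 2), "kex": "ecdhe-p256", "sig": "rsa-2048"},
    {"service": "blog/web", "tls": (1, 2), "kex": "ecdhe-p256", "sig": "rsa-2048"},
]

def report(policy):
    """Map each sample service to its audit status under the given policy."""
    return {c["service"]: audit(policy, c)[0] for c in SAMPLE}
```

Switching `backward_compatible` to `False` turns every `compliant-classical` connection into a violation, which is the list of services still to migrate before the trial policy can be tightened.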

Audit and Compliance

Introducing cryptographic agility into our applications carries some inherent risk. That’s why Project Newcastle has attestation built in — to mitigate the risk of supply chain attacks. Not only does it attest to the cryptographic state of each application and service, but we can also use Project Newcastle to generate detailed reports about this application’s compliance status at any point in its lifetime!

What’s next


While Project Newcastle is in technical preview, we’re in discussion with stakeholders across the industry and would love to hear from customers like you. If you’re interested in Project Newcastle, want to become a design partner, or learn more, contact us at newcastle@vmware.com.

Want to go deeper on Post-Quantum Cryptography? You can read more about the PQC migration challenge and cryptographic agility in these other blogs:
