Post-quantum communication with WSO2 Identity Server 7.0
The rise of quantum computing poses a significant threat to traditional encryption methods, with algorithms like Shor’s capable of rapidly breaking encryption keys. Proactive measures to develop quantum-resistant cryptography standards are essential to safeguard data in the face of quantum threats.
WSO2 Identity Server 7.0 now supports the X25519Kyber768Draft00 post-quantum key exchange algorithm for TLS 1.3 communication. This algorithm combines the elliptic curve-based X25519 with the Kyber768 post-quantum key exchange scheme, offering a robust and quantum-resistant solution for securing HTTPS communication.
Let’s talk about how we can enable post-quantum TLS in WSO2 Identity Server 7.0.
Download necessary artifacts
- Download the WSO2 Identity Server 7.0.0 open-source distribution, and extract the contents to a folder named <IS_HOME>.
- Download openssl-tls.sh and copy the file to <IS_HOME>/bin/.
- Download wso2server.sh and replace the file in <IS_HOME>/bin/.
- Download catalina-server.xml.j2 and replace the file in <IS_HOME>/repository/resources/conf/templates/repository/conf/tomcat.
Build native libraries
Since this feature utilizes native libraries from the Open Quantum Safe (OQS) project to enable quantum-secure algorithms, the installation process may vary depending on the operating system. Let’s discuss how to install it on a Linux OS.
- Install the required build dependencies using the following command.
  sudo apt-get install make cmake wget tar gcc
- Navigate to the <IS_HOME>/bin/ folder, and execute the following command:
  sh openssl-tls.sh --build_openssl --build_pqclib
For more details, please refer to the official documentation.
Enable post-quantum TLS
Add the following configurations to the <IS_HOME>/repository/conf/deployment.toml file, and start WSO2 Identity Server.
[transport.https.openssl]
enabled = true
named_groups = "x25519_kyber768:x25519"
[transport.https.sslHostConfig.properties]
protocols="TLSv1+TLSv1.1+TLSv1.2+TLSv1.3"
See everything in action
To see post-quantum communication in action, we will enable post-quantum algorithm support in Google Chrome. Follow the article below for more information.
Afterward, navigate to https://localhost:9443/carbon and you will notice that your WSO2 Identity Server is post-quantum secured now.
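As an added check that is not part of the original post or the WSO2 distribution, the script below confirms from the command line which key-exchange group the server actually negotiates, using the OQS-enabled openssl that openssl-tls.sh builds (the binary path, and the exact wording of s_client's "Negotiated TLS1.3 group:" and "Server Temp Key:" diagnostic lines, are assumptions about your OpenSSL version):

```shell
#!/bin/sh
# Added example, not part of the WSO2 page or product. Assumes an OQS-enabled
# openssl binary and the s_client output formats of OpenSSL 3.2+ ("Negotiated
# TLS1.3 group: ...") or 3.0/3.1 ("Server Temp Key: ...").

# Extract the negotiated key-exchange group name from s_client output on stdin.
# Prints the group name, or nothing if neither diagnostic line is present.
negotiated_group() {
  sed -n \
    -e 's/^Negotiated TLS1.3 group: *\([^ ,]*\).*/\1/p' \
    -e 's/^Server Temp Key: *\([^ ,]*\).*/\1/p' \
  | head -n 1
}

# Return 0 if the group name is a Kyber hybrid (post-quantum), 1 otherwise.
is_post_quantum() {
  case "$1" in
    *kyber*|*Kyber*) return 0 ;;
    *) return 1 ;;
  esac
}

# Handshake with the server and classify the result.
# $1 host:port (default localhost:9443); $2 openssl binary (assumed OQS build).
check_pq_tls() {
  target="${1:-localhost:9443}"
  openssl_bin="${2:-openssl}"
  # Offer the same group list as the deployment.toml above; 'Q' closes the session.
  out=$(printf 'Q\n' | "$openssl_bin" s_client -connect "$target" -tls1_3 \
          -groups x25519_kyber768:x25519 2>/dev/null)
  group=$(printf '%s\n' "$out" | negotiated_group)
  if [ -z "$group" ]; then
    echo "could not determine negotiated group (handshake failed or unknown output format)"
    return 2
  fi
  if is_post_quantum "$group"; then
    echo "post-quantum hybrid key exchange negotiated: $group"
    return 0
  fi
  echo "classical key exchange only: $group"
  return 1
}
```

The script only checks key exchange; note that the protocols line in the configuration above also enables TLS 1.0 and 1.1, which are deprecated (RFC 8996), so narrow it to TLSv1.2+TLSv1.3 where your clients allow.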