Post-quantum communication with WSO2 Identity Server 7.0

Udara Pathum
Identity Beyond Borders
2 min read · Jun 13, 2024

The rise of quantum computing poses a significant threat to the public-key cryptography that protects today's traffic: a sufficiently large quantum computer running Shor's algorithm would break RSA, finite-field Diffie-Hellman and elliptic-curve key exchange (including the X25519 used by TLS 1.3), while symmetric ciphers such as AES are only weakened, not broken. Because recorded TLS sessions can be stored now and decrypted later, the key exchange is the part worth migrating first, and quantum-resistant cryptography standards are being developed to safeguard data against exactly that threat.

WSO2 Identity Server 7.0 now supports the X25519Kyber768Draft00 post-quantum key exchange algorithm for TLS 1.3 communication. This algorithm combines the elliptic-curve X25519 key exchange with the Kyber768 post-quantum key encapsulation mechanism (KEM) in a hybrid construction: the session secret is derived from both shared secrets, so the connection remains secure as long as either component holds. That keeps the classical security guarantees while adding quantum resistance to HTTPS communication.

Let’s talk about how we can enable post-quantum TLS in WSO2 Identity Server 7.0.

Download the necessary artifacts

Build native libraries

Because this feature relies on native libraries from the Open Quantum Safe (OQS) project for the quantum-safe algorithms, the build steps vary by operating system. The steps below are for a Debian-based Linux distribution (the package commands use apt-get).

  • Install the required build dependencies:
sudo apt-get install make cmake wget tar gcc
  • Navigate to the <IS_HOME>/bin/ folder and run the bundled script, which builds OpenSSL together with the OQS post-quantum library it links against:
sh openssl-tls.sh --build_openssl --build_pqclib

For more details, please refer to the official documentation.

Enable post-quantum TLS

Add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file and start WSO2 Identity Server. The named_groups value is a preference list: the server offers x25519_kyber768 first and falls back to plain x25519 for clients that do not support the hybrid group, so existing clients keep working.

[transport.https.openssl]
enabled = true
named_groups = "x25519_kyber768:x25519"

[transport.https.sslHostConfig.properties]
protocols="TLSv1+TLSv1.1+TLSv1.2+TLSv1.3"

The hybrid group is only ever negotiated under TLS 1.3. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so unless you must support legacy clients, narrow the protocols value to "TLSv1.2+TLSv1.3" rather than re-enabling the older versions.

See everything in action

To see post-quantum communication in action, enable post-quantum key exchange in Google Chrome (Chrome 124 and later enable X25519Kyber768 by default; earlier versions keep it behind an experimental flag). Follow the article below for more information.

Afterward, navigate to https://localhost:9443/carbon. To confirm that the hybrid key exchange was actually negotiated rather than the x25519 fallback, open the Security panel in Chrome DevTools: the connection summary names the key exchange, and it should read X25519Kyber768Draft00 instead of X25519.
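Checking from the browser only tells you what that one browser negotiated. The script below is an added example (not code from the article or from WSO2) that probes the server directly: it sends a TLS 1.3 ClientHello that lists the hybrid group ahead of plain x25519 but carries an empty key_share list, which RFC 8446 section 4.2.8 permits as a request for the server to choose the group. The server then answers with a HelloRetryRequest naming the group it wants, so the probe reveals the server's choice without needing a Kyber implementation on the client side. Assumptions: the server listens on localhost:9443 with SNI "localhost", and the hybrid group uses code point 0x6399, the value the X25519Kyber768Draft00 draft assigns (confirm it matches the code point your oqs-provider build registers for x25519_kyber768).

```python
"""Probe a TLS 1.3 endpoint for the X25519Kyber768Draft00 hybrid group.

Added example, not code from the article or from WSO2. Sends a ClientHello with an
EMPTY key_share list (RFC 8446 section 4.2.8) so the server must pick a group and say
so in a HelloRetryRequest. Assumed target: localhost:9443, SNI 'localhost'.
"""
import os
import socket
import struct

HYBRID_X25519_KYBER768 = 0x6399   # X25519Kyber768Draft00 (draft code point, assumed to match the server build)
X25519 = 0x001D
GROUP_NAMES = {HYBRID_X25519_KYBER768: "X25519Kyber768Draft00", X25519: "x25519"}

# Fixed ServerHello.random value that marks a HelloRetryRequest (RFC 8446 section 4.1.3).
HRR_RANDOM = bytes.fromhex(
    "CF21AD74E59A6111BE1D8C021E65B891C2A211167ABB8C5E079E09E2C8A8339C")


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: type(2) length(2) body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(groups, server_name="localhost") -> bytes:
    """Return one TLS record carrying a TLS 1.3-only ClientHello with no key shares."""
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sig_algs = bytes.fromhex("04030804040105030805050108060601")  # ecdsa / rsa-pss / rsa-pkcs1, sha256..512
    extensions = b"".join([
        _ext(0x0000, struct.pack("!H", len(sni_entry)) + sni_entry),       # server_name
        _ext(0x002B, b"\x02\x03\x04"),                                       # supported_versions: TLS 1.3 only
        _ext(0x000A, struct.pack("!H", 2 * len(groups))
             + b"".join(struct.pack("!H", g) for g in groups)),              # supported_groups, our preference order
        _ext(0x000D, struct.pack("!H", len(sig_algs)) + sig_algs),          # signature_algorithms
        _ext(0x0033, b"\x00\x00"),                                           # key_share: empty list -> server must HRR
    ])
    body = (b"\x03\x03" + os.urandom(32)                           # legacy_version, random
            + b"\x20" + os.urandom(32)                             # legacy_session_id (middlebox compat mode)
            + struct.pack("!H", 6) + b"\x13\x01\x13\x02\x13\x03"   # AES_128_GCM, AES_256_GCM, CHACHA20_POLY1305
            + b"\x01\x00"                                          # legacy_compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(record: bytes) -> dict:
    """Classify the server's first record (alert / ServerHello / HelloRetryRequest) and extract the chosen group."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + rlen]
    if ctype == 0x15:                                               # alert record
        return {"type": "alert", "level": payload[0], "description": payload[1]}
    if ctype != 0x16 or payload[0] != 0x02:                         # must be handshake / server_hello
        raise ValueError("unexpected record type %#x" % ctype)
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    random_ = body[2:34]
    pos = 35 + body[34]                                             # skip legacy_session_id_echo
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                                        # cipher_suite + legacy_compression_method
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    selected = None
    while pos < ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0x0033:                                      # key_share: group id leads in both SH and HRR
            selected = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += ext_len
    return {"type": "hello_retry_request" if random_ == HRR_RANDOM else "server_hello",
            "cipher_suite": cipher, "group": selected,
            "group_name": None if selected is None else GROUP_NAMES.get(selected, hex(selected))}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe(host="localhost", port=9443, timeout=5.0) -> dict:
    """Connect, send the probe ClientHello and return the parsed first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello([HYBRID_X25519_KYBER768, X25519], host))
        header = _recv_exact(sock, 5)
        return parse_server_response(header + _recv_exact(sock, struct.unpack("!H", header[3:5])[0]))


if __name__ == "__main__":
    result = probe()
    if result.get("group") == HYBRID_X25519_KYBER768:
        print("server selected", result["group_name"], "- hybrid post-quantum key exchange is active")
    else:
        print("server did NOT select the hybrid group:", result)
```

The probe never completes the handshake, so it says nothing about certificates or the rest of the configuration; it only answers the one question the browser check leaves open, namely which group the server picks when a client offers both. A HelloRetryRequest naming x25519 means the server build does not know the hybrid group (or registers it under a different code point), and an alert usually means the server rejected the empty key_share, in which case fall back to the DevTools check above.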
