In the fast-evolving landscape of quantum security, the advent of quantum computing poses both promise and peril. One of the most concerning, immediate threats is the “Harvest Now, Decrypt Later” attack, which has garnered significant attention from experts worldwide. Cybersecurity leaders, including the National Institute of Standards and Technology (NIST), believe adversaries and nation-states are likely harvesting and holding on to data until they can successfully decrypt it later with quantum computers.
One of the easiest ways to protect against Harvest Now, Decrypt Later attacks is by implementing the IETF RFC 8784 standard for IPsec VPN security.
What is RFC 8784?
IETF RFC 8784 “Mixing Preshared Keys in Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security” is a mechanism to create IKEv2 IPsec VPN connections that are resistant to quantum attacks. This is accomplished by provisioning Post-quantum Preshared Keys (PPKs) on each peer of the VPN session through an out-of-band mechanism. The PPKs are then “mixed” with the classic key material from the Diffie-Hellman (DH) key exchange process. The PPK itself is never transmitted over the VPN connection; only the Key ID of the PPK is sent, to identify the correct PPK to use in key establishment. PPK mixing provides hardened security for the key exchange in two ways:
- If the core key exchange process is compromised – by a quantum computer using Shor’s algorithm, or any other unforeseen attack – the additional PPK component that is mixed in will still ensure the subsequent encryption remains secure.
- An adversary, or man in the middle, listening on the connection to execute a “Harvest Now, Decrypt Later” attack will only be able to harvest the classic DH key material and the PPK Key ID, but not the PPK itself. Without the PPK component, the adversary will not be able to reconstruct the key and decrypt the data.
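The mixing step described above, written out as an added example (not code from the original page or from any vendor): it follows RFC 8784's derivation SK_d = prf+(PPK, SK_d') using IKEv2's prf+ construction, and assumes HMAC-SHA256 as the negotiated PRF. The PPK and the DH-derived key values are constructed stand-ins.

```python
import hashlib
import hmac

PRF_LEN = 32  # output size of the assumed PRF (HMAC-SHA256)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2 prf+ (RFC 7296): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    if length > 255 * PRF_LEN:
        raise ValueError("prf+ is limited to 255 blocks")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def mix_ppk(ppk: bytes, primed: dict) -> dict:
    """RFC 8784: SK_x = prf+(PPK, SK_x') for SK_d, SK_pi and SK_pr.

    SK_d seeds the keys of every Child (IPsec) SA, so the traffic keys
    inherit the PPK; SK_pi/SK_pr bind the PPK into peer authentication.
    """
    if len(ppk) < 32:  # length check only; it cannot measure entropy
        raise ValueError("PPK shorter than 32 bytes")
    return {name: prf_plus(ppk, key, len(key)) for name, key in primed.items()}


# Constructed stand-ins for the DH-derived keys SK_d', SK_pi', SK_pr'.
PRIMED = {n: hashlib.sha256(n.encode()).digest() for n in ("SK_d", "SK_pi", "SK_pr")}
PPK = bytes(range(32))   # constructed demo value, not a real secret
WRONG_PPK = bytes(32)    # stands for any guess made without the real PPK


def demo() -> dict:
    initiator = mix_ppk(PPK, PRIMED)
    responder = mix_ppk(PPK, PRIMED)
    # Harvester model: the primed keys were recovered, the PPK was not.
    harvester = mix_ppk(WRONG_PPK, PRIMED)
    return {
        "peers_agree": initiator == responder,
        "harvester_matches": any(initiator[n] == harvester[n] for n in PRIMED),
    }


if __name__ == "__main__":
    print(demo())
```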
RFC 8784 is an existing multi-vendor standard that is recommended by government agencies, including NIAP, the NSA, and the German Federal Office for Information Security. It is independent of the NIST PQC approval timelines and can be implemented today with no additional network resources consumed or significant latency added. One commercial example is Palo Alto Networks PAN-OS 11.1, which supports RFC 8784 as part of its NGFW IKEv2 configuration.
Introducing the QiSpace SEQUR™ PPK Generator
A PPK should be a strong, random secret that is not subject to a dictionary attack and has 32 bytes (256 bits) of entropy to meet the NIST Category 5 security level. PPKs that are created algorithmically are, by definition, not truly random and can be subject to machine learning-based attacks and varying levels of quality depending on the underlying device operating system.
The QiSpace™ SEQUR PPK Generator provides an easy-to-use web interface to create strong, high-entropy PPKs from Quantropi’s hardware-based Quantum Random Number Generators, and it can be used to make any IPsec VPN that supports the IETF RFC 8784 standard quantum-secure.
Quantum-secure your IPsec VPN in 3 easy steps.
Install: Download the QiSpace SEQUR PPK Generator browser extension.
Get Token: Fill out the online request form and receive your QiSpace SEQUR PPK Generator security Token.
Configure: Activate the QiSpace SEQUR PPK Generator in your browser and add PPKs to each IPsec VPN peer.