XQ’s Zero Trust Data Supports M-23-02 Migration to Post Quantum Cryptography (PQC)

The purpose of this document is to illustrate how XQ’s Zero Trust Data Protection assists the government’s migration to post quantum cryptography.

Table of Contents

1. CISA's Post-Quantum Cryptography (PQC) Initiative Announcement

2. Promoting U.S. Leadership in Quantum Computing and Mitigating Risks to Cryptographic Systems

3. PQC Status: Initial Algorithms Approved, Now Working On Implementation

4. Role of XQ’s Zero Trust Data Security Platform in Adopting OMB 20-03

5. PQC Migration

6. Security Benefits of Quantum Secure Messaging

The initiative aims to unify efforts and ensure preparedness against quantum threats, guiding organizations through the transition to PQC and aligning with broader federal cybersecurity directives.

Establishment and Purpose

• Date of Announcement: July 6, 2022

• Objective: To address threats posed by quantum computing and support the transition to post-quantum cryptography (PQC).

Support and Recommendations

• Target Groups: Critical infrastructure and government network owners and operators.

Audit and Compliance

• OMB Memorandum: Issued on November 18, requiring agencies to audit systems vulnerable to cryptanalytically relevant quantum computers (CRQCs) by May 4, 2023.

• National Security Memorandum: Aligns with President Biden's directive for agencies to begin the multi-year process of migrating to quantum-resistant cryptography.

Implementing PQC Is Critical To Protecting America From Foreign Cyberattacks

NSM-10 sets a structured approach for U.S. federal agencies to transition to PQC, ensuring the security of cryptographic systems against future quantum threats.

Overview

• Federal agencies are transitioning to a Zero Trust architecture, emphasizing strong encryption.

• NSM-10 addresses the threat of cryptanalytically relevant quantum computers (CRQC) and the need for post-quantum cryptography (PQC).

• Agencies must prepare for future quantum threats, even as current data might be vulnerable to future decryption.

Over the past few years, NIST has completed extensive computer modeling of multiple Post Quantum Cryptography (PQC) algorithms and is moving to the next implementation step.  Organizations face two main challenges with PQC implementation:

1. Even though NIST has tested the algorithms, the source code is relatively new and vulnerable to Malware and Side Channel Attacks.  Subsequently, there will be multiple software updates until the US Government tests validate the robustness of software.

2. Integrating PQC into applications is difficult as they are spread across multiple sites, legacy servers, and new cloud services. NIST does not focus on implementation, which is the responsibility of Federal Agencies and Regulated Enterprises.

Role of XQ’s Zero Trust Data Security Platform in Adopting OMB 20-03

OMB 20-03 (attached) defines a process model for new PQC algorithms, from validation to certification to deployment. XQ’s role is to provide a toolset for the contractors/integrators doing the work to run specific algorithms, facilitate the integration of these algorithms into applications via our API, and use the algorithms for email, file, and data transfer protection.  

XQ Value: XQ helps Contractors and System Integrators embedding PQC security into applications

Similarly, NIST  1838 concerns the requirement to get new post-quantum cryptography (PQC) algorithms certified. XQ can be used by companies developing code and needing a test platform to certify their code, and/or XQ can be used by agencies to deploy certified algorithms.

XQ Value: XQ enables Contractors and System Integrators to easily update PQC software across multiple sites.

XQ Support For PQC: Ability To Change Software And Application Integration

XQ has a Zero Trust Data platform that provides Federal Agencies a strategy to implement PQC by:

1. XQ enables Agencies to update PQC software as changes are made without redeploying the solution. More importantly, multiple PQC algorithms can run simultaneously.

2. XQ supports agent, gateway, and server implementations, greatly streamlining the deployment of a PQC solution. A single platform can support multiple apps deployed over mixed infrastructure.

XQ Supports PQC Adoption:

XQ is the first commercial Zero Trust Data solution as defined by the DoD November 2022 strategy document. Data is encrypted at the edge and objects are uniquely tagged, enabling precise policy based access control and compliance with emerging privacy laws.

The XQ platform emerges as a game-changer, offering a seamless transition between data types, IP modalities, and physical infrastructures. Its innovative approach involves micro-segmenting data at the edge, ensuring security through encapsulation and a unique key tied to data rights management. This key travels with the data, unlocking a world of possibilities for dynamic and secure information transfer.

Crypto Agile:

XQ seeds each generated key for each data microsegment with quantum entropy. This feature strengthens key resiliency. Additionally XQ customers can utilize any entropy source they desire. These keys are then stored remotely on an XQ validation server.

XQ then can dynamically change which algorithm is used to encrypt each data object. These algorithms include currently approved and future algorithms including:

1. Kyber - ML-KEM (FIPS 203)

2. Dilithium - ML-DSA (FIPS 204)

3. SPHINCS+ - SLH-DSA (FIPS 205)

4. Falcon - FN-DSA

DLP through RBAC and ABAC:

XQ automates and binds encryption, DLP, and Data Access Control to the data itself, enabling real-time identification and mitigation of a breach.

XQ technology enables you to apply DLP attribute and role-based policies at the data object level and dynamically change access when data is no longer in your physical possession.

XQ manages DLP across all platforms on which your data is hosted and protects against data exfiltration (ransomware double extortion) and insider threats (network admins, etc.).

Zero Trust Data applies role-based access control (RBAC), and Attribute-based access control (ABAC) applied to PQC encrypted data adds a necessary external control channel.

XQ Zero Trust Data + PQC = DoD Objective:

XQ is the only patented, commercially available platform meeting the DoD's Zero Trust Data design goals of addressing Data Protection, Catalog Risk Assessment, DoD Governance, and Portability in a single protocol.

XQ Message offers Zero Trust Data encryption-as-a-service that lets organizations eliminate security gaps in any data journey. The XQ Zero Trust Data service can be hosted internally for US Government applications, creating a Zero Trust Enclave that will appear completely black to external observers. 

To help prioritize, it is important to understand that there is a big difference in the difficulty, impact, and urgency of the post-quantum migration for the different kinds of cryptography required to create secure connections. In fact, for most organizations there will be two post-quantum migrations: key agreement and signatures / certificates.

1. First migration: Key Agreement (KEM)

   Symmetric ciphers are not enough on their own. How do I know which key to use when visiting a website for the first time? The browser can’t just send a random key, as everyone listening in would also see that key. You’d think it’s impossible, but there is some clever math to solve this so that the browser and server can agree on a shared key. Such a scheme is called a key agreement mechanism and is performed in the TLS handshake. Today, almost all traffic is secured with X25519, a Diffie–Hellman-style key agreement, but its security is completely broken by Shor’s algorithm on a quantum computer. Thus, any communication secured today with Diffie–Hellman, when stored, can be decrypted in the future by a quantum computer.

   
   

2. Second migration: Signatures / Certificates

The key agreement allows for a secure agreement on a key, but there is a big gap: we do not know with whom we agreed on the key. If we only do key agreement, an attacker in the middle can make separate key agreement with the browser and server and re-encrypt any exchanged messages. To prevent this, we need one final ingredient: authentication. XQ authenticates each transaction with new credentials.

Post Quantum Cryptography (PQC), which offers an unprecedented level of security and transparency, has the potential to impact consumer trust in everyday communications significantly.

Here's how:

1. Enhanced Security: PQC integrates counter measures to quantum based code breaking to ensure the security of communication channels. Unlike traditional encryption methods, which could potentially be compromised by advancements in computing power or algorithms, quantum encryption offers theoretically unbreakable security. This enhanced security can lead to greater trust among consumers, knowing their communications are protected from eavesdropping and hacking attempts.

2. Privacy Assurance: With quantum-secured messaging, consumers can have greater confidence in the privacy of their conversations. This assurance is especially important in today's digital age, where widespread concerns about data breaches and privacy violations exist. Knowing that their messages are encrypted using quantum-resistant techniques can reassure consumers that their personal and sensitive information remains confidential.

3. Trust in Technology Providers: Companies that offer PQC messaging solutions are likely to gain trust and credibility among consumers. These providers demonstrate their commitment to protecting user data and ensuring secure communications by adopting advanced encryption technologies. As a result, consumers may prefer to engage with businesses and platforms that prioritize security and privacy, ultimately strengthening trust in the digital ecosystem.

4. Market Differentiation: PQC messaging can be a competitive advantage for businesses looking to differentiate themselves in the market. Companies implementing such technologies early on can position themselves as leaders in security and innovation, attracting customers who prioritize privacy and security in their communications.

5. Regulatory Compliance: As data privacy and security regulations continue to evolve, PQC messaging could become a requirement for compliance in certain industries or regions. Businesses that proactively adopt these technologies mitigate the risk of regulatory penalties and demonstrate their commitment to upholding the highest standards of security and privacy.

Overall, PQC messaging has the potential to significantly bolster trust in everyday communications by offering unparalleled security, privacy assurance, and confidence in technology providers. As these technologies become more accessible and widespread, they will fundamentally transform how we communicate and interact in the digital world.

As the DoD and the U.S. Government migration to PQC encryption, platforms such as XQ facilitate a smooth and flexible transition at a greater speed and with lowered costs. Cost effective PQC compliance lays with XQ!