Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broadcom & Layer7
APIdays_official
15 slides
May 23, 2024
About This Presentation
Post-Quantum API Security: Preparing your APIs for Q-day
Francois Lascelles, Distinguished Engineer at Broadcom and CTO at Layer7
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Slide Content
Post-Quantum API Security
Preparing your APIs for Q-day
April 30, 2024
Francois Lascelles
API Security CTO, Broadcom
Understanding the Quantum Threat
Today
•Our digital world relies on secure communications and privacy of data at rest
–Authentication, authorization, encryption, integrity
–In the foundation of this security is public key cryptography
–Using ubiquitous algorithms RSA, EC, …
Q-day
•When quantum computing becomes available (1)
–Using Shor’s algorithm and a few thousand stable qubits
–You can easily break RSA, EC
–Services relying on these common standards would be left open to breach, impersonation, fraud, etc.
(1) We’ll get back to that
What is the solution?
Don’t Panic
•You won’t need a Quantum computer to protect against a Quantum computer attack
•Post-quantum crypto (PQC)
•Quantum-resistant
•Compatible with today’s infrastructure
•Standards
–NIST formalizing PQC algos this year (2024)
API specific exposure
API Secure Connection Points and Access Control Mechanisms Affected
–Secure connections
–Identity introspection, JWKS
–Data access
–Shared state (KV, counting)
–Microservices
–Client-server
–Access control mechanisms
–Authentication (JWT)
–Subject confirmation (mTLS, signatures)
–Token mediation
[Diagram: Client, API, Data, Identity, State]
Example API exploit: JWT based API access control
[Diagram: App + User, Identity, API]
Authenticate, get JWT
Call API with JWT
Get JWK (public key)
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"scope": "limited",
"group": "tenant1"
}
I trust the JWT and its claims because the signature proves possession of a private key associated with the public one
Get JWK (it’s public)
{
"sub": "1234567890",
"name": "whomever",
"iat": "whenever",
"scope": "whatever",
"group": "any_claim"
}
•Apply Shor
•Deduce the private key
•Forge my own tokens
•Claiming any identity
•Claiming any permissions
•Setting any expiration
•As many as I want
•Whenever I want
Call API with JWT
Legit JWT / Forged JWT
Post-quantum JWT
•To counter this threat, token issuers need to switch to PQC
–Token issuers need to be able to sign tokens utilizing these new standards
•Resource servers need to be able to validate those PQC signatures
•The standards that specify JWT signing need to evolve to accommodate this
–JWT -> JWS -> JWA
How does Dilithium perform compared to RSA2048?
Is there a PQC tax to pay?
Not bad
Token size 3.6KB vs < 1KB
Timeline
When is Q-Day?
•While the bar is dropping to crack today’s security, quantum computers are getting stronger, faster
2019 Google Sycamore: 53 qubits
2022 IBM Osprey: 433 qubits
2023 IBM Condor: 1121 qubits
203X(?): 1M qubits (?)
Timeline
Working backwards from Q-Day
[Diagram: Deadline to start PQC retrofit, total remediation duration, secure-for period, Q-day]
•How long it takes to retrofit your infrastructure
•Harvest now, decrypt later
•How long is a secret going through your API subject to privacy?
•Intercepting API traffic is, in some cases, an easier target than data at rest
Time to retrofit
(In some cases, this will take years)
•Some of the most critical targets tend to be large organizations
–Government-managed infrastructure systems
–Large private corporations
•The same organizations can be slow to adapt
•Some environments have very complex multi-layered architectures
•Some legacy infrastructure may lack the required crypto-agility
•You can’t flick the switch for all systems at once
–Therefore, there needs to be a period of overlapping support
–This adds to the scope
Establish a quantum-readiness roadmap
•See: Quantum-readiness – Migration to post-quantum crypto
–NIST, CISA, NSA
•Assign a team to plan and scope the migration
•Prepare a crypto inventory
–Where and how is crypto used in your organization
•Prioritize
–Most likely or damaging targets
•Discuss with technology providers
–Demand crypto-agility
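
One way to start the crypto inventory for the JWT and JWKS exposure described in the slides: label each published key and each sampled token header by whether its algorithm falls to Shor. This is an added example, not code from the presentation; the sample JWKS and tokens are constructed, and the ML-DSA algorithm names and the "AKP" key type are assumptions taken from IETF JOSE/COSE drafts.

```python
import base64
import json
# Key types / JOSE algorithm prefixes built on factoring or discrete logs (Shor).
SHOR_KTY = {"RSA", "EC", "OKP"}
SHOR_ALG_PREFIXES = ("RS", "PS", "ES", "EdDSA", "ECDH")
# Assumption: ML-DSA (Dilithium) names as proposed in IETF JOSE/COSE drafts.
PQC_ALGS = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"}

def classify(alg=None, kty=None):
    """Inventory label for one JOSE 'alg' and/or JWK 'kty'."""
    if alg == "none":
        return "unsigned"
    if alg in PQC_ALGS:
        return "pqc"
    if kty in SHOR_KTY or (alg and alg.startswith(SHOR_ALG_PREFIXES)):
        return "quantum-vulnerable"
    if kty == "oct" or (alg and alg.startswith("HS")):
        return "symmetric"  # not broken by Shor; review key length separately
    return "review"  # unknown identifier: needs a human decision

def jwt_header(token):
    """Decode the header of a compact JWS without verifying the signature."""
    segment = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def inventory(jwks, tokens):
    """Rows of (source, kid, label) for JWKS keys and sampled tokens."""
    rows = [("jwk", k.get("kid"), classify(k.get("alg"), k.get("kty")))
            for k in jwks.get("keys", [])]
    for token in tokens:
        header = jwt_header(token)
        rows.append(("jwt", header.get("kid"), classify(header.get("alg"))))
    return rows

def _sample_token(header):
    enc = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{enc}.e30.c2ln"  # dummy payload and signature

# Constructed sample data, not taken from the presentation.
SAMPLE_JWKS = {"keys": [
    {"kid": "rsa-2021", "kty": "RSA", "alg": "RS256"},
    {"kid": "ec-2023", "kty": "EC", "crv": "P-256"},
    {"kid": "pq-2024", "kty": "AKP", "alg": "ML-DSA-44"},  # kty is an assumption
]}
SAMPLE_TOKENS = [_sample_token({"alg": "RS256", "kid": "rsa-2021"}),
                 _sample_token({"alg": "HS256", "kid": "shared"})]

if __name__ == "__main__":
    print(*inventory(SAMPLE_JWKS, SAMPLE_TOKENS), sep="\n")
```

Rows labelled "quantum-vulnerable" are the issuers and resource servers that need PQC signing and validation support; "review" rows are identifiers the script does not recognise.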