Manual Chapter :
Integrating PQC on the client-side
Applies To:
Show Versions
Integrating PQC on the client-side
About PQC
PQC (Post-Quantum Cryptography) is a new method of cryptography that develops algorithms resistant to quantum computer attacks. These algorithms rely on mathematical problems that remain hard to solve even for quantum computers.
Popular encryption methods, such as RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman, are designed around solving very hard mathematical problems. These problems are almost impossible for traditional computers to solve within a reasonable time. However, with the emergence of
Quantum Computers
, the situation has changed. Quantum Computers can solve these problems in a fraction of the time using algorithms like Shor’s algorithm
, making current encryption methods obsolete and insecure
.One of the serious threats today is
“Harvest Now, Decrypt Later”
attacks. This means that even if your data seems secure now, it might be vulnerable in the future. To address this, PQC ensures that even if someone steals encrypted data, they won’t be able to decrypt it – now or in the future.To reduce the risks of the new age, BIG-IP now supports the Hybrid X25519_Kyber768 key exchange in TLS 1.3 on the client-side, improving security against future quantum-based threats. This new DH curve protects encrypted data from "Harvest Now, Decrypt Later" attacks by integrating post-quantum cryptographic resilience. You can now implement quantum-safe encryption while maintaining compatibility with existing security protocols. This implementation of PQC algorithms is designed to make it easier for organizations to test, integrate, and prototype quantum-safe cryptographic systems
Important
PQC implementation is compatible only with the TLS 1.3 protocol
.Configuration X25519KYBER768 through GUI
Configure X25519KYBER768 through Cipher Rules
Follow the below steps, to create a Cipher Rule:
- On theMaintab, expandLocal Traffic. Go toCiphersand selectRules.
- Click theCreatebutton.
- In theNamefield, type a name for the new cipher rule.
- Select any of the suites fromCipher Suitesfield's provided list. Use "ALL" or "DEFAULT" to list all the available suites. for example, DEFAULT
- In the DH Groups entry, add "X25519KYBER768" for PQC ciphers or you can use "DEFAULT:" to list the available groups. Example: "DEFAULT:X25519KYBER768".
- For theSignature Algorithmsfield, select an algorithm. Example, DEFAULT.
- Click theFinishedbutton.
Configure X25519KYBER768 through Cipher Group
Use the cipher rules to create cipher groups, follow the below steps:
- On theMaintab, expandLocal Traffic.
- Go toCiphersand selectGroups.Click theCreatebutton.
- Provide the details in theGeneralsection. Select the rule created in the above step fromGroup Creation > Available Rules.
- Add the created rule to "Allow the following list" or "Restrict the Allowed list to the following" in theGroup Detailssection.
- All the other details,such aswill be reflected in theDH Group, Signature Algorithms,andCipher Suites,Group Auditsection as per the selected rule.
- Click theFinishedbutton.
Configure X25519KYBER768 through Client-SSL profile
To add the cipher group to a Client SSL profile, follow the below steps:
- Go toProfile > SSL > Client.
- Select any existing profile or create a new one, and set theConfigurationvalue toAdvanced.
- Go toCiphers,and select theCipher Groupradio button. Select the created group to enable the created Ciphers group for the client SSL profile.
Configuration X25519KYBER768 through TMSH
Configure X25519KYBER768 through Cipher Rules
Use the below commands to create cipher rules
- SSH into the BIG-IP system and log in with admin credentials. Typetmshto enter the Traffic Management Shell.
- Create the ltm cipher rule using the following commands:root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm cipher rule TMSH_PQC cipher DEFAULT dh-groups DEFAULT:X25519KYBER768 signature-algorithms DEFAULT
- To list or view the basic details of the created cipher rule use the below command:root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm cipher rule TMSH_PQC ltm cipher rule TMSH_PQC { cipher DEFAULT dh-groups DEFAULT:X25519KYBER768 signature-algorithms DEFAULT }
- To view the complete details of the created cipher rule use the below command:root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm cipher rule TMSH_PQC -------------------- Ltm::Cipher::Rule -------------------- Name TMSH_PQC Cipher Suites ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-GCM-SHA256/DTLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/DTLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/DTLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/DTLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/DTLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/DTLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-GCM-SHA256/DTLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES128-SHA256/DTLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-GCM-SHA384/DTLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:AES256-SHA256/DTLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA128-SHA/DTLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:CAMELLIA256-SHA/DTLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/DTLS1.2:ECDHE-ECDSA-AES128-CCM/TLS1.2:ECDHE-ECDSA-AES128-CCM/DTLS1.2:ECDHE-ECDSA-AES128-CCM8/TLS1.2:ECDHE-ECDSA-AES128-CCM8/DTLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA/DTLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/DTLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/DTLS1.2:ECDHE-ECDSA-AES256-CCM/TLS1.2:ECDHE-ECDSA-AES256-CCM/DTLS1.2:ECDHE-ECDSA-AES256-CCM8/TLS1.2:ECDHE-ECDSA-AES256-CCM8/DTLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA/DTLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/DTLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/DTLS1.2:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/DTLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-GCM-SHA384/DTLS1.2:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/DTLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.0:DHE-RSA-CAMELLIA128-SHA/TLS1.1:DHE-RSA-CAMELLIA128-SHA/TLS1.2:DHE-RSA-CAMELLIA128-SHA/DTLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.0:DHE-RSA-CAMELLIA256-SHA/TLS1.1:DHE-RSA-CAMELLIA256-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/DTLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3 DH-Groups DEFAULT:X25519KYBER768 Signature Algorithms DEFAULT
Configure X25519KYBER768 through Cipher Group
Use the cipher rules to create cipher groups, follow the below steps:
- SSH into the BIG-IP system and log in with admin credentials. Typetmshto enter the Traffic Management Shell.
- Create the ltm cipher group using the following commands:root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos) # create ltm cipher group TMSH_PQC allow add { TMSH_PQC }
- To list or view the basic details of the created cipher group use the below command:root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm cipher group TMSH_PQC ltm cipher group TMSH_PQC { allow { TMSH_PQC { } } }
- To view the complete details of the created cipher rule use the below command:root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm cipher group TMSH_PQC --------------------------- Ltm::Cipher::Group --------------------------- Name TMSH_PQC Cipher Result ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-GCM-SHA256/DTLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/DTLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/DTLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/DTLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/DTLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/DTLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-GCM-SHA256/DTLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES128-SHA256/DTLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-GCM-SHA384/DTLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:AES256-SHA256/DTLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA128-SHA/DTLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:CAMELLIA256-SHA/DTLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/DTLS1.2:ECDHE-ECDSA-AES128-CCM/TLS1.2:ECDHE-ECDSA-AES128-CCM/DTLS1.2:ECDHE-ECDSA-AES128-CCM8/TLS1.2:ECDHE-ECDSA-AES128-CCM8/DTLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA/DTLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/DTLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/DTLS1.2:ECDHE-ECDSA-AES256-CCM/TLS1.2:ECDHE-ECDSA-AES256-CCM/DTLS1.2:ECDHE-ECDSA-AES256-CCM8/TLS1.2:ECDHE-ECDSA-AES256-CCM8/DTLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA/DTLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/DTLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/DTLS1.2:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/DTLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-GCM-SHA384/DTLS1.2:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/DTLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.0:DHE-RSA-CAMELLIA128-SHA/TLS1.1:DHE-RSA-CAMELLIA128-SHA/TLS1.2:DHE-RSA-CAMELLIA128-SHA/DTLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.0:DHE-RSA-CAMELLIA256-SHA/TLS1.1:DHE-RSA-CAMELLIA256-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/DTLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3 DH-Groups Result P256:X25519:P384:FFDHE2048:FFDHE3072:FFDHE4096:X25519KYBER768 Signature Algorithms Result RSA-PKCS1-SHA256:RSA-PSS-SHA256:ECDSA-SHA256:RSA-PKCS1-SHA384:RSA-PSS-SHA384:ECDSA-SHA384:RSA-PKCS1-SHA512:RSA-PSS-SHA512:ECDSA-SHA512 root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
Configure X25519KYBER768 through Client-SSL Profile
Follow the below commands to add the cipher group to a Client SSL profile
- SSH into the BIG-IP system and log in with admin credentials. Typetmshto enter the Traffic Management Shell.
- Create the Client-SSL profile using the following command:root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm profile client-ssl TMSH_PQC cipher-group TMSH_PQC options ciphers none
- To list or view the basic details of the created ltm client-ssl profile use the below command:root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl TMSH_PQC ltm profile client-ssl TMSH_PQC { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group TMSH_PQC ciphers none inherit-ca-certkeychain true inherit-certkeychain true options }
