Protecting against an ever-increasing threat landscape, including the threat quantum computing poses to security, requires flexibility so that you can make changes at the cryptographic level quickly and without affecting your product’s current certifications.
The ISARA Catalyst™ TLS Testbed expands on TLS 1.2 to include agility in the form of hybrid key establishment, supported by a selection of ready-to-use classic and quantum-safe hybrid cipher suites, allowing you to begin your migration to quantum-safe security today.
“By 2021, organizations with crypto-agility plans in place will suffer 60% fewer cryptographically related security breaches and application failures than organizations without a plan.”
Gartner, “Better Safe Than Sorry: Preparing for Crypto-Agility”, Mark Horvath, David Anthony Mahdi, 30 March 2017
The agile key-establishment mechanism allows for the hybridization of two or more key establishment mechanisms using the embedded ISARA Radiate Crypto Library. It’s lightweight, fast, and low-consumption: perfect for embedded devices, yet scalable for use in networks and servers.
Provably as secure as classic cipher suites, with long-term security provided by quantum-safe cryptography, enabling a risk-free migration. Implements a selection of standards-compliant hybridized classical and quantum-safe cipher suites using the NIST-recommended hybrid approach.
Provides agile TLS 1.2 support using a curated list of classic cipher suites, ensuring full backward compatibility, as well as a selection of ready-to-use classic-quantum-safe hybrid cryptography.
No, hybrid key establishment will not affect your current cryptographic compliance policies. We use the NIST-recommended hybrid approach to maintain the security of classic cipher suites while integrating the strength of quantum-safe cipher suites.
The NIST Post-Quantum Cryptography FAQs page states that “assuming one of the components of the hybrid mode in question is a NIST-approved cryptographic primitive, such hybrid modes can be approved for use for key establishment or digital signatures.”
Read the full FAQ answer on the NIST Post-Quantum Cryptography FAQs page under “Transition and Migration”.
TLS 1.3 is a recently standardized version of TLS and is not widely supported yet. Future versions of ISARA Catalyst will support it. Currently, TLS 1.2 is the most supported version of TLS, allowing most TLS protocol users to take advantage of the testbed today.
The ISARA Catalyst TLS Testbed offers a smart, curated selection of classic and classic-quantum-safe hybrid cipher suites. The classic cipher suites are currently the most secure and widely supported, allowing for backward compatibility with legacy systems. Classic-quantum-safe hybrid cipher suites are based on the Diffie-Hellman variations of two of the most promising, yet mathematically unrelated, NIST submissions for key exchange. The Diffie-Hellman variations were chosen to allow for a simple hybridization with classic Elliptic Curve Diffie-Hellman. Future versions of ISARA Catalyst TLS Testbed will include hybrid cipher suites based on the most promising NIST Key Encapsulation Mechanisms (KEMs) and support quantum-safe ISARA Catalyst™ Agile Digital Certificate Technology.