Post-quantum Crypto and VPNs
Every time you make a secure connection over the internet – to your bank, to Facebook, or nearly anywhere online – cryptography is what keeps that communication secure. Some of that cryptography is based upon mathematical problems known to be solvable by a quantum computer. As the scientists working on quantum computers continue to make progress, cryptographers are at work as well, developing new post-quantum cryptosystems based upon mathematical problems which we believe are resistant to quantum attacks.
When it comes time, migrating all network traffic, including communications from services and applications, to new post-quantum cryptography will be a time-consuming and lengthy process. Fortunately, we have some time. Even the most optimistic estimates are that it will be five or more years before a sufficiently powerful and stable quantum computer capable of breaking today’s public-key cryptography is running.
As we and other research teams around the world work to develop new cryptosystems, we are testing how candidates work with real-world protocols and applications. One of the most important scenarios for post-quantum crypto is VPNs.
VPNs establish a secure link between two points on the internet and allow applications to run inside them as if they were on the same network. In the future, when post-quantum cryptosystems have been vetted by efforts like the NIST Post-Quantum Project, VPNs that are protected by post-quantum cryptography can be rapidly deployed to protect existing applications, until the applications themselves can be updated to use the new algorithms natively.
Post-quantum Crypto VPN Software
This project takes a fork of the OpenVPN software and combines it with post-quantum cryptography. In this way, we can test these algorithms with VPNs, evaluating functionality and performance of the quantum resistant cryptography. Because this project is experimental, it should not be used to protect sensitive data or communications at this time. Further cryptanalysis and research must first be done over the next few years to determine which algorithms are truly post-quantum safe.
In the current release, traffic is only protected from attack by a quantum computer when the traffic passes through the VPN tunnel between the client and the server.
Figure 1: Traffic between the Client and Server 1 has post-quantum protection, because Server 1 is on the same trusted network as the VPN Server. Traffic between the Client and Server 2 does not have post-quantum crypto protection.
After traffic exits the VPN server, communication staying within a organization’s own internal network or a trusted cloud provider is protected. When working with this software, construct your test application architecture to ensure this is the case. Should traffic go out onto the public internet, as in the above diagram to Server 2, it will only be protected by classical cryptography and would again be vulnerable to attack by a quantum computer.
For more information on how to download and use this software, as well as the source code and build instructions, please see our project page at GitHub. Binary releases can be found on the GitHub releases page.
More information on post-quantum cryptography can be found on the overall post-quantum cryptography project page.
Talk to us
Please file bug reports, feature requests, and other issues with the code on the GitHub issues tracker. For contributions via pull requests, please see the section on Contributing on the GitHub project page.
Please send other feedback, questions, and comments to us at firstname.lastname@example.org – we’d like to hear from you!