TLS and Post-Quantum Cryptography: Securing Communications Today and Tomorrow

Thursday, June 1, 2023


#### Mark Frost

FPGA Security and 5G Technical Marketing Manager, Intel Corporation

#### Kimmo Järvinen

Co-founder and Chief Technical Officer, Xiphera Ltd.

#### So what is TLS?

**Transport Layer Security** (**TLS**) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible. The current version, TLS 1.3, was standardized in 2018 (RFC 8446).

#### How does it work?

- Client-server protocol
  - The client requests a secure connection from the server
- Two layers: the TLS Record protocol and the TLS Handshake protocol. The former defines the message structures and protects application data; the latter defines how client and server establish a secure session
- Handshake
  - Cipher suite selection
  - Server authentication (client authentication is also supported)
    - Typically done with digital certificates (PKI)
  - Session key exchange: the agreed shared secret is fed into a key derivation function to produce the symmetric keys used by the record layer
- Record
  - Application data records are protected for confidentiality and integrity/authenticity (AEAD)
  - Nowadays most typically AES-GCM (other AEAD ciphers, such as ChaCha20-Poly1305, are also supported)

#### TLS Use Cases – acceleration with FPGA

- NVMe<sup>™</sup> over Fabrics (NVMe-oF<sup>™</sup>): TCP or RoCE
  - Uses a transport protocol over a network to reach remote NVMe devices, as opposed to regular NVMe, where physical NVMe devices are connected to a PCIe bus either directly or through a PCIe switch
  - The FPGA accelerates the TCP stack, with TLS running on top
- Protecting streaming content
  - Content Service Providers (CSP)
  - Medical
  - Banking
  - Government
  - The FPGA accelerates the TLS encrypt function (server side)
- High-speed wireline packet sniffer
  - Endpoint example

### TLS and Intel FPGAs

Intel has a wide range of FPGAs suitable for TLS implementations.

#### Intel FPGA: Securing your IP and your Data

Agilex FPGAs help secure your design and data from the ground up:

- Protect your IP
- Secure Device Manager in all family members
- Secure key vault for TLS

## How Does Post-Quantum Cryptography Affect the TLS Protocol?

Kimmo Järvinen, CTO and Co-founder, Xiphera Ltd. (June 1, 2023)

### TLS 1.3 Handshake

(Slide: diagram of the TLS 1.3 handshake message flow; figure not reproduced in the text.)

### Quantum Targets

(Slide: figure not reproduced in the text.)

## The Imminent Quantum Threat

- Quantum computers of cryptographic significance (probably) do not exist today!
  - Record today, break tomorrow: traffic captured now can be decrypted once such a computer exists
- TLS authentication cannot be broken retroactively: a forged signature only helps an attacker while the session is being established
- TLS key exchange can be broken retroactively
  - But each recorded session must be attacked separately, because every session uses its own ephemeral key exchange
- The key exchange must be protected today if the communication must remain confidential for decades

## Why Hybrid Systems?

- We cannot fully trust that the new PQC schemes are secure
  - **Example:** NIST finalist Rainbow and Round 4 candidate SIKE were broken!
- Many recommend using a hybrid system (a classical and a post-quantum scheme combined, so the session stays secure as long as at least one of them holds)
  - ANSSI (France) recommends it at least until 2030
- Elliptic curves will not go away for a long time!

## Hybrid Key Exchange

(Slide: diagram of a hybrid key exchange; figure not reproduced in the text.)

# PQ-TLS Proposal

- An Internet-Draft (draft-ietf-tls-hybrid-design, see References) proposes a way to use **hybrid key exchange** in TLS 1.3
- Rather than sending two separate "group" and "key share" entries (one per component algorithm) in the ClientHello/ServerHello key_share extension, there is only one. For example:
  - "group": secp384r1_kyber768
  - "key share": concatenation of the secp384r1 key share and the kyber768 key share
  - The two component shared secrets (the secp384r1 ECDH secret and the kyber768 KEM secret) are concatenated and fed into the TLS key schedule in place of the usual (EC)DHE input
- The Internet-Draft suggests four hybrid groups, targeted at various use cases
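The exchange described above, as an added example that is not part of the slides and not Xiphera's or Intel's code: a Python model of the hybrid key_share concatenation, the shared-secret combiner, and the TLS 1.3 key schedule (RFC 8446 section 7.1) that the combined secret feeds, which also walks through the handshake-to-record-layer derivation summarised in the "How does it work?" slide. Assumptions: no secp384r1 or Kyber768 arithmetic is performed (neither is in the Python standard library), so the component key shares and shared secrets are constructed placeholder bytes of the real sizes; the group name `secp384r1_kyber768` is taken from the slide, and all function names are this example's own.

```python
"""Added example, not code from the slides or from Xiphera's IP cores.
Assumed: placeholder bytes stand in for the real secp384r1/Kyber768 outputs;
the HKDF, HKDF-Expand-Label and key-schedule arithmetic is the RFC 8446 one."""
import hashlib
import hmac
import struct

HASH = hashlib.sha384            # hash of the negotiated suite, e.g. TLS_AES_256_GCM_SHA384
HASH_LEN = HASH().digest_size    # 48

# Real sizes of the two components of secp384r1_kyber768.
P384_POINT_LEN, P384_SECRET_LEN = 97, 48       # uncompressed point, x-coordinate secret
KYBER768_PK_LEN, KYBER768_SS_LEN = 1184, 32    # public key, shared secret

def hkdf_extract(salt: bytes, ikm: bytes, h=HASH) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt means HashLen zero bytes."""
    salt = salt or b"\x00" * h().digest_size
    return hmac.new(salt, ikm, h).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int, h=HASH) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 HKDF-Expand-Label with the HkdfLabel structure serialised by hand."""
    full_label = b"tls13 " + label
    info = (struct.pack(">H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """RFC 8446 Derive-Secret: the context is the transcript hash."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def hybrid_key_share(ecdh_share: bytes, kem_share: bytes) -> bytes:
    """key_share value of the hybrid group: plain concatenation, no length prefixes."""
    return ecdh_share + kem_share

def split_hybrid_key_share(key_share: bytes, first_len: int, second_len: int):
    """The receiver splits by the fixed component sizes; any other length is malformed."""
    if len(key_share) != first_len + second_len:
        raise ValueError("hybrid key_share has unexpected length")
    return key_share[:first_len], key_share[first_len:]

def hybrid_shared_secret(ecdh_ss: bytes, kem_ss: bytes) -> bytes:
    """Combiner from draft-ietf-tls-hybrid-design: concatenate the component secrets."""
    if len(ecdh_ss) != P384_SECRET_LEN or len(kem_ss) != KYBER768_SS_LEN:
        raise ValueError("component shared secret has unexpected length")
    return ecdh_ss + kem_ss

def handshake_secrets(shared_secret: bytes, transcript_to_server_hello: bytes) -> dict:
    """Early Secret -> Handshake Secret -> client/server handshake traffic secrets."""
    early = hkdf_extract(b"", b"\x00" * HASH_LEN)      # no PSK in use
    derived = derive_secret(early, b"derived", b"")
    hs = hkdf_extract(derived, shared_secret)           # the (hybrid) secret is the IKM here
    return {"handshake": hs,
            "client": derive_secret(hs, b"c hs traffic", transcript_to_server_hello),
            "server": derive_secret(hs, b"s hs traffic", transcript_to_server_hello)}

def record_key_iv(traffic_secret: bytes, key_len: int = 32, iv_len: int = 12):
    """Record-layer traffic key and IV (32 and 12 bytes for AES-256-GCM)."""
    return (hkdf_expand_label(traffic_secret, b"key", b"", key_len),
            hkdf_expand_label(traffic_secret, b"iv", b"", iv_len))

def record_nonce(iv: bytes, seq: int) -> bytes:
    """Per-record AEAD nonce: 64-bit sequence number left-padded to IV length, XOR IV."""
    return bytes(a ^ b for a, b in zip(iv, seq.to_bytes(len(iv), "big")))

def finished_mac(traffic_secret: bytes, transcript: bytes) -> bytes:
    """verify_data of the Finished message, binding the whole transcript so far."""
    finished_key = hkdf_expand_label(traffic_secret, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(transcript).digest(), HASH).digest()

def demo() -> dict:
    # Constructed placeholders: both peers would obtain these from the real key exchange.
    ecdh_ss, kem_ss = bytes(range(P384_SECRET_LEN)), b"\xaa" * KYBER768_SS_LEN
    share = hybrid_key_share(b"\x04" + b"\x11" * (P384_POINT_LEN - 1), b"\x22" * KYBER768_PK_LEN)
    ecdh_share, kem_share = split_hybrid_key_share(share, P384_POINT_LEN, KYBER768_PK_LEN)
    transcript = b"ClientHello||ServerHello"    # stand-in for the real handshake bytes
    secrets = handshake_secrets(hybrid_shared_secret(ecdh_ss, kem_ss), transcript)
    key, iv = record_key_iv(secrets["server"])
    return {"ecdh_share_len": len(ecdh_share), "kem_share_len": len(kem_share),
            "server_key": key, "nonce_1": record_nonce(iv, 1),
            "server_finished": finished_mac(secrets["server"], transcript + b"||...")}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Two points worth noticing. First, `handshake_secrets` does not know or care that its input is hybrid: passing the 48-byte ECDH secret alone gives a classical TLS 1.3 handshake, passing the 80-byte concatenation gives the hybrid one, which is what makes the draft a drop-in at the key-schedule level. Second, because the concatenated key share carries no length prefixes, the receiver must know the fixed component sizes from the negotiated group and reject any other length, as `split_hybrid_key_share` does.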



### TLS 1.3 Handshake

(Slide: the TLS 1.3 handshake diagram; figure not reproduced in the text.)

### PQ-TLS 1.3 Handshake

(Slide: figure not reproduced in the text.)

## Xiphera's TLS and PQC Offering

### Transport Layer Security

- Product family extensions announced today (June 1, 2023)
- IP cores for both the server and the client side
- Implements the complete TLS 1.3 protocol
  - Including the TLS handshake and session key management
  - Fast performance and high security
- Learn more: xiphera.com/tls.php

### xQlave® – Post-Quantum Cryptography

- Product family of efficient implementations of PQC algorithms
- Currently offering
  - CRYSTALS-Kyber (KEM)
  - CRYSTALS-Dilithium (digital signature)
- Learn more: xiphera.com/pqc.php

## Thank you!

www.xiphera.com

kimmo.jarvinen@xiphera.com
mark.frost@intel.com

PEACE OF MIND IN A DANGEROUS WORLD

Cryptography **Under the Hood** will continue in September! More info coming soon.


### References

- IETF: Hybrid key exchange in TLS 1.3, draft-ietf-tls-hybrid-design-06 (https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/06/)