AWS has revealed its plan to migrate to quantum-resistant cryptographic protocols
- Alexey
- Dec 6, 2024
Amazon Web Services (AWS) has unveiled its migration plan to post-quantum cryptography (PQC). By publicly sharing this roadmap, AWS sets the stage for industry-wide collaboration and a smoother transition to quantum-resistant security protocols, ensuring customer data is protected in the quantum era.

The migration is structured into four distinct workstreams, each addressing critical aspects of the transition:
1. System Inventory and Migration Planning
AWS's first step involves a comprehensive inventory of existing systems, focusing on where public-key cryptography is used and prioritizing areas at the greatest risk from future quantum computers. The emphasis is on encryption in transit, which secures communications over untrusted networks. By addressing these vulnerabilities now, AWS ensures data shared with its services remains confidential, even in a quantum-capable future.
2. Implementing PQC in Communication Protocols
Public AWS endpoints will adopt hybrid post-quantum key agreements, combining classical cryptography (like Elliptic-Curve Diffie-Hellman) with post-quantum methods. This approach ensures long-term confidentiality for communications between AWS and its customers, supported by AWS’s FIPS-validated cryptographic library (AWS-LC). Key services like Elastic Load Balancing and Amazon API Gateway will integrate these advancements to shield customer workloads from quantum threats.
3. Long-Term Roots of Trust for Cryptographic Signing
AWS will integrate the ML-DSA algorithm into services like AWS Key Management Service (AWS KMS), enabling customers to establish quantum-resistant roots of trust for long-lived use cases. These secure signatures are crucial for systems with extended lifecycles, such as IoT devices and critical infrastructure, ensuring their integrity even decades into the quantum future.
4. Quantum-Resistant Digital Signatures for Authentication
To protect session-based authentication, AWS will work with industry standards groups to enable post-quantum certificates. While challenges in public certificate issuance remain, AWS Private Certificate Authority (Private CA) will offer quantum-resistant certificates for controlled environments. Customers can also leverage AWS’s open-source solutions to adopt PQC for private networking channels.