AWS-LC FIPS 3.0 Introduces Post-Quantum Cryptography Features

Quick take - Amazon Web Services (AWS) has introduced AWS-LC FIPS 3.0, the first open-source cryptographic module to support post-quantum algorithms, enhancing security protocols and compliance for organizations under federal regulations.

Fast Facts

  • AWS-LC FIPS 3.0 is the first open-source cryptographic module to support post-quantum algorithms, specifically the Module Lattice-Based Key Encapsulation Mechanism (ML-KEM).
  • The module enhances data confidentiality against quantum threats and allows for a hybrid key exchange approach by combining traditional protocols with ML-KEM.
  • AWS-LC FIPS 3.0 includes performance improvements such as faster RSA signatures, EdDSA signing with Ed25519, and the integration of the SHA-3 hashing function.
  • Organizations under federal compliance frameworks can now utilize FIPS-validated cryptographic modules, ensuring adherence to regulations like FedRAMP and HIPAA.
  • Users are advised to adopt hybrid key exchange strategies and recommended parameter sets to avoid vulnerabilities and maximize performance in their implementations.

AWS-LC FIPS 3.0: A Leap Forward in Post-Quantum Cryptography

Amazon Web Services (AWS) has taken a significant step in advancing cryptographic security with the introduction of AWS-LC FIPS 3.0, now part of the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP). This development marks a milestone as AWS-LC becomes the first open-source cryptographic module to incorporate post-quantum algorithms, specifically the Module Lattice-Based Key Encapsulation Mechanism (ML-KEM). This advancement not only strengthens security protocols but also ensures compliance for organizations operating under federal regulations.

Enhancing Security Against Quantum Threats

The validation of AWS-LC FIPS 3.0 brings critical features designed to bolster data confidentiality against emerging quantum threats. AWS-LC obtained its first FIPS 140-3 certificate, for AWS-LC-FIPS 1.0, in October 2023; organizations can now integrate ML-KEM for key encapsulation. This facilitates a hybrid key exchange approach that combines traditional protocols like Elliptic Curve Diffie-Hellman (ECDH) with ML-KEM, enhancing security against both current and future cyber threats.

To optimize ML-KEM implementation, AWS-LC recommends specific parameter sets: ML-KEM-768 for general use and ML-KEM-1024 for applications requiring heightened security. For transport layer security, users are encouraged to integrate AWS-LC with the open-source TLS implementation, s2n-tls, which supports hybrid key exchange for TLS 1.3.
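
The hybrid approach and the two recommended parameter sets can be made concrete with a short sketch. This is an added example, not code from AWS-LC or s2n-tls. It assumes X25519 as the ECDH component, a share layout with the ML-KEM bytes first, and an HKDF-Extract combiner with a zero salt, modeled on the IETF hybrid key exchange drafts for TLS 1.3; all secrets are constructed placeholder bytes and no real key exchange is run.

```python
import hashlib
import hmac

# Byte lengths from FIPS 203 (ML-KEM) and RFC 7748 (X25519).
MLKEM_SIZES = {
    "ML-KEM-768": {"encaps_key": 1184, "ciphertext": 1088},
    "ML-KEM-1024": {"encaps_key": 1568, "ciphertext": 1568},
}
SECRET_LEN = 32  # ML-KEM shared secret, X25519 public key and X25519 output


def split_hybrid_share(share, param_set, sender):
    """Split a hybrid key share into (ml_kem_part, x25519_public_key).

    Assumed layout: ML-KEM bytes first, X25519 public key last. The client
    sends an encapsulation key, the server answers with a ciphertext.
    """
    field = "encaps_key" if sender == "client" else "ciphertext"
    pq_len = MLKEM_SIZES[param_set][field]
    if len(share) != pq_len + SECRET_LEN:
        raise ValueError(f"{param_set} {sender} share must be "
                         f"{pq_len + SECRET_LEN} bytes, got {len(share)}")
    return share[:pq_len], share[pq_len:]


def combine_secrets(mlkem_secret, ecdh_secret, salt=bytes(32)):
    """HKDF-Extract (RFC 5869, SHA-256) over ml_kem_secret || ecdh_secret."""
    if len(mlkem_secret) != SECRET_LEN or len(ecdh_secret) != SECRET_LEN:
        raise ValueError("both component secrets must be 32 bytes")
    if ecdh_secret == bytes(SECRET_LEN):
        # RFC 8446 section 7.4.2: abort on an all-zero X25519 result.
        raise ValueError("all-zero X25519 shared secret")
    return hmac.new(salt, mlkem_secret + ecdh_secret, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed placeholder bytes; no real key exchange is performed here.
    client_share = bytes(1184) + bytes(range(32))
    pq_part, ec_part = split_hybrid_share(client_share, "ML-KEM-768", "client")
    print(len(pq_part), len(ec_part))
    key = combine_secrets(b"\x11" * 32, b"\x22" * 32)
    # Replacing either component yields an unrelated key.
    print(key != combine_secrets(b"\x11" * 32, b"\x33" * 32))
    print(key != combine_secrets(b"\x44" * 32, b"\x22" * 32))
```

Because the derived key depends on both inputs, recovering it requires both component secrets, which is the reason the article advises against dropping the hybrid construction.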

Performance Improvements and New Features

AWS-LC FIPS 3.0 also introduces performance enhancements, including faster RSA signatures and the efficient EdDSA signing algorithm based on the Ed25519 curve. The integration of the SHA-3 hashing function further enhances the security and performance of cryptographic operations, particularly in digital signatures. These improvements are crucial for maintaining robust security while ensuring efficient application performance.

Implications for Compliance and Security

The introduction of AWS-LC FIPS 3.0 with post-quantum algorithms represents a proactive approach to future-proofing cryptographic standards. Organizations subject to federal compliance frameworks—such as FedRAMP, FISMA, and HIPAA—can now utilize FIPS-validated cryptographic modules while ensuring adherence to regulatory requirements.

However, users must be cautious when implementing AWS-LC FIPS 3.0. Neglecting a hybrid key exchange strategy or ignoring parameter set recommendations can expose systems to vulnerabilities. Additionally, overlooking FIPS compliance may lead to regulatory challenges.

Tools and Resources for Implementation

To aid in implementation, several tools and resources are recommended. The SHA-3 cryptographic hash function is essential for secure hashing operations. CPython can be used to integrate cryptographic functionalities within Python applications, while rustls provides FIPS-compliant TLS support in Rust applications. These resources empower developers to create secure and compliant cryptographic solutions in environments requiring stringent federal standards.

AWS-LC FIPS 3.0’s introduction of post-quantum cryptography sets a new benchmark for open-source cryptographic modules. It underscores the importance of evolving security measures in a landscape increasingly influenced by quantum computing advancements. As organizations navigate these changes, understanding and implementing these new standards will be crucial in maintaining robust security postures in an ever-evolving threat landscape.
