Standardizing Post-Quantum IPsec: Cloudflare Adopts Hybrid ML-KEM to Replace Ciphersuite Bloat
Briefly

"Securing the Internet against future threats shouldn't be a complex burden. Since 2017, we've been doing the heavy lifting to bake post-quantum standards directly into the fabric of our network. By bringing this protection to our entire SASE platform, we're making post-quantum security the default: no hardware upgrades, no complex configurations, and no added cost."
"Cloudflare's approach follows draft-ietf-ipsecme-ikev2-mlkem, which standardizes post-quantum key exchange for IPsec in the same way TLS has. The hybrid setup runs ML-KEM in parallel with classical Diffie-Hellman. Think of it as belt-and-suspenders security: ML-KEM handles quantum threats, Diffie-Hellman covers classical attacks."
"The company brings hybrid Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM) to Cloudflare IPsec and the Cloudflare One Appliance, wrapping up what Cloudflare calls the 'post-quantum SASE equation', allowing organizations to finally lock down private network traffic end-to-end against 'harvest now, decrypt later' attacks."
Cloudflare deployed a standardized post-quantum approach to IPsec using hybrid Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM) technology. This advancement protects private network traffic against "harvest now, decrypt later" attacks where adversaries collect encrypted data today for decryption once quantum computers become sufficiently powerful. The implementation combines ML-KEM with classical Diffie-Hellman in parallel, providing dual protection against both quantum and classical threats. This solution completes Cloudflare's post-quantum SASE platform, making quantum-resistant security the default across their network infrastructure. The move aligns with NIST's 2030 deadline for transitioning away from RSA and Elliptic Curve Cryptography, supported by security agencies including Germany's BSI and the UK's NCSC.
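The parallel ML-KEM plus Diffie-Hellman exchange the summary describes, as an added Go example that is not Cloudflare's code. It assumes Go 1.24's crypto/mlkem and crypto/ecdh packages, HMAC-SHA256 as the IKEv2 prf, and constructed nonces and SPIs; the mixing rule is the one from RFC 9370 (SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr)) that draft-ietf-ipsecme-ikev2-mlkem builds on, with the prf+ derivation shortened to its first block.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // example-only helper

// prf models IKEv2's PRF_HMAC_SHA2_256: prf(K, S) = HMAC-SHA256(K, S).
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(bytes.Join(parts, nil))
	return m.Sum(nil)
}

// firstSKd: SKEYSEED = prf(Ni|Nr, g^ir), then SK_d is the first prf+ block (SPIs are constructed).
func firstSKd(dh, ni, nr, spii, spir []byte) []byte {
	return prf(prf(bytes.Join([][]byte{ni, nr}, nil), dh), ni, nr, spii, spir, []byte{0x01})
}

// mixKE folds an extra key exchange in per RFC 9370: SKEYSEED(n) = prf(SK_d(n-1), SK(n)|Ni|Nr).
func mixKE(skdPrev, sk, ni, nr []byte) []byte {
	return prf(skdPrev, sk, ni, nr)
}

// hybridExchange runs X25519 and ML-KEM-768 in parallel and returns the mixed SKEYSEED as each side computes it.
func hybridExchange(ni, nr, spii, spir []byte) (initSeed, respSeed []byte) {
	iDH := must(ecdh.X25519().GenerateKey(rand.Reader))
	rDH := must(ecdh.X25519().GenerateKey(rand.Reader))
	iKEM := must(mlkem.GenerateKey768()) // initiator's ML-KEM key pair
	// Responder: DH with the initiator's public key, encapsulate to its ML-KEM key.
	rPQ, ct := iKEM.EncapsulationKey().Encapsulate()
	respSeed = mixKE(firstSKd(must(rDH.ECDH(iDH.PublicKey())), ni, nr, spii, spir), rPQ, ni, nr)
	// Initiator: DH with the responder's public key, decapsulate the ML-KEM ciphertext.
	iPQ := must(iKEM.Decapsulate(ct))
	initSeed = mixKE(firstSKd(must(iDH.ECDH(rDH.PublicKey())), ni, nr, spii, spir), iPQ, ni, nr)
	return initSeed, respSeed
}

func main() {
	a, b := hybridExchange([]byte("nonce-i"), []byte("nonce-r"), []byte("spi-i-00"), []byte("spi-r-00"))
	fmt.Printf("both sides agree: %v, SKEYSEED(1) = %x\n", bytes.Equal(a, b), a)
}
```

An attacker who later breaks X25519 still needs the ML-KEM secret SK(n) to reach SKEYSEED(1), and vice versa, which is the belt-and-suspenders property the quote refers to.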
Read at InfoQ