Devised by a global team of academics, KEMTLS uses key encapsulation instead of signatures for authentication

KEMTLS: Cloudflare trials new encryption mechanism in anticipation of post-quantum TLS shortcomings

With quantum computing looming on the horizon, Cloudflare says it has been trialing the KEMTLS protocol and plans to use post-quantum cryptography for most internal services by the end of this year.

The Transport Layer Security (TLS) protocol, which currently secures most internet connections, consists of a key exchange, authenticated by digital signatures, that establishes the keys used to encrypt data in transit.

But, says Cloudflare, with the advent of quantum computing, TLS in its current form will be broken. While various new post-quantum cryptography algorithms have been proposed, their parameters are too large to be used for establishing efficient connections on the web.

The National Institute of Standards and Technology (NIST) is currently evaluating potential candidates, but the agency isn’t expected to make its choice until 2023.

What is KEMTLS?

KEMTLS is an alternative to the TLS 1.3 handshake that uses key encapsulation mechanisms (KEMs) instead of signatures for server authentication.

The protocol was unveiled (PDF) in 2020 by Peter Schwabe of the Max Planck Institute for Security and Privacy, Germany; Douglas Stebila of the University of Waterloo, Canada; and Thom Wiggers of Radboud University, Netherlands.




“We have so far tested KEMTLS only in a lab setting,” Schwabe tells The Daily Swig.

“The next step before any large-scale deployment is to run KEMTLS in a small-scale experiment on confined real-world internet infrastructure to get a better understanding of the benefits and potential problems that come with deploying it on larger scale. Such an experiment is precisely what Cloudflare’s plans are about.”

Efficient authentication

“Alternative authentication techniques affect performance, and drop-in replacements are not always possible,” Sofía Celi, cryptography engineer with Cloudflare, tells The Daily Swig.

“However, KEMTLS is more efficient, as less data needs to be transmitted as part of the connection.

“This does not mean that connections that use KEMTLS will be as efficient and fast as the ones we have today when using TLS 1.3, but it will mean that they will not be catastrophically slow.”


Image caption: KEMTLS offers a post-quantum alternative to the TLS 1.3 handshake

Post-quantum vision

KEMTLS has a similar structure to TLS 1.3 and, like TLS, allows clients to send encrypted data on the third message of the handshake.

“It achieves full post-quantum security for the TLS 1.3 handshake, in the sense that it encrypts the connections and also authenticates them using post-quantum algorithms,” says Celi.

“It is worth noting that post-quantum authentication for the entire connection requires more invasive WebPKI changes.”




And, says Celi, it achieves full quantum security for the TLS 1.3 handshake as it not only encrypts and secures the connections, but also allows both client and server to be authenticated.

“This means that when using KEMTLS in a world with quantum machines, the connection will be secure and the authenticity properties of it are no worse than vanilla TLS,” she says.
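The KEM-based authentication described above, as an added sketch that is not part of the original article and not the KEMTLS authors' or Cloudflare's code: the server proves its identity by decapsulating a ciphertext sent to its certified long-term KEM key, and the client can derive a traffic key once it sends the third message. The message flow is simplified, and the toy Diffie-Hellman KEM, its parameters and all function names are assumptions standing in for a post-quantum KEM.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman KEM, used only to show the KEM interface. It is NOT
# post-quantum and not secure; parameters and names are constructed.
P, G = 2**255 - 19, 2

def _b(n):
    return n.to_bytes(32, "big")

def _kdf(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def encaps(pk):
    """Sender side: returns (ciphertext, shared secret)."""
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P)
    return ct, _kdf(_b(ct), _b(pow(pk, r, P)))

def decaps(sk, ct):
    """Receiver side: only the holder of sk recovers the shared secret."""
    return _kdf(_b(ct), _b(pow(ct, sk, P)))

def handshake(server_static_sk, cert_pk):
    """Simplified KEMTLS-style flow. Returns (client_accepts, client_key, server_key)."""
    # Message 1 (client): ephemeral KEM public key.
    eph_pk, eph_sk = keygen()
    # Message 2 (server): ciphertext for the ephemeral key, plus a certificate
    # carrying the server's long-term KEM public key (cert_pk).
    ct_e, ss_e_srv = encaps(eph_pk)
    ss_e_cli = decaps(eph_sk, ct_e)
    # Message 3 (client): ciphertext for the certified key. From here the
    # client can already encrypt data under client_key.
    ct_s, ss_s_cli = encaps(cert_pk)
    ss_s_srv = decaps(server_static_sk, ct_s)
    transcript = _b(eph_pk) + _b(ct_e) + _b(cert_pk) + _b(ct_s)
    client_key = _kdf(ss_e_cli, ss_s_cli, transcript)
    server_key = _kdf(ss_e_srv, ss_s_srv, transcript)
    # Server proves identity with a MAC under the derived key, not a signature.
    tag = hmac.new(server_key, b"server finished", hashlib.sha256).digest()
    want = hmac.new(client_key, b"server finished", hashlib.sha256).digest()
    return hmac.compare_digest(tag, want), client_key, server_key
```

A server that presents the certificate but holds a different secret key derives a different key, so its MAC fails the client's check and it cannot read data the client sent after the third message.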

Positive exchange

Cloudflare says it’s currently working to see how efficiently KEMTLS works with regular connections and is prepared to use it once quantum computers arrive.

“The fact that post-quantum signatures [are] likely to be the major contributor to increasing the volume of data exchanged means it makes sense to look for authentication mechanisms that do not rely on signatures,” Professor Alan Woodward of the University of Sussex’s Surrey Centre for Cyber Security tells The Daily Swig.




“It’s already done in some secure messaging apps with end-to-end encryption in the initial key exchange, but they’re not suitable for TLS due to assumptions about who knows about which keys.

“Whether this proves to be the right solution is very much why it’s important that organisations like Cloudflare trial it at scale, and it will at least show the viability of using TLS without signatures using alternative authentication schemes based on key exchange mechanisms.”

