  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-2028

Evaluate Readiness Requirements for PQC in Control Planes Components


    • Future Sustainability
    • None
    • 50% To Do, 50% In Progress, 0% Done
      Feature Status: Green
      Feature Update: Feature team has identified component areas that need to be addressed and is working to create JIRA tickets for each. There are some external items needed to support the PQC and the team is engaging the ART team to understand the delivery of required updates.


      Feature Overview

      Evaluate the tasks associated with implementation of Post-Quantum Cryptography (PQC) across OpenShift Control Plane components for planning purposes. 

      Goals

      A thorough understanding of what OpenShift Control Plane components are required to do to integrate PQC ciphers across OpenShift control plane components (e.g. IPsec), for the purpose of roadmap planning of action items in 4.21 and 4.22.

      Requirements

      • A list of impacted components and features (and team ownership)
      • For each impacted feature, a list of the work required and the OpenShift release in which it must be completed (starting at 4.21)

      Examples

      Kube API Server (KAS)

      Potential PQC Vulnerabilities:

      • TLS handshake certificates (RSA/ECC)
      • Client certificate authentication
      • Service account token signing
      • Admission webhook certificates

      Potential future work

      • Add PQC algorithms like Kyber to the cipher list / TLS security profile
      • Add PQC encryption types

      ETCD

      Potential PQC Vulnerabilities

      • ETCD cluster peer communication certificates
      • Client authentication certificates
      • Data encryption at rest (if enabled)

      Potential future work

      • Audit current ETCD certificate usage across all components
      • Design PQC certificate rotation strategy for ETCD clusters

      Platform Certificates

      Potential PQC Vulnerabilities 

      • Cluster CA certificates (RSA/ECC)
      • Service serving certificates
      • Kubelet serving certificates
      • Admin kubeconfig certificates

      Potential future work

      • Design hybrid certificate authority supporting both classical and PQC algorithms
      • Implement certificate rotation mechanisms for PQC migration

      Background

      “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.  The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.”

      Source: https://csrc.nist.gov/Projects/post-quantum-cryptography

       

              Ramon Acedo (racedoro@redhat.com)
              Anjali Telang, David Eads, JP Jung, Seth Jennings, Wallace Lewis
              Dean West
              Kaleemullah Siddiqui
              Andrea Hoffer
              Kyle Walker
              David Eads