Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-2028

Evaluate Readiness Requirements for PQC in Control Planes Components

XMLWordPrintable

    • Future Sustainability
    • OCPSTRAT-2321Support Post Quantum Cryptography 2026 requirements in OCP
    • False
    • Hide

      None

      Show
      None
    • False
    • None
    • None

      Feature Overview

      Evaluate the tasks associated with implementation of Post-Quantum Cryptography (PQC) across OpenShift Control Plane components for planning purposes. 

      Goals

      Thorough understanding of what OpenShift Control Plane components is required to do for integration of PQC ciphers across OpenShift control plane components (e.g. IPsec) for the purposes of roadmap planning of action items in 4.21 and 4.22. 

      Requirements

      • A list of impacted components and features (and team ownership)
      • For each impacted feature, a list of work required and OpenShift release at which it must be completed (starting at 4.21)

      Examples

      Kube API Server (KAS)

      Potential PQC Vulnerabilities:

      • TLS handshake certificates (RSA/ECC)
      • Client certificate authentication
      • Service account token signing
      • Admission webhook certificates

      Potential future work

      • Add PQC algorithms like Kyber to the cipher list / TLS security profile
      • Add PQC encryption types
        ETCD

      Potential PQC Vulnerabilities

      • ETCD cluster peer communication certificates
      • Client authentication certificates
      • Data encryption at rest (if enabled)

      Potential future work

      • Audit current ETCD certificate usage across all components
      • Design PQC certificate rotation strategy for ETCD clusters

       Platform Certificates

      Potential PQC Vulnerabilities 

      • Cluster CA certificates (RSA/ECC)
      • Service serving certificates
      • Kubelet serving certificates
      • Admin kubeconfig certificates

      Potential future work

      • Design hybrid certificate authority supporting both classical and PQC algorithms
      • Implement certificate rotation mechanisms for PQC migration

      Background

      “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.  The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.”

      Source: https://csrc.nist.gov/Projects/post-quantum-cryptography

       

              racedoro@redhat.com Ramon Acedo
              racedoro@redhat.com Ramon Acedo
              None
              Anjali Telang, David Eads, JP Jung, Seth Jennings, Wallace Lewis
              None
              None
              None
              None
              David Eads David Eads
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: