PQC : Why Go with Fortanix DSM

The mitigation measures required can be summed up thus :

• Full enumeration of cryptographic assets within an organization (deployments, keys, dedicated hardware etc.).
• Adoption of cryptographic agility as part of an organization’s security posture (i.e. the rapid adoption and deployment of new ciphers within an organization’s infrastructure).
• Identification of areas within an organization’s infrastructure that will require ‘cordoning off’ and more strictly managed from an access control perspective until the legacy cryptographic components are replaced and/or legacy equipment decommissioned.

In today’s hybrid infrastructures that incorporate both on premises and cloud assets, this is a complex problem with a huge number of moving parts and interdependencies.

Fortanix DSM is a platform combining HSM and KMS functionality that offers multiple features that make it a robust post quantum cryptography solution:

• Already implements LMS algorithm, which is a stateful hash-based signing algorithm (with a strong cluster-based state management).
• Strong authentication, authorization, and quorum-based controls available for PQC.
• Accessible using REST APIs.

Apart from the above, Fortanix DSM is ideal for implementing a PQC transition strategy on multiple levels due to its unique architecture and feature set. The capabilities and features enabling it are as follows:

DSM hardware capabilities

Since Fortanix DSM is built on Intel SGX enclave technology it utilizes off-the-shelf technology to implement its platform, without needing to make use of custom hardware cryptographic accelerator components to improve efficiency for execution of cryptographic transactions. That, in turn, offers the capability for rapid development and inclusion of new algorithms in the product without significant performance impact to the platform due to larger key sizes or unoptimized hardware. Also, almost linear scaling of DSM clusters allows for covering any performance requirements posed by the introduction of post quantum algorithms.

DSM enumeration capabilities

Fortanix DSM offers, as a platform, unique flexibility in the management of a key estate. Its REST API-based architecture, key metadata handling, reporting, and auditing capabilities allow for automated and comprehensive management of a key estate. Reports can be produced that allow for estate enumeration per key type, key deployment and/or key metadata allowing the user to quickly map out the types, purposes and deployment locations of cryptographic keys.

Alongside the above, DSM includes the HSM Gateway feature that allows for direct interfacing with external HSMs (such as nCipher Connect and Luna HSM) to automatically discover and manage the keys stored therein.

The above capabilities allow for the efficient and complete enumeration of cryptographic assets of an organization with great automation capabilities for reporting and auditing.

DSM PQC transition capabilities

In addition to the capability of rapid inclusion of new algorithms to the platform, Fortanix DSM offers a range of advantages for the execution of a PQC transition strategy. It offers a vast range of integration options with almost all major applications, both on premises and in the cloud, functioning as a centralized, single pane of glass ‘command and control’ platform for cryptographic key management and cryptographic services provider, utilizing, apart from its inherent REST API capabilities, a variety of APIs for all commercially significant programming languages. All the above capabilities are offered within a platform whose design and architecture conforms to the zero trust architecture requirements, with inbuilt RBAC controls and mature MFA capabilities.

Significantly, it also offers the capability for executing a ‘crypto proxy’ approach for isolating areas of infrastructure that do not have the capability of adopting the new post quantum cryptography algorithms. This can be implemented with the automation of key wrapping non-PQC keys with PQC keys that can only be unwrapped once reaching the crypto proxy and, in turn, consumed from there. This enables the building of cryptographically isolated areas of an infrastructure as a mitigation strategy until they can be replaced with PQC enabled infrastructure.