Post-quantum encryption for Cloudflare IPsec is generally available

Sharon Goldberg, Amos Paul

AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.

Cloudflare IPsec Now Supports Post-Quantum Encryption

Cloudflare has announced the general availability of post-quantum encryption for its IPsec product, a WAN Network-as-a-Service that connects data centers, branch offices, and cloud VPCs to Cloudflare's global IP Anycast network. This move aims to protect against "harvest-now-decrypt-later" attacks, where an adversary collects data today and decrypts it later using powerful quantum computers.

Technical Details

Cloudflare IPsec now uses a hybrid ML-KEM key exchange, which combines classical Diffie-Hellman with ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, the post-quantum algorithm standardized in FIPS 203) in a single, standards-compliant handshake. The implementation is based on the IETF draft for hybrid ML-KEM and has been successfully tested for interoperability with branch connectors from Fortinet and Cisco.

Practical Implications

Developers can now start protecting their wide-area networks (WANs) against harvest-now-decrypt-later attacks using hardware they already have. This is a significant step forward in post-quantum security, especially as Q-Day approaches faster than expected. By using Cloudflare IPsec with post-quantum encryption, organizations can keep network traffic that is captured today from being decrypted later by a quantum computer.

Key Takeaways

  • Cloudflare IPsec now supports post-quantum encryption using hybrid ML-KEM.
  • This implementation has been tested for interoperability with branch connectors from Fortinet and Cisco.
  • Developers can start protecting their WANs against harvest-now-decrypt-later attacks using hardware they already have.
  • This move aims to protect against potential quantum computer attacks as Q-Day approaches faster than expected.