Overview
In the recently released NetScaler firmware 14.1 51.72, they have added first support for the new NIST-standard (hybrid) Post-Quantum Cryptography key exchange (PQC KX).
Let's have a first look at how to configure PQC KX and what it means for clients and browsers accessing services through NetScaler.
If you're interested in the technical design of how PQC works in detail, check out the blog series (Parts 1-3) by Steven Wright here. Highly recommended!
Configuration
To enable PQC KX, edit your SSL frontend profile and change the ECC curve bindings.
First, unbind all P_ECC curves. In my SSL profile these four P_ECC curves are bound:

Now, we have two options.
Option 1 – Enforce PQC on your services, without "legacy" support. For example, Safari and other mobile browsers don't support PQC at the moment, which results in a connection reset for them.
For that, bind only the X25519_MLKEM768 ECC curve; this forces PQC:

Option 2 – Enable PQC with fallback. Browsers that already support PQC (for example Google Chrome, Mozilla Firefox and Microsoft Edge) will automatically prefer and use the MLKEM key exchange. Browsers that don't will fall back, for example to P-256 (Safari). This guarantees no service disruption or failures.
For that, just use the "ALL" ECC binding; this includes X25519_MLKEM768 automatically at the top (preferred), with a fallback to the ECC curves below it:

What about ciphers? There is no separate or PQC-specific cipher suite. Just use the latest, most secure TLS 1.3 and 1.2 ciphers in the same SSL profile as you did before.
Testing
Now that we've configured PQC, how do we check whether the new key exchange is used? The easiest way right now is the browser itself via DevTools -> Privacy and security.
Here's an example of a simple content-switching HTTPS page in my lab, accessed from my client with MS Edge. The key exchange happens with X25519MLKEM768, which indicates PQC:


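As an added example (not part of the original post and not a NetScaler tool), the following Python probe offers a server only the X25519MLKEM768 group with an empty key_share, so a server that supports the group must reply with a HelloRetryRequest naming it; this lets you verify the PQC binding from a script instead of a browser. The codepoint 0x11EC, the extension layout and the host name `vip.example.invalid` are my assumptions, not taken from the post.

```python
import socket
import struct

X25519MLKEM768 = 0x11EC  # IANA supported_groups codepoint for the hybrid group (assumed)

def ext(ext_type, body):
    """Encode one TLS extension: type, length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni, group=X25519MLKEM768):
    """TLS 1.3 ClientHello offering only `group` with an empty key_share (RFC 8446 lets a client request group selection this way)."""
    host = sni.encode()
    exts = (
        ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)  # server_name
        + ext(0x002B, b"\x02\x03\x04")                                        # supported_versions: TLS 1.3 only
        + ext(0x000A, struct.pack("!HH", 2, group))                           # supported_groups: the one group under test
        + ext(0x000D, struct.pack("!HHH", 4, 0x0403, 0x0804))                 # signature_algorithms: ecdsa_p256, rsa_pss_rsae_sha256
        + ext(0x0033, b"\x00\x00")                                            # key_share: empty client_shares list
    )
    body = (b"\x03\x03" + bytes(32) + b"\x00"                                 # legacy_version, random, empty session id
            + struct.pack("!HH", 2, 0x1301) + b"\x01\x00"                      # TLS_AES_128_GCM_SHA256, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                        # Handshake message: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs                  # TLSPlaintext record

def parse_selected_group(data):
    """Return the group named in the server's key_share (ServerHello or HelloRetryRequest), or None on an alert."""
    if len(data) < 5 or data[0] != 0x16:
        return None                                   # 0x15 = alert record, e.g. handshake_failure
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if not hs or hs[0] != 0x02:
        return None                                   # not a server_hello handshake message
    p = 4 + 2 + 32                                    # handshake header, legacy_version, random
    p += 1 + hs[p] + 2 + 1                            # legacy_session_id_echo, cipher_suite, compression_method
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        if etype == 0x0033 and elen >= 2:             # key_share: the first two bytes are the selected group
            return struct.unpack("!H", hs[p + 4:p + 6])[0]
        p += 4 + elen
    return None

def probe(host, port=443, timeout=5):
    """Connect, send the single-group offer and report which group the server selects (None = rejected)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        data = s.recv(4096)                           # the HRR / first ServerHello record fits in one read
    return parse_selected_group(data)
```

Call `probe("vip.example.invalid")` against your own VIP and compare the result with X25519MLKEM768; with the Option 1 binding, a client that offers only a P-curve gets None back (an alert), which is the connection reset the post describes for browsers without PQC support.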
Summary
A great move from NetScaler to start this early, giving first testing options for the future default of SSL/TLS security. Next would be load testing: how does PQC perform with NetScaler's resources (CPU, RAM, SSL chips on hardware appliances)?