2024-11-26
In this Keymaster episode, Sven Rajala, International PKI Man of Mystery, has invited David Hook, VP of Software Engineering for Bouncy Castle, to explain Key Encapsulation Mechanisms (KEM), which can be used for post-quantum cryptography (PQC).
KEMs are cryptographic primitives used to securely establish a shared secret between two parties, for example in key exchange for authentication in TLS. They are also used to implement the proof of possession that is typically required when sending a certificate signing request (CSR).
KEMs establish shared secrets directly, streamlining the process compared to traditional key agreement methods. Migrating to KEMs will require updates in TLS handshakes and PKI operations to accommodate new methods for authentication via key exchange and proof of possession.
Unlike traditional methods like Diffie-Hellman key exchange or RSA, KEMs generate the shared secret directly as part of their process, without requiring key agreement calculations. This shift brings changes to PKI operations and requires updates in processes like TLS handshakes.
David also highlights the differences between KEMs and traditional approaches when it comes to proof of possession. He explains that KEMs do not support direct signature generation like RSA, which necessitates alternative methods to CSRs for proof of possession, such as using CRMF/CMP protocols. The move towards KEMs introduces more steps in certificate issuance and validation, which enhances security but also adds complexity.
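The two points above, the secret being produced directly by encapsulation and proof of possession being shown by decapsulating rather than signing, can be sketched as follows. This is an added example, not code from the episode or from Bouncy Castle: the KEM is a toy ElGamal-style construction with constructed, insecure parameters, the function names are hypothetical, and the challenge-response is a simplification of the idea, not the CRMF/CMP message format.

```python
import hashlib, hmac, secrets

# Toy KEM over a small prime field. Constructed, insecure parameters (assumption),
# chosen only so the flow runs with the standard library.
P = 2**127 - 1  # Mersenne prime, far too small for real use
G = 3

def keygen():
    sk = secrets.randbelow(P - 3) + 2
    return pow(G, sk, P), sk  # (public key, private key)

def _kdf(shared, ct):
    data = shared.to_bytes(16, "big") + ct.to_bytes(16, "big")
    return hashlib.sha256(data).digest()

def encapsulate(pk):
    # One call yields both the ciphertext to send and the shared secret.
    r = secrets.randbelow(P - 3) + 2
    ct = pow(G, r, P)
    return ct, _kdf(pow(pk, r, P), ct)

def decapsulate(sk, ct):
    # Only the private-key holder can recover the same secret.
    return _kdf(pow(ct, sk, P), ct)

def ca_issue_challenge(claimed_pk):
    # The CA encapsulates to the key named in the request and keeps the secret.
    ct, secret = encapsulate(claimed_pk)
    challenge = (ct, secrets.token_bytes(16))
    return challenge, secret

def requester_respond(sk, challenge):
    # A KEM key cannot sign, so possession is shown by decapsulating.
    ct, nonce = challenge
    return hmac.new(decapsulate(sk, ct), nonce, hashlib.sha256).digest()

def ca_verify(secret, challenge, response):
    _, nonce = challenge
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo():
    pk, sk = keygen()
    challenge, secret = ca_issue_challenge(pk)
    ok = ca_verify(secret, challenge, requester_respond(sk, challenge))
    _, wrong_sk = keygen()  # a requester who does not hold the matching key
    bad = ca_verify(secret, challenge, requester_respond(wrong_sk, challenge))
    return ok, bad
```

The extra round trip between `ca_issue_challenge` and `ca_verify` is the additional issuance step the paragraph refers to: a signed CSR proves possession in one message, a KEM key needs a challenge and a response.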
The episode concludes with a nod to the ongoing evolution of cryptographic standards, encouraging developers to stay updated on emerging protocols and practices.
Stay tuned for the next episode!