The SafeLogic Blog
SafeLogic Announces CryptoComply PQ TLS Early Access Program
December 19, 2024 • Mike Donaldson
SafeLogic, Inc., a premier provider of cryptographic software solutions, announced today an Early Access Program (EAP) for the company’s newest product, CryptoComply PQ TLS. SafeLogic’s aim with this product is to help organizations in their Post-Quantum Cryptography (PQC) migration journey by enabling them to secure quantum-vulnerable TLS connections in a streamlined and crypto-agile way.
CryptoComply PQ TLS supports seven key capabilities SafeLogic believes will be essential for organizations as they pursue quantum resiliency:
Drop-In Replacement for OpenSSL 3.x Based TLS 1.3 Implementations
CryptoComply PQ TLS is a drop-in replacement for OpenSSL 3.x-based TLS 1.3 implementations, which are some of the most common TLS implementations in use today. With CryptoComply PQ TLS, TLS communications that use this technology stack can be made quantum-resilient in minutes.
Three Operating Modes Ensure Broad Interoperability
CryptoComply PQ TLS can operate in three modes: classical only, PQ/classical hybrid, and pure PQ. As organizations migrate to PQC, not all endpoints will migrate at the same pace. CryptoComply PQ TLS will negotiate with existing endpoints to find a common set of cryptographic algorithms to use to ensure interoperability in accordance with established security policy. It automatically uses classical-only mode to communicate with endpoints that are not yet PQ-enabled. The other two modes can be used when both sides support PQ-enabled TLS.
Pure PQ Mode Enables Quantum-Resilient TLS Now
Organizations controlling both sides of the TLS connection can use CryptoComply PQ TLS in each endpoint to implement quantum resilience. In addition, CryptoComply PQ TLS Pure PQ mode works with other quantum-resilient endpoints. For example, SafeLogic has demonstrated a CryptoComply PQ TLS endpoint supporting PQ-enabled TLS with Apache and Nginx web servers.
Hybrid Mode Enables Defense in Depth and FIPS 140-3 Compliance
Organizations may choose the hybrid mode for reasons such as defense in depth or a desire to achieve quantum readiness while also maintaining FIPS 140 compliance. To achieve the latter in hybrid mode, CryptoComply PQ TLS leverages SafeLogic’s FIPS 140-3 validated implementations of classical algorithms. This ability to satisfy both PQC and FIPS 140 requirements is key for most products destined for the public sector, where FIPS 140-validated cryptography is required to protect federal data in transit.
Superior Performance
Performance was a key design and implementation consideration for CryptoComply PQ TLS. A pure PQ TLS handshake is 20% faster than one using classical cryptography, while hybrid mode only adds roughly 15% overhead to a classical TLS handshake.
Commercial Grade Implementation of NIST Standard ML-KEM (FIPS 203)
CryptoComply PQ TLS uses SafeLogic’s implementation of ML-KEM (FIPS 203) to add quantum resilience to the TLS handshake. A robust commercial-grade implementation of ML-KEM was a key prerequisite, as many of the existing (e.g., open-source) implementations of the ML-KEM algorithm were not production-ready code. SafeLogic is currently working to secure NIST Cryptographic Algorithm Validation Program (CAVP) certification for its ML-KEM implementation.
Policy-Driven Crypto-Agility
CryptoComply PQ TLS takes a policy-driven approach to crypto-agility. DevSecOps teams can follow mandates from compliance and security to declaratively configure allowed algorithms as part of a security policy. CryptoComply PQ TLS will then follow that defined policy at runtime, with no code changes needed to software at any of the endpoints.
“Organizations starting their PQC migration journeys are often faced with the challenge of prioritizing these migration efforts. Focusing on securing TLS connections is often low-hanging fruit that offers the largest bang for the buck to protect data in transit from harvest now decrypt later (HNDL) types of attacks. With CryptoComply PQ TLS, securing these quantum vulnerable TLS connections can be done quickly without requiring broader infrastructure changes,” said Evgeny Gervis, SafeLogic CEO.
Earlier this year, at the RSA conference, SafeLogic announced an Early Access Program (EAP) for its next-generation CryptoComply module, which supports all the PQC algorithms recently standardized by NIST. SafeLogic has also been collaborating with NIST and other leading organizations as part of NIST’s National Cybersecurity Center of Excellence (NCCoE) PQC initiative, where it leads the PQC Risk Management and Migration Prioritization workstream.
Existing SafeLogic customers are welcome to participate in the CryptoComply PQ TLS EAP and test the new software at no cost. For more information, they should contact their existing SafeLogic representative or sales@safelogic.com.
Mike Donaldson
Mike is the CMO at SafeLogic.