Practical Quantum-Safe TLS 1.3 Apache Web Server Setup

Gentle Disclaimer: This article is not for the technically-faint-of-heart. Lots of command-line entries follow the introduction....

I wrote in an earlier post about the threat posed by quantum computers to public-key cryptography. It's likely that well-heeled adversaries, whether private or nation-state, are already using the "harvest traffic now and decrypt it later" strategy, and your encrypted communications, if truly valuable, are likely already being copied and stored by someone, somewhere. That someone is willing to wait until quantum processors scale enough to enable decryption of conventional key-encapsulation and signature algorithms used in TLS. Once these are broken, the underlying symmetric session keys will be ripe for plucking from your recorded encrypted traffic. And that traffic will then be easily decrypted.

The quantum threat increased yet again last month as IBM announced their Eagle series of mass-market quantum processors boasting 127 qubits apiece. According to IBM's road map, only 5-6 years remain until their quantum processors reach the scale necessary to break today's TLS. Thankfully, the folks at NIST have not been sitting idle, and are well on the way to standardizing post-quantum (a.k.a. quantum-safe) encryption algorithms to mitigate the threat. NIST is on its third selection round, having reduced the initial pool of over 60 submissions to just 7 third round finalist algorithms. A final standard for post-quantum cryptography is expected from NIST in 2024, with draft standards due in 2023.

In parallel, the Open Quantum Safe project has been working on building these algorithms into a fork of OpenSSL, letting hobbyists like myself experiment with deploying web services secured with hybrid quantum-safe and conventional algorithms. These hybrid cipher suites provide strong security* against conventional attacks, as well as potential security* against future quantum attacks, for today's TLS communications. Because of the strong conventional algorithm in the hybrid, data should* remain secure even if the quantum component fails, and vice-versa. *Note: There is a disclaimer on Open Quantum Safe's website that the fork is for research purposes only, and has not been audited as thoroughly as the original software. But if you are really concerned about someone recording your traffic today to decrypt it tomorrow, you should have been deploying this technology yesterday.

In this article, I will show you how to set up a web server running quantum-safe OpenSSL and Apache built against it, capable of accepting TLS 1.3 connections while using a hybrid conventional/quantum-safe signature scheme for authentication and a hybrid key-encapsulation mechanism for the TLS handshake. The algorithms I selected for this example claim to provide Level 5 (the highest) security according to NIST. I chose these algorithms after reviewing performance benchmark results for quantum-safe NIST candidates and looking at what's available in the quantum-safe software forks.

For the conventional components for both key-encapsulation and signature schemes, I chose NIST's P-521 elliptic curve algorithm (some of you may rightfully question whether NIST's curves should be trusted at all, but alas, until we see full support for hybrid Curve448 schemes offered by Open Quantum Safe, we have to settle for NIST's curves if we want hybrid Level 5 security).

For the quantum-safe component of the signature scheme, I chose Falcon1024 - a lattice-based algorithm claiming Level 5 security in the post-quantum world. For the quantum-safe part of the key-encapsulation scheme, I chose FireSABER, another lattice-based claimant to Level 5 security. Both are NIST's round three finalists and stand a good chance to be included in the upcoming standard in 2024.

Below, I will give you the steps required to install the Open Quantum Safe library (liboqs) on an Ubuntu 20.04 LTS VM, and then to build and install the quantum-safe fork of OpenSSL (currently at version 1.1.1l). Next, I will show you how to build and install the latest version of Apache web server using this OpenSSL fork. Next, I will demonstrate creating a root CA certificate and a server authentication certificate using the hybrid classical-quantum signature scheme.

Lastly, I will show you how to deploy the certificate on your web server, and how to set up the server to accept TLS 1.3 connections using the p521_firesaber hybrid key encapsulation scheme for the initial handshake. While the Open Quantum Safe team provides sample Docker images with Apache already compiled and configured against their OpenSSL fork, I want to show you how to do it yourself on a Linux VM of your choice, while customizing the hybrid quantum-safe algorithm parameters to make the encryption offered stronger than what Open Quantum Safe gives in their Docker images out-of-the-box.

For simplicity in this exercise, I used one VM for both client and server. However, you can easily adapt the below instructions to your use case (Linux distros other than Ubuntu, or separate clients and servers) with minimal effort. Please note that with a full-time job and children boisterously running around the house, a bug may have crept into the below steps despite 3 testing/debugging passes. In that case, please reach out and let me know!

So without further ado:

Step 0: Setting up your VM

Download Ubuntu Desktop 20.04.3 and deploy it on a VM in a hypervisor of your choice. For this test I recommend 4 GB of virtual RAM and a 25 GB virtual disk. When you configure your hypervisor, make sure the VM has access to the Internet, as you will need to do a number of apt installs and git pulls. Lastly, when installing Ubuntu, start with a "Minimal Install" configuration in the installer (web browser and standard utilities only) - we don't need any of that extra stuff! Once the machine installs, open a terminal and navigate to your home folder - this is where you will run all the following commands in bold. Make sure to execute them exactly as given and in the exact sequence I give - each line is a complete command line. I have tested this multiple times and it does work. For those of you into Bash scripting, you could adapt the below into a Bash script, with some minimal effort...

#Step 1: Install pre-requisites

sudo apt install cmake gcc libtool libssl-dev make ninja-build git -y

#Step 2: Clone the Open Quantum Safe OpenSSL repository

git clone --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git

#Step 3: Clone, build, and install liboqs

git clone --branch main https://github.com/open-quantum-safe/liboqs.git

cd liboqs

mkdir build && cd build

cmake -GNinja -DCMAKE_INSTALL_PREFIX=~/openssl/oqs ..

ninja

ninja install

#Step 4: Build the quantum safe OpenSSL fork

cd ~/openssl

./Configure no-shared linux-x86_64 -DOQS_DEFAULT_GROUPS=\"p521_kyber1024:p521_kyber90s1024:p521_ntru_hps40961229:p521_ntru_hps4096821:p521_ntru_hrss1373:p521_firesaber:secp521_r1\" -lm

make -j 1

sudo make install

#Step 5: Confirm OpenSSL version

cd ~

openssl/apps/openssl version

# This should return "OpenSSL 1.1.1l 24 Aug 2021, Open Quantum Safe 2021-xx-dev snapshot"

#Step 6: Download, configure, build with OpenSSL, and install, the latest Apache web server

wget https://dlcdn.apache.org/httpd/httpd-2.4.51.tar.gz

tar -xvf httpd-2.4.51.tar.gz

wget https://dlcdn.apache.org/apr/apr-1.7.0.tar.gz

tar -xvf apr-1.7.0.tar.gz

wget https://dlcdn.apache.org/apr/apr-util-1.6.1.tar.gz

tar -xvf apr-util-1.6.1.tar.gz

mv apr-1.7.0 httpd-2.4.51/srclib/apr

mv apr-util-1.6.1 httpd-2.4.51/srclib/apr-util

sudo apt install libpcre3-dev libpcre3

wget https://github.com/libexpat/libexpat/releases/download/R_2_4_1/expat-2.4.1.tar.gz

tar -xvf expat-2.4.1.tar.gz

cd expat-2.4.1

./configure

make

sudo make install

cd ~/httpd-2.4.51

./configure --with-ssl=~/openssl/apps/openssl --with-expat=/usr/local/include

make

sudo make install

cd ~

#Step 7: Build Certificate Authority (CA) key and certificate using p521_falcon1024 (NIST L5 Security Hybrid Quantum-Classical Signature Algorithm Scheme)

openssl/apps/openssl req -x509 -new -newkey p521_falcon1024 -keyout p521_falcon1024_CA.key -out p521_falcon1024_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config ~/openssl/apps/openssl.cnf

#Step 8: Generate server's private key and Certificate Signing Request (CSR)

openssl/apps/openssl req -new -newkey p521_falcon1024 -keyout p521_falcon1024_srv.key -out p521_falcon1024_srv.csr -nodes -subj "/CN=localhost" -config ~/openssl/apps/openssl.cnf

#Step 9: Generate server's certificate and sign with CA key

openssl/apps/openssl x509 -req -in p521_falcon1024_srv.csr -out p521_falcon1024_srv.crt -CA p521_falcon1024_CA.crt -CAkey p521_falcon1024_CA.key -CAcreateserial -days 365

#Step 10: Perform a basic test of TLS connectivity using the above certificates

openssl/apps/openssl s_server -cert p521_falcon1024_srv.crt -key p521_falcon1024_srv.key -www -tls1_3

# This starts OpenSSL's basic in-built server running - leave this running and open a second terminal window, where you will execute the following command:

openssl/apps/openssl s_client -groups p521_firesaber -CAfile p521_falcon1024_CA.crt -connect localhost

# Check the output you get from this command. Pay attention to the "peer signature type" and the "Server Temp Key" - both should be showing hybrid quantum-safe algorithms. This is how you will know you did the setup correctly. When done, close this 2nd terminal window, return to your original terminal window, and stop the OpenSSL server by pressing CTRL+C.

#Step 11: Download Apache configuration files (httpd.conf and httpd-ssl.conf) using your browser.

# After downloading these to your Downloads folder, move them to the appropriate Apache runtime folders. Please note that these config files are customized to work with the above certificates. Also note that httpd-ssl.conf specifies TLS 1.3 as the protocol, with strong conventional cipher suites selected in addition to the hybrid key encapsulation scheme. You are welcome to customize these in your home lab :)

cd Downloads

sudo mv httpd.conf /usr/local/apache2/conf/httpd.conf

sudo mv httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf

#Step 12: Move the server certificate and key to appropriate Apache folder from your home folder

cd ~

sudo mv p521_falcon1024_srv.crt /usr/local/apache2/conf/p521_falcon1024_srv.crt

sudo mv p521_falcon1024_srv.key /usr/local/apache2/conf/p521_falcon1024_srv.key

#Step 13: Start the Apache server

cd /usr/local/apache2/bin/

sudo ./apachectl -k start

#Step 14: Test the Apache server

cd ~

sudo apt install net-tools

netstat -ant

# You will see from the output here that Apache is listening on tcp port 4433. Don't worry that it says tcp6, as we told Apache to listen via a universal socket, and this just means it listens for both IPv4 and IPv6 connections on this port! This can be tightened to IPv4 by modifying the Listen statement in httpd-ssl.conf and giving an IPv4 IP address before the port. Now let's try to connect to the webserver on port 4433 using our OpenSSL TLS client, and see if it returns the same output we saw in our earlier test, to confirm we have quantum-safe algorithms in place!

openssl/apps/openssl s_client -groups p521_firesaber -CAfile p521_falcon1024_CA.crt -connect localhost:4433

# Congratulations! As in the earlier test using the OpenSSL server, the output confirms you are running Apache on port 4433, accepting TLS 1.3 connections, using the hybrid p521_firesaber TLS handshake, and authenticating with hybrid p521_falcon1024 certificates.

#Step 15: Shut down Apache server

cd /usr/local/apache2/bin/

sudo ./apachectl -k stop

cd ~

############################# END
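
The check described in Step 10 and Step 14 can be scripted. The following is an added example, not part of the original article: it reads s_client output and fails unless TLSv1.3 was negotiated and the "Peer signature type" and "Server Temp Key" lines name the expected hybrid algorithms. The function names and both sample outputs are constructed for illustration, and the exact text the fork prints after each label is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): verify the two s_client
# fields the article tells you to inspect in Step 10 and Step 14.

# Constructed sample outputs; real s_client output has many more lines, and the
# exact text the OQS fork prints after each label is an assumption here.
SAMPLE_HYBRID='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Peer signature type: p521_falcon1024
Server Temp Key: p521_firesaber'
SAMPLE_CLASSICAL='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits'

# field_value LABEL: print what follows "LABEL:" on its first matching line of stdin.
field_value() {
    grep -i "^[[:space:]]*$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# check_pq_handshake SIG KEM: read s_client output on stdin; succeed only if
# TLSv1.3 was negotiated and both fields name the expected hybrid algorithms.
check_pq_handshake() {
    want_sig=$1
    want_kem=$2
    out=$(cat)
    sig=$(printf '%s\n' "$out" | field_value 'Peer signature type')
    kem=$(printf '%s\n' "$out" | field_value 'Server Temp Key')
    rc=0
    if ! printf '%s\n' "$out" | grep -q '^New, TLSv1\.3,'; then
        echo "FAIL: TLSv1.3 was not negotiated"; rc=1
    fi
    case $sig in
        *"$want_sig"*) echo "OK: peer signature type is $sig" ;;
        *) echo "FAIL: peer signature type is '${sig:-missing}', expected $want_sig"; rc=1 ;;
    esac
    case $kem in
        *"$want_kem"*) echo "OK: server temp key is $kem" ;;
        *) echo "FAIL: server temp key is '${kem:-missing}', expected $want_kem"; rc=1 ;;
    esac
    return $rc
}

# Live use against the Apache instance from Step 14 (run from your home folder):
#   openssl/apps/openssl s_client -groups p521_firesaber \
#     -CAfile p521_falcon1024_CA.crt -connect localhost:4433 </dev/null 2>&1 |
#     check_pq_handshake p521_falcon1024 p521_firesaber
```

A non-zero exit status means the connection fell back to a classical signature or key exchange, or did not negotiate TLS 1.3, which is the condition the manual inspection is meant to catch.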

And that's all there is to it :) In my next post, time and busy life permitting, I will show you how to build Chromium using Open Quantum Safe's fork of BoringSSL, so that it is able to use the p521_firesaber TLS handshake (it can't do so "out-of-the-box" as supplied without customization). Once you have the browser and server, you will be able to establish quantum-safe Level 5 hybrid-encrypted communication between two points...

Your comments and corrections are always welcome :)

-- Igor Barshteyn, December 7, 2021.


Edits:

12-8-21: Fixed Ubuntu LTS version number in introduction section; fixed last paragraph to state that Chromium is built with Google's BoringSSL. Don't hate - it was late :); minor edits to clarify TLS 1.3 version and cipher-suite selections in httpd-ssl.conf, and clarification that what we are building offers stronger security levels than what Open Quantum Safe offers in their Apache Docker image.

12-16-21: Added ALL Level 5 hybrid signature schemes to OpenSSL fork compilation and also to httpd-ssl.conf, as part of testing client setup for an upcoming Part 2 of this article. Tightened TLS cipher suite selections in httpd-ssl.conf to only the 2 most secure cipher suites. The steps in this article will still work to set up the server, with the changes included.

Hi Igor, I am working on this topic for my thesis, and therefore I am trying to set up Apache to work with PQ certificates. I have successfully installed OpenSSL+oqsprovider and I have configured Apache using that build. The problem is that when I try to run the server using a certificate with a PQ key (generated using falcon, snova or sphincs) I get these errors: SSL Library Error: error:03000072:digital envelope routines::decode error SSL Library Error: error:0A00018F:SSL routines::ee key too small

Which is strange, since Falcon-1024 generates 2305 bytes long secret keys.
I know that this post is old, but I hope you can still help me. Thank you in advance. -Davide


Hi, Igor. Thanks for your time to work on this topic and share it with us. I have been working to reproduce exactly the same system for a week, but I am stuck at some point. I'd appreciate it if you spare some time to answer it because I googled it and asked on relevant forums, but couldn't get any answer so far. I am installing all parts of the system under /opt directory. When I start apache server it fails. In the error log, it says: AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1o 3 May 2022, Open Quantum Safe 2022-05 dev, version currently loaded is OpenSSL 1.1.1f 31 Mar 2020) - may result in undefined or erroneous behavior. It seems it creates mod_ssl shared object using oqs OpenSSL, but it loads the OpenSSL version that comes with Ubuntu installation. I would like to run this apache server blended with oqs OpenSSL while not messing with the OpenSSL installed by default. Thank you in advance.


Igor! This is very, very useful information, and I appreciate you sharing it with us.


Incredible content! Crypto fans...pay attention. Step by step tutorial with rarely found details! Jump on this!
