Palo Alto Networks Quantum Safe VPN Supports New NIST Standards and Enables Crypto-Agility
On August 13, the U.S. Government formally announced the standardization of three new encryption algorithms designed to resist the more sophisticated cyberattacks expected with the emergence of quantum computers. These new post-quantum cryptographic (PQC) algorithm standards, and additional PQCs yet to come, will eventually replace the classic encryption methods that have served as a foundational underpinning of modern cybersecurity for decades, but are predicted to become vulnerable within the next 10 years.
We are proud to announce that every Palo Alto Networks Next-Generation Firewall (NGFW) running the latest PAN-OS, supports the three new PQC standard algorithms. In addition, our latest PAN-OS supports several other emerging, nonstandard PQC algorithms, providing our customers with cryptographic agility for future encryption needs.
The recent announcement of the first set of PQC algorithm standards should be celebrated as a significant milestone – the conclusion of a nearly eight-year global collaborative process led by the U.S. National Institute of Standards and Technology (NIST). But, it's also important to recognize the announcement as just the beginning of a new process to advance quantum readiness. The announcement now triggers new U.S. policy deadlines stemming from National Security Memorandum-10: Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems, which requires federal agencies to begin testing and ultimately fully transition to PQCs by 2035.
But, quantum attacks aren’t just an abstract challenge to deal with in the distant future. The risk of “harvest now, decrypt later” attacks (where adversaries steal sensitive encrypted data now to decrypt once quantum computers are available in the future) presents a significant risk for federal agencies and enterprises today.
NIST’s New Post-Quantum Standards and Their Implications for Security
With the NIST algorithm standards issued, renewed attention of thousands of organizations will turn to testing and validating the integrity and interoperability of these new standards within their systems. The global community will continue to learn more about the strengths and weaknesses of the three new PQC standards, which include one key encapsulation mechanism-based algorithm (FIPS 203: ML-KEM) and two digital signature-based algorithms (FIPS 204: ML-DSA; FIPS 205: SLH-DSA). Additional key encapsulation mechanism-based candidate algorithms, such as BIKE, HQC and Classic McEliece, remain under near-term consideration for NIST’s third-round PQC pipeline.
The unfortunate reality is that any one of these algorithms is at risk of being cracked and rendered ineffective, as occurred with several other candidate algorithms on the long road to standardization. We simply won’t know with high confidence which algorithms will be enduringly quantum resistant until they undergo several more years of testing and organizational use.
That uncertainty makes it absolutely imperative for security providers, including Palo Alto Networks, to embrace the principle of cryptographic agility in their product development. In this context, cryptographic agility (or ‘crypto agility’) refers to the ability to seamlessly shift to using different cryptographic algorithms if vulnerabilities are discovered in current algorithms that render them less secure.
Palo Alto Networks Commitment to Crypto-Agility
At Palo Alto Networks, we believe that fully embracing crypto agility means providing product support for both the new NIST standard algorithms and other emerging, nonstandard algorithm candidates.
Our PAN-OS 11.2 Quasar release extends the capabilities of our Quantum Safe VPN and enables the use of multiple PQC algorithms to create quantum-safe hybrid keys.
For example, our Quantum Safe VPN supports the new NIST standard ML-KEM to secure the key exchange from quantum attacks, including the near-term risk of “harvest now, decrypt later” attacks. Adhering to best practices, our customers can now combine ML-KEM with classical key exchanges (e.g., Diffie-Hellman) to create hybrid keys that ensure the highest levels of resistance to both quantum and classical computer attacks. However, if ML-KEM were to be found vulnerable in the future, customers could quickly deselect ML-KEM from the VPN profile and substitute it with another nonstandard PQC KEM, such as BIKE or HQC.
Support for our customers does not stop there. We also provide them with additional flexibility, as relying on the security of the single standardized KEM alone carries inherent risk and limits a customer’s crypto agility. To protect against the potential emergence of any vulnerabilities in the newly standardized ML-KEM key exchange, Palo Alto Networks can also uniquely support additional key exchanges. We’ll support up to seven key changes in IKEv2 with nonstandard PQCs in alignment with RFC 9370.
For customers like federal agencies that must use only NIST standard (FIPS certified) PQCs, PAN-OS provides an alternate form of crypto-agility through RFC 8784 Post-Quantum Preshared Keys (PPKs). PPKs protect against KEM vulnerabilities and add an additional layer of quantum resistance to site-to-site VPNs to stop harvesting attacks.
Palo Alto Networks was also the first to build and release signatures to detect the use of PQCs and their hybrids in an SSL session, which has become especially critical as browsers and applications have started migrating to quantum-safe algorithms. This provides greater organizational visibility into sanctioned and unsanctioned cryptography-suite use in their infrastructure. We support signatures for a broad range of PQCs, including the recently announced NIST standards, as well as nonstandard PQCs emerging in NIST’s round 3 and round 4 pipeline.
And, as the industry adopts ML-KEM, ML-DSA, SHL-DSA and the corresponding hybrid algorithms across browsers and web-services, Palo Alto Networks will also follow the adoption of these standards for SSL/TLS and certificates to continue to provide secure products and services.
As recent U.S. Government actions continue to raise awareness of the importance of quantum readiness, Palo Alto Networks remains committed to being a strategic partner within the global ecosystem. That’s why we’re a proud partner of NIST’s Migration to Post-Quantum Cryptography project, testing PQC interoperability with multiple industry peers. That commitment is why we’ve released educational materials, like our CISO’s Guide to Quantum Security video series, to help organizations better understand the risk and how to advance their own quantum readiness. And, it's why we’ll continue to push innovations across our entire product suite to provide our customers with greater levels of assurance and flexibility to remain quantum secure.