Posted On: Mar 16, 2022

Connections to AWS Key Management Service (AWS KMS) and AWS Certificate Manager (ACM) now support hybrid post-quantum key establishment for Transport Layer Security (SSL/TLS). These hybrid post-quantum TLS configurations use key encapsulation mechanisms (KEMs) from Round 3 of the NIST Post-Quantum Cryptography (PQC) selection process. This allows you to measure the performance impact of PQC algorithms (larger handshake messages and extra key-exchange computation) ahead of a formal standardization announcement. You also benefit from the longer-term confidentiality afforded by hybrid post-quantum TLS: a handshake recorded today cannot be decrypted later by an adversary who gains a large-scale quantum computer, because the session key no longer depends on the classical key exchange alone.

The three PQC KEMs offered are Kyber, BIKE, and SIKE. Hybrid post-quantum TLS combines a classical key agreement, such as ECDHE, with one of these KEMs, and derives the session keys from both shared secrets. The result is that your TLS connections inherit the security properties of both key exchanges: an attacker must break both the classical and the post-quantum component, so if a candidate KEM is later found to be weak the connection is still no less secure than classical ECDHE, and if a quantum computer breaks ECDHE the post-quantum component still protects the session.

Hybrid post-quantum TLS for connecting to AWS KMS and ACM is available in all public AWS Regions. These hybrid post-quantum TLS cipher preferences perform an additional post-quantum key exchange during the TLS handshake while connecting to the service; they do not alter any service APIs, so request and response formats are unchanged and the feature is selected purely by how the client configures its TLS connection. No changes to the types of certificates supported by ACM are being made at this time.

To get started, refer to the documentation and this sample Java project which shows how to use the new hybrid post-quantum TLS configuration.
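The following is an added example, not code from this announcement or from the referenced sample project, showing how a client opts into the hybrid post-quantum cipher preference when calling AWS KMS. It assumes the AWS SDK for Java 2.x with the `aws-crt-client` HTTP client and the `kms` service module on the classpath, credentials from the default provider chain, and a hypothetical key alias `alias/my-example-key`. The `TlsCipherPreference` constant names are taken from the aws-crt-java library; verify them against the version you have installed, since preference sets are added and retired over time. The support check before building the client is the caveat a practitioner wants: the post-quantum preferences are only available where the CRT uses its s2n-tls backend, and asking for an unsupported preference fails at client construction rather than silently falling back.

```java
import software.amazon.awssdk.crt.io.TlsCipherPreference;
import software.amazon.awssdk.crt.io.TlsContextOptions;
import software.amazon.awssdk.http.async.SdkAsyncHttpClient;
import software.amazon.awssdk.http.crt.AwsCrtAsyncHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsAsyncClient;
import software.amazon.awssdk.services.kms.model.DataKeySpec;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse;

public class PqTlsKmsExample {

    // Hybrid ECDHE + Round 3 KEM preference set. Constant name as published by
    // aws-crt-java at the time of writing; check it against your installed version.
    private static final TlsCipherPreference PQ_PREF =
        TlsCipherPreference.TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05;

    /**
     * Returns the hybrid post-quantum preference when the local CRT build
     * supports it, otherwise the platform default (classical TLS only).
     * Without this check, building the HTTP client on an unsupported
     * platform throws instead of degrading gracefully.
     */
    static TlsCipherPreference choosePreference() {
        if (TlsContextOptions.isCipherPreferenceSupported(PQ_PREF)) {
            return PQ_PREF;
        }
        return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
    }

    public static void main(String[] args) {
        // Hypothetical alias; replace with a KMS key you own.
        String keyId = args.length > 0 ? args[0] : "alias/my-example-key";

        TlsCipherPreference pref = choosePreference();
        System.out.println("TLS cipher preference in use: " + pref);

        // The cipher preference lives on the HTTP client, not on the service
        // client: the KMS API calls themselves are unchanged.
        SdkAsyncHttpClient crtHttpClient = AwsCrtAsyncHttpClient.builder()
            .tlsCipherPreference(pref)
            .build();

        try (KmsAsyncClient kms = KmsAsyncClient.builder()
                .region(Region.US_WEST_2)
                .httpClient(crtHttpClient)
                .build()) {

            // GenerateDataKey returns a plaintext key in the response body, which
            // is exactly the kind of payload whose confidentiality you want to
            // protect against harvest-now-decrypt-later attacks.
            GenerateDataKeyResponse response = kms.generateDataKey(
                GenerateDataKeyRequest.builder()
                    .keyId(keyId)
                    .keySpec(DataKeySpec.AES_256)
                    .build()).join();

            int plaintextLength = response.plaintext().asByteArray().length;
            System.out.println("Received a " + (plaintextLength * 8)
                + "-bit data key over the " + pref + " channel");
        }
    }
}
```

To confirm on the wire that the hybrid exchange actually happened, capture the handshake to KMS and inspect the ClientHello's supported_groups and key_share extensions: with the post-quantum preference you will see a hybrid group advertised alongside the classical curves and a noticeably larger key_share payload than a plain ECDHE handshake produces. Timing the `generateDataKey` call with each preference in turn gives you the performance measurement the announcement describes.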

Updated: July 21, 2022 to clarify that the post-quantum functionality is specific to the connections to AWS KMS and ACM.