Quantum Safe Key Exchange
Important - This feature supports only Security Gateways R82 and higher.
Introduction
In modern cyber security environments, ensuring the robustness of key exchanges in Internet Key Exchange version 2 (IKEv2) is critical for maintaining secure communications.
This section introduces two important enhancements to IKEv2 that strengthen its resilience:
- An additional exchange that can use the existing IKE fragmentation mechanism, which helps prevent IP fragmentation of large IKE messages. This is particularly valuable when longer key exchange methods are employed, because IKE fragmentation cannot be used in the initial IKEv2 exchange.
- Multiple key exchanges: IKEv2 can perform several key exchanges with different cryptographic algorithms, including Post-Quantum algorithms. The security of the entire exchange is designed to be at least as strong as the most secure algorithm employed, so that even if one method is compromised, the overall key exchange remains protected.
These enhancements are critical in improving IKEv2 performance and security, especially in environments where large key exchanges and Post-Quantum Cryptography (PQC) are being adopted.
Configuring Quantum Safe Key Exchange in SmartConsole
- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), click the Objects menu > Object Explorer (or press the CTRL+E keys).
- From the left navigation tree, click VPN Communities.
- Double-click an existing VPN Community object (a named collection of VPN domains, each protected by a VPN gateway), or create a new object.
  The VPN Community object window opens and shows the Gateways page.
- From the navigation tree, click Encryption.
- Select the checkbox Quantum Safe Key Exchange.
  Note - When you select this checkbox, the VPN Community object uses the default profile. To change the default profile settings, you must use the Management API. See Configuring Quantum Safe Key Exchange with Management API.
- Configure other required settings in this VPN Community object.
- Click OK.
- Install the Access Control Policy on all Security Gateways that participate in this VPN Community.
Configuring Quantum Safe Key Exchange with Management API
Refer to one of these Management API References > Chapter "VPN":
- Offline Management API Reference on the Management Server (Check Point Single-Domain Security Management Server or Multi-Domain Security Management Server) R82 and higher, at this URL (you must enable this access as described in sk174606):
  https://<IP Address of Management Server>/api_docs/#introduction
  Example:
  https://192.168.3.57/api_docs/#introduction
- If it is necessary to change the default profile settings for Quantum Safe Key Exchange, create the required Multiple Exchanges Proposal object. In the Management API Reference, refer to the Chapter "VPN" > Section "Multiple Key Exchanges":
  add multiple-key-exchanges
- Configure IKE parameters in the VPN Community. In the Management API Reference, refer to the Chapter "VPN".
  - For a Meshed VPN Community, refer to the Section "VPN Community Meshed":
    add vpn-community-meshed
    set vpn-community-meshed
  - For a Star VPN Community, refer to the Section "VPN Community Star":
    add vpn-community-star
    set vpn-community-star
  Required API Parameters:
  IKE Phase     Parameter      Sub-Parameters
  IKE Phase 1   ike-phase-1    multiple-key-exchanges, use-multiple-key-exchanges
  IKE Phase 2   ike-phase-2    multiple-key-exchanges, use-multiple-key-exchanges
- Install the Access Control Policy on all Security Gateways that participate in this VPN Community. In the Management API Reference, refer to the Chapter "Policy":
  verify-policy
  install-policy
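The API sequence above (create the proposal object, enable multiple key exchanges in both IKE phases of the community, publish, then verify and install the Access Control Policy), as an added shell example that is not Check Point's own code. It assumes placeholder values for the Management Server address, credentials, CA certificate, object names, policy package and gateway names, and leaves the proposal's own key exchange settings (not given on this page) to be filled in from the API Reference.

```shell
#!/bin/sh
# Added example (not Check Point's own code): drives the steps above through the
# Management Web API with curl. All values below are placeholders for your own
# environment. The parameters of "add multiple-key-exchanges" other than "name"
# are not given on this page; take them from the API Reference, chapter "VPN".
MGMT="${MGMT:-192.168.3.57}"                # example address from the page
API="https://${MGMT}/web_api"                # JSON endpoint of the Management API
CA_CERT="${CA_CERT:-/path/to/mgmt-ca.pem}"   # verify the server certificate instead of -k
COMMUNITY="${COMMUNITY:-Meshed-PQC}"         # hypothetical Meshed VPN Community name
PROPOSAL="${PROPOSAL:-PQC-Proposal}"         # hypothetical Multiple Key Exchanges object
PACKAGE="${PACKAGE:-Standard}"               # policy package to verify and install
GATEWAYS="${GATEWAYS:-gw-a gw-b}"            # gateways that participate in the community

# Body for "set vpn-community-meshed": enables multiple key exchanges in both IKE
# phases and points them at the proposal object (sub-parameters from the table above).
community_body() {  # community_body <community> <proposal>
  printf '{"name":"%s","ike-phase-1":{"use-multiple-key-exchanges":true,"multiple-key-exchanges":"%s"},"ike-phase-2":{"use-multiple-key-exchanges":true,"multiple-key-exchanges":"%s"}}' "$1" "$2" "$2"
}
# Body for "install-policy": Access Control policy on every participating gateway.
install_body() {  # install_body <policy-package> <gateway>...
  pkg=$1; shift; targets=""
  for gw in "$@"; do targets="${targets:+$targets,}\"$gw\""; done
  printf '{"policy-package":"%s","access":true,"targets":[%s]}' "$pkg" "$targets"
}
# Extracts the session id from the login reply (empty string if login failed).
sid_from_login() { printf '%s' "$1" | sed -n 's/.*"sid" *: *"\([^"]*\)".*/\1/p'; }

api() {  # api <command> <sid> <json-body>
  curl -s --cacert "$CA_CERT" -X POST "$API/$1" -H 'Content-Type: application/json' \
       -H "X-chkp-sid: $2" -d "$3"
}
run() {
  : "${MGMT_USER:?set MGMT_USER}" "${MGMT_PASS:?set MGMT_PASS}"
  reply=$(curl -s --cacert "$CA_CERT" -X POST "$API/login" -H 'Content-Type: application/json' \
               -d "{\"user\":\"$MGMT_USER\",\"password\":\"$MGMT_PASS\"}")
  sid=$(sid_from_login "$reply"); [ -n "$sid" ] || { echo "login failed: $reply" >&2; exit 1; }
  # 1. the proposal object (add its key exchange settings to this body)
  api add-multiple-key-exchanges "$sid" "{\"name\":\"$PROPOSAL\"}"
  # 2. point both IKE phases of the community at it, then publish the session
  api set-vpn-community-meshed "$sid" "$(community_body "$COMMUNITY" "$PROPOSAL")"
  api publish "$sid" '{}'
  # 3. verify, then install the Access Control policy on the participating gateways
  api verify-policy "$sid" "{\"policy-package\":\"$PACKAGE\"}"
  api install-policy "$sid" "$(install_body "$PACKAGE" $GATEWAYS)"   # GATEWAYS is word-split
  api logout "$sid" '{}'
}
if [ "${1:-}" = "--run" ]; then run; fi   # without --run the script only defines the functions
```

For a Star VPN Community, send the same `ike-phase-1` / `ike-phase-2` body to `set-vpn-community-star` instead.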