Post-Quantum Keys choice for signing/encryption #40496
ByteAfterlife started this conversation in Ideas
Hello Keycloak team!
I'm suggesting the ability for Keycloak admins to use post-quantum cryptography (PQC) algorithms for signing and encrypting tokens in Keycloak. Since quantum computers are starting to be made, a lot of organizations (including ours) are starting to worry about how secure our authentication and federation systems will be in the future.
Right now, Keycloak only lets us use RSA and elliptic curve algorithms for SAML and OIDC tokens, but these won’t be safe once quantum computers are in mass production. It would be amazing if Keycloak could offer some quantum-safe choices so we can start planning our migration and stay ahead of the new technology standards.
The main PQC algorithms I’d love to see supported and would recommend are:
- CRYSTALS-Dilithium (ML-DSA): One of the best NIST standards for digital signatures—strong, efficient, and it's already getting a lot of industry attention.
- FALCON: Another NIST favorite, with even smaller signatures (though I was informed it’s trickier to implement).
- SPHINCS+: A hash-based signature that’s super strong, but the signatures are bigger.
- Kyber: The leading post-quantum algorithm for encryption and key exchange.
It would be great if these could be selectable in the Keycloak admin UI, just like we choose RSA or ECDSA now. Ideally, it would also be possible to run in “hybrid” mode (e.g., RSA + Dilithium) while the ecosystem catches up.
Adding these would help a lot of us future-proof our and many others' identity infrastructure and stay safe with new security standards as they start rolling out.
Thanks a bunch for considering this! If you need testers or feedback, I’d be happy to help.