Adding experimental support for X25519Kyber768 to dns4all.eu

Experimenting with post-quantum cryptography in the DNS

Concept for quantum encryption in the form of a neon-colored digitized padlock in a futuristic environment.

SIDN Labs is experimenting with post-quantum cryptography (PQC) to protect the DNS from future attacks using quantum computers. Although current quantum computers do not seem to be capable of breaking existing cryptography, it is likely that more advanced quantum computers will be able to do that sometime in the future. We therefore decided that it would be sensible to evaluate standardised and proposed PQC algorithms in different parts of the DNS.

Since Google has added support for X25519Kyber768 to the TLS implementations of their Chrome and Chromium browsers, we ran an experiment to see whether it is feasible to support that mechanism on our DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) servers.

Protecting TLS

Currently, most of the data you transmit on the internet is protected using TLS. TLS uses shared secrets that are established (between client and server) using the Elliptic Curve Diffie–Hellman (ECDH) protocol. ECDH can use different functions for curves, for example the widely used X25519. X25519 and other Diffie-Hellman functions based on the discrete logarithm problem are vulnerable to future quantum attacks.

Although such quantum attacks remain far in the future, experts are already developing new cryptographic protocols to protect your data in the future when the attacks do become feasible. Since post-quantum cryptography mechanisms are relatively new, they are still being extensively tested and their security properties are still being reviewed, such as in the NIST challenges. Therefore, there is a chance that such an algorithm will be broken or declared insecure during the review phase. This makes their use in production systems less attractive.

However, by using a hybrid method such as X25519Kyber768, an attacker needs to defeat both Kyber768 and X25519 to obtain the secret key and to eavesdrop on further traffic. The idea behind hybrid methods is that if the (relatively untested) Kyber768 key exchange mechanism is broken in the future, the shared secret will still be protected by the state-of-the-art X25519 function. The hybrid approach should protect your data against current eavesdropping and future decryption attacks without sacrificing security.

A detailed description of how TLS is protected by the X25519Kyber768 algorithm can be found in two excellent Cloudflareblogs.

Enhancing dns4all.eu with X25519Kyber768

Our anycast testbed and the dns4all.eu DoH and DoT resolvers are now among the first resolvers that support X25519Kyber768. DoH and DoT already prevent eavesdroppers from monitoring your DNS traffic, and X25519Kyber768 adds security against 'Harvest now, decrypt later' attacks.

Our resolvers rely on the experimental liboqs library and oqsprovider for OpenSSL 3.0 (and higher) to add support for X25519Kyber768 to our resolvers.

Enabling X25519Kyber768 in your browser and using dns4all.eu as the resolver

If you want to experiment with using a DNS resolver that supports X25519Kyber768, you can do so in a Chromium-based browser by configuring the browser to use our DNS resolver. You can do that as follows. In your Chromium-based browser, go to chrome://flags/ and make sure #enable-tls13-kyber is enabled. At the time of writing, the option is available in browsers based on Chromium 115, such as the latest Google Chrome and Brave and Opera. However, we could not yet find X25519Kyber768 support in Safari or Microsoft Edge.

Dns4all.eu is an experimental DNS resolver provided on our anycast testbed; we do not log personal data. To configure dns4all.eu as the DNS provider in Chromium, go to Settings -> Privacy and security -> Security -> Use secure DNS, then select Customised and enter https://doh.dns4all.eu/dns-query in the field below. Note that on other Chromium-based browsers this setting could be in a different place.

To verify that the connection is secured, you can open the security tab of the developer tools when visiting https://doh.dns4all.eu/, as shown below, and look for X25519Kyber768Draft00.

Screenshot of dns4all.eu

Conclusion

As SIDN Labs keeps experimenting with PQC algorithms, more blogs will follow that share our experiences with applying PQC to other parts of the DNS. If you are interested in more information or in collaborating on PQC in DNS, you can contact us on sidnlabs@sidn.nl.