Announcing availability of Quantum-Resistant (QR) Oracle Linux UEK

September 18, 2023 | 4 minute read
Sanjay Basu PhD
Senior Director - Gen AI/GPU Cloud Engineering
Crick Waters
CEO, Patero

Quantum-resistant Oracle Linux UEK

The Unbreakable Enterprise Kernel (UEK) is a Linux kernel built and supported by Oracle. UEK is well-tested and used to run Oracle's Engineered Systems, Oracle Cloud Infrastructure (OCI), and large enterprise deployments. Quantum-resistant (QR) Oracle Linux incorporates hybrid postquantum cryptography (PQC), combining state-of-the-art classical encryption algorithms with post-quantum encryption algorithms provided by the National Institute of Standards and Technology (NIST). QR Oracle Linux accomplishes two objectives: cloaking network endpoints at the edge and at the OCI interface, and increasing resistance to decryption by classical and future quantum computers.

You can use QR Oracle Linux in all applications for which you want to reduce the detectable attack surface or ensure future-safe encryption, particularly for deployments involving government and critical infrastructure assets where operational privacy is paramount. You can deploy QR Oracle Linux in OCI or at the edge, and it provides network interoperability with non-Oracle versions of Linux existing in the same data network.

Quantum computing and QR Oracle Linux

Dozens of billions of dollars are invested worldwide to create an exponential acceleration in quantum computing power. The market is anticipating a cryptographically relevant quantum computer capable of decrypting today’s asymmetric encryption, including the Rivest-Shamir-Adleman (RSA) encryption algorithm and Elliptic-Curve Cryptography (ECC), within minutes or seconds. Through executive orders, directives, the March 2023 U.S. National Security Strategy, and other US guidelines, the US government is driving a national upgrade of the network encryption used by critical infrastructure and federal agencies so that it resists decryption by future quantum computers. The Office of Management and Budget has directed Congress to fund this upgrade beginning with the FY2025 federal budget.

QR Oracle Linux UEK is powered by Patero CryptoQoR (QoR), incorporating hybrid postquantum cryptography. Hybrid postquantum cryptography hybridizes classic and NIST’s quantum-resistant algorithms into a rotating session key to provide two layers of encryption with perfect forward secrecy. Patero QoR is “crypto agile,” making networks deployed with QR Oracle Linux “future-safe” because they can adopt future quantum-resistant algorithms certified by NIST without the need to decommission, rip, or replace deployed QR Oracle Linux. QoR is a software-based cryptomodule deployed as an installable image that runs in the kernel space and includes a centralized management system to administer QoR-protected endpoints.

Key features and benefits of QR Oracle Linux UEK

QR Oracle Linux UEK disguises internet-facing network elements and makes data indecipherable. The solution delivers comprehensive protection for cloud, critical infrastructure, federal, and Department of Defense (DoD) networks and includes the following features:

  • Cloaking: QR Oracle Linux endpoints only respond to other Patero QoR-protected endpoints. Because they’re unresponsive to unauthenticated network elements, they’re cloaked, preventing discovery by bad actors and resulting in a reduced network attack surface.
  • Hybrid: QoR combines classical cryptographic algorithms, such as Advanced Encryption Standard (AES) and RSA, with new, quantum-resistant cryptographic algorithms like hybrid PQC to create a blended cipher. Hybrid PQC ensures that information is always at least as secure as the algorithm and more resistant to decryption. Deploying hybrid PQC thwarts steal now, decrypt later (SNDL) attacks, in which high-value data is siphoned today to be decrypted tomorrow with a future-available quantum computer.
  • Crypto-agile: Crypto agility is a flexible system design that enables immediate and optional adoption of new cryptographic schemes without impacting operations. Crypto-agility “future-safes” security architectures as quantum technologies and attack vectors evolve.
  • Easily deployable: You can deploy QR UEK on gateways, edge bare metal, and virtual machine (VM) cloud instances. Patero-powered UEK is interoperable with all Patero CryptoQoR modules for x86 or ARM Ubuntu, Red Hat, Debian, and Raspbian operating systems.
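
The hybrid, rotating session key described in the QoR paragraph and in the Hybrid bullet above can be illustrated with a key combiner. This is an added example, not Patero's or Oracle's code: the page does not say how QoR combines or rotates keys, so the HKDF-SHA-256 combiner, the one-way ratchet, the function names, and the constructed stand-in secrets are all assumptions.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # assumption: the page names no hash or KDF


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input keying material into a PRK."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869): derive `length` bytes bound to `info`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(value: bytes) -> bytes:
    """Length-prefix a field so the concatenation below is unambiguous."""
    return len(value).to_bytes(2, "big") + value


def hybrid_root(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Mix both shared secrets so the output depends on each of them."""
    salt = HASH(transcript).digest()  # binds the key to this handshake
    return hkdf_extract(salt, _lp(classical_ss) + _lp(pq_ss))


def rotate(chain_key: bytes) -> tuple[bytes, bytes]:
    """One-way ratchet step: returns (next chain key, session key)."""
    return (hkdf_expand(chain_key, b"example chain"),
            hkdf_expand(chain_key, b"example session"))


def session_keys(classical_ss, pq_ss, transcript, epochs):
    """Derive one session key per rotation epoch from the hybrid root."""
    chain, keys = hybrid_root(classical_ss, pq_ss, transcript), []
    for _ in range(epochs):
        chain, key = rotate(chain)
        keys.append(key)
    return keys


# Constructed stand-ins for an ECDH output and a post-quantum KEM output.
CLASSICAL_SS = bytes(range(32))
PQ_SS = bytes(range(32, 64))
TRANSCRIPT = b"constructed handshake transcript"
```

Calling `session_keys(CLASSICAL_SS, PQ_SS, TRANSCRIPT, 3)` yields three distinct 32-byte keys, and changing either input secret changes every one of them.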

Performance

The performance of QR Oracle Linux UEK powered by Patero QoR has been certified over commercial, open, and transoceanic internet links. Two-core VMs and bare metal servers were deployed in OCI Ashburn, VA, and Frankfurt, Germany. Extensive mono- and bi-directional data transmission tests were conducted to gain a statistically significant measure of impact on throughput, CPU load, and latency between unencrypted and encrypted network performance. Throughput and latency performance is within 1% of unencrypted performance. With encryption enabled, CPU load is reduced by 0.4% on bare metal and increased by approximately 1.9% on virtual machines, evenly distributed across available cores.

Figure 1. Network traffic statistic shows QoR encrypted throughput (left) using the internal IP addresses and standard unencrypted traffic using the public IP addresses (right).

Want to know more?

For more information on how to work with Patero, please contact Crick@Patero.io.

The image can be downloaded from Oracle Cloud Marketplace at https://cloudmarketplace.oracle.com/marketplace/en_US/listing/152194648

 

Sanjay Basu PhD

Senior Director - Gen AI/GPU Cloud Engineering

Sanjay focuses on advanced services such as Generative AI, Machine Learning, GPU Engineering, Blockchain, Microservices, Industrial IoT, and 5G core, along with Cloud Security and Compliance. He has double master's degrees in Computer Science and Systems Design. His PhD was in Organizational Behaviour and Applied Neuroscience. Currently, he is pursuing his second PhD in AI. His focus of research is Retentive Networks.

Crick Waters

CEO, Patero

Crick Waters is the CEO of Patero, the company that has created quantum-safe algorithms for quantum-resistant UEK for Oracle Linux.

