Enable Post-Quantum Pre-Shared Key (PPK)
Enable Post-Quantum Pre-Shared Key (PPK)—To use post-quantum pre-shared keys (PPKs) to create post-quantum VPNs that resist attacks by quantum computers, enable PPKs and configure them in VPNs that support IKEv2. PPKs aren't supported for IKEv1. Enable Post-Quantum Pre-Shared Key (PPK) is disabled by default.
Negotiation Mode:
PPK KeyID—A name that identifies the associated PPK. The initiating peer transmits the PPK KeyID to the responding peer so the responding peer can look up the associated PPK.
Post-Quantum Pre-shared Key (PPK)—The secret key, which is associated with its KeyID. The PPK is never transmitted between peers, so it isn't natively vulnerable to a Harvest Now, Decrypt Later attack and it isn't vulnerable to Shor's algorithm.
For IKEv2 peers to negotiate using a PPK, both peers must have the exact same KeyID plus PPK pairs configured in their IKEv2 Gateways. If an initiator attempts to peer with a responder that doesn't have the corresponding KeyID plus PPK pair, the attempt is aborted.
Activate—Shows which PPKs the firewall can use. You must activate at least one PPK. The firewall randomly selects a PPK from the activated PPKs to initiate IKEv2 peering with the responding peer. You activate and deactivate PPKs when you Add them or when you edit them. In accordance with RFC 8784, once the firewall selects a PPK, the firewall uses that PPK for the duration of the IKEv2 gateway's lifetime, including through IKE rekeys. The firewall excludes deactivated PPKs from selection.
You can Add up to ten PPK KeyID plus PPK pairs. In the Add Post-Quantum Pre-shared Key dialog box:
PPK KeyID—The name that identifies the PPK Secret (the pre-shared key string). You can use any string value, such as "PPK_ID1" or "Super_Strong_PPK5".
PPK Secret—A string that can range from 32-128 characters (16-64 bytes). The longer the string, the stronger the key. The PPK Secret is associated with its PPK KeyID. You can enter a string of your choosing or you can have the firewall automatically Generate Strong PPK. Configure a string that is at least 64 characters (32 bytes) in length. The firewall never transmits the PPK between peers, so it isn't natively vulnerable to a Harvest Now, Decrypt Later attack, and it isn't vulnerable to Shor's algorithm.
Confirm PPK Secret—The PPK Secret string must exactly match the string you entered in the PPK Secret field.
Activate—Check this box to activate the PPK for use for IKEv2 peering. New PPKs are activated by default. Uncheck the box to deactivate a PPK. You can activate and deactivate PPKs when you Add them and when you select and edit them.
PPK length (characters)—If you choose to have the firewall generate a strong PPK Secret for you instead of typing in a PPK Secret, this field sets the length of the automatically generated PPK string. The default is 32 characters (the minimum length), but for best security, generate strings that are at least 64 characters (32 bytes) in length.
Generate Strong PPK—Click to make the firewall generate a PPK Secret string of the length specified in the PPK length (characters) field.
When you let the firewall generate a strong PPK Secret, the result appears in the Strong PPK Secret dialog box. Select and copy the string, then paste it into the PPK Secret and Confirm PPK Secret fields, and save the secret in a secure location so that you can communicate it to the peer's administrator to install it on the peer. Copy only the hexadecimal string; don't copy the "PPK:" that precedes it. For example, if the generated PPK displays as:
PPK: 2b02b6ea61241c29180998458c2e27a6
only copy and paste the hexadecimal string: 2b02b6ea61241c29180998458c2e27a6
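The following Python model, added here as an illustration and not code from PAN-OS or Palo Alto Networks, ties together the two mechanisms described above: the PPK Secret constraints of the dialog box (32-128 hex characters, a "Generate Strong PPK" style CSPRNG generator, at most ten KeyID plus PPK pairs) and the negotiation rule that only the KeyID crosses the wire while both peers must hold the same pair. The key mixing follows RFC 8784 section 5.1 (SK_d' = prf+(PPK, SK_d), with SK_pi and SK_pr mixed the same way) using the RFC 7296 prf+ construction over HMAC-SHA-256. Assumptions: the PPK Secret is treated as a hex string (as the page's byte counts imply), a responder ignores deactivated PPKs just as an initiator does, and the class and function names (PpkStore, negotiate, mix_ppk, prf_plus) are invented for the example.

```python
"""Model of IKEv2 PPK handling per RFC 8784 (added example, not PAN-OS code)."""
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Limits from the page: 32-128 hex characters (16-64 bytes), up to ten pairs.
MIN_HEX_CHARS, MAX_HEX_CHARS = 32, 128
MAX_PPK_PAIRS = 10


def validate_ppk_secret(secret: str) -> bytes:
    """Check a PPK Secret against the page's limits and return its raw bytes.
    Assumption: the secret is a hex string, as the page's byte counts imply."""
    if not MIN_HEX_CHARS <= len(secret) <= MAX_HEX_CHARS or len(secret) % 2:
        raise ValueError(f"PPK Secret must be {MIN_HEX_CHARS}-{MAX_HEX_CHARS} hex characters")
    try:
        return bytes.fromhex(secret)
    except ValueError:
        raise ValueError("PPK Secret must contain only hexadecimal characters") from None


def is_valid_ppk_secret(secret: str) -> bool:
    try:
        validate_ppk_secret(secret)
        return True
    except ValueError:
        return False


def generate_strong_ppk(length_chars: int = MIN_HEX_CHARS) -> str:
    """Like the 'Generate Strong PPK' button: CSPRNG hex of the requested length."""
    if not MIN_HEX_CHARS <= length_chars <= MAX_HEX_CHARS or length_chars % 2:
        raise ValueError("length must be an even number of characters in 32-128")
    return secrets.token_hex(length_chars // 2)


class PpkStore:
    """The KeyID plus PPK pairs configured on one IKEv2 gateway (hypothetical class)."""

    def __init__(self) -> None:
        self._pairs: Dict[str, Tuple[bytes, bool]] = {}

    def add(self, keyid: str, secret: str, active: bool = True) -> None:
        """Add a pair, or edit an existing one (re-adding the same KeyID)."""
        if keyid not in self._pairs and len(self._pairs) >= MAX_PPK_PAIRS:
            raise ValueError(f"at most {MAX_PPK_PAIRS} PPK pairs may be configured")
        self._pairs[keyid] = (validate_ppk_secret(secret), active)

    def active_keyids(self) -> List[str]:
        return sorted(k for k, (_, a) in self._pairs.items() if a)

    def lookup(self, keyid: str) -> Optional[bytes]:
        """PPK bytes for a KeyID if configured and activated (assumption: responders
        also ignore deactivated PPKs), otherwise None."""
        entry = self._pairs.get(keyid)
        return entry[0] if entry and entry[1] else None


def prf_plus(key: bytes, seed: bytes, out_len: int) -> bytes:
    """RFC 7296 prf+ with HMAC-SHA-256: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < out_len:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:out_len]


def mix_ppk(ppk: bytes, sk: bytes) -> bytes:
    """RFC 8784 section 5.1: SK_d' = prf+(PPK, SK_d); SK_pi and SK_pr are mixed the same way."""
    return prf_plus(ppk, sk, len(sk))


@dataclass
class Outcome:
    ok: bool
    reason: str
    keyid: Optional[str] = None
    sk_d_prime: Optional[bytes] = None


def negotiate(initiator: PpkStore, responder: PpkStore, sk_d: bytes,
              rng: random.Random = random.SystemRandom()) -> Outcome:
    """Model the PPK part of IKE_AUTH: only the KeyID crosses the wire, never the PPK."""
    candidates = initiator.active_keyids()
    if not candidates:
        return Outcome(False, "initiator has no activated PPK")
    keyid = rng.choice(candidates)          # random pick among activated PPKs
    ppk_r = responder.lookup(keyid)         # responder looks the KeyID up locally
    if ppk_r is None:
        return Outcome(False, f"responder has no PPK for KeyID {keyid!r}; attempt aborted", keyid)
    sk_d_i = mix_ppk(initiator.lookup(keyid), sk_d)
    sk_d_r = mix_ppk(ppk_r, sk_d)
    # Different secrets under one KeyID yield different SK_pi'/SK_pr', so the AUTH
    # payloads fail to verify; comparing the derived keys models that failure.
    if not hmac.compare_digest(sk_d_i, sk_d_r):
        return Outcome(False, "PPK Secret mismatch; authentication fails", keyid)
    return Outcome(True, "PPK mixed into IKE SA keys", keyid, sk_d_i)
```

Because SK_d' feeds the SKEYSEED of every rekeyed IKE SA, the quantum resistance the PPK adds carries through rekeys without the PPK itself being renegotiated, which is the behaviour the page describes for the gateway's lifetime. The Outcome reasons show the three ways peering can fail: no activated PPK on the initiator, a KeyID the responder doesn't have (the aborted attempt), and the same KeyID bound to different secrets.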
Make sure that you guard the
PPK Secret string carefully against exposure. If you need to
communicate the string to another administrator, use a secure
mechanism such as encrypted email. If bad actors obtain the PPK
Secret, they have a better chance of cracking the encryption key
with a quantum computer and Shor's algorithm.