Post Quantum Cryptography to Origin

This behavior is in Limited Availability. To enable it, contact your Akamai account team.

To protect your data and meet privacy and security goals, Akamai uses Post Quantum Cryptography (PQC) to protect TLS communications. We align with the industry standard and offer one of the most widely used hybrid key exchange algorithms, which utilizes ML-KEM.

How it works

The Post Quantum Cryptography to Origin behavior lets you enable Post Quantum Cryptography (PQC) key exchanges with your origin. We recommend enabling PQC for enhanced security; however, you can disable it if you observe very high TLS handshake latency, or if your origin either returns errors on the larger PQC Client Hello messages or has a faulty PQC implementation.

  • The behavior is only compatible with Media Service Live, NetStorage, and Custom origins.
  • To use Post Quantum Cryptography to Origin, your Origin certificate needs to support transport layer security (TLS) version 1.3. The behavior applies only to Enhanced TLS hostnames; Standard TLS hostnames in your property aren’t affected by it.
  • Multiple instances of the behavior can exist in the same configuration, with a last-match-wins approach.
  • The behavior can be placed in the default rule to change the behavior for the whole property, or under a particular match.
  • When you enable FIPS, it disables PQC G2O.

Persistent Connections

Changing the value of Post Quantum Cryptography to Origin doesn’t affect existing Persistent Connections (PCONNs). Existing PCONNs that were opened without a PQC key exchange aren’t closed, and requests continue to use them.

The PCONN key isn’t changed when you enable the behavior. After you enable it, new connections offer a PQC key exchange. An already open PCONN continues to be used for subsequent requests, even if the origin chose not to negotiate a PQC key exchange.

Features

  • Enabling or disabling PQC under a match doesn’t cause the Akamai Edge Server to close existing PCONNs.
  • Open PCONNs continue to be used.
  • An origin can simultaneously have PCONNs that performed a PQC key exchange and PCONNs that didn’t.
  • A PCONN may be chosen whose PQC status doesn’t match the status requested by the match.
  • If no PCONN is available, the match’s PQC status is honored when the new connection is opened.

Given the rules above, a property may set PQC off in the default rule and enable PQC under a match for the path /foo. A request to /foo only opens a PQC PCONN if there are no existing PCONNs to that origin. We recommend adding this behavior in the same place as the Origin Server behavior.
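The following Python model is an added illustration, not Akamai code: it encodes the PCONN reuse rules above (last match wins, any open PCONN is reused regardless of its PQC status, a new connection honors the match's PQC status only if the origin agrees to negotiate it) and replays the /foo scenario in both orders. The rule list, the pool structure and the `origin_supports_pqc` flag are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Hypothetical model of the PCONN behavior described on this page; not Akamai's implementation.

@dataclass
class Pconn:
    pqc: bool  # True if the TLS 1.3 handshake negotiated a hybrid ML-KEM key exchange

@dataclass
class OriginPool:
    origin_supports_pqc: bool = True        # constructed: does the origin accept the PQC offer?
    conns: list = field(default_factory=list)  # open PCONNs to this origin

    def wanted_pqc(self, path, rules):
        """Resolve the PQC setting for a path: the last matching rule wins."""
        pqc = False
        for prefix, enabled in rules:
            if path.startswith(prefix):
                pqc = enabled
        return pqc

    def request(self, path, rules):
        """Return (pconn, newly_opened) for a request to `path`."""
        if self.conns:
            # Any open PCONN is reused, whether or not its PQC status matches the rule
            return self.conns[0], False
        # No PCONN available: open one, honoring the match's PQC status if the origin negotiates it
        negotiated = self.wanted_pqc(path, rules) and self.origin_supports_pqc
        conn = Pconn(pqc=negotiated)
        self.conns.append(conn)
        return conn, True

# Constructed rules: PQC off in the default rule, on under the /foo match
RULES = [("/", False), ("/foo", True)]

def scenario_default_first():
    pool = OriginPool()
    first, _ = pool.request("/bar", RULES)           # opens a non-PQC PCONN
    second, opened = pool.request("/foo", RULES)     # reuses it: no PQC despite the match
    return first.pqc, second.pqc, opened             # (False, False, False)

def scenario_foo_first():
    pool = OriginPool()
    first, _ = pool.request("/foo", RULES)           # pool empty: PQC PCONN is opened
    second, opened = pool.request("/bar", RULES)     # default rule request reuses the PQC PCONN
    return first.pqc, second.pqc, opened             # (True, True, False)

def scenario_origin_declines():
    pool = OriginPool(origin_supports_pqc=False)
    conn, opened = pool.request("/foo", RULES)       # offered PQC, origin did not negotiate it
    return conn.pqc, opened                          # (False, True)
```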