How to Begin Implementing Quantum-Safe Zero Trust Security for Cyber-Physical Systems with OpenZiti?

Hello OpenZiti community,

I'm starting a project focused on designing and testing a zero-trust cybersecurity solution for cyber-physical systems (CPS) using OpenZiti, with an emphasis on post-quantum cryptography. Here’s a quick breakdown of my project’s main goals:

  1. Implementing Post-Quantum Cryptography: Integrate post-quantum algorithms (using libraries like LibOQS, the PQ Crypto fork of OpenSSL, etc.) within OpenZiti to secure CPS against potential quantum-enabled threats.

  2. Zero Trust Networking in CPS Context: Apply zero trust principles, especially within cyber-physical systems, and evaluate OpenZiti’s capabilities (ZTNA, ZTHA, ZTTA) to fortify this setup.

  3. Hybrid Cryptography: I’m also looking to explore hybrid cryptographic methods, combining classical and post-quantum security to hedge against uncertainties with newer algorithms.

Could anyone guide me on the following points?

  • Integration Recommendations: What are the best practices for integrating OpenZiti with post-quantum cryptographic libraries? Any challenges or limitations I should anticipate?

  • Controller and Edge Router Configurations: Are there configuration tips specific to zero trust applications in CPS or post-quantum security implementations within OpenZiti’s architecture?

  • Documentation and Resources: Any documentation, case studies, or previous projects that focus on zero trust in CPS using OpenZiti would be invaluable. Also, if anyone has insights into configuring OpenZiti for cyber-physical systems, I'd greatly appreciate your input.

Thank you for any guidance or resources you can offer!
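The hybrid approach in goal 3 above (a classical key agreement and a post-quantum KEM whose secrets are combined so that the session key stays safe as long as either one holds) can be sketched in a few dozen lines of Go, which is the language OpenZiti itself is written in. The following is an added example, not code from the original post, from OpenZiti, or from any of the libraries named above. It assumes a Go 1.24 or newer toolchain, because it uses the standard-library `crypto/mlkem` (ML-KEM-768) and `crypto/ecdh` (X25519) packages instead of liboqs; the `Transcript`, `Initiator`, `Respond`, `Finish`, `combine` and `RunExchange` names are this example's own, and the KDF combiner (HKDF-SHA256 over both shared secrets, salted with the whole transcript) is illustrative in the spirit of X-Wing-style designs, not a standardized construction.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem" // stdlib since Go 1.24 (assumption: the toolchain is that new)
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transcript holds the four public values on the wire; the session key is bound to all of them.
type Transcript struct {
	InitX25519, InitMLKEM []byte // initiator's X25519 and ML-KEM-768 public keys
	RespX25519, MLKEMCt   []byte // responder's ephemeral X25519 key and ML-KEM ciphertext
}

// Initiator keeps the private halves matching InitX25519 / InitMLKEM.
type Initiator struct {
	xPriv  *ecdh.PrivateKey
	kDecap *mlkem.DecapsulationKey768
}

// must shortens the example where failure means a broken RNG or a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewInitiator generates both key pairs and the public values to send first.
func NewInitiator() (*Initiator, *Transcript) {
	xPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	kDecap := must(mlkem.GenerateKey768())
	t := &Transcript{InitX25519: xPriv.PublicKey().Bytes(), InitMLKEM: kDecap.EncapsulationKey().Bytes()}
	return &Initiator{xPriv, kDecap}, t
}

// Respond validates the initiator's keys, fills in the responder's half of t and returns the key.
func Respond(t *Transcript) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(t.InitX25519) // rejects wrong-length keys
	if err != nil {
		return nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(t.InitMLKEM) // rejects malformed ML-KEM keys
	if err != nil {
		return nil, err
	}
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ssPQ, ct := ek.Encapsulate()
	t.RespX25519, t.MLKEMCt = eph.PublicKey().Bytes(), ct
	return combine(must(eph.ECDH(peer)), ssPQ, t), nil
}

// Finish is the initiator's side; it must agree with Respond's key.
func (i *Initiator) Finish(t *Transcript) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(t.RespX25519)
	if err != nil {
		return nil, err
	}
	// A corrupted but well-formed ciphertext does not error: ML-KEM rejects implicitly
	// by returning an unrelated secret, so the two sides' keys simply differ.
	ssPQ, err := i.kDecap.Decapsulate(t.MLKEMCt)
	if err != nil {
		return nil, err
	}
	return combine(must(i.xPriv.ECDH(peer)), ssPQ, t), nil
}

// combine is the hybrid KDF: HKDF-SHA256 over ssClassical || ssPQ, salted with the whole
// transcript so the key is bound to exactly these public values. Illustrative, not a standard.
func combine(ssClassical, ssPQ []byte, t *Transcript) []byte {
	salt := bytes.Join([][]byte{t.InitX25519, t.InitMLKEM, t.RespX25519, t.MLKEMCt}, nil)
	ikm := append(append([]byte{}, ssClassical...), ssPQ...)
	return hkdfSHA256(ikm, salt, []byte("example hybrid x25519+mlkem768 v1"))
}

// hkdfSHA256 is RFC 5869 extract-then-expand for a single 32-byte output block.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // the PRK keys the expand step
	exp.Write(info)
	exp.Write([]byte{1}) // block counter; one 32-byte block is all we need
	return exp.Sum(nil)
}

// RunExchange performs a full handshake and reports whether both sides agree;
// with tamper=true one bit of the ML-KEM ciphertext is flipped in transit.
func RunExchange(tamper bool) bool {
	client, t := NewInitiator()
	responderKey := must(Respond(t))
	if tamper {
		t.MLKEMCt[0] ^= 0x01
	}
	return bytes.Equal(responderKey, must(client.Finish(t)))
}

func main() {
	fmt.Println("hybrid keys agree:", RunExchange(false))
	fmt.Println("keys agree after tampering with the ML-KEM ciphertext:", RunExchange(true))
}
```

Two properties matter here for a CPS deployment. First, an attacker who can break X25519 with a future quantum computer still needs the ML-KEM secret to reconstruct the key, and vice versa, because both shared secrets go into the KDF. Second, the transcript in the salt means that anyone who swaps a public key or ciphertext on the wire ends up with a different key rather than a silently shared one; the `tamper=true` run shows that ML-KEM's implicit rejection turns a modified ciphertext into a key mismatch instead of an error, so the application layer (for OpenZiti, the secretstream channel keyed from this secret) is what must detect the disagreement. A real integration would also authenticate the transcript with signatures, which this example leaves out.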

Hi @nise,

Are you looking to build a system leveraging OpenZiti with post-quantum crypto, or are you looking to add post-quantum crypto into OpenZiti itself? I see from your post "Integrate post-quantum algorithms ... within OpenZiti", which makes me think you're trying to fork/modify OpenZiti? Assuming that's the case, you'll want to spend time in the C SDK (GitHub - openziti/ziti-sdk-c: A C-based sdk for delivering secure applications over a Ziti Network), where libsodium is used, and within the Go stuff (GitHub - openziti/secretstream: Implementation of libsodium's secretstream in Go).

You can always tunnel anything you wish over OpenZiti though, so if you're making your own app, you can run whatever encryption you wish over the OpenZiti overlay. I'm just not entirely sure which way you're heading.

None come to my mind. You could enforce TLS 1.3, I suppose, but that's not really relevant to post-quantum since I believe it's considered just as vulnerable as TLS 1.2.

@PhilipGriffiths - you have any links worth sharing on this?


A couple of things occur to me beyond your comments. As said, it would be really useful to understand the goal and requirements more.

Myself, I am happy to jump on a quick call if it helps.


Thank you for the clarification! Yes, my goal is to modify OpenZiti itself to embed post-quantum cryptographic algorithms, effectively building in a layer of quantum-safe security directly within the OpenZiti framework.

Thanks again for the guidance