Quantum computing is not just a promise for the future, but also a cybersecurity challenge of the present. Although full-scale quantum computers capable of breaking cryptographic algorithms are still under development, we must begin preparing our defenses now. With the release of OpenShift Service Mesh 3.3, Red Hat is among the first to make post-quantum cryptography (PQC) available on enterprise container platforms.
Why is the quantum threat already critical today?
The greatest risk comes from so-called "Harvest Now, Decrypt Later" (HNDL) attacks. In these attacks, adversaries record and store encrypted traffic today so that they can decrypt it later, once quantum computers capable of breaking the underlying key exchange become available.
This is particularly dangerous for long-term data (such as medical records, state secrets, or intellectual property), where the value of the data persists for decades. Currently widespread algorithms—such as RSA or elliptic curve cryptography (ECC)—are theoretically vulnerable to quantum-based attacks.
What's New in OpenShift Service Mesh 3.3
OpenShift Service Mesh version 3.3 (which is based on the open-source Istio project) introduces PQC at multiple levels:
1. Hybrid Key Exchange (X25519MLKEM768)
One of the most significant improvements is the implementation of the hybrid key exchange mechanism. This solution combines the traditional, proven X25519 algorithm with the new, quantum-resistant ML-KEM algorithm (formerly known as Kyber).
- Security: If any vulnerabilities were to be discovered in the new PQC algorithm in the future, the connection would remain just as strong as with current classical encryption.
- Compatibility: Enables a gradual transition without compromising the operation of existing systems.
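To make the hybrid mechanism concrete, here is an added, stand-alone Go example of an X25519MLKEM768-style key agreement between two in-process peers. It is not code from this page, from Red Hat, or from the Istio/Envoy projects; it uses only Go's standard library (crypto/mlkem and crypto/ecdh, Go 1.24 or newer). The Transcript type, the Handshake and Combine function names, the single-block HKDF step and its info label are this example's own assumptions; a real TLS 1.3 stack feeds the concatenated shared secret into its full key schedule instead. The example also shows one ML-KEM failure mode worth knowing about: a well-formed but corrupted ciphertext does not produce an error on decapsulation (implicit rejection), the two sides simply end up with different keys, which the handshake's later authentication step is what catches in practice.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transcript is everything a passive observer can record; it holds no secret.
type Transcript struct {
	ClientEK     []byte // ML-KEM-768 encapsulation key (client share)
	ClientX25519 []byte // client X25519 public key
	ServerCT     []byte // ML-KEM-768 ciphertext (server share)
	ServerX25519 []byte // server X25519 public key
}

// hkdf32: HKDF-Extract plus one Expand block (RFC 5869, HMAC-SHA256).
func hkdf32(ikm, salt []byte, info string) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte(info))
	exp.Write([]byte{0x01})
	return exp.Sum(nil)
}

// Combine follows the X25519MLKEM768 layout: ML-KEM secret first, X25519
// second, concatenated as the key-derivation input. Both halves are needed.
func Combine(mlkemSS, x25519SS []byte) []byte {
	ikm := make([]byte, 0, len(mlkemSS)+len(x25519SS))
	ikm = append(ikm, mlkemSS...)
	ikm = append(ikm, x25519SS...)
	return hkdf32(ikm, nil, "demo hybrid traffic key") // label is this example's own
}

// Handshake runs both peers in-process and returns each side's derived key
// plus the public transcript. tamperCT flips one ciphertext byte in transit.
func Handshake(tamperCT bool) (clientKey, serverKey []byte, tr Transcript, err error) {
	// Client share: ML-KEM-768 decapsulation key plus X25519 key pair.
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, tr, err
	}
	cx, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	tr.ClientEK = dk.EncapsulationKey().Bytes()
	tr.ClientX25519 = cx.PublicKey().Bytes()
	// Server: parse the client's share from bytes, encapsulate, run X25519.
	ek, err := mlkem.NewEncapsulationKey768(tr.ClientEK)
	if err != nil {
		return nil, nil, tr, err
	}
	cpub, err := ecdh.X25519().NewPublicKey(tr.ClientX25519)
	if err != nil {
		return nil, nil, tr, err
	}
	sx, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	mlkemSS, ct := ek.Encapsulate()
	x25519SS, err := sx.ECDH(cpub)
	if err != nil {
		return nil, nil, tr, err
	}
	serverKey = Combine(mlkemSS, x25519SS)
	tr.ServerCT = ct
	tr.ServerX25519 = sx.PublicKey().Bytes()
	if tamperCT {
		tr.ServerCT[0] ^= 0x01 // on-path modification of the ciphertext
	}
	// Client: ML-KEM implicit rejection yields a random key, not an error,
	// for a well-formed but wrong ciphertext; the keys then simply disagree.
	spub, err := ecdh.X25519().NewPublicKey(tr.ServerX25519)
	if err != nil {
		return nil, nil, tr, err
	}
	cX25519SS, err := cx.ECDH(spub)
	if err != nil {
		return nil, nil, tr, err
	}
	cMlkemSS, err := dk.Decapsulate(tr.ServerCT)
	if err != nil {
		return nil, nil, tr, err
	}
	clientKey = Combine(cMlkemSS, cX25519SS)
	return clientKey, serverKey, tr, nil
}

func main() {
	ck, sk, _, err := Handshake(false)
	fmt.Println("hybrid keys agree:", err == nil && bytes.Equal(ck, sk))
}
```

The point for the "Security" bullet above is visible in Combine: the traffic key is derived from both shared secrets, so an attacker who has recorded the Transcript and later breaks X25519 still lacks the ML-KEM half, and one who breaks ML-KEM still lacks the X25519 half.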
2. Istio Gateway PQC Support
PQC algorithms can now be configured at the mesh's entry points (gateways). This is critical, because external traffic enters the mesh here, so protection against HNDL attacks can begin right at the gateway.
3. Platform-level integration and FIPS compliance
Red Hat works closely with the National Institute of Standards and Technology (NIST) to ensure that its implementations comply with the latest standards. PQC support is built on the cryptographic libraries of Red Hat Enterprise Linux (RHEL), which forms the foundation of OpenShift, ensuring consistent protection across the entire stack.
Why is a service mesh key to migration?
Transitioning to quantum-secure algorithms, and retaining the ability to switch algorithms again later (crypto-agility), would be extremely difficult if every single application had to be modified individually. A service mesh offers two main advantages in this regard:
- Transparency for applications: mTLS (mutual TLS) encryption is implemented via sidecar proxies or the CNI layer. The application code remains unchanged; the infrastructure handles the switching of encryption algorithms "behind the scenes."
- Centralized configuration: Security engineers can centrally and declaratively specify which communications between services require quantum-secure protection.
Where to next?
Red Hat emphasizes that the introduction of PQC is not a one-time update, but the start of a longer process. OpenShift Service Mesh 3.3 enables companies to:
- Take inventory of their critical data and its lifespan.
- Launch pilot projects to test the performance and compatibility of PQC algorithms.
- Develop crypto-agility, that is, ensure that their infrastructure is capable of quickly switching algorithms in the event of future threats.
At ULX, we have been working for some time on the enterprise-level implementation of technologies such as Red Hat Service Mesh (Istio), so we are ready to support our clients in implementing these modern technologies and developing their long-term data security strategies.

