
A Strong Finish to the Year: Exciting Technology Previews in DataPower

By Ulas Cubuk posted Tue December 24, 2024 09:03 AM


It's an exciting year closure for DataPower. We have many important updates that demonstrate how we are continuing to drive this flagship security gateway offering forward.

Our latest release, 10.6.2, introduces a range of exciting features that significantly enhance security and observability, including OpenTelemetry improvements, API security upgrades, and cutting-edge tech previews of FIPS 140-3 and Post-Quantum Cryptography.

Full details of this release can be found in our “What’s New” overview page.

Let’s dive into the highlights.

Post Quantum Cryptography: Future-Proofing Your Security (Technology Preview)

In August 2024, NIST published three approved standards covering three post-quantum cryptographic algorithms. Two of them, ML-KEM and ML-DSA, were developed by IBM researchers in collaboration with several industry and academic partners. The third, SLH-DSA, was co-developed by a researcher who has since joined IBM.

For more information, see the IBM Research blog posts NIST’s post-quantum cryptography standards are here and IBM-Developed Algorithms Announced as NIST's First Published Post-Quantum Cryptography Standards.

We’re thrilled to announce that Post Quantum Cryptography (PQC) is the first technology preview for DataPower, available to all our clients. We're introducing support for PQC KEM algorithms in our TLS client and server profiles; in order of increasing security strength and decreasing performance, they are ML-KEM-512, ML-KEM-768, and ML-KEM-1024. In addition to the three NIST-approved algorithms, you can configure TLS profiles that advertise and support hybrid algorithms.

For the TLS client profile, see kem-alg (Technology preview).

For the TLS server profile, see kem-alg (Technology preview).
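Added here as an illustration, not DataPower code or IBM's: a Python parser that reads a TLS ClientHello record and reports whether the client offers ML-KEM or hybrid key-exchange groups, which is how you confirm from a capture that a client will actually negotiate PQC with a profile configured through kem-alg. The IANA group code points and the constructed sample ClientHello are assumptions; on a real capture, pass the raw record bytes to parse_supported_groups.

```python
import struct
# IANA "TLS Supported Groups" code points (assumed current registry values).
GROUP_NAMES = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x001d: "x25519",
    0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024",
    0x11eb: "SecP256r1MLKEM768", 0x11ec: "X25519MLKEM768", 0x11ed: "SecP384r1MLKEM1024",
}
HYBRID = {0x11eb, 0x11ec, 0x11ed}    # classical ECDH combined with ML-KEM
PURE_PQ = {0x0200, 0x0201, 0x0202}    # ML-KEM on its own

def parse_supported_groups(record: bytes) -> list[int]:
    """TLS record -> Handshake -> ClientHello -> supported_groups (extension 0x000a)."""
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if record[0] != 0x16 or body[0] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                         # legacy_version + random
    pos += 1 + ch[pos]                                   # legacy_session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + ch[pos]                                   # legacy_compression_methods
    ext_end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
        data = ch[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x000a:
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []

def assess(groups: list[int]) -> dict:
    """Which groups the client offers, and whether any of them is PQ or hybrid."""
    return {"groups": [GROUP_NAMES.get(g, f"unknown(0x{g:04x})") for g in groups],
            "offers_hybrid": any(g in HYBRID for g in groups),
            "offers_pure_mlkem": any(g in PURE_PQ for g in groups)}

def build_sample_client_hello(groups: list[int]) -> bytes:
    """Constructed TLS 1.3 ClientHello that carries only a supported_groups extension."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HHH", 0x000a, len(sg) + 2, len(sg)) + sg
    ch = (b"\x03\x03" + bytes(32) + b"\x00"        # version, all-zero random, no session id
          + b"\x00\x02\x13\x01" + b"\x01\x00"      # TLS_AES_128_GCM_SHA256; null compression
          + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # A client that prefers X25519MLKEM768 but can fall back to classical groups.
    print(assess(parse_supported_groups(build_sample_client_hello([0x11ec, 0x001d, 0x0017]))))
```

A client that lists no PQ or hybrid group will never negotiate ML-KEM however the gateway profile is configured, so check the client side as well as the kem-alg setting.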

FIPS 140-3 Support: Raising the Bar for Security Compliance

To maintain security compliance, strict standards must be observed when interacting with government entities or engaging in certain government applications. FIPS 140 (Federal Information Processing Standard) is a set of security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST), which is a mandatory standard for the protection of sensitive or valuable data within Federal, State, and Local jurisdictions. Commercial applications in certain highly regulated industries, such as financial and healthcare services, also widely refer to this level of protection.

We're excited to announce that our latest release, 10.6.2, now supports FIPS 140-3, the latest iteration of the FIPS 140 series. As the successor to FIPS 140-2, FIPS 140-3 represents a significant milestone in the evolution of cryptographic security, introducing new enhancements to keep pace with the evolving landscape of cryptographic modules. 

This support is available at two levels: hardware-level and software-level security.

FIPS 140-3 Level 3

Security Level 3 requires enhanced physical security to prevent intruders from accessing critical security parameters; at this level the hardware is expected to prevent tampering, and access must be identity based. IBM DataPower Gateway appliances provide a factory-installed optional feature called the hardware security module (HSM). Our HSM-equipped appliances have been updated to support FIPS 140-3, ensuring seamless integration and enhanced security. When a user initializes the HSM, it operates in FIPS 140-3 Level 3 mode.

idg# top;co;show crypto-engine
Crypto Accelerator Type: hsm3
Crypto Accelerator Status: fully operational
Crypto Accelerator FIPS 140-3 Level: 3
Crypto Accelerator FIPS 140-3 Role: user

FIPS 140-3 Level 1 (Technology Preview)

In addition to our hardware-level support, we're also introducing FIPS 140-3 Level 1 support as a technology preview. This feature allows you to change the cryptographic mode to FIPS 140-3. In FIPS 140-3 Level 1 mode, DataPower performs cryptographic operations by using a cryptographic software module that is validated to FIPS 140-3 Level 1. This feature helps organizations comply with NIST SP800-131A, which mandates the use of longer key lengths and stronger cryptographic algorithms. For more information, see Crypto modes.

idg# co;crypto;crypto-mode-set fips-140-3-l1

OpenTelemetry Enhancements: Better Observability

Our OpenTelemetry integration has been enhanced to support the multi-protocol gateway and web service proxy. Additionally, we've added compression support to the OpenTelemetry exporter, making it easier to manage and monitor your data.

For a multi-protocol gateway, see Configuring OpenTelemetry integration for the multi-protocol gateway.

For a web service proxy, see Configuring OpenTelemetry integration for the web service proxy.

SSH Server Profile Enhancements: More Control and Flexibility

The SSH server profile has been updated to allow you to control which host key algorithms to support. This feature provides more flexibility and control over your SSH connections. When you modify the SSH server profile, you can specify which host key algorithms the server supports.

The DataPower SSH server now also supports ECDSA and ED25519 SSH host keys. Overall, ED25519 offers a combination of strong security, efficiency, simplicity, and resistance to emerging threats, making it an excellent choice for securing SSH connections.

  • Strong Security: Comparable to a 3072-bit RSA key, using only a 256-bit key
  • High Efficiency: Faster than RSA and DSA, ideal for resource-constrained environments
  • Small Key Sizes: Shorter keys for faster generation and exchange
  • Side-Channel Attack Resistance: Designed to protect against timing and power consumption attacks
  • Simplicity: Straightforward implementation reduces risk of errors
  • Quantum Resistance: Believed to be resistant to quantum computer attacks
  • Open Standard: Widely accepted and compatible across SSH implementations
  • Wide Adoption: Supported by many SSH clients and servers
  • Forward Secrecy: Can be combined with key exchange protocols that keep past SSH sessions secure

For more information, see Modifying the SSH server profile.

TLS Enhancements: Improved Security and Compatibility

We've added support for TLS 1.3 to secure HTTP/2 connections with the HTTPS handler. Additionally, you can now control whether to require TLS peers to send the close_notify alert on shutdown.

API Security Enhancements: More Secure and Efficient

The API security token manager has been updated to allow you to set the interval to run the cleanup for expired tokens. For more information, see Defining the API security token manager.

We've also improved our OIDC support for API security with additional id_token validation. For more information, see Configuring API Connect as the OAuth provider and Creating API security requirements.

Conclusion

The 10.6.2 release is packed with features that significantly enhance security and observability, including OpenTelemetry improvements, API security upgrades, and cutting-edge tech previews of FIPS 140-3 and Post-Quantum Cryptography. Try out these new features today and discover how your DataPower is poised to tackle the evolving security landscape in the year ahead.

#DataPowerGateways

#whatsnew

#quantum-safe
