Ambit Client is an enterprise VPN that combines post-quantum cryptography (PQC) with networking improvements to mitigate both the cryptographic security impacts of quantum computing and the operational friction commonly induced by cryptographic security products.

Ambit Client defeats Harvest-Now-Decrypt-Later (HNDL) attacks through the use of PQC that is compliant with the Federal Information Processing Standard (FIPS) 140-3 and Commercial National Security Algorithm Suite (CNSA) 2.0 standards. When using Ambit Client, all information leaving an endpoint (e.g., workstation, laptop, mobile device) is fully encrypted with PQC. While bad actors may be able to capture information, they will not be able to decrypt, use, or derive value from it. As a result, Ambit Client creates future-proofing for a post-quantum world.

Underlying these capabilities is an innovative cryptographic protocol, MaxKyber®, that enables rapid, modular replacement of classical cryptographic primitives anticipated to be vulnerable to quantum computers with secure PQC algorithms within a framework extensible to currently ubiquitous network protocols (e.g., Transport Layer Security (TLS), IPSec IKEv2) as well as the generation of a product suite supporting all aspects of connected business operations.

Think of Ambit Client as an armored car to transport your data. It needs quantum-resistant armor and a powerful engine to move large payloads of data safely and quickly. The MaxKyber® protocol plays the roles of the armor and the engine. MaxKyber® was designed to meet a number of technical challenges impacting PQC implementation, including:

1. Making the new PQC algorithms functionally useful by packaging them in a modular manner such that they could be readily integrated into any product requiring the secure exchange of information across a potentially insecure channel. Think of it like putting the engine and armor into a different type of car. This includes VPNs, such as Ambit Client VPN, and also networking and connectivity tools like software defined networks (SDN), browsers, and cloud services.

2. Ensuring that common features such as in-session key rotation were provided in a manner consistent with PQC cryptographic standards and CNSA 2.0.  For example, the ML-KEM standard is silent on the issue of key rotation, which is a standard part of legacy cryptographic protocols like Internet Key Exchange, v.2 (IKEv2).

3. Ensuring the provision of a robust, post-quantum analog to the key establishment capabilities provided by classical cryptographic protocols such as the elliptical curve Diffie-Hellman key agreement protocol (ECDH) that was faithful to PQC standards and the requirements specified in CNSA 2.0.

4. Ensuring compatibility with existing networking standards and implementations. For example, PQC algorithms often run into issues with Maximum Transmission Unit (MTU) limitations. This constraint becomes of singular importance when mobile and Internet-of-Things (IoT) networks are considered.

5. Solving the key distribution problem between peers in a manner consistent with CNSA 2.0 without exposing a shared secret (e.g., a cryptographic key) to the risks of transit across an insecure channel.

The MaxKyber® protocol is implemented as a modular package that is portable to TLS and IPSec IKEv2, thus offering a short path to rapid, prolific PQC adoption.

According to the highest global standard, CNSA 2.0, using one, two, or even three CNSA 2.0 or NIST-compliant algorithms is not enough for a VPN to be considered quantum-resistant. In order to do so, four key cryptographic components must use algorithms defined by CNSA 2.0:
‍
1.      Authentication
2.     Key Exchange
3.     Bulk Encryption (AEAD)
4.     Hashing

If just one of those components is not compliant with CNSA 2.0, the entire product cannot be considered quantum resistant by virtue of the CNSA 2.0 standard.

Businesses can ask their VPN providers if they use the Diffie-Hellman Key Exchange, hybrid cryptography, or elliptic-curve cryptography. If the vendor answers “yes” to any of those questions, then according to CNSA 2.0 their VPN is not quantum-resistant and any data transiting through the VPN does not meet the highest standard for protection against HNDL.

Ambit Client, however, completely uses exclusively CNSA 2.0 algorithms (NIST Level 5) across all four key components, and truly meets the highest bar for quantum-resistance.

Despite the emergence of stable, viable quantum computing platforms not being expected until close to the end of the decade (near to 2030), quantum computing is already having an indirect impact on asymmetric cryptography. Governments and malicious actors around the world are currently engaging in what is known as Harvest-Now-Decrypt-Later (HNDL) attacks. HNDL attacks are premised on a combination of the following ideas:

1. Information transiting the internet is routinely protected with asymmetric cryptographic algorithms that cannot be broken with classical computers today

2. Quantum computing will be able to break these asymmetric algorithms

3. While much of the information that transits the internet loses value quickly over time, a large, significant part of the information retains value over long periods

4. Seemingly innocuous information transiting the internet from many sources can be mosaicked to create valuable sensitive information

As a result, global actors are currently copying and storing everything that transits the internet and are doing so today.

The SaaS version of Ambit Client enables account setup and installation on endpoint devices in minutes.  If an on-premises configuration is selected, server installation, configuration, and subsequent device installation are typically completed in half a day or less. Endpoint installation follows standard platform patterns.  Windows, Mac, iOS, and Android are supported.

Ambit Client is designed for a low/no burden adoption experience. Operation requires minimal expertise or training, and the application itself is initialized with a single click.  Ambit Client can be configured to automatically activate on startup, and maintains protection even after network interruptions.  

DOWNLOAD LINK TO WHITE PAPER
‍
DOWNLOAD LINK TO CRYPTOGRAPHY FAQ

DOWNLOAD LINK TO CNSA 2.0 MANDATE

DOWNLOAD LINK TO CNSA 2.0 FAQ

If you are a customer, please see the Welcome Email we sent you.