Advancing Quantum-Ready Security: PQC FIPS standards, interoperability, and API enhancements in BC 1.77

Updates to PQC FIPS standards and interoperability testing

Updating PQC FIPS standards and ensuring interoperability testing is crucial in our ongoing quantum-ready journey. As a Bouncy Castle user, you now have the opportunity to experiment both internally and with others. This release specifically addresses the second issue, increasing the likelihood of successful interoperability.

Recent publications of FIPS PUB 203, FIPS PUB 204, and FIPS PUB 205 drafts have prompted BC Java 1.77 to update PQC algorithms—Kyber, Dilithium, and SPHINCS+—in alignment with these draft standards.

Furthermore, the public key certificates generated in this update underwent validation in collaboration with various vendors during the IETF PQC Certificate Hackathon. This process confirms that the BC based implementations will indeed interoperate seamlessly with other vendors. The success of any public key and certificate implementation hinges on its ability to interoperate effectively.

Resolving supported groups extension issues with DTLS

To enhance compliance for users of DTLS, BC 1.77 has resolved issues surrounding the supported groups extension. The DTLS API now exhibits fully compliant behavior when the supported groups extension is utilized. This improvement significantly reduces unexpected challenges during the debugging of DTLS connections.

Adapting the TLS/DTLS API for compatibility with modern PKCS#11 providers

For HSM (Hardware Security Module) users leveraging TLS/DTL APIs, the transition to newer PKCS#11 providers is apparent, with the adoption of a new naming convention for RSA PSS based signature algorithms and the discontinuation of the old one. In response, BC 1.77 has adapted the TLS/DTLS API to support providers offering RSA PSS signatures using the updated "RSAPSS" algorithm naming convention, in addition to the older "withMGF1" designation. This should ensure seamless integration with the evolving landscape of HSM technologies.

Read more and download:

Release notes for BC 1.77 Java  

Link for download BC 1.77 Java

Set up your first quantum-ready PKI. Create your ML-DSA (Dilithium) Root CAs, Issuing CAs, and end entities for code signing. Then, sign data in SignServer. You can find all the tutorial videos and how-to guides you need here.