# Using hybrid post-quantum TLS with Amazon KMS
Amazon Key Management Service (Amazon KMS) supports a hybrid post-quantum key exchange option for the Transport Layer Security (TLS) network encryption protocol. You can use this TLS option when you connect to Amazon KMS API endpoints. These optional hybrid post-quantum key exchange features are at least as secure as the TLS encryption we use today and are likely to provide additional long-term security benefits. However, they affect latency and throughput compared to the classic key exchange protocols in use today.
The data that you send to Amazon Key Management Service (Amazon KMS) is protected in transit by the encryption provided by a Transport Layer Security (TLS) connection. The classic cipher suites that Amazon KMS supports for TLS sessions make brute force attacks on the key exchange mechanisms infeasible with current technology. However, if large-scale quantum computing becomes practical in the future, the classic cipher suites used in TLS key exchange mechanisms will be susceptible to these attacks. If you’re developing applications that rely on the long-term confidentiality of data passed over a TLS connection, you should consider a plan to migrate to post-quantum cryptography before large-scale quantum computers become available for use. Amazon is working to prepare for this future, and we want you to be well-prepared, too.
To protect data encrypted today against potential future attacks, Amazon is participating with the cryptographic community in the development of quantum-resistant or *post-quantum* algorithms. We've implemented *hybrid* post-quantum key exchange cipher suites in Amazon KMS that combine classic and post-quantum elements to ensure that your TLS connection is at least as strong as it would be with classic cipher suites.
These hybrid cipher suites are available for use on your production workloads in [most Amazon Web Services Regions](#pqtls-regions). However, because the performance characteristics and bandwidth requirements of hybrid cipher suites are different from those of classic key exchange mechanisms, we recommend that you [test them on your Amazon KMS API calls](pqtls-how-to.md#pqtls-testing) under different conditions.
**Feedback**
As always, we welcome your feedback and participation in our open-source repositories. We’d especially like to hear how your infrastructure interacts with this new variant of TLS traffic.
+ To provide feedback on this topic, use the **Feedback** link in the upper right corner of this page.
+ We're developing these hybrid cipher suites in open source in the [https://github.com/aws/s2n-tls](https://github.com/aws/s2n-tls) repository on GitHub. To provide feedback on the usability of the cipher suites, or share novel test conditions or results, [create an issue](https://github.com/aws/s2n-tls/issues) in the s2n-tls repository.
+ We're writing code samples for using hybrid post-quantum TLS with Amazon KMS in the [https://github.com/aws-samples/aws-kms-pq-tls-example](https://github.com/aws-samples/aws-kms-pq-tls-example) GitHub repository. To ask questions or share ideas about configuring your HTTP client or Amazon KMS client to use the hybrid cipher suites, [create an issue](https://github.com/aws-samples/aws-kms-pq-tls-example/issues) in the aws-kms-pq-tls-example repository.
**Supported Amazon Web Services Regions**
Post-quantum TLS for Amazon KMS is available in all Amazon Web Services Regions that Amazon KMS supports.
For a list of Amazon KMS endpoints for each Amazon Web Services Region, see [Amazon Key Management Service endpoints and quotas](https://docs.amazonaws.cn/general/latest/gr/kms.html) in the *Amazon Web Services General Reference*. For information about FIPS endpoints, see [FIPS endpoints](https://docs.amazonaws.cn/general/latest/gr/rande.html#FIPS-endpoints) in the *Amazon Web Services General Reference*.
## About hybrid post-quantum key exchange in TLS
Amazon KMS supports hybrid post-quantum key exchange cipher suites. You can use the Amazon SDK for Java 2.x and Amazon Common Runtime on Linux systems to configure an HTTP client that uses these cipher suites. Then, whenever you connect to an Amazon KMS endpoint with your HTTP client, the hybrid cipher suites are used.
This HTTP client uses [https://github.com/aws/s2n-tls](https://github.com/aws/s2n-tls), which is an open source implementation of the TLS protocol. The hybrid cipher suites that s2n-tls uses are implemented only for key exchange, not for direct data encryption. During *key exchange*, the client and server calculate the key they will use to encrypt and decrypt the data on the wire.
The algorithms that s2n-tls uses are a *hybrid* that combines [Elliptic Curve Diffie-Hellman](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman) (ECDH), a classic key exchange algorithm used today in TLS, with [Module-Lattice-Based Key-Encapsulation Mechanism](https://csrc.nist.gov/pubs/fips/203/final) (ML-KEM), a public-key encryption and key-establishment algorithm that the National Institute for Standards and Technology (NIST) [ has designated as its first standard](https://csrc.nist.gov/pubs/fips/203/final) post-quantum key-agreement algorithm. This hybrid uses each of the algorithms independently to generate a key. Then it combines the two keys cryptographically. With s2n-tls, you can [configure an HTTP client](pqtls-how-to.md) to prefer post-quantum TLS, which places ECDH with ML-KEM first in the preference list. Classic key exchange algorithms are included in the preference list to ensure compatibility, but they are lower in the preference order.
## Using hybrid post-quantum TLS with Amazon KMS
You can use hybrid post-quantum TLS for your calls to Amazon KMS. When setting up your HTTP client test environment, be aware of the following information:
**Encryption in Transit**
The hybrid cipher suites in s2n-tls are used only for encryption in transit. They protect your data while it is traveling from your client to the Amazon KMS endpoint. Amazon KMS does not use these cipher suites to encrypt data under Amazon KMS keys.
Instead, when Amazon KMS encrypts your data under KMS keys, it uses symmetric cryptography with 256-bit keys and the Advanced Encryption Standard in Galois Counter Mode (AES-GCM) algorithm, which is already quantum resistant. Theoretical future, large-scale quantum computing attacks on ciphertexts created under 256-bit AES-GCM keys [reduce the effective security of the key to 128 bits](https://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf). This security level is sufficient to make brute force attacks on Amazon KMS ciphertexts infeasible.
**Supported Systems**
Use of the hybrid cipher suites in s2n-tls is currently supported only on Linux systems. In addition, these cipher suites are supported only in SDKs that support the Amazon Common Runtime, such as the Amazon SDK for Java 2.x. For an example, see [Configure hybrid post-quantum TLS](pqtls-how-to.md).
**Amazon KMS Endpoints**
Amazon KMS supports hybrid post-quantum TLS on all endpoints including [FIPS 140-3 validated endpoints](https://docs.amazonaws.cn/general/latest/gr/kms.html).
## Learn more about post-quantum TLS in Amazon KMS
For more information about using hybrid post-quantum TLS in Amazon KMS, see the following resources.
+ To learn about post-quantum cryptography at Amazon, including links to blog posts and research papers, see [Post-Quantum Cryptography](https://aws.amazon.com/security/post-quantum-cryptography/).
+ For information about s2n-tls, see [Introducing s2n-tls, a New Open Source TLS Implementation](https://amazonaws-china.com/blogs/security/introducing-s2n-a-new-open-source-tls-implementation/) and [Using s2n-tls](https://github.com/aws/s2n-tls/tree/main/docs/usage-guide).
+ For information about the Amazon Common Runtime HTTP Client, see [Configuring the Amazon CRT-based HTTP client](https://docs.amazonaws.cn/sdk-for-java/latest/developer-guide/http-configuration-crt.html) in the *Amazon SDK for Java 2.x Developer Guide*.
+ For information about the post-quantum cryptography project at the National Institute for Standards and Technology (NIST), see [Post-Quantum Cryptography](https://csrc.nist.gov/Projects/Post-Quantum-Cryptography).
+ For information about NIST post-quantum cryptography standardization, see [Post-Quantum Cryptography Standardization](https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization).