Navaneeth Rameshan

Overview

Title

Research developer

Location

IBM Research Europe - Zurich, Zurich, Switzerland

Bio

As part of the Quantum-Safe Cloud and Systems group at IBM Research, Zurich, I work on applied security, focusing on key/secrets management, PKI, HSMs and securing applications against threats from a quantum computer. Hands-on, with contributions to IBM Cloud Key Protect, Hyper Protect Crypto Service, Secrets Manager and IBM Kubernetes Service.

Work Summary:

  • Enabled Quantum Safe (Q-Safe) support in different frameworks and components. Specifically, Q-Safe TLS in Postgres, Java-based Netty, Java gRPC, Envoy, a full implementation of a Q-Safe service mesh for OpenShift clusters, and a Q-Safe PKI implementation in HashiCorp Vault.

  • Led the design and implementation of a private PKI with different crypto backends for IBM Cloud Secrets Manager, with support for HPCS, Thales and Marvell HSMs.

  • Led the design and implementation of certificate life cycle management using the ACME protocol with asynchronous issuance and automated renewal.

    • This work is deployed and available via IBM Cloud Secrets Manager
  • Co-led the implementation and delivered TLS handshake termination using Hyper Protect Crypto Service (HPCS). TLS establishment is transparently intercepted by a custom implementation of an OpenSSL engine that forwards signature requests to the HSM holding the private key, enabling TLS termination without the risk of exposing long-term private keys.

    • This is integrated into IBM Cloud Hyper Protect Crypto Service and IBM Cloud OpenShift
  • Co-led the design and led the implementation of a performant and scalable middleware for Hardware Security Modules (HSM). These additions increased the throughput for key operations by 3x - 10x, and latency by a factor of 50.

    • Currently deployed in all regions of IBM Cloud Key Protect
  • Contributed to the enablement of the first Hyper Protect Crypto Service (HPCS) demo at THINK-2018, and was the key enabling factor to ramp the HPCS product offering in IBM Cloud