AWS – AWS Transfer Family announces ML-KEM quantum-resistant key exchange for SFTP
AWS Transfer Family now supports ML-KEM (FIPS 203), a post-quantum algorithm standardized by the National Institute of Standards and Technology (NIST), for SFTP file transfers. Quantum-resistant public-key exchange helps protect transfers of data files that require long-term confidentiality against "harvest now, decrypt later" threats. In such scenarios, an adversary may be recording present-day traffic in order to decrypt it once cryptanalytically relevant quantum computers become available.
AWS Transfer Family offers fully managed support for the transfer of files over SFTP, AS2, FTPS, FTP, and web browser-based transfers directly into and out of AWS storage services. With this launch, you can now use post-quantum (PQ) hybrid security policies that combine classical Elliptic Curve Diffie-Hellman with quantum-resistant ML-KEM key exchanges between your AWS Transfer Family SFTP endpoints and clients such as OpenSSH, PuTTY, and JSch that support PQ algorithms. When using a PQ hybrid policy, your Transfer Family SFTP server preserves the standard connection options supported by most clients today, while using the most secure PQ connection options with clients that support quantum-resistant key exchange.
ML-KEM quantum-resistant key exchange for SFTP file transfers is supported in all AWS Regions where AWS Transfer Family is available. Older PQ key exchange methods, which included ML-KEM's pre-standardized version (Kyber) and were introduced in AWS Transfer Family in 2023, will be removed from existing policies and will not be included in the new PQ policy. To learn more about using PQ security policies to enable quantum-resistant key exchange, visit our documentation.
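A practical way to verify which key exchange a PQ hybrid policy actually negotiates, and whether an endpoint still advertises the retired Kyber methods, is to run the OpenSSH client with `-vv` and inspect its debug output. The following parser is an added example, not AWS or OpenSSH code; it assumes OpenSSH's `KEX algorithms:` and `kex: algorithm:` debug line formats, and the sample output below is constructed rather than captured from a real endpoint.

```python
import re

# Constructed `ssh -vv` excerpt (not captured from a real Transfer Family
# endpoint); line shapes follow OpenSSH's debug output format.
SAMPLE_PQ = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,curve25519-sha256,ext-info-c
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,x25519-kyber-512r3-sha256-d00@amazon.com,curve25519-sha256,ecdh-sha2-nistp256
debug1: kex: algorithm: mlkem768x25519-sha256
"""

SAMPLE_CLASSICAL = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug1: kex: algorithm: curve25519-sha256
"""

def classify_kex(name: str) -> str:
    """Map an SSH KEX method name to the protection class it provides."""
    n = name.lower()
    if n.startswith("mlkem"):
        return "pq-hybrid-mlkem"         # standardized ML-KEM (FIPS 203) + ECDH
    if "kyber" in n:
        return "pq-hybrid-kyber-legacy"  # pre-standard Kyber, being retired
    return "classical"

def assess_ssh_debug(output: str) -> dict:
    """Parse client debug output: what the server offered, what was negotiated."""
    offered, negotiated, in_server = [], None, False
    for line in output.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_server = True            # following KEX list is the server's offer
        elif "local client KEXINIT proposal" in line:
            in_server = False           # following KEX list is our own offer
        m = re.search(r"KEX algorithms: (\S+)", line)
        if m and in_server:
            offered = m.group(1).split(",")
        m = re.search(r"kex: algorithm: (\S+)", line)
        if m:
            negotiated = m.group(1)     # the method both sides agreed on
    classes = {classify_kex(k) for k in offered}
    return {
        "negotiated": negotiated,
        "negotiated_class": classify_kex(negotiated) if negotiated else None,
        "server_offers_mlkem": "pq-hybrid-mlkem" in classes,
        "server_offers_legacy_kyber": "pq-hybrid-kyber-legacy" in classes,
    }
```

Feed it the output of `ssh -vv user@host 2>&1` against your endpoint; a `negotiated_class` of `classical` with a PQ-capable client means the server policy is not offering ML-KEM.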