You Can't Migrate What You Can't See: Discovering Real Post-Quantum Crypto

Okay, thanks a lot. So, I would like to thank everybody who is watching and also the Bside Charlotte uh committee for inviting us or letting us come here and talk to you today. Uh today's talk is about postquantum cryptography. The title is you can't migrate what you can't see. Uh and of course um uh you may know about quantum computing, you may know a lot about quantum computing, you may know a little, you may know nothing, you may have heard of postquantum uh cryptography. Uh if I were to ask you what encryption algorithms, cipher suites, and so forth were used by the programs you use every day, uh if I ask most people, their eyes glaze over and

they say, uh I don't know. And uh it's that kind of thing that we're trying to get at today. And uh I'm Joe Wilson. Uh I am an ameritus professor at the University of Florida. Uh I have u worked I worked there for 41 years. I have a number of uh different uh GIA certifications that I've held over the past in in uh penetration testing, reverse engineering, um uh forensic sc forensic uh uh science and and uh what I'm here today as is the co-founder and CEO of Cubid AC to talk about these things. >> All right. So, I'm an Survidab. I have a PhD in computer science from University of Florida and I'm here as a co-founder

and CTO of Cubit AC. >> Right. So what is it that we're protecting and who are we protecting it from when we do cryptography? Well, crypto cryptography is essential when you send data across the internet. It's uh the gigantic fire brigade of the world where yeah I give my packet to somebody and they give it to somebody else. uh routers, ISPs, cloud providers, Wi-Fi access points, everybody along the way can read those messages. They can tamper with them. They can possibly impersonate you. So these three problems, cryptography solves them all to some extent. So what does cryptography guarantee? It doesn't guarantee the entire uh security triad of it doesn't guarantee availability, but if you do it right, it guarantees

confidentiality because only the intended recipient and the uh and the generator of a message can read that. Everybody else sees just random stuff. And this is done with encryption. Um, integrity is guaranteed because if you tamper with a message in transit, if you have a a message authenticity code, then this is detectable. Uh, so what you receive is exactly what was sent. And that uses cryptographic hashing. Uh, authentication. Uh, this helps you prove who you are and helps you prove that who you're talking to is who they say they are, if they're doing it right. uh this this essentially uh uh this is really uh you know the most important part for most people. They

want to make sure that when they're talking to their bank, they're actually uh talking to their bank and then their bank wants to know it's them. So this typically uses public key cryptography like Ryves and then and uh elliptic curve uh cryptography and depends on uh certificates. Uh so cryptography is nearly ubiquitous. You see it almost everywhere. Neo uh it's in uh every HTTPS website which is almost every website you visit. The uh TLS is enabled on most of those and it authenticates a server with certificates. All of these things happen. Um if you use SSH, every server you log into uh you uh employ RSA and ECDSA to uh exchange uh keys and to

to create those keys with the diffy helmet algorithm and and every deployment, every git push, every uh system admin action across the network depends on this. And if they are not actually encrypted properly, they're unsafe. And if you use a message messaging app like Signal, every private message is encrypted end to end. Uh so only the sender and the recipient can see what's going on. Uh if they're doing it right, then uh then even Signal can't read your messages. Uh the attacker's goal of course is to break all this to make your confidentiality disappear to uh make sure that they can read every message you have uh pretend to be you and and quantum computing threatens to

make all of these three things trivial. So cryptography isn't just some feature that you turned turn on. It's the foundation of every secure system that exists and if you remove it every network becomes an open book. >> Okay. So everything securing our network today rests on three hard math problems. RSA relies on the fact that multiplying two giant prime numbers is fast. But reversing that finding the two prime num primes from just the product would take a classical computer longer than the age of the universe. That asymmetry is your security. So ECC which is other one works similarly. You hop along a mathematical curve and the final point is your public key. Reversing that hop

count is uh computationally infeasible even with a 256 bit key size that is far smaller than RSA 2048. The third one is Deffy Helman solves a different problem. How do two parties agree on shared secret without ever transmitting it? Every site mixes a private secret into a shared value, swaps results and both arrive at the same answer. Any person who is sitting and listening who captures everything cannot reverse the math. Uh the fourth one AES is different. No hard math puzzle just astronomically large due to the power of 256 possible keys. Here is the most important thing to take away from this slide. These are not weak algorithms. They have resisted attack for decades. They are

mathematically strong against classical computers. Quantum does not break the implementation. It makes the underlying hard problem easy to solve. This is what we are up against. >> So what is a quantum computer anyway? Some of you may find this uh uh to be uh uh relatively well known to you. Others will not be familiar with it. Uh this comes really from quantum physics and it's not an electrical engineering uh based computer. So classical computers exploit electricity transistors to do computation. Quantum computers exploit behavior of sub subatomic particles. And the computation method is entirely different. It's not just some kind of faster chip. Richard Fineman introduced this idea in a paper in 1982. uh he uh

said look classical computers can't really efficiently simulate quantum systems because there's too much computation to do if you want to really represent chemistry materials and physics problems you really need a quantum computer so this was his goal to actually simulate these systems the cryptography threat was identified later in fact in 1994 when Peter Shore not came up with this idea of a cryptographic algorithm to factor numbers. And Shore discovered that a quantum computer, if it existed and had enough bits, could factor extremely large integers exponentially faster than any classical algorithm. It could essentially turn an exponential problem into a polomial problem if you're familiar with that idea. And RSA's core assumption is that it takes exponential

time to do this. So all of a sudden RSA now has an expiration date. The expiration date is when the quantum computers get big enough. So Fineman in ' 82 said nature isn't classical. Damn it. And if you want to make a simulation of nature, you better make it quantum mechanical. That's happening now. The quantum me quantum computers are good at some things, not good at other things, right? What are they good at? They're really great at factoring large integers. And this breaks shores algorithms. uh they are really good at uh this the discrete logarithm problem and that breaks uh ECC and diffy helman they're really good at unstructured weak s uh unstructured searches uh using

grover's algorithm and that weakens AES and SHA uh hashes. So there are other things you can do uh to support chemistry simulations, drug discovery, material science, all those kinds of things as well. The things we're worried about are these first three Quantum computers are not in particular not a faster laptop. They're not going to run your OS. They're not going to, you know, help you uh, you know, get a faster phone. They're not some kind of general purpose computing speed up. They only outperform classical computers on a narrow set of types of problems that can be implemented in a certain way. So there's no magic going on here. They're uh the computers that are being built

today are extremely expensive. They operate at temperatures near absolute zero. There's work to try to uh overcome that. It's in the its infancy. Uh so this is not a replacement for classical computers. It's a different kind of machine entirely, but it's one that's really going to make your day bad if you want to have encryption using RSA and elliptical curves. >> All right. So this brings us to a question. So what is quantum computer made of? Let's start with the atom of all computing, the bit. A classical bit is a light switch on and off one and zero. This that is it. Every email, every TLS handshake, every encrypted file is billions of these switches

flipping really really fast. A cubit is different. A cubit can be zero, one or hold on to this both at the same time. Uh this is this is called superposition. Think of a coin spinning in the air. It is neither heads nor tails yet. It is both until it lands. A cubit is like that coin. It only picks a value when you measure it. This is not a metaphor. It is verified measurable quantum physics. Now, here is where it gets important. Three classical bits can hold one of eight possible values at a time, but only one at a time. Three cubits hold all eight values simultaneously. Each cubit you add does not add computing power. It doubles it. 300

cubits give you more simultaneous state than there are atoms in the universe. A quantum computer does not go faster. It changes the shape of the problem. Instead of running through a a maze one path at a time, it explore every path at once. Now remember what RSA relies on and ask what happens when a computer can explore every possible factor uh simultaneously. >> So there are really three properties that make quantum computers powerful. This superposition that anog talked about uh you can think of this as uh every cubit is in two states at once. It's really not in two states at once. It's not in any state. it has possibilities to be in either state. Uh

but once you measure it then it's in one state and as as Anorex said this is not just some idea it's actually the way these machines work. U the second is entanglement and this is uh interesting because uh you can get cubits that are entangled that measuring one will determine the state of the other instantaneously. Einstein called this spooky action at a distance. You may have heard of this idea of, you know, separating two entangled bits far across the universe to do faster than light speeded communication. Oh, this is wonderful uh uh theory and wonderful things to think about. But entanglement makes a difference in a quantum computer. So this lets cubits cooperate and this multiplies the computing power

in the algorithms as a result of that. So you can think of this as being like two dice. Anarchog has one dice. He rolls it somewhere in India. I roll mine somewhere in Florida. Uh they're entangled in such a way that the opposite sides show up. Uh one of us rolls the dice, the other dice, it magically uh ends up not magically but actually ends up in the in the right state. So the third of these is interference. And this is not a property of the systems per se. It's a property of the algorithms. Quantum algorithms are designed so that they will generate a sequence of results that amplify paths or patterns that lead that are

associated with correct answers to the problem such as find the factors of this number. So we will run this algorithm and it will amplify the patterns that correspond to the correct number over and over and over again and it will cancel the paths or patterns that are associated with wrong answers. So this extracts this useful result which seems like uh chaos of superposition. So without having this uh this method you really don't have quantum computing per se. This is how the method works through this uh interference. And you can think of this like noise cancelling headphones. That is the sound wave comes into the microphone at the headphone and the headphone immediately produ produces a cancelling wave that will cause that

wave to be essentially flat. So there's no sound. The same kind of thing happens for wrong paths or patterns in a quantum algorithm. So super position explores all the paths. entanglement links the cubits together as a team and interference leads us to the right answers and pulls them from the noise. And all of these are aimed in in an adversaries computer at factoring your uh your uh uh RSA um your large uh prime or large uh multiplication two prime numbers factoring it into the uh uh into the individual primes so that you can decrypt messages. >> All right. So here's the question. how powerful uh these quantum computers are today. Well, reality check because I

know some of you are thinking this is all theoretical, right? Quantum computers are not actually a threat yet. Well, you're correct. IBM's best production chips are 133 to 156 cubits. Google's Willow chip announced in December 2024 has 105 cubits. These are research tools, not weapons yet. But here is what matters about Willow. It is not the cubit count. Willow was the first chip to demonstrate below threshold error correction. As they added more cubits, error rates went down instead of up. This is a 30-year unsolved problem in the field. It provides large fall tolerant machines can actually be built. On the resource side, in 2019 it was estimated you would need 20 million cubits to break RSA

2048. In May 2025, a Google researcher published a preprint showing that number drops to under 1 million. That is a 20 times reduction in one paper. Uh it shows the trend. The bar keeps falling towards what is buildable. Nobody knows exactly when Q day is going to arrive. uh right I'm like we all ask this question that oh when is the going to be the Q day uh some say 2030 uh the window is 2035 as per NES uh some say 2040 or beyond but PQC migration takes will take at least 5 to 10 years or if not 5 to seven years NES has already set the 20 to 35 deadline if you're waiting for the headline that says quantum

computers breaks RSA before you start you're already behind So what is it that Shores and Grover's algorithms do? I I'll just briefly go over this and not get into extremely detailed math. I I would lose myself actually if I did that. But uh Shor's algorithm uses quantum 4A transforms which essentially is for a transform is a a super uses a superposition of waves. It uses this to find the period of a mathematical function in particular that has modular behavior in polomial time. Normally this would take exponential time. Uh you'd have to search all of the possibilities. Here you can do them all simultaneously. RSA and ECC both rely on problems that are instances of this sort

of uh computation and classical computers need exponential time to do this. Quantum computer does it in polomial time. So this hard problem stops being hard. It's uh now it's not no longer uh non it's no longer np hard. It's polomial. So if you want to factor a 2048 bit number uh which RSA would depend on uh as its uh for its secrecy uh from from the public key uh classical computer will take billions of years to do that. had a quantum computer hours to weeks perhaps depending on how many cubits you have. Well, if you have enough cubits uh and the security assumption essentially completely disappears. You're no longer secure. uh ECC uh the smaller keys that they use

that essentially uh are 256 bits those fall before the 2048 bit RSA key because u shore scales with the key size not with the security level uh in any sense and for diffy helman shores also can solve the discrete logarithm problem that diffy helman uses for the exchange of information that leads to the TLS uh keys. So TLS and SSH key exchange is compromised by this. Grover's algorithm is a little bit different. It gives quadratic speed up. And this essentially takes turns the problem of searching in an unsorted space having n elements in it into a square root of n uh problem instead of a an order n time. So you won't expect that you'll have to search on average

through half of these things uh to find them. you you'll expect instead that half of the square root of n is how far you have to search. And if you apply this to symmetric cryptography like as it's like having every key although it's actually more than having every key getting even smaller so it's not really catastrophic but the key size assumptions have to change. So if you're using AES 128, all of a sudden you're less than 64bit secure uh rather than 128 bits. AS 256, Shaw 256, all of these problems become easier to solve, right? So you need to use larger and larger keys. The real important asymmetry is that shores provides this exponential speed up. There's no algorithm level

mitigation for it if you're using that approach. it's it is uh vulnerable. Uh if you look at Grover's Grover's um algorithm, the u problems that you have are manageable by increasing the key sizes. So these these methods as u and and similar methods they survive but they become a little harder. So shores breaks every protocol. AS-256 survives. Uh but only if the key exchange that sets it up isn't quantum vulnerable. Because the reason AES is used in transmissions is because it's more efficient to do this over a long stream communication than to try to use public key cryptography for every uh block that is that is uh sent. As a result, a cryptographic key exchange happens to

identify and share the AES symmetric key. So if that exchange is insecure, the problem's still insecure. All right. So harvest now decrypt later. The threat is present tense. Everything we covered so far has been theoretical. Here is where it gets real. Nation state uh adversaries are not waiting for QA to start attacking. They are collecting your encrypted traffic right now. Not to read it today. They cannot right. But uh know that what is unreadable today will be readable on Qday. The data is worth less to them right now. It becomes priceless later. The attack is intercept, store and wait. This is not speculation. In 2018, Canadian internet traffic to South Korea was rerouted through China. In 2019, a similar

interception hit European mobile traffic. In 2020, uh traffic from Google, Amazon, Facebook, and over 200 other networks were redirected through Russia. These are consistent with large scale harvest now decrypt later collection operation. We never we may never know for certain uh what was captured. So the question is who is at most risk? Anyone whose data needs to stay secret for years uh like government and defense, healthcare, uh financial services, R&D, medical records from 2024 could be readable in 2032. uh a diplomatic cable sent today could be decrypted before the situation situation it described has resolved and the industry is not ready. Uh a 2025 survey found 75% of business are concerned about harvest now decrypt

later. Uh only 23% have a strategy to address it. As of early 2024, only 3% of the HTTPS traffic used postquantum uh algorithms though that is climbing faster. U of course thanks to like companies like you know who are who are taking initiative. U the bottom line is you do not need to wait for a quantum computer to be evicted. You only need to have data worth storing today. you're eligible uh you're already in that window. So the National Institute for Standards has created uh some standards for postquantum cryptography already. Uh in 2004 and August 2004 they finalized three particular postquantum algorithms uh after a long international competition and these are available to deploy now. Uh FIPS 203 is MLKM the

module lattice based key encapsulation mechanism uh formerly known as Crystal Kyber uh for those who care. Uh it replaces effectively RSA key exchange and ECDHS ECDH and uh Diffy Helman. So you use this for exchanging TLS keys for VIPN session setup for getting key agreement in any protocol that needs it and it's a near drop in replacement for uh ECDH and TLS 1.3 uses small keys fast operation uh it is the primary basis for encryption migration today and it's already deployed by cloud fair uh cloudflare uh chrome firefox and signal fips 204 four uh modulatus uh digital signature algorithm crystals dialium. Wow. Uh replaces RSA signatures and ECDSADSA and you use this for TLS certificates,

code signing, JWD tokens, document signing and it is also a drop in replacement. It's a little bit larger than RSA. It's uh uh clearly more quantum resistant uh and it's the primary standard for authentication. uh SLHDSA is a digital another digital signature algorithm and this is uh what you would use for uh root uh certificate authorities, firmware signing and long live certificates and critical infrastructure. Uh so it's a a conservative backup for MLDDSA um and it's slower and uses larger signatures. But if lattis cryptography is ever broken then this will still be secure. Uh so the uh 203 and 204 are based on on lattice uh uh methods. So um if you look at the NIST IR850 uh 8547

deadline uh it says these quantum vulnerable algorithms uh RSA ECCDH they need to be deprecated from all NIST standards by 2035. they are pinning it at 2035. Uh the EU is also looking at 2030 and 2035 uh time frames for uh for this as well. And so high-risisk systems have to transition earlier than this. Federal agencies are required to have new classified systems use only postquantum safe methods by 2027. >> All right. So before we talk about the hybrid uh TLS before uh we need to make sure everyone understand what TLS version they are running and why it matters. Uh TLS 1.2 was released in 2008. It still runs on 70 to 80% of the servers. The problem is

it supports RSA key exchange uh static keys with no forward secur. Uh if your TLS 1.2 to session is harvested today. Your server key is ever compromised. Every past session can be decrypted. Uh it allows dozens of cypher suites including broken ones like RC4, Shia one, 3es and the handshake uh is sent largely in plain text exposing metadata about every connection. Now that was TLS 1.2 for you. uh in TLS 1.3 u it fixed all of that in 2018 uh RSC key exchange is completely removed forward secrecy is mandatory for every single connection each session gets a unique ephemeral key that is discarded after use uh compromising the server key cannot decry past traffic the cyphere suite list

drops from dozen to just five modern uh options and the the handshake is encrypted And it is definitely 30 to 50 times faster. So one round trip instead of two. Now NIS has mandated like of course like you know you need TLS 1.3. You cannot just use 1.2 and think about migration. You need to have 1.3 because TLS 1.3 support support for all federal systems from January 2024. Uh the the NSA has issued guidelines saying 1.2 2 should only be used with careful selector cipher suites. But here's the thing, every TLS 1.3 with ECDHE is not quantum safe. ECDHE is still broken by short algorithm. Forward secrecy limits the blast radius, but it does not eliminate

harvest now decrypt later exposure. full quantum uh safety you for full quantum safety you need uh next uh for the the next slide right so let's look at TLS 1.3 uh just vanilla TLS 1.3 uh sorry 1.2 uh vanilla 1.3 and uh 1.3 with hybrid PQC uh if you look at TLS uh we'll look at uh all the elements here so for key exchange TLS A1.2 2 is dead after uh quantum computing uh after Qday uh key exchange will be okay uh for TLS 1.3 and uh it will be even better for uh uh 1.3 with MLKM uh for forward secrecy broken uh after Qday and 1.2 two it's also broken today uh if you have exponential time to

solve the problem uh in 1.3 forward secrecy is man mandatory every session key is unique and uh in forward in 1.3 with hybrid PQC it's mandatory and the ephemeral keys are also quantum safe so if they are captured you're still you're still uh uh good uh as to quantum safety of TLS communications under 1.2. No way. Uh, shores algorithm breaks the RSA key exchange in TLS 1.3. ECDHA DHE is broken by shores in uh 1.3 with hybrid PQC. We're safe. Uh, for harvest now decrypt later TLS uh risk is extremely high. H&DL risk is is smaller, but forward secrecy limits that damage. In H&DL, the risk is uh completely eliminated. uh the handshake uh improves uh with each

change in in uh in TLS. Uh the adoption is really small right now for 1.3 with hybrid PQC about 38% of traffic in 2025 according to Cloudflare. Um the uh migration away from uh from TLS 1.2 is absolutely critical. It is your number one priority. uh 1.3 is a good start but you really need to use MLKM and you need to deploy that now. So the handshake runs both uh classical ECC and MLKM for key exchange simultaneously. Uh both shared secrets are combined to derive the session key. Uh so an attacker has to break both of those to compromise a session uh either qu classical or quantum and that means you get quantum safety today without

dropping backward compatibility. And this is already deployed as I say by Cloudflare Chrome Firefox Edge Signal, and Apple. So you're good to go today if you if you migrate to this. All right. So before we talk about our uh demo and before we talk about our tool, uh I know we all have been waiting for that all this time. So let's talk let's talk about like you know under the hood how this tool works. Uh so the tool runs a six-stage pipeline. Each stage feeds directly into the next. You start with nothing but a domain name. You all you need is just a domain name and by the end you have a complete cryptography bill of materials. So in the stage one

uh is subdomain discovery using subfinder. Uh pulling from passive sources across the internet. Uh stage two resolves these subdomains with DNSX. Anything that doesn't resolve to a live host gets dropped here. uh stage three probes HTTP and HTTPS across all relevant ports using HTTPX. Uh so we are not assuming everything is on 443. So basically the idea and the third step is if I run any of the web services I want to differentiate which one runs HTTPS and one which one run HTTP. Now the stage four is where the cryptograph crypto analysis actually happens. uh our open SSL scanner checks the TLS version, cipher suites, key exchange algorithms and certificate details. I mean like you know all the

good good stuff. Uh the stage five runs a parallel SSS scan. Now this stage five is if you actually wants the SSH uh all this information uh you you can pro you can ask the tool to do it for you. If you don't want, all you need is TLS and all that good stuff, you can just uh skip this one, right? That's the uh our stage five. And stage six ties it all together into a cryptography bill of materials. And in the end, when the tool finishes the scan, you will get a crypto bomb JSON file with every finding mapped together into its nest uh PQC replacement. All right. So, the tool flags four category of findings. uh it

will tell you if you are using 1.3 1.2 and if even worse unlike if you're using one 1.0 01.1 that's even bad but the tool will tell you that uh it will tell you the RSA key exchange all the cipher suites the encryption you're using your certificates how long uh how long when is it due uh is it in good state bad state things like that okay uh now what it does is like then it later maps all these encryptions into the nest guidelines you know if you're using say RSA what what you need to migrate to things like that and what should be the timeline according to the nest and what we also have a scoring system. uh what

we have done is like when we will run this whole scanner it gives you a two kinds of scoring system. One is what we call uh system scoring the whole system uh scoring system. uh what uh so like you know it will combine the your certificate health and it will combine your TLS and if you did SSH it will combine all of these and based on that based on that it will give you a score out of 100 that how is your whole security is working and then we have fully dedicated PQC scoring system which will be all about where you are right now and what you need to migrate to get a better score okay and that we will see

in a live demo right Uh >> do you want me to stop the share so you can share the >> Yes, Dr. Wilson. Let me just tell about this. All right. So a few things I missed. Uh with our tool, you don't have to worry about like you know finding all this go and to go to internet install anything and now that when you run this tool it will find what are the dependencies that are missing and it will ask you if you want to install if you just say yes it will install everything for you. Second thing I'm like we did make sure that uh we do have some minimum versions that is completely

working. So if you are missing some versions in that case it will tell you hey you are these versions are missing and then if you want to upgrade we will do it for you. So it is basically one-stop shop you come here you run the domain and it will do all the job. Now like I was telling you in the past slide that you uh if you just run do give me this just the domain this tool it runs port 443 that's the very basics uh not basic very basic thing you can do with with this tool right you don't want to know your port uh HTTP or port 80 all I want to know is how my port 443 is doing

right now one thing to remember here is some of the servers are are slow Right? They do respond like after 90 seconds the handshake takes 120 seconds. Right? So for that we do have this time thing that uh because in our basic like you know if we just run the basic scan the time is set to 10 seconds because of course you when you run bigger uh infrastructures you you don't have time to wait for that long right but if you want you can increase the seconds but say from 30 seconds 80 seconds and if still the handshake doesn't happen it will write a a file where those domains that be missed out because of timeout

you can go and check as well right and then the third version is if you do just d- all it will do everything for you it will do uh uh your TLS it will do SSH uh of course we are thinking about uh adding VPNs right now but uh that we will not demonstrate because uh well we are more focused on the web and the SSH for uh for this demonstration

So now I'm going to share my screen. >> Okay. >> Uh okay. Share. So show my screen. Oh, okay. Uh I guess I need to share again. Okay. >> Sure. Okay. >> So, >> inception. >> All right. All right. So, uh where the first question is where I can get this uh where I can get this uh tool. All you all you have to do is uh you go to well just a sec. uh you go to the uh our website you go to AC scanner uh and you can just download directly from here feed your give your information uh uh and this is just for us to know like you know who has requested it uh that's it

uh once you do that you download and then you come back to the dashboard you upload your JSON here and you will get all the information so now let's once you download the tool It will have all these files that we talked about. It has doc and things that readme file if you need more in-depth knowledge about the tool. Uh all you have to do like I said I'm just going to run a very basic command right now. I will do uh sh uh

just a sec. Uh okay. So, I'm going to do sh >> We see your browser. >> Yeah. Oh, you Oh, you're seeing my brow. Okay. Yes. Oh,

so I need to I guess share present something else. Chrome tab entire screen. Okay. All right. Can you see my screen now? >> Yes, we see it. Okay. So, uh as you can see u when you do when you download the tool, you have all these files present in that uh zip file. Uh uh it has readme file. You can read in depth about the tool and all that stuff. Uh what to run it? Uh the very easy command is do you do sh you do scan.sh whatever domain. I'm going to scan my domain right now. So I will say cubitac.com and since I'm not doing web I'm just doing the basic command it will just run

port 443. So uh like you can see it will check all the dependencies right now. Uh clearly one of my tool is outdated which I was not expecting because I was testing doing testing on something else. Uh uh okay let me uh so if you just do say no okay it's not going to do it let me see if I can it will it will take time uh I'm sorry Dr. Can you is there any way you can do this? >> Oh, I I cannot do it. >> I have not I have not uh I do not have it up right now. >> So, let me see how let me see if I can see.

>> Go ahead. Give it give it a shot. >> Yeah. Well, I'm sorry up. I was testing all this on my different computer and uh >> I completely forgot. But well, you can keep >> people get the entire experience. They get to see exactly what happens. >> Yeah. So, >> do you have do you have a a saved JSON uh >> that you can upload to the uh to the uh dashboard? >> Yes, I think so. Yeah. Let me see. >> You can do that. >> Oh. Uh >> you have no bill materials. >> I don't I don't have it. But guess what? I'm going to get uh we also have a GitHub. So let's just grab from the

GitHub

because GitHub uh has example files. So what I'm going to do is

All right. So if I see that I see here that if I go to AC scanner so you you here you can see we have cubit.com that's what happens when you scan the whole thing and you make you get a folder and if I go to qid.com here you will see I did it did run uh on >> you got nothing in there >> right so well guess what I'm like we just going to upload that for now. Uh >> okay. Do you want me to share and uh we'll just continue with the presentation. I'll do the live demo. >> Yeah. Yeah. Yeah. >> Okay. Uh stop your share and I'll do it. >> Yeah.

>> One moment.

Okay. So I think uh you were about to talk about this slide. >> Yes. So we have to show it on the dashboard how how it looks like right? >> Uh do you you don't we don't have the dashboard though do we? >> We do have JSON file. So when we upload it to the dashboard it will work. >> Okay. Uh I think we you didn't have the JSON file there. Uh so just go ahead and go with this uh slide. We'll just talk this and uh people can see the demo live. All right. So, of course, like if our if we I had all this everything figured out. This is how it looks like

when you run it. It will check it will check how many subdomains are there and how out of those subdomains how many of them are live and out of those how many are running the web services uh which is like either is it is uh port 443 or different combinations that we have and then if you say if you skipped SSH it will tell you hey you skipped SSH we are just doing HTTPS and the uh sebum will be generated u well I do Dr. I do have the JSON file. So, let me just >> Do you want me to stop sharing then? Okay. You want to share quickly? Yeah, you can share quickly. That'd be great.

>> Okay. So, I do have I do have that. So, I'm just >> let me just see where I am. Okay. So, I'm in document up. I will just go to document AC scanner. AC scan. This is what I downloaded. Okay. So, I have this date all. Okay. So when you are here you go to cbomb you take this you open and here you go you have but clearly uh we are not ready for post uh quantum cryptography it says zero but yes this is how it looks like if you go to https post uh see like you know how it found all the domain and subdomains what version we are running what ciphers uh

we are was negotiated uh what was the key key exchange and of course the certificate like you How long is valid? If it's not ready, it will tell you uh it's not quant postquantum cryptography ready. And what is the risk? Risk is high. Of course, like if you run more like you can select it the you can do the filtering from here. Uh you can if you want just the vulnerable one, you can click here. It will if it's safe, it will show it here. If you do all, it will show you all. Now I did run during this scan, I did run the HTTP. So that's why it tells me the HTTP as well. I'm

running port on port 80, but everything gets redirected to HTTPS. And here it also tells you the server and the server version I'm running. Uh now if you go to TLS certificate it tells you uh for for the domain and subdomains uh what who is the subject who is the issuer what curve was used uh what was what is the hash for the certificate uh the expiry date and is the certificate valid or not we don't have SSH information here because of course I didn't do SSH it was just about web now this is the main tab if you come here it will tell you everything about quantum You can clearly see the priority is critical because uh

you can see you have to deploy the hybrid PQC. So I'm using 1.3 I have to go to hybrid PQC and I have to migrate the certificate as well. Right? So there are two things and it it will tell you what effort it needs uh to make it fully postquantum cryptography ready. U clearly it tells you your encryption your encryption is not ready. your certificate also not ready for both of my domain and subdomain. Now here the scoring system we have a scoring system uh it just tells you that uh since both are not ready score you get the score of 100 that means it's critical uh as per us you should you should migrate real like

this year by the end of next year as per the nest of course there's a deadline it tells you all that reference all the good stuff you know here it gives you more information about you know uh is it related to quantum is it related to network what is the problem. You get all these information all just by one scan you know. Uh so everything you you can see here everything is here and like I was telling you during the my presentation this is the security health of the overall network and this is the PQC ready version. I have zero because I'm not ready yet. And we also give you top uh recommendation what needs to be done.

Uh if you come here to the recommendation tab it give you all the recommendations. All right. Uh, Dr. Wiz, >> stop that share. I'll go ahead. Can you stop share? Oh, yeah. >> Sorry. Oh, stop sharing. Yes. >> Okay. Uh, I am trying to find my share link and I do not see a link to share. This is great. So, >> I can't find the share link on here. >> In the bottom, it says share screen. Oh, >> yeah, I know. It's uh I have a It's now magically missing.

Do you want me to pull the slides? >> If you can share the last two slides. >> Yeah. All right. So, >> that'd be great because I I actually cannot share. >> Yeah. >> So, I >> Okay. Well, actually, this is the that's that's the slide we need right now. >> Yeah. >> No, move forward. One more. >> Oh, yes. Here. >> Yeah. Right. So uh how do you prioritize your PQC mig migration? First, fix your H&DL exposure. Uh second, fix your authentication chain. Third, fix the manageable risks. You can move to you can run the ACDI scanner that we have right now. Fix your RSA key exchange. Replace it with quantum safe exchange. Enable TLS 1.3 and move to MLKM 768. and

then uh inventory your certificates and get postquantum ones. And finally, so what is the what is the uh takeaway? Uh last slide here is that oh >> is that what you thought you couldn't see now you can see it. You can migrate it. The threats present today because of HNDL. The standards are ready today because NIST has made it easy for you and the path is clear. Uh, download our scanner. Scan yourself. Improve your security. The end.