← All talks

BSidesCharm 2026 - You Can’t Migrate What You Can’t See: Discovering Real Post-Quantum Crypto

BSides Charm 202654:0733 viewsPublished 2026-06Watch on YouTube ↗
Speakers
Tags
About this talk
Post-quantum cryptography is often framed as a future problem, but harvest-now-decrypt-later attacks and long-lived cryptographic assets mean organizations are exposed today. This talk presents a discovery-first approach using Asset and Cryptographic Discovery and Inventory (ACDI), demonstrating an open-source scanner that maps cryptography across TLS, SSH, and certificates. The speakers show how findings align with NIST's PQC standards (ML-KEM, ML-DSA, SLH-DSA) to prioritize migration and adopt hybrid cryptography incrementally.
Show original YouTube description
Post-quantum cryptography (PQC) is often discussed as a future problem, but organizations are already exposed today due to long-lived cryptographic assets and the risk of “harvest now, decrypt later.” While many systems claim PQC readiness, few teams can answer a basic question: where is cryptography actually used, and which systems are still vulnerable? This talk introduces a practical, discovery-first approach to PQC using Asset and Cryptographic Discovery and Inventory (ACDI). We demonstrate an open-source scanner that identifies cryptography across common services such as TLS and SSH, analyzes certificates and key algorithms, and highlights post-quantum-relevant weaknesses caused by legacy protocols or long-lived trust assets. We then show how these findings map to NIST’s PQC standards and enable teams to prioritize migration, adopt hybrid cryptography, and reduce risk incrementally. The session avoids heavy mathematics and focuses on actionable visibility and migration strategies. Anurag Swarnim Yadav Anurag Swarnim Yadav is a security researcher currently working on QubitAC, a platform focused on cryptographic discovery, inventory, and post-quantum cryptography (PQC) readiness. He holds a Ph.D. in Computer Science from the University of Florida, where his research centered on machine-learning–driven vulnerability detection and automated program repair. Joseph N. Wilson Joseph N. Wilson is a co-founder of QubitAC and an emeritus faculty member at the University of Florida who received his PhD in Computer Science from the University of Virginia. During his 41 year academic career, he carried out a wide variety of research projects and authored over 150 publications concerning topics including cybersecurity, machine learning, landmine detection and remediation, and computer vision. In addition to his academic work, Dr. Wilson has been a GIAC certified network and web application penetration tester as well as a malware and forensic analyst. His current work is aimed at helping organizations and people improve both their computational and communications security and privacy. He received the General Ronald W. Yates Award for Excellence in Technology Transfer for work leading to successful landmine and IED detection systems employed by US military support forces in Afghanistan.
Show transcript [en]

I forgot my sunglasses. Um, thanks to our talk. Thank you to the uh Besides Charm uh committee. Thanks to all of the sponsors. Sponsors are great. And thank you to all the people who are here to listen to this talk. I hope this is uh I hope you leave happier than when you uh got here. And I hope it's not because you're leaving our talk that you're happy. But uh this is you can't migrate what you can't see. We're talking about postquantum cryptography. Uh by way of introduction very briefly, I'm Joe Wilson. and I'm a a longtime uh academic who uh worked at the University of Florida for more years than I want to admit. I've uh worked in uh machine

learning, uh cyber security, uh programming languages, all kinds of stuff. I could never find the thing that I was really interested and now we're looking at postquantum cryptography and >> yeah, so I'm an u I have a PhD in computer science and I'm the co-founder and CTO of Cubid AC. >> Yeah. and I am the uh CEO and president of of Cubidac and we're here to talk to you about a number of things. Now, before I get started, how many people uh here uh like to raise their hands when speakers ask ridiculous questions on stage and Yeah. Okay. Thank you. Yeah. Well, I'm not going to do that. I know that there are plenty of people here who

are experts in quantum computing. Uh there are probably people from APL and the Maryland Procurement Office and other places who know a lot more about this than I do. Actually I you know I'm not an expert in quantum uh mechanics or even really in quantum cryptography but we're going to tell you about this problem about uh the origins of it about the mechanisms to uh to address the problem and and how you can help solve this problem for yourself and perhaps your organization or whoever else you might be working with. And uh so what is it we're protecting and why and who are we protecting it from? uh cryptography is essential to everything we're doing

on the internet nowadays. If it hadn't been for RSA and uh the you know the that algorithm we would not be doing uh uh business on the internet today safely. Uh but the primary things that you're really looking at you know there's the security triad or the hexad whatever you want to talk about but there are three things that uh that cryptography really buys you. One is that uh if you want confidentiality then you can communicate messages uh securely on the internet with if you're doing cryptography right relatively securely on the internet without uh having those messages intercepted. Uh the second thing is you you'll have integrity of your messages because there are digital signature algorithms that use

cryptography that guarantee that the message you send is the one that you're saying you sent. And uh the other thing is authentication. You don't want people to be able to uh pretend that they're you so that they can do whatever it is that you could do on on their own behalf rather than yours. Right? So cryptography free is nearly ubiquitous and you'll find for example it's in every website you get to pretty much nowadays if you're doing it right. Uh via HTTPS and TLS uh you'll find this in SSH and RDP if you're doing it right as well. uh every server you log into, you're going to you're going to have uh cryptographic uh information uh

transmitted, your commands, the results of those commands and so forth. Also, every private message that you send, whether it's over signal or some other mechanism, if you're doing it right, those are encrypted with uh some mechanism that provides uh security that uh that people cannot listen uh from end to end. And um the attacker wants to break all three of these things of or some attackers want to break one or two or all three of these things. And uh so cryptography isn't some feature that you turn on and off. It's absolutely essential to everything you're doing. >> All right. So before I start uh any cryptographers here? No. Okay. So great. U let's start with

the basic then. Uh in cryptography basically cryptography is based on three math hard problems. The first one is RSA is basically uh you take two giant prime numbers you multiply you get a product but then if I want to find those two prime numbers it's hard right that's your RSA the second the second me and third is bas based on discrete uh logarithm problems the first one is the curve what happens is like if Alice and Bob wants to uh do the secrets exchange uh in the this curve u what happens is you ask Alice was going to ask his system that hey generate me a number and on the curve there's already a standard

G you take those many number of hops on the curve and you will end up getting a public key and you share that public key uh with Bob's going to do the same thing Bob is going to end up uh with a public key they exchange and then in the end l is going to take the Bob's public key uh multiply with the what it has and they both will end up be having the same secret uh exchange right uh that's your elliptic curve the third one is defy alman kind of same concept the only difference here is the maths uh in this one the alis the Alice and Bob first is going to agree on something called

generator and a prime number once they do that uh what Ellis is going to do is Ellis is going to have a secret key it's going to take the generator multiply that number of times take take a mod of that P and we'll end up getting some number. Same thing Bob is going to do. They share the product and in the end same concept Alis will take the product uh take the secret number multiply that that number of times take them out and they will end up getting the same secret. So this is the basic of cryptography and the fourth one is AES. With AES it's basically the computation is hard and the hardness depends on the

key size. As you go bigger on the key size uh you get more security. So again the first three is basically to do the first exchange and when they do the handshake uh then the it gets converted to AES >> and all that's great. Uh but uh the uh issue is that we now have these wonderful quantum computers that are being built and uh let's talk about those for just a minute before we get to the uh the meat of this uh issue. Right? So quantum computers are really uh born out of quantum physics. Uh this is the typical computer you use uh uses uh at classical physics. It uses electronic components and and electrical

engineering devices. Quantum computers don't do that. There are five or six different uh techniques that they employ but these all employ uh physics properties at extremely small scale. And Richard Feman and 81 gave a talk in ' 82 it was published he introduced this idea of quantum computers. He said if you know these systems that we want to talk about these chemical systems these physical systems they're so huge you can't compute the the simulations of them on a classical computer. You need something better. We really need a quantum computer to do this. So he pos this posited this idea of having quantum computers and u so the issue here is that um that uh Peter Shore when the

cryptography problem wasn't thought of in 1982 in terms of quantum computing but Peter Shore in ' 94 developed this cute little algorithm to factor numbers really quickly and uh this this is at the core of uh interdicting or getting underneath uh RSA and and other methods Because if you can factor numbers very quickly, if you can factor numbers in polomial time and as opposed to exponential time, take that n out of the exponent and put it down in the uh in the uh uh factors, then you can break these codes in days rather than in years with the appropriate size computer. Right? Uh so right so what are quantum computers good at? One thing they're good at factoring

large numbers. That's Shor's algorithm. Another thing the discrete logarithm problem this uh gets uh in the way of ECC uh elliptic curve cryptography and the diffy helman exchange uh also uh unstructured search which is implemented with a a technique known as Grover's algorithm that reduces the security of AES but not as as dramatically as the reductions in security of short of of RSA and elliptic curves. Uh there are other things you can do with quantum computers that don't really have anything to do with uh security today at least. Uh right. So quantum computers are also not a lot of things. They're not some kind of faster laptop that you're going to have. They're not good

at general purpose uh computing speed up. They're not going to implement an operating system. They're not some kind of magic. But uh so it's not a replacement for a classical computer. But what it's going to do is it's going to make cryptography extremely difficult if you use these older algorithms, ancient algorithms from just you know the last 20 years. >> All right. So whenever you're going to talk to anybody who's going to talk about uh quantum computers, you will hear the word cubit. Um so how in classical we have this bits in quantum we have cubit. So the main thing you have to understand here is like we all know about bit right is zeros and ones.

It's just like bunch of numbers flipping al together whether it's email or anything else. Um but with classical thing it's only going to be either zeros and ones at a time with cubid it can be both. So it's more like you toss a coin in the air. It can be heads and tail until you measure it. And you will see in the uh next slide when I say what I mean by measure but understand this that it can have both the state at the same time unless you go and try to find the answer. So that is your cubit for you and then why does it matter? So if you take three bits you will have eight

values but you can have only one value at a time with cubit you can have all eight values together and like I said once you go there and measure you will get one u but that's bit and classic bit and cubit for you >> right so there are really three properties about quantum uh physics or quantum computing and quantum algorithms that make this powerful in terms of being able to carry out the computations that will break these codes, right? Uh one is the superp position uh that Anna just talked about. Uh you can think of this as uh both states being held simultaneously with different probabilities. The uh the probability issue is what led Einstein to say, "Oh,

God doesn't play dice with the universe and argue that uh quantum physics couldn't be right." And Nellis Bor said uh you know stop telling God what to do and quantum physics really is right. So you know that it's uh this superp position allows states to be uh more general than the state of a bit in a uh in a typical computer. It's not really that it's a completely different kind of computing. It is that uh classical computing is a special case of quantum computing. So it generalizes what we have to this extremely powerful approach. The second thing is entanglement. This is where essentially two cubits can be entangled so that measuring one of them when these superp

position states are measured they collapse to an actual value bit 0 or one uh measuring one cubit of an entangled pair will determine the value of another. This entanglement allows this uh what Einstein called spooky action in a distance. And you know maybe it's not going to get you faster than light speeded communication but it does uh let you defi define algorithms that are extremely powerful. And uh the third property and this is not a property of quantum physics but it's a property of the algorithms like Shor's algorithm is uh this idea of interference. The u the uh shores algorithm we'll talk about this in a moment. The uh analog here or the analogy is to noise cancelling

headphones where uh a sound will come in it's a sound wave and I will get the opposite wave to cancel out that soundwave so I don't hear that noise. Right? The same kind of thing happens in these algorithms where correct answers will multiply together their essentially their wave states and incorrect answers uh or uh possibilities will cancel those out. So these three properties of superposition and sorry to hold the mic out up into the air of superposition and entanglement and interference work together to make uh quantum computers extremely quantum algorithms extremely powerful. All right. So now these are the numbers. Uh the main question is like how far are we from this uh the attack we're going to talk

about? What is this present status? Uh so right now there is two companies IBM and Google uh leading this space. Uh here if you see the numbers Google in 2019 said they have 53 cubits and when I say all these numbers right now understand these are physical cubits. U in quantum you will hear a lot of people talking about hey I have 53 cubits or I have one logical cubit. So the difference is like when you put together all these physical cubits uh bunch of cluster physical cubits together then you say it as how many logical cubits I have. So these are physical cubits what I'm going to talk about right now. So Google started in 2019 I have 53 cubits

IBM 127 1836. The thing you need to understand here is Google uh in 2024 even though their number of cubits are less compared to IBM which is 105 they were able to prove and they were able to achieve something called fall tolerant and what I mean by fall tolerant is these physical these physical cubits are inherently uh are subset are basically cannot handle u the distraction from outside. So when somebody said that oh it's fall tolerant that means they're able to correct that errors and still able to give you a better answer or better result when you go and measure it. So they are able to uh basically avoid the error at the same time correct it. So that's what it means

by fall tolerant. So these two companies have diff different strategy. Google is saying I'm going to have less cubit on a board but then I want to make sure these are fall tolerant. IBM is like you know what I'm just going to keep having more cubits. I want to see how many cubits I have on fit can fit on a one board and we have all these codes and then we will apply the error code later. So more physical cubit doesn't mean that they are doing a better job but less also doesn't mean that they're doing better job. They just have a different strategy of doing this. U so yeah now coming back to the point in 20 in 2012 we had it was

like oh we need 1 billion cubits to break RSA and then 2019 it's 20 millions and 8 hours of computation in 2025 it's now 1 million and one week of computation what you need to understand is it's 13 years and in that 13 years we went from 1 million uh 1 billion to 1 million that's how we are moving fast u so and Now earlier you like if you would have talked to somebody last year they would have said oh you know what it's it's going to come in 2035 or 2030 but Google's new uh estimate is 2029 so as we as we make progress we are getting there >> uh also I' I'd point out that some of

you may have heard about uh the result from project 11 uh Gian Carlo uh the algorithm it was shown uh essentially In LA last September, IBM uh was able to break a six-bit uh elliptical curve uh uh cryptographer uh cryptographic scheme. Uh yesterday it was announced that a 15bit EC uh uh cryptography uh method was broken. Uh that's a more than doubling in the last seven months. And if you uh if you expand that out uh although Google has said that Qday when uh when these curves intersect of how fast how many cubits do you need to uh break RSA 2048 and how uh what the number of cubits are available in machine although uh Google said this will probably happen

in 2029. If you do the math it looks like maybe that could happen for elliptical curves in 2028. So uh that means Diffy Helman is no longer any good in 2028. Uh I'm not trying to stoke fear but I'm just saying that as the algorithms get better and the machines get better, Qday gets closer and closer. Uh so why are these algorithms breaking today's cryptography in the first place? Okay. So uh just and this is uh very brief and I'm not going to get into details. You know, I knew about Shor's algorithm uh really detailed a lot a while back and it's like yeah I kind of get it anyway. So uh the uh issue the

element the the techniques that's used by shores algorithm uses uh uh quant quantum forier transforms on on modular factors that essentially employs a property that if you collect together all these modular factors then these waves that are represented the 4 transform will interfere uh in values that do not correspond to in places that do not corresp respond to the factors and will uh reinforce themselves to correspond with the factors. So that's what gets at RSA's the RSA factoring problem uh is solved by that approach. the um uh elliptic curve uh um and ECDSA the digital signature algorithm uh they uh employ the um uh as a as uh the uh uh they they employ another method that is

also broken uh by Shor's algorithm. Diffy Helman on the other hand also uses the curves and is broken by Shor's algorithm. If you look at Grover's algorithm, Grover's algorithm is this uh unstructured search problem uh that does attack AES effectively uh reducing the amount of time to do this to be able to solve or to be able to break an AES key uh by essentially a uh the square root of the uh key size. which means that effectively if you are currently using AES1 128 and feel that that's uh secure you probably ought to use AES1 256. So it effectively reduces the key size by half. Um the um uh the this asymmetry between uh Shor's algorithm and uh

Grover's algorithm is this Shor's algorithm breaks the underlying mathematics. Grover's algorithm just makes the math a little bit easier. So uh Shor's algorithm gives a dramatic increase. Griffith's algorithm is just an incremental uh just an incremental increase. Right? All right. So now here's the point. Why are we talking about this? Uh we're talking about this because there is something called harvest not decry later attack. Okay. So it's H&DL. Uh and this is all about like you know right now we all think oh yeah I'm talking to Bob and everything is encrypted. Nobody's listening. But if I'm collecting all this encrypted traffic right now and the whole point is like when the quantum computer are going to come I can break

those keys and I it will be all converted into plain text. So everything what we think right now is like as all encrypted nobody's listening or can see it trust me 2029 people can do it. So this is the attack that everybody's concerned about any company you talk to any like and uh why so the second question is like what are the companies should be concerned about any companies that want that has to keep their record uh say for 10 10 15 years like you know hospitals, banks, government agencies like you know they want to keep their their uh the all this encrypted thing not being stolen and at the same time not being decrypted. So they should be

more concerned. It's not you and me doing Instagram. It's more like hey I want to keep this record safe. So second thing is like people think that oh it's right now it's happening but maybe it's it has been happening from years like you know if you see at their real incidents in 2016 Canadian internet traffic internet traffic to South Korea rerouted through China. We don't know what they were doing. Did they actually collect the data or not? In 20 2019, same thing. European cell phone traffic intercepted in similar rerouting uh incident. So these things has been happening for years, but now it's a concern. So now as per the industry survey, 75% people, yeah, they do they're concerned, they

acknowledge and 23% have a strategy. But in terms of the traffic, in terms of like can we actually uh save ourselves from harvest not decrypt later attack only 3% actually uses PQC uh in early 2024 and now it's 38% by March 2025 because companies like Cloudfare they are coming to the picture they are and Google they're coming to the picture and they're rolling out these uh hybrid encryption >> right so we know that RSA is going to be a problem. We know that defy home exchange is going to be a problem. Uh well, all hope is lost, right? Well, not all hope is lost. Uh NIST has been working on this problem for quite a while. And

there are now there's been a long process of uh of candidate algorithms that has centered on three primary algorithms that NIST is proposing and has is requiring in in various or that the government is requiring in various places for uh federal agencies. uh that is uh uh MLKM uh which is FIPS 203 which is the uh modules lattice uh key uh encapsulation method with this is effectively as a drop-in replacement for RSA. does what RSA does for us today. And um the uh second of these is uh MLDDSA which is the modules lattice. And the modules lattice approach by the way it depends on uh it depends on a a um the um a method that is not broken

currently and will not uh is not expected to be broken uh soon by quantum computers. MLDDSA is used uh for as a digital signature algorithm. So that uh gives you the uh so the first gives you the uh effectively the uh the uh confidentiality and and this gives you the integrity and the first also gives you uh authentication uh uh security and uh FIPS 20 uh FIPS 205 is uh SLHDSA uh which is an alternative uh hashing approach for digital signatures that does not use uh the modules lattice just in case the modules lattice approach is broken by quantum uh by new quantum algorithms that we haven't identified yet. And the the idea here is that one

would use uh SLHDSA for things that ex need to be extremely secure for an extremely long period of time. uh things like uh uh root certificates of uh and and uh and other longive data that you want to be able to verify the um uh the nature of. Right? These methods are available today. They're implemented. Uh there is also uh if you uh get the most recent version of uh SSH it uses uh the uh um was it the uh strum the uh st well anyway it uses an alternate method uh that uh that is not MLKM but TLS 1.2 2 uh is essentially uh it was outdated in 2018 by TLS 1.3 when that was released. It was it was

effectively uh uh should have been decommissioned but you know it takes a long time to decommission things. I I guess uh it just takes a long it just takes a while. Uh if you look at TS TLS 1.2 this legacy approach is being used a lot. TLS 1.3 by itself improves on TLS 1.2. to but it doesn't uh provide postquantum safe uh safe communication unless you're actually using the hybrid postquantum cryptography approaches that are supported by TLS 1.3 and uh current versions in of OpenSSL. So the elements that we're looking at are key exchange the key exchange in TLS 1.2 is RSA uh 2048 and that's going to be completely dead. uh the key exchange in TLS 1.3

will be uh ECDHE that uh and and that's also not quantum safe. Um in TLS 1.3 with hybrid PQC it uses uh X25519 uh which is an elliptic curve approach and uh MLKM 768 which is this modules lattice postquantum approach. It uses both of these so that both have to be used in tandem to uh to provide the uh communication. Um you have to break both classical and quantum uh cryptography to break that. Uh for forward secrecy, forward secrecy is essentially if somebody captures this message later, will they be able to find my the key that was used for the message? Right? If that key is stored, then forward sequency is not provided. If that key is

ephemeral and is not stored in the communication in any way, then that's better. TLS 1.3 uses ephemeral exchange and it gets rid of that problem. Uh, however, you can still attack that uh that uh that forward secrecy. Uh it just takes longer. the um uh TLS TLS 1.3 with postquantum uh it's it's uh mandatory and you're going to use uh if you're using quantum uh safe cryptography you're you're good uh and by the way we're sorry these are are like eye charts uh you can we have a QR code at the end so you can get these slides we want to have all the information available so you can use it uh on your for your uh purposes the um next thing

which ones are quantum safe really only TLS 1.3 with postquantum cryptography. Uh which of these uh things provide uh HNDL uh security? Uh TLS 1.2 does not. TLS 1.3 gets a little bit better with forward secrecy. Uh TLS 1.3 with uh hybrid PQC is HNDL safe if both the client and server are using the postquantum encryption mechanism. Of course, if you roll back to earlier versions, if your clients are using uh TLS 1.3, most people will downgrade and and communicate. So, you may have a server that that provides uh the capability for postquantum uh cryptography, but your clients aren't using it. This is important issue by the way. Uh so, in terms of uh roundtrip uh

roundtrip uh time on handshake, it's it's better than it used to be. uh in terms of adoption uh 99% of people can can use uh TLS 1.2. 70% uh theoretically are on TLS 1.3. Uh about 38% of sites have adopted postquantum cryptography. However, our uh our analysis of different uh sites uh that we've looked at varies u you know that's a reasonable number perhaps a little high. Um and finally uh you know what what is the story in terms of what you should do with these? If you're using TLS 1.2, you should definitely migrate away from it. If you're using 1.3, you should definitely put uh postquantum uh cryptography in there. You should use the hybrid PQC. And if you're already uh

using uh the what we recommend is is the right thing to do. Uh you're doing pretty well. So uh you know this is already supported by cloudflare chrome uh uh signal firefox edge a bunch of people do it. All right so a lot of theory right uh so one thing I just want to add what Joe was talking about is TLS if you want to actually do the migration you can do on TLS 1.2 2 1.3 is the backbone. So you need to have TLS 1.3 to even do the migration. Okay. So now to do the migration the very first thing you want to do is you want to figure out where exactly my cryptography is sitting in my

enterprise. Okay. Uh so the very first thing you want to do is like you give me a domain. I'm going to find all the subdomains your company has. And let me tell you this this is we are this is all active scanning. There is nothing passive right now. So anyone from outside can do this what we are doing here. U so again you give me a give me a domain I'm going to find all the subdomain and then once you find this of course like some of them might not even respond right because we are taking the outside database. So we what you what we do is like we check whether these are active or not. Once they are active we

want and for this for today's demo we are just doing web servers. Uh so we want to see whether they are running a web servers or not and if they are running the web servers are they doing HTTP or HTTPS. Uh once you do that if you are running the HTTPS you want to figure out what kind of ciphers what kind of encryptions uh is being done between the client and the server and then of course like you can do SSH we're not demoing today but you can still do it with this tool. Now things to remember again if you find TLS 1.2 you can't migrate you have to first do TLS 1.3 and then only you can because that's

the backbone right so things this tool is going to tell you is that hey you're using TLS 1.2 to with these ciphers with these encryptions and like you know if you're using RSA what kind of size you're using uh it will tell you uh things to replace not to replace and it will map it to the nest what NIST is asking you to do so if you see X25519 plus MLK that's where you want to be but is that the is that the reality we'll talk about that so once you install like these the this tool can be installed on OS s uh Linux, we support all that stuff. Uh all you got to do is just run and take all you

need is domain name. That's it. That's all you need. And then it will do the job for you. Uh right now, like I said, if you want to do web, we cover like four or five different ports, the common ports 80, 443, things like that. Uh if you want to do if you do SSH, we cover the common ones. And if you just want to check 443, which is HTTPS, you can still you can do that. Now uh like I said this is how it's going to look like when you run it will tell you how many subdomains you have found how many are active u how many are running web services and if it's https

how many are active and responding and then in the end it will generate a beautiful uh cbomb for you. So now I'm going to show you show you the demo. Uh if you actually install and run it >> well and brings that up. I want to mention a couple things. One is this is a a free open source tool. You can use this. It's there were there are people who will sell you uh you know the the right to have them run a tool like this on your system. But it's not magic. It's not secret sauce. It's it's there. The hard part is is figuring out what to do after that's available. Uh is that it's

not showing up because uh you have the uh we have the uh we got to stop the presentation. Oh yeah, we'll have to stop the slideshow. Ah, we got nothing now. Why are we seeing nothing? Very strange. We start the slideshow again. We see something. We see that

I see nothing. Okay, stop that. Our display is magically not duplicated.

Duplicate.

All right. So, yeah, all like I said, I'm just going to run the script. I'm going to give my company's name. I'm going to do the web. Uh, what it does is like it's going to, if you don't have all these packages, it will ask you if you want to install. And if you say yes, it's going to install for you. So, you don't have to worry about the packages. Uh, it's going to find the subdomain. Yeah, we only have two right now, which is ww.cubid.com and the cubid.com

and then finally it generates a Cbomb. And by the way, the cryptographic bill of materials, the seabbomb is is a really important uh element of this entire process. It's much more much more than just a spreadsheet that identifies some things. It it has information that attributes where the uh where the intelligence was taken from exactly what represented the information that was characterized and uh NIST identifies what kinds of information needs to go into that. So uh you you can scan and do something else, but if you don't have a CE bomb, you don't have all the information you need. And what this is doing is going back to our site to a uh to a dashboard that's

available. If you use our dashboard, it uses resources on your local machine. We aren't able to grab the C bombs that you use. If you want to use this dashboard, you know, if you rip it off here, here you see like, you know, we we found to total four H uh four uh endpoints, which is two HTTP, two HTTPS. Uh it will tell you everything here like, you know, what we found. Uh it will give you the recommendation what you needs it needs to be done if the port yes oh you oh you I'm so sorry yeah so all I'm just trying to explain here is like when you run this when you come to

the dashboard it will tell you uh that if it's running HTTPS if it's running HTTP and if it's HTTP is the port open or not it is redirecting you will see all that so I go to HTTPS I can see I'm using this cipher I'm using this particular curve uh Uh you can see it will tell you hey it's vulnerable because I'm using still using elliptical curve. Uh otherwise it says PQ safe here in HTTP you can see that it's telling me that everything is being redirected but the port is open. Uh it's telling you about the certificates here that oh my certificates are fine what what uh curve I'm using. This tab basically tells you

how much ready you are. Clearly when we were recording this we were not ready. Uh it here just tells you if your key is uh PQC safe and if assert is PQC safe or not. If not it will we have this scoring system that will tell you how fast you should do it. As you keep migrating these numbers will go up and tell you you have completed the process. Uh again the variable these things gives you much more detail about like hey what are the warnings? Is your certificate misconfigured? Is certificate expired? All these information you need to understand certificate expired itself is a big problem. And when you run this, you will have all this information here.

So let's get this back up. Going to take me a second to get to the right side. Sorry about that.

Right

there. Come on. Back. Back. Back. Back. Back. Okay.

Unable to go home. >> Okay. So, yeah. So, what we did was like now Before coming here, we ran 50 public facing companies headquartered in Maryland. So we wanted to know like how these companies are uh taking care of this quantum thing. What you see here is like we found 2,938 HTTP active endpoints. Uh 80 85% of them is running TLS 1.3 which is good. 14.88 is still using TLS 1.2. And like I said, you can't do the migration unless you run TS 1.3. Now this is the important number when I say that oh out of these uh these many endpoints 43.5% is using hybrid. What I mean by here is that yes companies have rolled out these things

but if a client is not running hybrid this means nothing. It means 0%. Because if I downgrade myself and servers are letting you do it clearly I can still I'm still under attack I can still do harvest not decree later attack but these numbers are important when both sites are using uh postquantum cryptography thing then yeah because this is what you see and then we found out that 55 certificates were expired these may were host mismatch now this is in terms of the industry uh of those 50 top companies clearly you can see that the ones we should care about is healthcare Healthcare is only 32%, they are ready for this. Uh other thing is energy

sector there was only just one company that's why it says two end points but yeah they they all have they have rolled out the postquantum thing. Yeah one moment. All right. So how do you prioritize uh the things that you need to do if you want to take care of this problem? Uh as Anorak said, the first thing is uh you want to get rid of H anddL exposure. You don't want people to be able to grab this stuff. So you want to look at your long live data. The you want to be able to upgrade your external facing uh communications so that you're using TLS uh 1.3. You want to migrate from TLS 1.2

to definitely to 1.3 with uh you know, no question with postquantum uh uh cryptographic approaches. the uh X25519 and MLKM uh and you want to reenrypt data for future confidentiality as well. The uh second thing is you really want to fix the authentication chain as well. the it's uh there are uh only a few uh only a few uh organizations that are providing uh certificates that are encrypted using postquantum or that are um that are that use postquantum encryption for the certificates and also for the digital signatures. So this is something that you can't take care of yourself unless you want to roll your own cert but uh it it's coming right and you want to upgrade all those code

signing certificates clearly you know you saw that there was a problem with uh with uh expired certificates or uh host certificate mismatches that happens life goes on and taking care of that is obviously important as well um and then uh you want to fix the manageable risk and deal with uh upgrading AES uh to a uh more secure version if you're only using 128. Uh there's no reason not to use AES 256. There's no reason not to do all of these uh things except for all the reasons that everybody has not to do all those things. Oh, the code's working fine now. The hackers are all in it now. Why should we upgrade anything, right?

But that's not going to reallyo work work too well. Um so it's clear that hybrid cryptography is your safe incremental path. it's it's the right way to go. And cryptographic agility in design is is something you want to try to design for change in your organization. Uh if you're doing software development, that's uh that's a a more complicated problem. If you're just trying to provide services and and uh uh communicate securely then the important thing is you uh design you design your uh use of technology in such a way that you don't uh you don't break your uh your entire business model when you have to upgrade uh whatever the mechanism of implementing TLS is. So

three things you can do this week. One thing you can do is you can download our AC scanner, the ACDI scanner that's free and open source. You can use it, feel free. Uh you can use our our dashboard as well. Like I say, your data stays on your machine. It doesn't go to our machine when you use our dashboard. Uh you can enable it. You can this week if you if it's possible, you want to enable TLS 1.3 everywhere. I did talk to a person who said, "My large organiza, my large insurance organization did not want to implement TLS 1.3 for quite a while because it was too secure. We couldn't man in the middle all the

communications to make sure that nothing bad was going out." And I said, "Well, if you if you're if you're finding it, then it's too late. So, go ahead and do it." But there are there are impediments to wanting to do this on the parts of of uh various uh corporations. They see risk in a different way and I understand that. But if you want to do it right, you're going to enable TLS 1.3 and you're going to u migrate to hybrid PQC. Uh the final uh thing is you want to inventory your uh your certificates and you want to flag RSC key exchange. All these things are great, but the important thing is you can migrate these

things because you can see them right now. You can see it. You can do this if you use any ACDI tool. Uh you can pay a lot for it or you can use this free one. Uh and the adversaries are harvesting traffic today. You don't need to move all of the internet traffic from Canada or America to do HNDL. You just need to be somewhere in the middle maybe on a you know somewhere in the middle uh capturing the traffic that's passing anyway exactly the way it's passing in those packets today. All the information is there for HNDL. Right. the NIST FIPS 203 204 205 they're here they work it's great just do it right uh you want to

inventory with acid okay it's ACDI sorry and uh so you can go to our uh to our website find the ACC uh find the AC scanner and if you're a QR code lover that will take you to a copy of this talk that's a PDF copy of this talk that is uh sitting in a fileshare directory on our website uh please don't hack us uh you know it's all it's all good okay >> so I just want to add one thing. Uh what what now we are doing is like like I said we are only supporting web services and SSH but we are constantly working on this tool and the goal is to add more

like email stuff. So if you subscribes to us you we will let you know that hey we have added this and you can do more inventory. So and the good part is like it's all open source everything stays in your computer. You're not giving data to anybody. So that's the good part. Yes. Okay. What was that?

>> That was part of your show. I cannot answer that question right now. >> Yes. >> You mentioned curious.

Yeah,

>> that that's That's a really good question and it's a hard question. Unfortunately, uh if you're not using a PQC uh method and it is dependent on public keys, there's just nothing you can do. You know, if you're not and I know that sounds like a terrible answer, right? But I I don't know of any way to to avoid that problem. If the public key is available, I'm going to be able to break it if it's RSA, right? If Diffy Helman exchange happens, uh I'm going to be able to uh capture and and it's using EC cryptography. I'm going to be able to capture the AES key that's used for the uh the session key and and that that

will be broken if as long as you uh don't provide uh for as long as you don't provide forward secrecy, right? So uh if you're not at TLS 1.3, forward secrecy is hopeless. That's the probably that's the thing that can be done easiest and and every system that you buy today and every system that's been made since 2018 can support TLS 1.3. So mom and dad can use TLS 1.3 even if they aren't using uh postquantum uh hybrid uh uh encryption on TLS 1.3. I I just don't know any way to do it with TLS 1.2. And also I just want to add one more thing when we talk about forward secrecy what I mean what we mean is like you know if

you don't have forward secrecy enabled that means that if I can get if I can decrypt that one particular if I can figure out your public and private key I can decrypt everything in the previous thing that you have done with proper secrecy it's just going to be that one particular session so that's that's why TLS 1.3 is important so and that's one way to do it >> so yeah I I don't know I don't know if that really answered your question. >> I could maybe rephrase it. >> Yeah, I I'm I mean I don't know what else to do though. Is from a client perspective

>> right now that right that is a question that that uh I I can't tell you you know it it's going to depend from platform to platform all the platforms do right now every platform being released now does support TLS 1.3 yes >> and and they all do support uh PQC for for TLS if it's if you're using the most recent open SSL. So that's a little harder. It's easy to get TLS 1.3 and and uh yeah as as to exactly how to disable 1.2 other than not make making sure it's not installed, right? Uh I don't that's a a good question. So thank you.

Yeah, he's asking about Cabbomb compatibility. >> Oh, I'm sorry. Yeah, >> I think it is. It is. >> So, we have endeavored to ensure that it is okay. I I don't know that there's a uh that there's a verification suite for that. I'm I need to check that. So, thank you for asking that question. Yes.

Yes. >> Yeah, you can you can identify that information. The seabbomb that we produce right now does not reflect that information. But that's we were talking about that just yesterday and was like yeah we need to provide that information. >> The thing is like what do you see right now? By the way, that question was about that question was about uh uh uh reflecting downgrade of uh downgrade uh uh opportunities in the seabbomb uh for services. Yeah. >> And what you see right now in the dashboard is the uh the exchange that's being done between the client and the server, right? That's why you see as just the TLS 1.3 a classical encryption. But if your client is ready, you will

see the hybrid one. And now talking about like can you download? Yes, you can downgrade. That's the answer. Yeah, >> but there is no way to uh >> and and so the the thing to do and and of course we're we're attempting to communicate with PQC hybrid because we want to make sure that's available, right? So we need to then the what you would want to do is double check those hybrid uh uh connections to see what their uh lowest uh uh security uh exchange mechanism is. >> Yes.

uh you're talking about the servers server version. >> So for the HTTP it is doing it and technically when it's doing for HTTP you can do it for HTTPS as well. It's just on the dashboard we are not showing it. Uh for the HTTP you can for the HTTP you can see that we have a column that says the version. >> So yes that's one way to figure out can I attack the system or not? Yes. I'm sorry. >> Yes. >> Yeah. Could you explain to me how my data would be secured when >> uh you're it's it's not leaving your your data is not your CBOM is not leaving your uh oh wait so like when

when you are running the scanner you're running on your computer it generates a seabbump on and stays on your computer the dashboard is all about that how can I see it in a more beautiful way that's all so you come to the dashboard you upload and you see everything >> so so you have JSA that's uh loading a file running on your machine. >> Okay. >> We're not >> we're not running that on our server. We don't we don't we don't want to uh mine crypto for people on our server, right? You understand? >> Yeah. It's it's running on your local machine. Yeah. >> Yes. >> Yes.

So wait so first question you're talking you're asking that is the tool again sorry

>> so he's asking if it's the ACDI scans the entire codebase >> we're not running the code we're not doing the code base we are just doing that uh when you're trying to connect to that uh particular server what exchange is being done and what certificate is being provided by the server and what that certificate is using in terms of kernel. >> Yeah, this is essentially a tool that you could use that it it does it it connects to the service. It identifies from the service connection what the capabilities are. It doesn't look at the codebase and know what the code is. >> Yes, >> it shows you search the DNS but also subets. It it searches uh uh all subnets

in the DNS that are publicly public. >> You you could target subnets. Yeah, you could target you can write whatever host name you want. >> Yes. >> Use as many dots as you want, right? Yes. >> I have a question also clarify. It does check for downgrade capabilities. >> It does not check for downgrade capabilities today. And then but then the thing is like when you downgrade from TS 1.3 to 1.3 to 1.2 the header actually sends a sentintel saying that downgrade. So, >> so what we can do is like we can use that and put it in the dashboard like hey if you actually doing that survey is letting you know that hey I do support

1.3 but you doing

thank you very

[ feedback ]