creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/performing-post-quantum-cryptography-migration/references/api-reference.md
T

256 lines
8.6 KiB
Markdown
Raw Blame History

# API Reference: Post-Quantum Cryptography Migration
## NIST PQC Standards Summary
### FIPS 203 -- ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
Formerly CRYSTALS-Kyber. Primary standard for key exchange and encryption.
**Security Levels:**
| Parameter Set | NIST Level | Public Key | Ciphertext | Shared Secret |
|---------------|-----------|------------|------------|---------------|
| ML-KEM-512 | Level 1 | 800 B | 768 B | 32 B |
| ML-KEM-768 | Level 3 | 1,184 B | 1,088 B | 32 B |
| ML-KEM-1024 | Level 5 | 1,568 B | 1,568 B | 32 B |
**Operations:**
- `KeyGen() -> (ek, dk)` -- Generate encapsulation/decapsulation key pair
- `Encaps(ek) -> (K, c)` -- Encapsulate: produce shared secret K and ciphertext c
- `Decaps(dk, c) -> K` -- Decapsulate: recover shared secret K from ciphertext
**Python (mlkem library):**
```python
from mlkem.ml_kem import ML_KEM
ml_kem = ML_KEM(768) # ML-KEM-768
ek, dk = ml_kem.key_gen()
shared_secret, ciphertext = ml_kem.encaps(ek)
recovered_secret = ml_kem.decaps(dk, ciphertext)
assert shared_secret == recovered_secret
```
**OpenSSL 3.5+ (native):**
```bash
# Generate ML-KEM-768 key pair
openssl genpkey -algorithm mlkem768 -out mlkem768_key.pem
# Display key details
openssl pkey -in mlkem768_key.pem -text -noout
# Extract public key
openssl pkey -in mlkem768_key.pem -pubout -out mlkem768_pub.pem
```
### FIPS 204 -- ML-DSA (Module-Lattice-Based Digital Signature Algorithm)
Formerly CRYSTALS-Dilithium. Primary standard for digital signatures.
**Security Levels:**
| Parameter Set | NIST Level | Public Key | Secret Key | Signature |
|---------------|-----------|------------|------------|-----------|
| ML-DSA-44 | Level 2 | 1,312 B | 2,560 B | 2,420 B |
| ML-DSA-65 | Level 3 | 1,952 B | 4,032 B | 3,293 B |
| ML-DSA-87 | Level 5 | 2,592 B | 4,896 B | 4,595 B |
**Operations:**
- `KeyGen() -> (pk, sk)` -- Generate signing/verification key pair
- `Sign(sk, M) -> sigma` -- Sign message M with secret key
- `Verify(pk, M, sigma) -> bool` -- Verify signature on message
**OpenSSL 3.5+ (native):**
```bash
# Generate ML-DSA-65 key pair
openssl genpkey -algorithm mldsa65 -out mldsa65_key.pem
# Extract public key
openssl pkey -in mldsa65_key.pem -pubout -out mldsa65_pub.pem
# Sign a file
openssl dgst -sign mldsa65_key.pem -out signature.bin message.txt
# Verify signature
openssl dgst -verify mldsa65_pub.pem -signature signature.bin message.txt
```
### FIPS 205 -- SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)
Formerly SPHINCS+. Backup signature standard using conservative hash-based approach.
**Parameter Sets (SHA2 variants):**
| Parameter Set | NIST Level | Public Key | Signature (fast) | Signature (small) |
|---------------|-----------|------------|------------------|-------------------|
| SLH-DSA-128 | Level 1 | 32 B | 17,088 B | 7,856 B |
| SLH-DSA-192 | Level 3 | 48 B | 35,664 B | 16,224 B |
| SLH-DSA-256 | Level 5 | 64 B | 49,856 B | 29,792 B |
**Variants:** Each level has fast (f) and small (s) variants with SHA2 or SHAKE hash.
## Hybrid TLS Configuration
### X25519MLKEM768 Key Exchange
The hybrid key exchange combines classical X25519 ECDH with ML-KEM-768 post-quantum
KEM. Both must be broken for the handshake to be compromised.
**Apache httpd:**
```apache
# httpd.conf or ssl.conf
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLOpenSSLConfCmd Curves X25519MLKEM768:X25519:prime256v1
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
```
**NGINX:**
```nginx
server {
listen 443 ssl;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
}
```
**Verification:**
```bash
# Test hybrid TLS connection
openssl s_client -connect server.example.com:443 -groups X25519MLKEM768
# Verify negotiated group
# Look for "Server Temp Key: X25519MLKEM768" in output
```
## oqs-provider for OpenSSL 3.0+
### Installation
```bash
# Clone and build oqs-provider
git clone https://github.com/open-quantum-safe/oqs-provider.git
cd oqs-provider
mkdir build && cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr/local ..
make -j$(nproc)
sudo make install
```
### Configuration
```ini
# /etc/ssl/openssl-oqs.cnf
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect
[default_sect]
activate = 1
[oqsprovider_sect]
activate = 1
module = /usr/lib/oqs-provider/oqsprovider.so
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Groups = x25519_mlkem768:X25519:P-256:P-384
MinProtocol = TLSv1.2
```
### Usage
```bash
# Set environment variable
export OPENSSL_CONF=/etc/ssl/openssl-oqs.cnf
# List available PQC algorithms
openssl list -kem-algorithms | grep -i ml
openssl list -signature-algorithms | grep -i ml
# Generate PQC key pair
openssl genpkey -algorithm mlkem768 -out key.pem
# Test hybrid TLS
openssl s_client -connect server:443 -groups x25519_mlkem768
```
## Cryptographic Inventory Scanning
### NIST SP 1800-38 Discovery Architecture
```
+------------------+ +------------------+ +------------------+
| Source Code Scan | --> | | --> | Risk Assessment |
+------------------+ | Central Analysis | +------------------+
+------------------+ | Engine | |
| Binary Analysis | -->| (Normalization | +------------------+
+------------------+ | & Correlation) | | Migration |
+------------------+ | | | Prioritization |
| Network Traffic | -->| | +------------------+
+------------------+ +------------------+
+------------------+
| Certificate Scan | -->
+------------------+
```
### Discovery Domains
| Domain | What to Scan | Tools |
|--------|-------------|-------|
| CI/CD Pipeline | Source code, build configs, dependencies | SCA tools, Semgrep |
| Operational Systems | Running services, installed libraries, key stores | NIST SP 1800-38B tools |
| Network Services | TLS endpoints, VPN configs, IPsec tunnels | This agent, sslyze, testssl |
| Certificates | CA chains, code signing certs, TLS certificates | cert-manager, openssl |
## Quantum-Vulnerable Algorithm Reference
| Algorithm | NIST Status (IR 8547) | Quantum Threat | Replacement |
|-----------|-----------------------|----------------|-------------|
| RSA (all sizes) | Deprecated 2030, removed 2035 | Shor's algorithm | ML-KEM (encryption), ML-DSA (signing) |
| ECDH / ECDHE | Deprecated 2030, removed 2035 | Shor's algorithm | ML-KEM / X25519MLKEM768 hybrid |
| ECDSA | Deprecated 2030, removed 2035 | Shor's algorithm | ML-DSA |
| DSA | Already deprecated | Shor's algorithm | ML-DSA |
| DH / DHE | Deprecated 2030, removed 2035 | Shor's algorithm | ML-KEM |
| AES-128 | Acceptable with caveat | Grover's halves to 64-bit | AES-256 |
| AES-256 | Quantum-safe | Grover's reduces to 128-bit | No change needed |
| SHA-256 | Quantum-safe | Grover's reduces to 128-bit | No change needed |
| SHA-3 | Quantum-safe | Grover's reduces to 128-bit | No change needed |
## MITRE ATT&CK Relevance
| Technique | ID | PQC Relevance |
|-----------|----|---------------|
| Adversary-in-the-Middle | T1557 | Quantum computers can break key exchange in recorded sessions |
| Encrypted Channel | T1573 | Harvest-now-decrypt-later targets encrypted C2 traffic |
| Steal Application Access Token | T1528 | Quantum computers can forge digital signatures |
| Forge Web Credentials | T1606 | Quantum computers can break certificate private keys |
## References
- NIST PQC Project: https://csrc.nist.gov/projects/post-quantum-cryptography
- FIPS 203 Final: https://csrc.nist.gov/pubs/fips/203/final
- FIPS 204 Final: https://csrc.nist.gov/pubs/fips/204/final
- FIPS 205 Final: https://csrc.nist.gov/pubs/fips/205/final
- NIST IR 8547 (Transition Timeline): https://csrc.nist.gov/pubs/ir/8547/ipd
- NIST SP 1800-38 (Migration Guide): https://www.nccoe.nist.gov/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms
- CISA PQC Strategy: https://www.cisa.gov/sites/default/files/2024-09/Strategy-for-Migrating-to-Automated-PQC-Discovery-and-Inventory-Tools.pdf
- Open Quantum Safe: https://openquantumsafe.org/
- oqs-provider GitHub: https://github.com/open-quantum-safe/oqs-provider
- OQS TLS Applications: https://openquantumsafe.org/applications/tls.html
- IETF Hybrid Design Draft: https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
- kyber-py (Python ML-KEM): https://github.com/GiacomoPope/kyber-py
- ml-kem (Python FIPS 203): https://github.com/AntonKueltz/ml-kem
- CycloneDX Crypto BOM: https://cyclonedx.org/use-cases/cryptographic-key/
Reference in New Issue View Git Blame Copy Permalink