Skip to content
VigilGuard Logo VigilGuard
Contact Us
EASM Platform VendorGuard ITRM Platform

Quantum Vulnerability Assessment

Quantum Vulnerability Assessment

Section titled “Quantum Vulnerability Assessment”

5 automated security scanners

Symmetric Key Strength Evaluation

Section titled “Symmetric Key Strength Evaluation”

Purpose: The Symmetric Key Strength Evaluation Scanner is designed to identify and assess cryptographic key strengths in various systems, focusing on ensuring that keys used for symmetric encryption are at least 256 bits long. This scanner also evaluates the security of AES implementations by checking for secure modes and padding schemes, aiming to prevent vulnerabilities associated with weak encryption practices.

What It Detects:

  • Sub-256 Bit Key Usage: Identifies instances where cryptographic keys shorter than 256 bits are used, particularly in configurations labeled as “128-bit AES” or “192-bit AES.”
  • AES Implementation Strength: Evaluates the strength of AES implementations by detecting insecure configurations such as Electronic Codebook (ECB) mode, which is susceptible to various attacks.
  • Policy Compliance Indicators: Searches for security policy documents that outline key management practices and compliance with standards like SOC 2 or ISO 27001.
  • Maturity Indicators: Identifies mentions of penetration testing and vulnerability assessments in the context of cryptographic standard compliance.

Inputs Required:

  • domain (string): The primary domain to analyze, such as “acme.com,” which helps in identifying relevant security documents and policies.
  • company_name (string): The company name, like “Acme Corporation,” used for searching within the codebase or policy statements to detect potential weak encryption practices.

Business Impact: Ensuring that cryptographic keys are at least 256 bits long is crucial for maintaining a secure and robust security posture against modern cryptographic threats. Weak key lengths can lead to vulnerabilities exploited by attackers, potentially compromising sensitive data and business operations.

Risk Levels:

  • Critical: Identifies instances of sub-256 bit keys in use or the widespread usage of insecure ECB mode for encryption.
  • High: Detects configurations where AES is used with less than 256 bits, indicating a significant risk to data security.
  • Medium: Indicates potential compliance issues with standards like SOC 2 and ISO 27001, though direct violations are not present but indicates areas for improvement in policy adherence.
  • Low: Informal findings related to the absence of weak key usage or insecure configurations that do not pose immediate risks but suggest ongoing vigilance in cryptographic security practices.
  • Info: Provides general information about the presence of AES implementations and compliance documentation, useful for understanding baseline cryptographic capabilities without significant concerns.

Example Findings:

  1. A system uses a 128-bit AES key, which is below recommended standards for strong encryption.
  2. An application employs ECB mode exclusively for encryption, making it vulnerable to certain types of attacks.

Cryptographic Protocol Adaptability

Section titled “Cryptographic Protocol Adaptability”

Purpose: The Cryptographic Protocol Adaptability Scanner evaluates a company’s readiness against emerging quantum threats by assessing its cryptographic protocol upgradability and version negotiation capabilities. This tool identifies whether the company’s security documentation, policies, and public information reflect an understanding and implementation of protocols that can withstand quantum attacks.

What It Detects:

  • Quantum-Resistant Protocol Indicators: The scanner searches for mentions of post-quantum cryptography (PQC) algorithms, identifies references to NIST standardization efforts in PQC, and checks for adoption of hybrid cryptographic systems combining classical and quantum-resistant algorithms.
  • Version Negotiation Capabilities: It detects support for TLS 1.3 or higher, which includes forward secrecy and improved security features, as well as protocol version negotiation mechanisms that allow clients and servers to agree on the highest mutually supported secure protocol version.
  • Security Policy References: The scanner looks for explicit mentions of cryptographic protocols in security policies and identifies references to compliance with standards like NIST SP 800-57, which provide guidelines for cryptographic key management and protocol selection.
  • Trust Center Information: It checks trust center pages for information on cryptographic practices and future-proofing strategies, as well as detailed explanations regarding how the company plans to transition to quantum-resistant protocols.
  • Compliance Certifications: The scanner searches for certifications that indicate adherence to standards supporting quantum-resistant cryptography, such as ISO/IEC 27001 with relevant extensions, and identifies any compliance statements related to cryptographic protocol version negotiation and future-proofing measures.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial for assessing the long-term security posture of a company against potential quantum computing threats, ensuring that their cryptographic protocols remain robust and adaptable as computational power advances.

Risk Levels:

  • Critical: The presence of critical findings includes explicit mentions of PQC algorithms not aligned with NIST standards or lack of support for TLS 1.3. These conditions pose a high risk to the company’s security, potentially leading to significant vulnerabilities and compliance issues.
  • High: High severity risks are identified through inadequate protocol version negotiation mechanisms in public documents or missing references to future-proofing strategies in trust center pages. This could lead to reduced confidence in the company’s ability to adapt to quantum threats.
  • Medium: Medium risk findings involve incomplete or ambiguous mentions of cryptographic protocols and lack of clear compliance with standards like NIST SP 800-57, which may still be considered acceptable but indicates a need for improvement.
  • Low: Low severity risks pertain to minor inconsistencies in protocol references or missing details about future adaptations, generally indicating a good baseline but potential room for enhancement.
  • Info: Informational findings are those that provide basic insights into the company’s approach to cryptographic protocols without significant impact on security posture.

Example Findings:

  • The company mentions “post-quantum cryptography” in its policies without specifying which NIST standard it aligns with, indicating a potential gap in alignment and future-proofing strategies.
  • TLS version negotiation is only mentioned vaguely in the privacy policy, lacking specific details about support for TLS 1.3 or higher that could affect user trust and security.

RSA Key Length Risk Analysis

Section titled “RSA Key Length Risk Analysis”

Purpose: The RSA Key Length Risk Analysis Scanner is designed to identify and assess the vulnerability of RSA keys with lengths of 1024, 2048, and 3072 bits in long-lived systems against potential threats from quantum computing. It evaluates key lifetimes relative to anticipated quantum computing timelines to flag potential security risks.

What It Detects:

  • RSA Key Length Detection: Identifies the presence of RSA keys with lengths of 1024, 2048, and 3072 bits within SSL/TLS certificates.
  • Key Lifetime Evaluation: Assesses the duration for which these keys are expected to be in use against the backdrop of quantum computing advancements.
  • Security Policy Review: Searches company documentation and public policy pages for guidelines on key management practices, including rotation and lifecycle management, with a focus on quantum readiness.
  • Trust Center Information Analysis: Extracts cryptographic standards and key management details from trust center pages to ensure compliance with best practices in key length selection.
  • Compliance Certification Verification: Reviews compliance certifications for requirements related to cryptographic strength and resistance to quantum attacks, highlighting discrepancies between stated policies and actual key lengths.

Inputs Required:

  • domain (string): The primary domain of the system under analysis, such as “acme.com,” which is used to fetch SSL/TLS certificate information and search for relevant policy documents.
  • company_name (string): The name of the company, e.g., “Acme Corporation,” which helps in querying specific company sites for detailed security policies and compliance details.

Business Impact: This scanner is crucial as it directly impacts the cryptographic posture of an organization by identifying systems potentially vulnerable to quantum computing threats. Understanding and addressing these risks can significantly enhance the overall security posture against potential future quantum attacks on RSA keys.

Risk Levels:

  • Critical: Identifies systems with legacy RSA keys (1024, 2048, or 3072 bits) that are expected to remain in use beyond the estimated timeline for when quantum computers can break them.
  • High: Detects RSA keys within SSL/TLS certificates that do not meet modern security standards and could be vulnerable if deployed in critical systems.
  • Medium: Indicates the presence of RSA keys with lengths between 1024 and 3072 bits but does not reach the threshold for immediate action, suggesting a need for review and potential remediation.
  • Low: Finds instances where RSA keys are managed according to best practices or where no legacy keys are detected, representing minimal risk under current conditions.
  • Info: Provides informational findings on systems that do not use RSA keys or have keys within acceptable length ranges without immediate concerns.

If specific risk levels are not detailed in the README, they can be inferred based on the purpose and severity of the identified issues.

Example Findings:

  1. A company is using an RSA key pair with a 2048-bit length that is expected to remain valid beyond the typical quantum computing timeline for breaking such keys. This could pose a critical risk if not addressed promptly.
  2. An organization has SSL/TLS certificates containing 1024-bit RSA keys, which are considered vulnerable and should be replaced according to security best practices.

ECC Algorithm Exposure

Section titled “ECC Algorithm Exposure”

Purpose: The ECC Algorithm Exposure Scanner is designed to identify and assess the usage of vulnerable elliptic curve cryptography (ECC) algorithms within a company’s security documentation, public policy pages, trust center information, and compliance certifications. This tool aims to detect potential cryptographic weaknesses associated with insecure implementations or deprecated curves that are susceptible to quantum computing threats.

What It Detects:

  • Vulnerable Curve Usage: The scanner identifies specific ECC curves known to be vulnerable or deprecated, such as secp256k1, and detects their usage without proper justification or mitigation strategies.
  • Quantum-Susceptible Implementations: It flags cryptographic implementations that do not account for quantum computing threats, including algorithms and protocols that are considered insecure against quantum attacks like RSA with small key sizes.
  • Policy Indicators: The scanner searches for security policies related to cryptographic standards and practices, ensuring the presence of policies addressing ECC usage and quantum resistance.
  • Maturity Indicators: It checks compliance certifications like SOC 2 or ISO 27001 for cryptographic controls and identifies penetration testing or vulnerability assessment reports that cover cryptographic implementations.
  • Trust Center Information: The scanner analyzes trust center pages to ensure transparency regarding cryptographic practices, including clear communication of cryptographic standards and protocols.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial as it helps organizations proactively identify and mitigate the risks associated with outdated or vulnerable cryptographic algorithms, ensuring compliance with security best practices and protecting against potential threats from quantum computing advancements.

Risk Levels:

  • Critical: The scanner identifies critical vulnerabilities in ECC usage or implementation that pose immediate risk to security.
  • High: High-risk implementations or policies that require urgent attention for remediation.
  • Medium: Implementations or policies that may not meet current security standards but do not immediately compromise the system’s integrity.
  • Low: Informal mentions or minor issues that are generally non-critical but still need to be addressed in future improvements.
  • Info: General information about cryptographic practices without immediate risk.

If specific risk levels are not defined in the README, these inferred levels reflect the severity of potential vulnerabilities and compliance gaps.

Example Findings:

  1. “Detected usage of secp256k1 curve without adequate security justification.”
  2. “Found RSA 1024 implementation that is quantum-susceptible and insecure against future attacks.”

Hash Function Quantum Resilience

Section titled “Hash Function Quantum Resilience”

Purpose: The Hash Function Quantum Resilience Scanner is designed to identify and report on the usage of SHA-1 and MD5 hash functions within a company’s security documentation and public policy pages. This scanner aims to highlight potential vulnerabilities associated with quantum attacks and susceptibility to hash collisions, ensuring that the company’s cryptographic practices align with current standards.

What It Detects:

  • SHA-1 Usage Detection: Identifies occurrences of “sha-1” in security policies, incident response plans, and other relevant documents. The scanner also checks for mentions of SHA-1 in code snippets or configuration files to identify potential vulnerabilities.
  • MD5 Usage Detection: Identifies occurrences of “md5” in security policies, incident response plans, and other relevant documents. This includes checking for mentions of MD5 in code snippets or configuration files to assess susceptibility to hash collisions.
  • Hash Collision Susceptibility: Detects patterns indicating the use of weak hash functions that are susceptible to collisions (e.g., SHA-1, MD5). The scanner also identifies recommendations or practices that do not align with current cryptographic standards.
  • Policy Review for Deprecated Hash Functions: Reviews security policies and compliance certifications for mentions of deprecated hash functions. Ensures adherence to best practices regarding the use of secure hash functions (e.g., SHA-256, SHA-3).
  • Trust Center Information Analysis: Analyzes trust center information for any references to weak or deprecated hash functions. Ensures that the company’s public-facing security posture aligns with current cryptographic standards.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com) - This input is essential for searching and analyzing the company’s site to gather relevant documentation and policies.
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”) - This helps in identifying specific mentions within documents related to the company’s name.

Business Impact: Identifying and addressing the use of SHA-1 and MD5 hash functions is crucial as these algorithms are susceptible to quantum attacks, posing significant risks to cryptographic security. Adhering to modern standards such as SHA-256 and SHA-3 helps mitigate these risks and maintain a secure digital environment for transactions and data protection.

Risk Levels:

  • Critical: The scanner identifies active use of SHA-1 or MD5 in critical documents, which could lead to immediate security vulnerabilities and compliance issues.
  • High: Use of these hash functions in high-risk areas such as incident response plans poses significant risks that must be addressed promptly to prevent potential breaches.
  • Medium: While less severe than critical or high, medium risk findings still indicate a need for review and possible remediation to align with current cryptographic standards.
  • Low: Informal mentions of deprecated hash functions in non-critical documents may not pose immediate security risks but are indicative of outdated practices that should be addressed as part of an overall modernization effort.

Example Findings:

  1. The company’s privacy policy contains multiple references to the MD5 hash function, which is now considered insecure and susceptible to collisions. This finding would warrant further investigation and potential replacement with a more robust cryptographic method.
  2. A software development document uses SHA-1 for digital signatures, which could be vulnerable to quantum attacks. The scanner flagged this as a critical issue requiring immediate attention to update the signature algorithm to align with current security best practices.