Post-Quantum Security
5 automated security scanners
Post-Quantum Algorithm Evaluation
Purpose: The Post-Quantum Algorithm Evaluation Scanner is designed to assess and report on the selection and implementation of post-quantum cryptographic algorithms within a given domain. This tool aims to identify vulnerabilities related to algorithm choice, outdated TLS versions, weak cipher suites, and inadequate security headers, all critical for ensuring resilience against potential quantum computing threats.
What It Detects:
- Algorithm Selection Patterns: The scanner detects the use of deprecated or non-post-quantum algorithms such as RSA and ECC, and identifies the presence of recognized post-quantum algorithms like Kyber and Dilithium.
- Security Header Analysis: It checks for the presence and strength of security headers including Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.
- TLS/SSL Configuration Issues: The scanner identifies outdated TLS versions (e.g., TLSv1.0, TLSv1.1) and detects weak cipher suites, including those built on RC4, DES, and MD5.
- DNS Record Security: It analyzes DNS records such as TXT, MX, NS, CAA, and DMARC for security best practices and verifies SPF record configurations to prevent email address spoofing.
- API and Port Vulnerabilities: The scanner checks common ports (e.g., 80, 443) for open services and looks for potential vulnerabilities in APIs, particularly regarding proper authentication and encryption mechanisms.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com). This is essential for DNS record analysis, HTTP security header check, TLS/SSL inspection, port scanning, and service fingerprinting.
Business Impact: Ensuring the use of robust post-quantum cryptographic algorithms and maintaining secure configurations in TLS/SSL and headers is crucial to protect against future quantum computing threats. Misconfigurations can lead to significant vulnerabilities that could be exploited by malicious actors, potentially compromising sensitive data and systems.
Risk Levels:
- Critical: The scanner identifies the use of deprecated or non-post-quantum algorithms, which directly compromises security against potential quantum attacks.
- High: Use of outdated TLS versions and weak cipher suites significantly increases the risk of cryptographic vulnerabilities that could be exploited by attackers.
- Medium: Missing or improperly configured security headers can lead to less secure default configurations, although this might not pose an immediate critical threat.
- Low: Issues related to DNS record configuration and API vulnerability scanning are generally informational unless they directly affect critical services.
- Info: These findings provide general information about the domain’s cryptographic practices but do not necessarily indicate a significant security risk.
Example Findings:
- The scanner might identify an outdated TLS version being used, which could be critical if it affects high-value transactions or data handling.
- A missing Strict-Transport-Security header could be considered high risk if the site handles sensitive user information and requires secure connections for all interactions.
Quantum Safe Key Exchange
Purpose: The Quantum-Safe Key Exchange Scanner is designed to identify and evaluate the quantum-resistant key exchange mechanisms implemented in TLS handshakes on a given domain. It ensures compliance with post-quantum cryptographic standards, safeguarding against potential threats posed by future quantum computing advancements.
What It Detects:
- Quantum-Resistant KEM Implementation: The scanner identifies the presence of quantum-safe key encapsulation mechanisms such as Kyber, NTRUEncrypt, or Dilithium in TLS handshakes, ensuring that domains support and prefer post-quantum algorithms over classical ones.
- Protocol Security Analysis: It checks for the use of deprecated or insecure protocols like TLSv1.0 and TLSv1.1, emphasizing the importance of using modern, secure versions of these protocols. Additionally, it ensures strong cipher suites are enabled and that weak ones built on RC4, DES, or MD5 are avoided.
- DNS Record Validation: The scanner examines TXT, MX, NS, CAA, and DMARC records for compliance with security best practices, including the presence of SPF (Sender Policy Framework) records to prevent email spoofing.
- HTTP Security Headers: It analyzes HTTP response headers for the presence of critical security directives such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options, aiming to mitigate common web vulnerabilities like XSS (Cross-Site Scripting) and clickjacking.
- Port and Service Fingerprinting: The scanner performs port scanning to identify open services that may pose security risks and conducts service fingerprinting to determine the software versions running on identified ports, aiding in vulnerability assessment.
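As an added illustration (not the scanner's own code), the check for a quantum-resistant KEM in a TLS 1.3 handshake can be reduced to reading the group in the ServerHello key_share extension and comparing it with the hybrid ML-KEM/Kyber codepoints from the IANA TLS Supported Groups registry. The function names and the zero-filled sample ServerHello are assumptions constructed for this example.

```python
import struct

# IANA "TLS Supported Groups" codepoints relevant to this check.
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519", 0x001E: "x448"}
PQ_HYBRID = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
             0x11ED: "SecP384r1MLKEM1024", 0x6399: "X25519Kyber768Draft00"}
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x002B, 0x0033

def parse_server_hello(body: bytes) -> dict:
    """Extract the negotiated version and key-share group from a ServerHello body."""
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    info = {"version": struct.unpack_from("!H", body, 0)[0], "group": None}
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + body[pos]              # legacy_session_id_echo
    pos += 2 + 1                      # cipher_suite + legacy_compression_method
    if pos + 2 > len(body):
        return info                   # no extensions block (possible before TLS 1.3)
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if end > len(body):
        raise ValueError("truncated extensions block")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
            info["version"] = struct.unpack("!H", data)[0]  # TLS 1.3 version lives here
        elif ext_type == EXT_KEY_SHARE and len(data) >= 2:
            info["group"] = struct.unpack_from("!H", data)[0]
    return info

def classify_key_exchange(body: bytes) -> tuple:
    info = parse_server_hello(body)
    if info["version"] < 0x0304 or info["group"] is None:
        return ("pre-tls13", None)    # no TLS 1.3 key_share, so no PQ group negotiated
    if info["group"] in PQ_HYBRID:
        return ("hybrid-pq", PQ_HYBRID[info["group"]])
    if info["group"] in CLASSICAL:
        return ("classical", CLASSICAL[info["group"]])
    return ("unknown", hex(info["group"]))

def build_server_hello(group=None, share_len=0) -> bytes:
    """Constructed sample: ServerHello body with zeroed random and key share."""
    exts = b""
    if group is not None:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
        exts += struct.pack("!HHHH", EXT_KEY_SHARE, 4 + share_len, group, share_len)
        exts += bytes(share_len)
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01\x00"
            + struct.pack("!H", len(exts)) + exts)

if __name__ == "__main__":
    print(classify_key_exchange(build_server_hello(0x11EC, 1120)))
```

A server only answers with a hybrid group when the client offered one, so a "classical" result is meaningful only if the probing ClientHello advertised the hybrid groups.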
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
Business Impact: Ensuring compliance with post-quantum cryptographic standards is crucial for future-proofing digital security against the potential impact of quantum computing advancements, which could render classical encryption methods insecure.
Risk Levels:
- Critical: The scanner identifies deprecated or insecure protocols and weak cipher suites that significantly compromise security.
- High: Inadequate DNS record configuration can lead to email spoofing and other phishing attacks.
- Medium: Missing critical HTTP security headers may expose the domain to various web vulnerabilities.
- Low: Open ports on a server might allow unauthorized access or data leakage, though this risk is mitigated by detailed scanning and analysis.
- Info: Informational findings such as unrecognized service versions running on open ports are considered low severity unless they indicate known vulnerabilities.
Example Findings:
- A domain is detected to be using TLSv1.0 for its primary protocol, which is deprecated and poses a high security risk.
- Weak cipher suites such as RC4 are identified in the TLS configuration of the domain, indicating a potential medium severity issue related to cryptographic strength.
Hybrid Cryptography Implementation
Purpose: The Hybrid Cryptography Implementation Scanner is designed to evaluate and analyze the cryptographic practices implemented on a given domain. It aims to ensure that secure algorithm combinations are in place and to detect any potential vulnerabilities related to post-quantum security measures.
What It Detects:
- Security Headers Analysis: Checks for essential security headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. These are crucial for enhancing the security of web applications by controlling various aspects like transport security, content policies, frame embedding restrictions, and MIME type sniffing protections.
- TLS/SSL Inspection: Identifies outdated or insecure TLS versions (e.g., TLSv1.0, TLSv1.1) and detects weak cipher suites and protocols (e.g., RC4, DES, MD5). These issues can significantly impact the security of data transmitted over networks by exposing vulnerabilities to attacks.
- DNS Record Validation: Examines DNS records like TXT, MX, NS, CAA, and DMARC for compliance with security best practices. Validating these records is essential for ensuring proper email authentication mechanisms and managing domain policies effectively.
- Port Scanning and Service Fingerprinting: Scans common ports to identify open services and potential vulnerabilities. This includes scanning for outdated or insecure protocols used by services running on identified ports, which can be exploited if misconfigured.
- API Security Evaluation: Analyzes APIs for security headers, redirects, and content to ensure they follow best practices. This helps in identifying potential misconfigurations or insecure endpoints that could be exploited through API interactions.
Inputs Required:
- domain (string): The primary domain to analyze (e.g., acme.com). This is the essential input that specifies the scope of the analysis, allowing the scanner to target specific web properties for evaluation.
Business Impact: Ensuring robust cryptographic practices and secure configurations in hybrid systems is critical for protecting sensitive information from potential threats such as data breaches or unauthorized access. By identifying and mitigating vulnerabilities early through automated scanning, organizations can enhance their overall security posture and comply with regulatory requirements related to data protection.
Risk Levels:
- Critical: Conditions that could lead to immediate system compromise or significant data loss, requiring urgent attention. Examples include the discovery of outdated TLS versions being used in production environments.
- High: Risks that pose a substantial threat to the security and functionality of the systems but do not necessarily result in immediate compromise. An example would be the presence of weak cipher suites that are less secure than those recommended by modern cryptographic standards.
- Medium: Issues that may lead to vulnerabilities or misconfigurations, potentially affecting system performance or user experience without causing severe damage. A medium risk might involve missing X-Frame-Options headers in web applications.
- Low: Informal findings that do not significantly impact the security posture but still require attention for continuous improvement. Examples include minor deviations from recommended CSP (Content Security Policy) directives.
- Info: Non-critical issues providing supplementary information about the system’s configuration without posing immediate risks. This category might include recommendations to upgrade outdated software components that do not affect security directly but are generally good practices to follow.
Example Findings:
- The domain example.com is found to be using TLSv1.0, which is considered insecure and exposes the web application to potential attacks through known vulnerabilities in this protocol version.
- The DNS configuration for example.com includes a TXT record that does not comply with best practices, potentially affecting email authentication mechanisms and overall domain reputation.
Quantum-Safe Signatures
Purpose: The Quantum-Safe Signatures Scanner is designed to assess the security and implementation correctness of signature schemes used by a domain, ensuring they are resilient against quantum attacks. This tool evaluates the use of post-quantum cryptographic algorithms and verifies the configuration of TLS/SSL settings to safeguard digital communications from potential vulnerabilities introduced by quantum computing advancements.
What It Detects:
- Post-Quantum Signature Algorithms: Identifies the presence of post-quantum signature schemes such as Dilithium, Falcon, or SPHINCS+. This detection ensures that the domain is prepared for future quantum computing threats by adopting algorithms that remain secure even under potential quantum adversaries.
- TLS/SSL Certificate Analysis: Examines the SSL/TLS certificates to ensure they utilize strong cryptographic suites and do not employ outdated protocols like TLSv1.0 and TLSv1.1, which are vulnerable to quantum attacks. This is crucial for maintaining a secure connection between systems and preventing eavesdropping or man-in-the-middle attacks.
- DNS Security Records: Analyzes DNSSEC records to verify the integrity and authenticity of DNS data, as well as checks for CAA (Certification Authority Authorization) records that restrict which Certificate Authorities can issue certificates for the domain. This helps in securing certificate issuance processes against unauthorized entities.
- HTTP Security Headers: Inspects HTTP security headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options to ensure they are properly configured, preventing various types of attacks including those exploiting protocol vulnerabilities.
- Port Scanning and Service Fingerprinting: Scans common ports for open services and identifies their versions, checking for known vulnerabilities in the services running on these ports. This detection helps identify potential entry points for attackers and ensures that only secure services are exposed externally.
Inputs Required:
- domain (string): The primary domain to analyze, such as acme.com. This input is essential for all scans to target specific domains for security evaluation.
Business Impact: Ensuring the use of post-quantum resistant signature schemes and up-to-date TLS/SSL configurations is crucial for maintaining trust in digital communications and protecting sensitive information from potential quantum computing threats. It directly impacts the reliability and security posture of online transactions, data exchange, and overall network integrity.
Risk Levels:
- Critical: The scanner flags conditions where post-quantum resistant signature algorithms are not implemented or TLS/SSL configurations do not meet modern security standards, posing a high risk to digital security.
- High: Inadequate DNSSEC configuration or missing CAA records can lead to unauthorized certificate issuance and increased exposure to phishing and other cyber threats.
- Medium: Weak HTTP security headers might allow for less secure interactions and potential exploitation of protocol vulnerabilities.
- Low: Open ports detected with known vulnerabilities could be exploited by attackers, although the risk is lower compared to critical issues.
- Info: Informational findings such as undetected post-quantum signature algorithms or outdated TLS versions are considered low severity unless they pose an immediate threat or lead to critical risks when combined with other factors.
If specific risk levels are not detailed in the README, these inferred levels reflect typical considerations for security scanners evaluating cryptographic and network configurations.
Example Findings:
- The scanner might identify a domain using outdated TLS 1.0/1.1 protocols that could be exploited by quantum-capable adversaries.
- A misconfigured DNSSEC setup leading to insecure DNS resolution, potentially exposing the domain to man-in-the-middle attacks or data tampering.
Cryptographic Agility Assessment
Purpose: The Cryptographic Agility Assessment Scanner is designed to evaluate an organization’s cryptographic readiness and flexibility by assessing DNS records, HTTP security headers, TLS/SSL configurations, and open ports. This tool helps organizations ensure compliance with post-quantum security standards, enhancing their resilience against future cryptographic threats.
What It Detects:
- Security Headers Analysis: The scanner checks for the presence of critical security headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. These headers are crucial for securing web communications.
- TLS/SSL Configuration Issues: It identifies outdated or insecure TLS versions (e.g., TLSv1.0, TLSv1.1) and weak cipher suites (e.g., RC4, DES, MD5), which can lead to vulnerabilities in cryptographic implementations.
- DNS Record Compliance: The scanner validates DNS records for SPF (v=spf1.*[\\+\\-\\~\\?]all), DMARC (v=DMARC1.*p=(none|quarantine|reject)), and DKIM (v=DKIM1) configurations, ensuring that the organization’s domain is properly configured to prevent phishing attacks and maintain integrity in email communications.
- Port Scanning: By scanning common ports, the scanner detects open services that may require secure cryptographic implementations, highlighting potential areas of risk.
- API Security Evaluation: The scanner analyzes security headers in API responses to ensure they meet modern cryptographic standards, safeguarding interactions between applications and users.
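The SPF, DMARC and DKIM patterns listed above can be exercised against TXT records as in the following added example, which is not the scanner's own code. It also shows two cases the patterns alone misjudge: the greedy DMARC pattern binds to the last p= in the record (which may be the sp= tag), and a bare "all" without a qualifier does not match the SPF pattern. The function names and sample records are constructed for illustration, and the doubled backslashes are collapsed to single escapes.

```python
import re

# Patterns from the page, with the doubled backslashes collapsed to single escapes.
SPF_RE = re.compile(r"v=spf1.*[+\-~?]all")
DMARC_RE = re.compile(r"v=DMARC1.*p=(none|quarantine|reject)")
DKIM_RE = re.compile(r"v=DKIM1")

def spf_all_qualifier(records):
    """Qualifier on the SPF 'all' mechanism, or a label describing the problem."""
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple-records"  # RFC 7208 treats this as a permanent error
    for term in spf[0].split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare "all" means "+all"
    return "no-all"

def dmarc_policy(record):
    """Read the p= tag from tag=value pairs so sp= is never mistaken for it."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def audit(domain, txt):
    """txt maps DNS owner name -> list of TXT strings (already fetched)."""
    apex = txt.get(domain, [])
    dmarc = next((r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")), "")
    m = DMARC_RE.search(dmarc)
    return {
        "spf_regex_match": any(SPF_RE.search(r) for r in apex),
        "spf_all": spf_all_qualifier(apex),
        "dmarc_regex_p": m.group(1) if m else None,   # what the page's pattern captures
        "dmarc_parsed_p": dmarc_policy(dmarc),        # what the record actually says
        "dkim_seen": any(DKIM_RE.search(r) for name, rs in txt.items()
                         if "._domainkey." in name for r in rs),
    }

# Constructed sample records for the placeholder domain example.com.
SAMPLE = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
}

if __name__ == "__main__":
    for key, value in audit("example.com", SAMPLE).items():
        print(f"{key}: {value}")
```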
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com). This input is essential for DNS record analysis, HTTP header checks, TLS/SSL inspection, port scanning, and API security evaluation.
Business Impact: Ensuring that cryptographic practices are up-to-date and secure is critical for maintaining the confidentiality, integrity, and availability of an organization’s digital assets. Compliance with post-quantum standards will be essential as quantum computing capabilities advance, potentially breaking many existing cryptographic algorithms.
Risk Levels:
- Critical: The scanner flags missing or improperly configured security headers, outdated TLS versions, and weak cipher suites that are known to be highly vulnerable.
- High: Significant risks associated with insecure DNS configurations, open ports exposing sensitive services, and inadequate API security practices.
- Medium: Issues such as mixed cryptographic protocols (using both secure and non-secure versions of TLS or HTTP), partial compliance with standards, or less severe vulnerabilities in DNS or port configurations.
- Low: Informal findings related to minor deviations from best practices that do not pose significant risks but are still recommended for improvement.
- Info: General information about the domain’s cryptographic posture and potential areas for optimization without immediate security implications.
If specific risk levels are not detailed in the README, they can be inferred based on the severity of detected issues (e.g., critical risks would typically indicate severe vulnerabilities that need immediate attention).
Example Findings:
- Missing Header: The scanner might find a domain missing the Strict-Transport-Security header, which is crucial for enforcing HTTPS usage and preventing protocol downgrade attacks.
- Outdated TLS Version: An outdated version of TLS (e.g., TLSv1.0) can be detected, indicating a lack of support for modern cryptographic protocols that are resistant to quantum computing threats.
- Weak Cipher Suite: The scanner might identify the use of weak cipher suites like RC4 or DES, which could allow attackers to exploit vulnerabilities in the encryption algorithms used by an organization’s systems.