pqcscan: Open-source post-quantum cryptography scanner

pqcscan: Open-source post-quantum cryptography scanner

pqcscan is an open-source tool that lets users scan SSH and TLS servers to see which Post-Quantum Cryptography (PQC) algorithms they claim to support. It saves the results in JSON files. You can turn one or more of these files into an HTML report that opens in a web browser.

The road to PQC

“I created pqcscan because we see all the big ones rolling out PQC algorithms in production,” Vincent Berg, CTO at Anvil Secure and the creator of the tool, told Help Net Security.

Governments are also raising the stakes. “The EU, US, and UK are all creating deadlines for when governments and corporations need to be compliant and at minimum support PQC algorithms before transitioning to a full PQC-only future,” Berg explained.

But getting there won’t be easy. Legacy cryptographic algorithms still linger across many systems. “This will be very hard. We’re still encountering the use of SHA-1 and MD5 in our day jobs as security engineers,” Berg said.

That’s where tooling like pqcscan comes in. “Having tooling that helps us investigate quickly which of the services we analyze are compliant, which ones are not, helps us focus our attention,” he said.

pqcscan features

Unlike general-purpose scanners packed with a wide range of options, pqcscan is built for a single task: checking which services support PQC algorithms.

“It is unique in the sense that it does just this one thing,” said Berg. “It is not like other scanners that have a ton of knobs and bells and whistles and other features.”

While it’s possible that broader tools may catch up through updates to projects like nmap, its scripting engine, or even commercial platforms, Berg sees pqcscan filling a gap. “Some of the features that pqcscan has might be implemented in nmap or nmap scanning engine scripts, someone might update tlscan to support PQC-specific filtering, and commercial tools like Nessus will also start flagging these things separately if they don’t do so already,” he said.

But for now, pqcscan offers something focused and immediate. “This is one dedicated tool for one purpose: investigate the rollout of PQC algorithms in your infrastructure,” Berg said.

Future plans and download

“For the future, I’m thinking of better output options,” said Berg. “There are some GitHub issues on that already, such as a nice standard output progress interface and printing results there.”

Current tools can sometimes struggle under large-scale workloads, particularly when visualizing scan results. “The HTML output, for example, gets somewhat unwieldy when you’re dealing with 10,000 hosts,” Berg noted.

He’s also eyeing smarter algorithm selection options. Rather than scanning for every post-quantum algorithm in existence, he wants users to be able to fine-tune the scan. “Only scan for these PQC algorithms and not these,” he explained.

In addition to improving output formats and flexibility, Berg is exploring companion tools designed to analyze packet capture (pcap) files. “The idea is to analyze pcaps and tell us what connections within that pcap use PQC algorithms, to the extent that we can deduce this from encrypted traffic,” he said.

This capability could prove valuable for organizations trying to inventory their cryptographic posture in real-world environments. “That will also help people monitoring networks with analyzing what client and servers of theirs already support PQC algorithms and what don’t,” Berg added. “Good for statistics gathering as people move towards the deadlines set by governments all over.”

pqcscan is available for free on GitHub.

pqcscan: Open-source post-quantum cryptography scanner

Must read:

pqcscan: Open-source post-quantum cryptography scanner

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!

pqcscan: Open-source post-quantum cryptography scanner



Source link