====== 1.2 Security ======
Threat model and security aspects of post-quantum cryptography.
----
===== The Quantum Threat =====
==== Harvest Now, Decrypt Later (HNDL) ====
**The Scenario:**
- Attackers intercept encrypted data today
- Store it for years/decades
- Decrypt it with a future quantum computer
**Affected Algorithms:**
* RSA (all key lengths)
* ECDSA / ECDH (all curves)
* DSA
**Timeline:**
* Estimates: 10-20 years until cryptographically relevant quantum computers
* BSI((BSI: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Kryptografie/Post-Quanten-Kryptografie/post-quanten-kryptografie_node.html)): Migration recommended by 2030
----
===== Why Hybrid? =====
**Hybrid cryptography** provides:
* **Backward compatibility:** Legacy systems can still validate the classical signature
* **Future security:** The PQ signature protects against quantum attacks
* **Security margin:** The combination stays secure as long as at least one of the two algorithms remains secure
<code>
Hybrid Certificate:
+-- RSA-4096 Signature (classical)
+-- ML-DSA-65 Signature (PQ, in X.509 extension)

Validation:
+-- Legacy client: Verifies only RSA ✓
+-- Modern client: Verifies RSA + ML-DSA ✓✓
</code>
----
===== Best Practices =====
==== For Developers ====
* Use ''CryptoMode.Hybrid'' as default
* Validate both signatures when possible
* Never hardcode private keys
* Use ''using'' statements for crypto objects
* Set OpenSSL path once at startup
==== For Administrators ====
* Keep OpenSSL (3.6 or newer) up to date
* Backup PQ key store (''%LOCALAPPDATA%\WvdS.Crypto\PqKeys\'')
* Plan certificate renewal before expiry
* Set up monitoring for validation errors
==== For Organizations ====
* Plan migration now (not when quantum computers are available)
* Prioritize long-term data (contracts, health data, state secrets)
* Use hybrid certificates for all new systems
----
===== Known Limitations =====
^ Limitation ^ Description ^ Workaround ^
| Windows Store | No native PQ keys | Side-store is used |
| Argon2id | OpenSSL 3.6 experimental | Fallback to PBKDF2 |
| Custom OIDs | Not yet IANA-registered | Will be updated upon standardization |
| WASM Performance | 10-100x slower than native | Suitable for interactive use |
----
===== Security Notes =====
**DLL Sideloading Risk:** Ensure the OpenSSL DLLs come from a trusted source and that the configured library path points only to that location.
**PQ Key Backup:** The PQ key store is **not** included in Windows Certificate Store backup. A separate backup is required!
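The Argon2id row in the limitations table and the backup note above share one practical consequence: a password-protected backup of the PQ key store must record which KDF wrapped it, or a file written with Argon2id becomes unreadable after a fallback to PBKDF2 (and vice versa). The following is an added illustration, not code from the project; it assumes the optional ''argon2-cffi'' package stands in for the OpenSSL 3.6 Argon2id provider, falls back to PBKDF2-HMAC-SHA256 otherwise, and authenticates the KDF header so a modified or downgraded header is detected before the derived key is trusted.

```python
import hashlib, hmac, json, os

# Assumption: argon2-cffi stands in for the OpenSSL 3.6 Argon2id provider the page mentions.
try:
    from argon2.low_level import hash_secret_raw, Type
    HAVE_ARGON2 = True
except ImportError:
    HAVE_ARGON2 = False

PBKDF2_ITERS = 600_000   # work factor for the PBKDF2-HMAC-SHA256 fallback
KEY_LEN = 32

def make_header(prefer_argon2: bool = True) -> dict:
    """Pick the KDF at write time and record it, with its parameters, in the header."""
    salt = os.urandom(16).hex()
    if prefer_argon2 and HAVE_ARGON2:
        return {"v": 1, "kdf": "argon2id", "salt": salt, "t": 3, "m": 65536, "p": 4}
    return {"v": 1, "kdf": "pbkdf2-sha256", "salt": salt, "iters": PBKDF2_ITERS}

def derive_key(password: bytes, header: dict) -> bytes:
    """Re-derive the wrapping key with whichever KDF the header names."""
    salt = bytes.fromhex(header["salt"])
    if header["kdf"] == "argon2id":
        if not HAVE_ARGON2:
            raise RuntimeError("backup was written with Argon2id, which is unavailable here")
        return hash_secret_raw(password, salt, time_cost=header["t"], memory_cost=header["m"],
                               parallelism=header["p"], hash_len=KEY_LEN, type=Type.ID)
    if header["kdf"] == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", password, salt, header["iters"], KEY_LEN)
    raise ValueError("unknown kdf: %r" % header["kdf"])

def _header_tag(key: bytes, header: dict) -> bytes:
    # Domain-separated subkey so the header MAC never reuses the wrapping key directly.
    mac_key = hmac.new(key, b"pq-keystore-header-mac", "sha256").digest()
    canon = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(mac_key, canon, "sha256").digest()

def seal_header(password: bytes, prefer_argon2: bool = True) -> tuple:
    """Return (header, tag): the tag binds the KDF choice and parameters to the password."""
    header = make_header(prefer_argon2)
    return header, _header_tag(derive_key(password, header), header)

def open_header(password: bytes, header: dict, tag: bytes) -> bytes:
    """Verify the header before trusting it; returns the wrapping key or raises ValueError."""
    key = derive_key(password, header)
    if not hmac.compare_digest(tag, _header_tag(key, header)):
        raise ValueError("header authentication failed: wrong password or modified header")
    return key
```

The returned key is what would wrap the exported PQ private keys; the wrapping step itself is not shown here.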
----
===== Further Reading =====
* [[en:int:pqcrypt:business:risiko|Risk]] - Business perspective
* [[en:int:pqcrypt:business:compliance|Compliance]] - NIST conformance
* [[en:int:pqcrypt:administrator:betrieb|Operations]] - Operational measures
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>security threat hndl best-practices}}