====== 5.2 TLS 1.3 s PQ algoritmi ======

Konfiguracija transportnega šifriranja.

===== Podprti algoritmi =====

^ Funkcija ^ Algoritem ^ NIST standard ^
| Izmenjava ključev | ML-KEM-768((FIPS 203 (ML-KEM): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf)) | FIPS 203 |
| Podpis | ML-DSA-65((FIPS 204 (ML-DSA): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf)) | FIPS 204 |
| Rezervni podpis | SLH-DSA((FIPS 205 (SLH-DSA): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf)) | FIPS 205 |

===== TLS 1.3 =====

Transport Layer Security 1.3((IETF RFC 8446 (TLS 1.3): https://datatracker.ietf.org/doc/html/rfc8446)) je trenutna različica protokola šifriranja za varno omrežno komunikacijo.

===== Hibridni način =====

Za prehodno obdobje: Kombinacija klasičnega + PQ((IETF Hybrid Key Exchange: https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/)).

<code>
Izmenjava ključev: X25519((Curve25519: https://cr.yp.to/ecdh.html)) + ML-KEM-768
Podpis: ECDSA + ML-DSA-65
</code>

===== .NET konfiguracija =====

<code csharp>
builder.WebHost.ConfigureKestrel(options =>
{
    options.ConfigureHttpsDefaults(https =>
    {
        https.SslProtocols = SslProtocols.Tls13;
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
    });
});
</code>

===== Cipher Suites =====

Priporočene TLS 1.3 Cipher Suites((IANA TLS Cipher Suites: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4)) s PQ:

<code>
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
</code>

===== Validacija =====

<code bash>
# Testiranje TLS povezave
openssl s_client -connect gateway.intern:443 -tls1_3
</code>

===== PQ-Crypto knjižnica =====

Za programsko implementacijo PQ izmenjave ključev glejte:

  * [[..:..:..:..:..:pqcrypt:api:wvds-system-security-cryptography:keyexchange:start|KeyExchange Namespace (ML-KEM)]]
  * [[..:..:..:..:..:pqcrypt:api:wvds-system-security-cryptography:keyderivation:keyderivationextensions|TLS 1.3 Key Derivation]]
  * [[..:..:..:..:..:pqcrypt:konzepte:algorithmen|Algoritmi (ML-KEM, ML-DSA)]]

===== Viri =====

  * [[https://datatracker.ietf.org/doc/html/rfc8446|RFC 8446: TLS 1.3]]
  * [[https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf|FIPS 203 (ML-KEM)]]
  * [[https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf|FIPS 204 (ML-DSA)]]
  * [[https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf|FIPS 205 (SLH-DSA)]]
  * [[https://www.openssl.org/docs/man3.0/man1/openssl-s_client.html|OpenSSL s_client dokumentacija]]