5.2 TLS 1.3 with PQ Algorithms

Configuration of transport encryption.

Supported Algorithms

Function	Algorithm	NIST Standard
Key Exchange	ML-KEM-768¹⁾	FIPS 203
Signature	ML-DSA-65²⁾	FIPS 204
Backup Signature	SLH-DSA³⁾	FIPS 205

TLS 1.3

Transport Layer Security 1.3⁴⁾ is the current version of the encryption protocol for secure network communication.

Hybrid Mode

For transition period: Classical + PQ combined⁵⁾.

Key Exchange: X25519((Curve25519: https://cr.yp.to/ecdh.html)) + ML-KEM-768
Signature: ECDSA + ML-DSA-65

.NET Configuration

builder.WebHost.ConfigureKestrel(options =>
{
    options.ConfigureHttpsDefaults(https =>
    {
        https.SslProtocols = SslProtocols.Tls13;
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
    });
});

Cipher Suites

Recommended TLS 1.3 Cipher Suites⁶⁾ with PQ:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256

Validation

# Test TLS connection
openssl s_client -connect gateway.intern:443 -tls1_3

PQ-Crypto Library

For programmatic implementation of PQ Key Exchange see:

Sources

¹⁾

FIPS 203 (ML-KEM): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf

²⁾

FIPS 204 (ML-DSA): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf

³⁾

FIPS 205 (SLH-DSA): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf

⁴⁾

IETF RFC 8446 (TLS 1.3): https://datatracker.ietf.org/doc/html/rfc8446

⁵⁾

IETF Hybrid Key Exchange: https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

⁶⁾

IANA TLS Cipher Suites: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4