1.2 Security

Threat model and security aspects of post-quantum cryptography.

The Quantum Threat

Harvest Now, Decrypt Later (HNDL)

The Scenario:

Attackers intercept encrypted data today
Store it for years/decades
Decrypt it with a future quantum computer

Affected Algorithms:

RSA (all key lengths)
ECDSA / ECDH (all curves)
DSA

Timeline:

Estimates: 10-20 years until cryptographically relevant quantum computers
BSI¹⁾: Migration recommended by 2030

Why Hybrid?

Hybrid cryptography provides:

Backward compatibility: Legacy systems can validate classical signature
Future security: PQ signature protects against quantum attacks
Security margin: Secure if at least one algorithm is secure

Hybrid Certificate:
+-- RSA-4096 Signature (classical)
+-- ML-DSA-65 Signature (PQ, in X.509 extension)

Validation:
+-- Legacy client: Verifies only RSA [check]
+-- Modern client: Verifies RSA + ML-DSA [check][check]

Best Practices

For Developers

Use CryptoMode.Hybrid as default
Validate both signatures when possible
Never hardcode private keys
Use using statements for crypto objects
Set OpenSSL path once at startup

For Administrators

Keep OpenSSL 3.6+ updated
Backup PQ key store (%LOCALAPPDATA%\WvdS.Crypto\PqKeys\)
Plan certificate renewal before expiry
Set up monitoring for validation errors

For Organizations

Plan migration now (not when quantum computers are available)
Prioritize long-term data (contracts, health data, state secrets)
Hybrid certificates for all new systems

Known Limitations

Limitation	Description	Workaround
Windows Store	No native PQ keys	Side-store is used
Argon2id	OpenSSL 3.6 experimental	Fallback to PBKDF2
Custom OIDs	Not yet IANA-registered	Will be updated upon standardization
WASM Performance	10-100x slower than native	Suitable for interactive use

Security Notes

DLL Sideloading Risk: Ensure OpenSSL DLLs come from a trusted source and the path is correctly configured.

PQ Key Backup: The PQ key store is not included in Windows Certificate Store backup. Separate backup required!

Inhaltsverzeichnis