Post Quantum Ciphers Analysis

Public-key cryptography is the invisible trust fabric which secures web browsing, VPN connectivity, cloud authentication, software updates, and identity verification. For decades, the global economy, national security apparatus, and critical infrastructure have relied on asymmetric cryptography—specifically RSA and Elliptic Curve Cryptography (ECC)—to secure this data. Their security rests on the mathematical difficulty of factoring large integers or solving discrete logarithm problems within any realistic timeframe.  Quantum computing changes that assumption. Quantum computers utilize qubits, which combined with quantum entanglement, allows for massive parallelism in calculation. Tenable’s Research team has developed a series of plugins to help identify an organization's progress in mitigating this future threat.  

While quantum systems, capable of shattering current encryption standards may be years away, there is a significant threat operational today, through a strategic doctrine of "Harvest Now, Decrypt Later" (HNDL).  Adversaries can identify and capture and store encrypted data now, awaiting for future decryption when quantum decryption becomes readily available, and the data can be decrypted retroactively. For security leaders this creates a familiar strategic problem.  Public-key cryptography is embedded everywhere:  certificate authorities, TLS stacks, VPN gateways, secure email, identity providers, firmware signing, code pipelines, and cloud key management.  The implications are catastrophic for current standards:

• RSA-2048 and RSA-4096: Completely broken.
• ECDH and ECDSA (Elliptic Curve): Completely broken.
• Diffie-Hellman: Completely broken. 

Tenable has a number of plugins that assist organizations, including: 

• 277650 - Remote Services Not Using Post-Quantum Ciphers.
• 277652 - Target Cipher Inventory.
• 277653- Remote Services Using Post-Quantum Ciphers. 

Understanding the impact of the transition to using Post Quantum Ciphers is where security teams need actionable insight, understanding where vulnerable cryptographic algorithms are deployed across their infrastructure. To support this visibility, Tenable provides the Post Quantum Ciphers Dashboard.  This Security Center dashboard is designed to help organizations identify systems relying on cryptographic algorithms that will be vulnerable in a post-quantum world. Key features are the identification where RSA and ECC are currently deployed across your infrastructure, supporting prioritization of modernization efforts. Information within the dashboard assists organizations identify remote services using/not using post-quantum ciphers, including the identification of ciphers in Web Application Scanning (WAS) environments, and identifies potentially vulnerable ciphers, certificates and assets.

Organizations need a coherent operational strategy to navigate the migration. Based on NIST SP 1800-38 and CISA guidance, the following phased approach is recommended.

Phase 1: Automated Discovery -> Phase 2: Prioritization and Risk Assessment -> Phase 3: Remediation and Crypto-Agility -> Phase 4: Continuous Verification

This approach begins with establishing the baseline. Tenable Plugin 277652 (Target Cipher Inventory) Extends detection capabilities to cover cryptographic ciphers and algorithms discovered during the scan as a machine parsable JSON file attachment. Tenable Plugins 277653 (Remote Services Using Post-Quantum Ciphers) and 277650 (Remote Services Not Using Post-Quantum Ciphers) help filter the signal from the noise. Identify systems with the highest risk and the most critical data, allowing organizations to move quickly into the remediation phase.  Regression is prevented naturally with Tenable’s ability to provide Continuous Verification by incorporating this assessment into regular scanning intervals.

Bottom line, these tactics allow for the surfacing of cryptographic dependencies across the environment, security teams gain the operational intelligence needed to begin structured migration planning today. Organizations that begin assessing exposure now, establish migration roadmaps, and integrate post-quantum readiness into security strategy will move through this transition deliberately and safely.

This Dashboard contains the following components:

• Remote Services Not Using Post-Quantum Ciphers - This chart provides a port summary of findings that utilize plugin 277650 which identifies network services that do not offer post-quantum ciphers. Tenable makes no attempt to determine whether the remote service would be vulnerable to a post-quantum attack.
• Post-Quantum Ciphers - This line chart shows counts of three separate queries to provide a historic understanding of the organization's progress in mitigating Post-Quantum Cipher related issues. The first query displays the count over time of the Remote Services not using Post-Quantum Ciphers plugin by utilizing the Remote Services. The second query displays the count over time of the Post-Quantum Ciphers by utilizing the Remote Services plugin. Lastly, the third query displays the count over time of the Ciphers Inventory plugin. By monitoring these counts over time, the risk management team can easily track progress and related mitigation efforts.
• Remote Services Using Post-Quantum Ciphers - This chart provides a port summary of findings that utilize plugin 277653 which identifies network services that offer post-quantum ciphers and enumerates the post-quantum ciphers that they offer.
• Target Cipher Inventory - This table utilizes the Target Cipher Inventory plugin which collects cryptographic ciphers and algorithms discovered during a Nessus scan. Using the IP Summary tool, this widget provides a per asset inventory of ciphers and algorithms.
• Encryption Ciphers Detected by WAS - This table displays all the SSL/TLS plugins which were detected by WAS. The component displays this information by using the plugin name filter to look at plugin names containing ‘SSL/TLS’ in the name.
• SSH Algorithms Detected by Nessus - This component displays any detected SSH algorithm plugin that was seen by Nessus. The widget utilizes the Plugin Name filter that matches on 'SSH.*Algorithm' this ensures the plugin names displayed show detected SSH algorithms.
• Encryption Ciphers Detected by Nessus - This component displays any detected Cipher plugins that were seen by Nessus. The widget utilizes the Plugin Name filter with a regex match on ‘(Cipher Suites)|(SSL Ciphers)|(Weak Kerberos)’ this ensures the plugin names displayed show detected Ciphers.
• Certificate Information Detected by Nessus  - The component displays any detected SSL Certificate plugins that were seen by Nessus. The widget utilizes the Plugin Name filter to match on plugin names that contain 'SSL Certificate'.