Welcome to the most recent installment in our comprehensive 8-part series on discovering cryptographic usage in your organization and cataloging it according to risk. In this article, we’ll focus on validating the discovery of quantum-vulnerable algorithms in non-executable files on both Windows-based and Linux-based operating systems.
Introduction
As quantum computing races towards practical reality, the cryptographic foundations of our digital world face an unprecedented threat. Quantum computers have the potential to break widely-used algorithms like RSA, DSA, and elliptic curve cryptography (ECC). This makes it crucial for organizations to identify and mitigate risks in their cryptographic materials before quantum computers become a reality.
In this blog post, we’ll outline a methodical approach to use Automated Cryptography Discovery & Inventory (ACDI) tools to validate the discovery of quantum-vulnerable algorithms in non-executable files, with a specific focus on keystores and other cryptographic files commonly found in Windows and Linux systems.
Targeted File Types for Quantum Vulnerability Validation
To effectively identify quantum-vulnerable algorithms, we need to focus on specific cryptographic file formats. Here are the key types of keystores and cryptographic containers we’ll be examining:
- PKCS#12 keystores (created via OpenSSL)
- Java keystores (created via keytool utility)
- PKCS#1 keystores (created via OpenSSL)
- PKCS#8 keystores (created via OpenSSL)
- OpenSSH keystores (created via ssh-keygen)
- OpenPGP keystores (created via gpg)
Step-by-Step Guide to Validate Quantum Vulnerability
1. Identify Cryptographic Files on the System
Windows
We can automate this process using PowerShell scripts or other file-search utilities.
Example PowerShell Command:
Get-ChildItem -Recurse -Path C:\ -Include *.p12, *.jks, *.pem, *.key, *.pgp | Select-Object FullName
Ubuntu Linux
On Linux, we can use the find command to locate relevant files:
sudo find / -type f \( -name "*.p12" -o -name "*.jks" -o -name "*.pem" -o -name "*.key" -o -name "*.pgp" \) 2>/dev/null
This command searches the entire filesystem for files with extensions commonly associated with the targeted keystores and cryptographic containers.
2. Analyze File Content for Quantum-Vulnerable Algorithms
Once we’ve identified the files, we need to inspect their content to determine whether they contain quantum-vulnerable algorithms. Let’s look at how to do this for each file type:
PKCS#12 Keystores (OpenSSL)
Use OpenSSL commands to inspect the contents of a PKCS#12 keystore:
Windows & Linux:
openssl pkcs12 -info -in file.p12 -noout
Look for lines indicating RSA or DSA key types in the output.
Java Keystores (keytool)
Use the keytool utility to inspect Java Keystores:
Windows & Linux:
keytool -list -v -keystore file.jks
Examine the output for RSA or DSA key algorithms.
PKCS#1 and PKCS#8 Keystores (OpenSSL)
For PKCS#1 and PKCS#8 keystores, use OpenSSL to parse the key files:
Windows & Linux:
openssl rsa -in file.key -text -noout
openssl pkcs8 -in file.pem -inform PEM -text -noout
These commands will reveal the type of key (e.g., RSA, DSA).
OpenSSH Keystores (ssh-keygen)
OpenSSH keys can be inspected using the ssh-keygen utility:
Windows & Linux:
ssh-keygen -l -f file
The output will include information about the key type. Look for RSA or DSA, which are quantum-vulnerable.
OpenPGP Keystores (gpg)
GPG keys can be inspected using the gpg command-line tool:
Windows & Linux:
gpg --list-keys --with-keygrip --with-fingerprint
Review the output for RSA, DSA, or other vulnerable algorithms.
3. Automate the Process for Large-Scale Validation
For large-scale environments, it’s crucial to automate the validation process.
Windows
Here’s an example PowerShell script that can help:
$files = Get-ChildItem -Recurse -Path C:\ -Include *.p12, *.jks, *.pem, *.key, *.pgp
foreach ($file in $files) {
$ext = $file.Extension.ToLower()
switch ($ext) {
".p12" { & openssl pkcs12 -info -in $file.FullName -noout }
".jks" { & keytool -list -v -keystore $file.FullName }
".pem" { & openssl pkcs8 -in $file.FullName -inform PEM -text -noout }
".key" { & openssl rsa -in $file.FullName -text -noout }
".pgp" { & gpg --list-keys --with-keygrip --with-fingerprint }
}
}
Ubuntu Linux
Here’s a Bash script that performs similar functions on Linux:
#!/bin/bash
find / -type f \( -name "*.p12" -o -name "*.jks" -o -name "*.pem" -o -name "*.key" -o -name "*.pgp" \) 2>/dev/null | while read file; do
case "${file##*.}" in
p12)
openssl pkcs12 -info -in "$file" -noout
;;
jks)
keytool -list -v -keystore "$file"
;;
pem)
openssl pkcs8 -in "$file" -inform PEM -text -noout
;;
key)
openssl rsa -in "$file" -text -noout
;;
pgp)
gpg --list-keys --with-keygrip --with-fingerprint
;;
esac
done
These scripts search for files and automatically run the appropriate inspection command based on the file extension.
4. Review and Mitigate Identified Vulnerabilities
After running the above commands or scripts, carefully review the output for quantum-vulnerable algorithms. Any keys found using RSA, DSA, or ECC should be flagged for replacement with quantum-resistant alternatives, such as lattice-based cryptographic algorithms (e.g., Kyber, Dilithium).
Conclusion and Next Steps
Validating and mitigating the presence of quantum-vulnerable algorithms in your cryptographic infrastructure is a critical step in preparing for the post-quantum era. By following the steps outlined in this article, you can efficiently identify these vulnerabilities in non-executable files on both Windows and Linux-based systems and take the necessary actions to secure your environment against future quantum attacks.
Remember, this process is just one part of a larger cryptographic inventory and risk assessment strategy. Be sure to integrate these findings into your overall cybersecurity framework and keep abreast of developments in post-quantum cryptography.
Learn More
