PQSee Overview

This repository contains data and source code to look for Post Quantum Cryptography (PQC) signatures in Zeek compressed logs (SSH, SSL, DNS, etc.)

Modern network security monitors often struggle to parse and log emerging Post-Quantum Cryptography (PQC) signatures correctly. Due to draft signature being developed and legacy assumptions, such as parsing signature schemes via single-byte lookup tables, PQC algorithms like ML-DSA can be mislabeled as classical cryptosystems (e.g., RSA-PSS), while other metadata like public key types and key lengths in X.509 certificates are not logged. These parsing blind spots allow quantum-resistant traffic to masquerade as legacy protocols, defeating monitoring rules and leaving security teams unaware of post-quantum cryptographic activities.

To address this, PQSee provides the data and analytical scripts to measure real-world PQC adoption across key network protocols including TLS, SSH, and DNSSEC. Grounded in research deployed at the National Center for Supercomputing Applications (NCSA) and Research Education partners such as FABRIC, this repository presents a passive network measurement instrument capable of processing high-speed network traffic. This allows organizations to build cryptographic inventories and establish baseline adoption metrics, revealing how and where quantum-safe algorithms are currently deployed.

Measuring adoption and fixing parsing vulnerabilities are critical steps in preparing for future quantum threats, particularly for non-U.S. quantum-resistant protocols and "Harvest Now, Decrypt Later" (HNDL) attacks where adversaries capture encrypted traffic today to decrypt it once quantum computers mature. By implementing tools like PQSee, organizations can map an inventory of in-transit encrypted data, key exchange, and digital signature. PQSee team will provide them with migration pathways to achieve true crypto-agility, transition safely to NIST-standardized algorithms, and ensuring robust defenses against potential quantum adversaries.

PQC Signature Identifiers for Zeek Network Monitoring

Requirements

A recent Zeek version (>= 8.2.0) is required per our report to Zeek issue "ML-DSA / PQC Key Type and Key Length Not Logged in X.509" zeek/zeek#5321

The keywords list of current PQC signatures in corresponding Zeek log is provided below.

1. Transport Layer Security (TLS) / X.509 Certificates

In TLS 1.3 and X.509 certificate parsing, digital signatures are identified via specific SignatureScheme hex codes or ASN.1 Object Identifiers (OIDs) for NIST standardized algorithms, i.e., ML-DSA and Falcon.

• Keywords for ssl.log and x509.log:

  • mldsa44
  • mldsa65
  • mldsa87
  • falcon512
  • falcon1024

• Hexadecimal SignatureScheme Identifiers:

  • 0x0807 (ML-DSA-44)
  • 0x0808 (ML-DSA-65)
  • 0x0809 (ML-DSA-87)
  • 0x080a (Falcon-512)
  • 0x080b (Falcon-1024)

• ASN.1 OIDs (for X.509 certificate validation fields):

  • 2.16.840.1.101.3.4.3.17 (id-ml-dsa-44)
  • 2.16.840.1.101.3.4.3.18 (id-ml-dsa-65)
  • 2.16.840.1.101.3.4.3.19 (id-ml-dsa-87)
  • 1.3.9999.3.1 (Common academic/test identifier for Falcon-512)
  • 1.3.9999.3.4 (Common academic/test identifier for Falcon-1024)

2. Secure Shell (SSH)

During the SSH handshake, public key host key algorithms are negotiated as plain text strings. Zeek extracts these into the server_host_key_algorithms field of ssh.log.

• Keywords for ssh.log:
  • mldsa-44-ecdsa-p256-sha256 (Hybrid ML-DSA)
  • mldsa-65-ecdsa-p256-sha256
  • mldsa-87-ecdsa-p384-sha384
  • ssh-mldsa44 (Pure ML-DSA)
  • ssh-mldsa65 (Pure ML-DSA)
  • ssh-mldsa87 (Pure ML-DSA)
  • ssh-falcon512 (Pure Falcon)
  • ssh-falcon1024 (Pure Falcon)
  • ssh-sphincs-shake256-128f-robust (State-free hash-based signatures)
  • ssh-sphincs-sha256-128f-robust (State-free hash-based signatures)

3. Fully Qualified Domain Names (DNSSEC)

DNS Security Extensions (DNSSEC) publish signature algorithms inside RRSIG and DNSKEY records. These are logged in dns.log.

• Keywords / Integers for dns.log:
  • ML-DSA-44 or Algorithm Code 17
  • ML-DSA-65 or Algorithm Code 18
  • ML-DSA-87 or Algorithm Code 19
  • ED25519 or Algorithm Code 15, e.g., often queried during PQC transition inventories due to its compact size

A detailed description of how Zeek parsed these PQC signatures can be found in the sub-directory src/zeek-pqc-poc. (Note, descriptions of these "bugs" were created with the help of Gemini and have since been reported to Zeek and fixed.)

Sample data

A sample of processed data and statistics can be found in data

A sample of synthetic pcap data (containing PQC signatures) to test Zeek can be found in src/zeek-pqc-poc

Scripts structure

The analysis scripts are located in the src/separated_scripts/ directory:

TLS / X.509

• count_tls_pqc_signatures.sh: Counts occurrences of TLS/X.509 PQC signatures.

SSH

• extract_ssh_pqc_signatures.sh: Extracts SSH log entries containing PQC signature algorithms to ~/ssh-pqc-signatures.tsv.
• count_ssh_pqc_signatures.sh: Counts total SSH PQC signatures in the extracted TSV.
• count_unique_host_key_alg.sh: Counts occurrences of each unique host key algorithm in the TSV.
• count_unique_client_ip_prefix.sh: Summarizes client IP prefixes at the /16 level.
• print_host_key_alg.sh: Prints host key algorithms for the SSH PQC connections.

DNS

• extract_dns_pqc_signatures.sh: Extracts DNS log entries containing DNSSEC PQC signatures or algorithm codes to ~/dns-pqc-signatures.tsv.
• count_dns_pqc_signatures.sh: Counts total DNSSEC PQC signatures in the extracted TSV.

Utility

• count_non_comment.sh: Counts the total number of non-comment records in any Zeek compressed logs.

Publications

Please cite when refering to statistics of state of PQC adoption:

Sowa, Jakub, Bach Hoang, Advaith Yeluru, Steven Qie, Anita Nikolich, Ravishankar Iyer, and Phuong Cao. "Post-quantum cryptography (pqc) network instrument: Measuring pqc adoption rates and identifying migration pathways." In 2024 IEEE International Conference on Quantum Computing and Engineering (QCE), vol. 1, pp. 1835-1846. IEEE, 2024. DOI 10.1109/QCE60285.2024.00213

BibTeX and citations

@inproceedings{sowa2024post,
  title={Post-quantum cryptography (pqc) network instrument: Measuring pqc adoption rates and identifying migration pathways},
  author={Sowa, Jakub and Hoang, Bach and Yeluru, Advaith and Qie, Steven and Nikolich, Anita and Iyer, Ravishankar and Cao, Phuong},
  booktitle={2024 IEEE International Conference on Quantum Computing and Engineering (QCE)},
  volume={1},
  pages={1835--1846},
  year={2024},
  organization={IEEE}
}

Acknowledgements

This material is based upon work supported by the National Science Foundation under Grant No. 2402940

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.