Post-quantum cryptography in the pentest: audit tools and a checklist for finding weak algorithms

Depov (joined Feb 18, 2025)
At a cryptocurrency API fintech service I found TLS 1.0 with RC4 on three internal endpoints - interservice communication, not updated since 2018, because "it's not visible from outside". A month and a half after the fix, the threat intelligence team recorded interception and traffic-capture artifacts on the network equipment - the classic Harvest Now, Decrypt Later. RC4 is already broken by classical methods; no quantum computer is needed here. And RSA-2048 on the external perimeter is a matter of the next decade. Post-quantum cryptography in the 2026 pentest must take both horizons into account: algorithms that are leaking right now, and those that will become a target with the arrival of quantum computing.
Harvest Now, Decrypt Later and testing cryptographic resilience
Harvest Now, Decrypt Later (HNDL) is the main argument for migrating cryptography now. The attacker intercepts encrypted traffic today, stores it, and waits for the moment a quantum computer can decrypt the capture. Formally the HNDL scenario is not covered by MITRE ATT&CK Enterprise; the nearest analogues are Network Sniffing (T1040) for access to the network segment and Adversary-in-the-Middle (T1557) for active interception with a downgrade.

According to NIST, full migration of a cryptographic infrastructure takes 10 to 20 years from standardization of the new algorithm. In August 2024 NIST published the first three finalized post-quantum standards: FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber, a key encapsulation mechanism), FIPS 204 (ML-DSA, formerly CRYSTALS-Dilithium, digital signatures) and FIPS 205 (SLH-DSA, hash-based signatures). According to NIST IR 8547 (draft, November 2024), asymmetric algorithms at 112-bit security (RSA-2048, ECDSA P-256) are to be deprecated after 2030 and disallowed after 2035 in federal systems. Symmetric ciphers (AES-256) are not affected by this timeline.

Mosca's theorem turns this into a risk metric: if the migration time (X) plus the period for which the data must remain confidential (Y) exceeds the time until a cryptographically relevant quantum computer appears (Z), i.e. X + Y > Z, migration is already late. For banking data with a 10-year retention period and a realistic 5-year migration cycle the formula says it should have started yesterday. According to Eviden, for an average organization the minimum migration period that cannot be compressed is three years, and that is without counting inventory and risk assessment.

For the SOC team this is a concrete task: know which cryptographic algorithms are in use in the infrastructure, identify the channels vulnerable to future decryption, and set up detection of interception and downgrade attacks.
Weak cryptographic algorithms: what to look for when auditing
In a cryptographic audit of an application, algorithms fall into three categories. The first is holes right now: exploitation does not need a quantum computer. The second is vulnerable once a quantum computer appears: critical for data with a long confidentiality period. The third is the quantum-resistant algorithms to migrate to.

Vulnerable now (critical priority): [table not reproduced: two images in the original post]

Grover's algorithm does affect symmetric ciphers, but it only gives a quadratic speedup, which is compensated by doubling the key length. Moving from AES-128 to AES-256 closes the issue. For symmetric cryptography migration is therefore less urgent than for asymmetric.

In MITRE ATT&CK terms, weak algorithms in the infrastructure create the preconditions for Weaken Encryption (T1600), where the attacker exploits or imposes a weak configuration, and Reduce Key Space (T1600.001), a targeted reduction of strength through downgrade or substitution of parameters.

[Applicable: external and internal pentest] On an internal audit, outdated protocols are far more common - legacy services of the "it works, don't touch it" kind. On the external perimeter the main focus is the TLS configuration of the front ends and support for weak cipher suites.
Tools and methodology for finding outdated encryption algorithms
openssl s_client - PQC spot check
For a manual check of post-quantum key exchange support:
Bash:
openssl s_client -connect target:443 -tls1_3 -groups X25519MLKEM768 </dev/null 2>&1 | grep "Negotiated"
The command checks whether the server accepts the hybrid PQC scheme X25519MLKEM768. This scheme is already supported by Go 1.24, Chrome 131, Firefox 135 and OpenSSL 3.5.0. If no group is negotiated in the output, the server does not support a PQC KEM, and that is a fact for the report. The reverse check is just as valuable: if the server does accept the PQC group and the organization never planned a migration, you need to find out where the support came from (more on that in the detection section).
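A wrapper for the check above, added here as an example and not code from the original post: it runs the same openssl s_client command, parses the output lines that OpenSSL 3.2+ s_client prints ("Protocol :", "Cipher :", "Negotiated TLS1.3 group:"), and turns the result into a verdict for the report. The two sample outputs are constructed, not captured from a real server; the set of hybrid group names and the error-string heuristic for an old client are assumptions. Python 3.9+.

```python
"""Spot-check post-quantum key exchange with `openssl s_client` and parse the result.

Added example, not code from the original post. Sample outputs are constructed.
"""
import re
import subprocess

# Hybrid group names as registered by OpenSSL 3.5 (draft-ietf-tls-ecdhe-mlkem); assumption.
PQC_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}

GROUP_RE = re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.M)
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def parse_s_client(output: str) -> dict:
    """Pull protocol, cipher suite and negotiated group out of s_client output."""
    def first(rx):
        m = rx.search(output)
        return m.group(1) if m else None
    return {"protocol": first(PROTO_RE), "cipher": first(CIPHER_RE), "group": first(GROUP_RE)}


def classify(parsed: dict, requested: str = "X25519MLKEM768") -> str:
    """Turn the parsed output into the verdict that goes into the report."""
    group = parsed["group"]
    if group is None:
        # Only one group was offered, so "nothing negotiated" means the server
        # (or a middlebox in front of it) does not accept the hybrid.
        return "pqc-unsupported"
    if group == requested:
        return "pqc-hybrid"
    return "pqc-other" if group in PQC_GROUPS else "classical"


def check_pqc(host: str, port: int = 443, group: str = "X25519MLKEM768", timeout: int = 15) -> dict:
    """Live check: needs network and an OpenSSL client (3.5+) that knows the group."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
           "-tls1_3", "-groups", group]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    text = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    # Heuristic (assumption): an old client rejects the unknown group before sending anything.
    if "Error with command" in text or "unknown group" in text.lower():
        return {"verdict": "client-lacks-group", "raw": text}
    parsed = parse_s_client(text)
    parsed["verdict"] = classify(parsed, group)
    return parsed


# Constructed samples of the two outcomes.
SAMPLE_HYBRID = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Negotiated TLS1.3 group: X25519MLKEM768
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

SAMPLE_REFUSED = """\
Connecting to 203.0.113.10
CONNECTED(00000003)
error:0A000410:SSL routines::ssl/tls alert handshake failure
no peer certificate available
"""

if __name__ == "__main__":
    for name, sample in (("hybrid", SAMPLE_HYBRID), ("refused", SAMPLE_REFUSED)):
        print(name, classify(parse_s_client(sample)))
```

The verdict client-lacks-group is deliberately separate from pqc-unsupported: an OpenSSL older than 3.5 on the tester's machine rejects the group before any packet leaves, and that must not be written up as a server finding.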
Application-level audit and tool limitations
testssl.sh and sslyze see only the TLS configuration of network services. They will not find cryptography inside the application: AES in ECB mode for encrypting database fields, MD5 for password hashing, SHA-1 in JWT signatures. For the application level you need code and configuration analysis - a rough but working approach:
Bash:
grep -rn "DES\|RC4\|MD5\|ECB\|SHA1" --include="*.conf" --include="*.yaml" .
It looks primitive, but in practice that is how half the problems get found. OWASP ASVS sets out formal cryptography requirements at the L1/L2/L3 verification levels - useful as a checklist for code review.
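The same sweep with token boundaries and a severity per pattern, added here as an example and not code from the original post. Unlike the grep one-liner it does not report SHA-256 as SHA-1, does not count 3DES twice as DES, and still catches identifiers glued to underscores such as AES.MODE_ECB. The files it scans are constructed in a temporary directory; the pattern list and severities are my choices, not a standard.

```python
"""Static sweep for weak-algorithm identifiers in source and config trees.

Added example, not code from the original post. Sample files are constructed.
"""
import re
import tempfile
from pathlib import Path


def tok(body: str) -> re.Pattern:
    """Match `body` only when not glued to another alphanumeric; underscore counts as
    a separator so AES.MODE_ECB and DESede-style names are still caught."""
    return re.compile(rf"(?<![A-Za-z0-9]){body}(?![A-Za-z0-9])", re.I)


# (pattern, severity, note for the report)
WEAK_PATTERNS = [
    (tok(r"RC4"), "critical", "RC4 stream cipher, broken with classical attacks"),
    (tok(r"(?:3DES|TripleDES|DESede|DES-CBC3|DES-EDE3)"), "high", "3DES: 64-bit block (Sweet32)"),
    (tok(r"DES(?!-(?:CBC3|EDE3))"), "critical", "single DES, 56-bit key"),
    (tok(r"MD5"), "high", "MD5: collisions; not for signatures or password hashing"),
    (tok(r"SHA-?1"), "high", "SHA-1: collisions (SHAttered); not for signatures"),
    (tok(r"ECB"), "high", "ECB mode leaks plaintext structure"),
    # TLSv1 / TLSv1.0 / TLSv1.1 / SSLv2 / SSLv3, but not TLSv1.2 or TLSv1.3
    (tok(r"(?:SSLv[23]|TLSv1(?:\.[01])?)(?![.\d])"), "high", "deprecated protocol version"),
]

SCAN_EXTS = {".conf", ".yaml", ".yml", ".properties", ".json", ".py", ".go", ".java", ".xml"}


def scan_tree(root: Path) -> list:
    """One finding per (file, line, pattern); a single line can carry several."""
    findings = []
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.suffix in SCAN_EXTS)
    for path in files:
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), start=1):
            for rx, severity, note in WEAK_PATTERNS:
                m = rx.search(line)
                if m:
                    findings.append({"file": path.relative_to(root).as_posix(), "line": lineno,
                                     "severity": severity, "match": m.group(0), "note": note,
                                     "text": line.strip()})
    return findings


# Constructed sample tree: three files with problems, one clean control.
SAMPLE_FILES = {
    "config/app.yaml": "password_hash: md5\nfield_cipher: AES-256-GCM\n",
    "nginx/site.conf": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers RC4-SHA:DES-CBC3-SHA:HIGH;\n",
    "svc/jwt.py": "import hashlib\nsig = hashlib.sha1(payload).hexdigest()\ncipher = AES.new(key, AES.MODE_ECB)\n",
    "nginx/clean.conf": "ssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;\n",
}


def demo() -> list:
    """Write the sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:8} {f['file']}:{f['line']}  {f['match']:10} {f['note']}")
```

Point it at a checkout with scan_tree(Path("repo")) and hand the list to the report; the control file shows that a modern nginx block produces no noise.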
Detection of weak cryptography in the SIEM: rules and alerts for the SOC
A crypto audit is a one-off event. Continuous monitoring of cryptographic anomalies is the SOC's job. Below are the concrete correlation rules.
Negotiation of deprecated cipher suites
If the logs of the TLS terminator (nginx, HAProxy, F5) or Zeek data show a cipher suite from the deprecated list being negotiated, that is an alert. Logic:
• Source: TLS terminator logs, field ssl_cipher / cipher_suite; for Zeek, the cipher field in ssl.log
• Condition: the value contains RC4, 3DES, DES-CBC, NULL, EXPORT or anon
• Severity: High for external-facing services, Medium for internal
• Action: SOC notification, automatic remediation ticket
For nginx, the cryptographic parameters are exposed through the $ssl_cipher and $ssl_protocol variables in the access log; they must be added to log_format explicitly, as the default format does not include them.
TLS version downgrade
A server that previously ran TLS 1.3 suddenly starts negotiating TLS 1.0. It may be a botched deployment, or it may be an active downgrade attack (T1557, Adversary-in-the-Middle). Correlation rule:
• Baseline: record the "normal" TLS version for each service
• Alert: a downward deviation from the baseline
• Enrichment: check for a match with a deployment window or a configuration change; if there is none, escalate
Certificate anomalies
• Certificate with RSA < 2048 bits on a production service - immediate alert
• Certificate signed with SHA-1 - alert
• Self-signed certificate on a service where a CA-signed one was used - critical alert, MitM is possible
• Certificate expiring in less than 30 days - operational alert
Unexpected appearance of PQC parameters
If traffic shows X25519MLKEM768 being negotiated and the organization did not initiate a PQC migration, that is an anomaly requiring investigation. Real scenario: Kubernetes v1.33, built with Go 1.24, got X25519MLKEM768 as its default key exchange - a side effect of the toolchain, with no separate release flag. The enlarged ClientHello (~1.6 KB with X25519MLKEM768, because the ML-KEM-768 public key is 1184 bytes) no longer fits in one TCP segment and gets fragmented, which breaks middleboxes and network devices that expect the ClientHello in a single packet. This is not an attack, but it is an unplanned change of the cryptographic profile, and the SOC should see it.
Quantum-resilient application audit checklist
A ready-made checklist to hand to the operations team or to include in the report:
1. Crypto inventory. Build a registry of all algorithms, protocols and key lengths in use: TLS configurations, certificates, JWT signatures, encryption at rest, password hashing. Link each to its service and owner.
2. TLS scan. Run testssl.sh --full on all external and internal HTTPS endpoints. Collect the JSON reports and filter for severity HIGH and CRITICAL.
3. Removal of deprecated algorithms. No service should negotiate RC4, 3DES, MD5 signatures, SHA-1 signatures, TLS 1.0/1.1 or RSA < 2048 bits. Record a remediation plan with owners and deadlines.
4. Crypto-agility assessment. Check whether the algorithm can be replaced at each layer of the stack through configuration, without rebuilding the application. Hardcoded algorithms are a risk and go into the report.
5. Classification by HNDL risk. Single out data with a long confidentiality period (>10 years): personal data, trade secrets. Prioritize the move to hybrid schemes (classical + PQC) for them.
6. SIEM rules. Configure the correlations: deprecated cipher suites, TLS downgrade, certificate anomalies, unexpected PQC parameters in traffic.
7. PQC compatibility on a test stand. Check that the services work with X25519MLKEM768 (OpenSSL 3.5.0+, Go 1.24+). Record any middlebox incompatibilities.
8. Migration roadmap. Build the plan around the NIST timeline: deprecated after 2030, disallowed after 2035. Priority: key exchange (KEM) first, then signatures - key exchange is the more critical because of HNDL.
 