
PQC Readiness

CBOM automatically classifies every discovered cryptographic asset by its vulnerability to quantum computing attacks, providing a clear picture of your post-quantum migration status.

Figure: PQC readiness overview showing risk distribution and readiness score


The QuantumRiskService classifies every asset when it’s ingested. Classification is based on the algorithm, asset type, and key size.

Level    | Meaning                                                                                          | Action required
---------|--------------------------------------------------------------------------------------------------|------------------------
CRITICAL | Already broken or deprecated; provides no meaningful security even without quantum computers     | Immediate replacement
HIGH     | Vulnerable to Shor's algorithm; will be broken by a cryptographically relevant quantum computer   | Plan migration to PQC
MEDIUM   | Reduced strength under Grover's algorithm; effective security (in bits) halved                    | Consider upgrade
LOW      | Adequate security with acceptable margin                                                         | Monitor
NONE     | Quantum-safe: either a PQC algorithm or a symmetric algorithm with sufficient key size            | No action needed

CRITICAL — Broken/Deprecated:

  • MD5, SHA-1 (hash collisions already practical)
  • DES (56-bit key), 3DES (64-bit block; Sweet32), RC4 (keystream biases)
  • TLS 1.0, TLS 1.1 (deprecated protocols)

HIGH — Quantum-Vulnerable (Shor’s Algorithm):

  • RSA (all key sizes)
  • ECDSA, ECDH (all curves)
  • DH, DSA
  • EdDSA (Ed25519, Ed448)
  • Certificates signed with RSA/ECDSA

MEDIUM — Reduced Strength (Grover’s Algorithm):

  • AES-128 (effective 64-bit security under Grover's algorithm)

LOW — Adequate:

  • AES-192 (effective 96-bit security)

NONE — Quantum-Safe:

  • AES-256, ChaCha20 (256-bit symmetric)
  • SHA-256, SHA-384, SHA-512, SHA-3
  • ML-KEM (Kyber) — all parameter sets
  • ML-DSA (Dilithium) — all parameter sets
  • SLH-DSA (SPHINCS+)

Each asset maps to a NIST Quantum Security Level (QSL 0–5) in the CycloneDX export:

QSL | Equivalent security      | Example algorithms
----|--------------------------|------------------------------------------
0   | No quantum security      | RSA, ECDSA, DH, MD5, SHA-1
1   | AES-128 equivalent       | ML-KEM-512, ML-DSA-44, AES-128
2   | SHA-256 collision        | SHA-256
3   | AES-192 equivalent       | ML-KEM-768, ML-DSA-65, AES-192
4   | SHA-384 collision        | SHA-384
5   | AES-256 equivalent       | ML-KEM-1024, ML-DSA-87, AES-256, SHA-512

The dashboard displays a readiness percentage:

PQC Readiness = (Assets with risk NONE or LOW) / Total Classified Assets × 100

Only classified assets enter the denominator; MEDIUM, HIGH and CRITICAL assets all count against the score. Track this score over time to measure migration progress.


The classification considers asset type context:

Certificates: risk is determined by the signature algorithm (from properties.signatureAlgorithm):

  • SHA256withRSA → HIGH (RSA signature is quantum-vulnerable)
  • SHA256withECDSA → HIGH (ECDSA is quantum-vulnerable)

Keys: risk is determined by the key algorithm and key size:

  • RSA-2048 private key → HIGH
  • Ed25519 public key → HIGH
  • AES-256 symmetric key → NONE

Protocols: risk considers both the TLS version and the negotiated cipher suite:

  • TLS 1.0/1.1 → CRITICAL (deprecated)
  • TLS 1.2 with ECDHE_RSA → HIGH (quantum-vulnerable key exchange and authentication)
  • TLS 1.3 with ML-KEM → NONE (post-quantum key exchange; the certificate that authenticates the handshake is a separate asset and is classified on its own)

Signatures: risk is determined by the signing algorithm; a broken hash dominates the quantum-vulnerable key:

  • SHA256withRSA signature → HIGH
  • MD5withRSA signature → CRITICAL (broken hash + quantum-vulnerable)
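The rules above (risk level by algorithm, asset type and key size; the QSL table; the readiness formula) can be put together in a few dozen lines. The following is an added example written for this page, not the project's QuantumRiskService: the Asset shape, the protocol property names ("version", "cipherSuite", "keyExchange"), the ChaCha20 QSL row and the handling of unrecognised algorithms (left unclassified and excluded from the score rather than counted as safe) are assumptions of the example, and the inventory at the bottom is constructed.

```python
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Risk(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Asset:  # assumed shape for the example
    type: str                        # certificate | key | protocol | signature | algorithm
    algorithm: str = ""              # "SHA256withRSA", "RSA", "AES", "ML-DSA-65", ...
    key_size: Optional[int] = None   # bits, when known (keys)
    properties: dict = field(default_factory=dict)


def _norm(name: str) -> str:
    """Upper-case and drop separators: "ML-KEM-768", "ml_kem_768" and "MLKEM768" compare equal."""
    return re.sub(r"[\s_\-]", "", name.upper())


# Token rules mirror the page's lists; matching is by substring on the normalised
# name, so "SHA256withRSA" hits RSA and "MD5withRSA" hits MD5.
_BROKEN = re.compile(r"MD5|SHA1(?!\d)|DES|RC4")        # DES also covers 3DES/DESede
_PQC = ("MLKEM", "KYBER", "MLDSA", "DILITHIUM", "SLHDSA", "SPHINCS")
_SHOR = ("RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "ED448", "EDDSA", "X25519", "X448")
_SAFE_HASHES = ("SHA256", "SHA384", "SHA512", "SHA3")


def classify_algorithm(name: str) -> Optional[Risk]:
    """Risk level for one algorithm label; None when no rule matches."""
    n = _norm(name)
    if _BROKEN.search(n):                       # broken primitive dominates: MD5withRSA -> CRITICAL
        return Risk.CRITICAL
    if any(t in n for t in _PQC):               # before the Shor list, since "MLDSA" contains "DSA"
        return Risk.NONE
    if any(t in n for t in _SHOR):
        return Risk.HIGH
    if n.startswith("AES"):                     # Grover: rate by key size
        m = re.search(r"AES\D*(\d+)", n)
        if not m:
            return None                         # AES with unknown key size cannot be rated
        bits = int(m.group(1))
        return Risk.NONE if bits >= 256 else Risk.LOW if bits >= 192 else Risk.MEDIUM if bits >= 128 else Risk.CRITICAL
    if "CHACHA20" in n or any(t in n for t in _SAFE_HASHES):
        return Risk.NONE                        # 256-bit key / quantum-safe hash
    return None


def _label(asset: Asset) -> str:
    """What the asset-type rules classify: signature algorithm for certificates,
    key exchange for protocols, algorithm (plus key size) for everything else."""
    p = asset.properties
    if asset.type == "certificate":
        return p.get("signatureAlgorithm", "")
    if asset.type == "protocol":
        suite = p.get("cipherSuite", "")
        # TLS 1.2 suite names carry the key exchange before "_WITH_"; TLS 1.3 suites
        # do not, so the negotiated group comes from the assumed "keyExchange" property.
        return p.get("keyExchange") or (suite.split("_WITH_")[0] if "_WITH_" in suite else "")
    size = str(asset.key_size) if asset.key_size and not re.search(r"\d", asset.algorithm) else ""
    return asset.algorithm + size               # "AES" + 256 -> "AES256"


def classify_asset(asset: Asset) -> Optional[Risk]:
    if asset.type == "protocol":
        version = str(asset.properties.get("version", ""))
        if version in ("1.0", "1.1") or version.upper().startswith("SSL"):
            return Risk.CRITICAL                # deprecated protocol version wins over the suite
    label = _label(asset)
    return classify_algorithm(label) if label else None


# The page's QSL table; the ChaCha20 row (256-bit key, level 5) is an assumption.
_QSL = (("MLKEM512", 1), ("MLDSA44", 1), ("AES128", 1), ("SHA256", 2),
        ("MLKEM768", 3), ("MLDSA65", 3), ("AES192", 3), ("SHA384", 4),
        ("MLKEM1024", 5), ("MLDSA87", 5), ("AES256", 5), ("SHA512", 5), ("CHACHA20", 5))


def quantum_security_level(asset: Asset, risk: Optional[Risk]) -> Optional[int]:
    """nistQuantumSecurityLevel for the export: 0 for HIGH/CRITICAL, table lookup otherwise."""
    if risk is None:
        return None
    if risk >= Risk.HIGH:
        return 0
    label = _norm(_label(asset))
    return next((lvl for tok, lvl in _QSL if tok in label), None)


def pqc_readiness(assets) -> float:
    """PQC Readiness = (NONE or LOW) / total classified x 100; unclassified assets excluded."""
    risks = [r for r in map(classify_asset, assets) if r is not None]
    ready = sum(1 for r in risks if r <= Risk.LOW)
    return round(100.0 * ready / len(risks), 2) if risks else 0.0


INVENTORY = [  # constructed sample inventory
    Asset("certificate", properties={"signatureAlgorithm": "SHA256withRSA"}),
    Asset("key", "RSA", 2048), Asset("key", "Ed25519"), Asset("key", "AES", 256), Asset("key", "AES", 128),
    Asset("protocol", "TLS", properties={"version": "1.0", "cipherSuite": "TLS_RSA_WITH_AES_128_CBC_SHA"}),
    Asset("protocol", "TLS", properties={"version": "1.2", "cipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}),
    Asset("protocol", "TLS", properties={"version": "1.3", "cipherSuite": "TLS_AES_256_GCM_SHA384", "keyExchange": "X25519MLKEM768"}),
    Asset("signature", "MD5withRSA"), Asset("algorithm", "ML-DSA-65"), Asset("algorithm", "SHA-256"),
    Asset("algorithm", "AES-192"), Asset("algorithm", "FooCipher"),
]

if __name__ == "__main__":
    for a in INVENTORY:
        r = classify_asset(a)
        print(f"{a.type:<11} {(_label(a) or a.algorithm):<38} {(r.name if r else 'UNCLASSIFIED'):<12} QSL={quantum_security_level(a, r)}")
    print(f"PQC readiness: {pqc_readiness(INVENTORY)}%")
```

The sample inventory scores 41.67%: five of the twelve classifiable assets are NONE or LOW, and the unrecognised FooCipher is left out of the denominator, as the formula's "Total Classified Assets" implies. The ordering of the rule checks matters: broken hashes are tested first so that MD5withRSA lands in CRITICAL rather than HIGH, and the PQC names are tested before the Shor list because "ML-DSA" contains "DSA".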

The risk distribution chart shows the percentage of assets at each level.

Every asset row displays its risk level as a colored badge. Filter by risk level to focus on assets needing attention.

The nistQuantumSecurityLevel field in the CycloneDX export (cryptoProperties.algorithmProperties.nistQuantumSecurityLevel in CycloneDX 1.6) carries this classification to downstream tools.


Use the risk classification to prioritize migration:

  1. CRITICAL — Replace immediately (these are already insecure)
  2. HIGH — Plan migration timeline based on asset criticality
  3. MEDIUM — Upgrade when convenient (AES-128 → AES-256)
  4. LOW/NONE — No immediate action required

The Compliance page can enforce policies that require specific minimum security levels.
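A downstream tool consuming the export can enforce such a minimum on its own. The following is an added example, not part of the project or the Compliance page: it reads nistQuantumSecurityLevel out of a CycloneDX 1.6 CBOM, follows signatureAlgorithmRef for certificate assets (which in 1.6 carry no level of their own), and fails any asset below the required level. Assets with no level at all are reported separately and also fail the check, so an unclassified asset cannot pass by omission. The sample BOM is constructed for the example.

```python
import json
from typing import Optional

# Constructed CycloneDX 1.6 CBOM fragment for the example.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg:rsa-2048",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "pke", "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "alg:ml-kem-768",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "kem", "nistQuantumSecurityLevel": 3}}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM", "bom-ref": "alg:aes-256-gcm",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae", "nistQuantumSecurityLevel": 5}}},
        # A certificate points at its signature algorithm component by bom-ref.
        {"type": "cryptographic-asset", "name": "CN=api.example.test", "bom-ref": "cert:api",
         "cryptoProperties": {"assetType": "certificate",
                              "certificateProperties": {"signatureAlgorithmRef": "alg:rsa-2048"}}},
        # An asset the scanner could not classify: the level field is absent.
        {"type": "cryptographic-asset", "name": "legacy-digest", "bom-ref": "alg:legacy",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "hash"}}},
    ],
})


def quantum_level(component: dict, by_ref: dict, _depth: int = 0) -> Optional[int]:
    """Level for one component; certificates resolve through signatureAlgorithmRef.
    The depth guard stops a malformed BOM whose refs form a cycle."""
    cp = component.get("cryptoProperties", {})
    if cp.get("assetType") == "certificate":
        target = by_ref.get(cp.get("certificateProperties", {}).get("signatureAlgorithmRef"))
        return quantum_level(target, by_ref, _depth + 1) if target and _depth < 4 else None
    return cp.get("algorithmProperties", {}).get("nistQuantumSecurityLevel")


def check_minimum_level(cbom_json: str, minimum: int) -> dict:
    """Report assets below `minimum` and assets with no level; either fails the check."""
    components = [c for c in json.loads(cbom_json).get("components", []) if "cryptoProperties" in c]
    by_ref = {c["bom-ref"]: c for c in components if "bom-ref" in c}
    violations, unknown = [], []
    for c in components:
        level = quantum_level(c, by_ref)
        if level is None:
            unknown.append(c["bom-ref"])
        elif level < minimum:
            violations.append((c["bom-ref"], level))
    return {"violations": violations, "unknown": unknown, "passed": not violations and not unknown}


if __name__ == "__main__":
    print(json.dumps(check_minimum_level(SAMPLE_CBOM, minimum=3), indent=2))
```

With a minimum of 3 the sample fails on the RSA-2048 algorithm and on the certificate that inherits its level, and the level-less legacy digest is listed under "unknown"; lowering the minimum to 0 clears the violations but the check still does not pass until the unknown asset is classified.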