W 12: Making an HTTPS Server with Post-Quantum Cryptography (10 pts extra)

What You Need

Purpose

To implement post-quantum cryptography on a Web server.

I am following this tutorial.

Using Chrome

In the Chrome browser, open your secure page, as shown below.

Using Chrome Developer Tools

In Chrome, at the top right, click the three-dot icon. Point to "More Tools" and click "Developer Tools".

In the Developer Tools pane, click the Security tab.

In the Connections section, notice these three items, outlined in red in the image below.

Using Wireshark to Examine the HTTPS Handshake

On your host system, launch Wireshark.

Start sniffing on the interface that carries traffic from your host system to your virtual machine.

In Wireshark, at the top left, enter this display filter:

tcp.port==443
Press Enter to activate the filter.

In Chrome, refresh this page:

https://yourname-https.net
When the page loads, stop Wireshark capturing.

Find the Client Hello packet.

Expand these items:

Find the "Supported Group: Unknown (0x11ec)" item, as shown below.

This corresponds to X25519MLKEM768, a hybrid PQC algorithm combining X25519 (ECDH) with ML-KEM-768 (a PQC key encapsulation mechanism).

Server Hello

Find the Server Hello packet.

Expand these items:

The server did not select post-quantum encryption, but the normal x25519 elliptic curve protocol, as shown below.

Adding Post-Quantum Encryption to the Server

On your Debian server, execute this command: 
openssl version
You must have version 3 or later, as shown below.

Install Software

On your Debian server, execute these commands: 
sudo apt update
sudo apt install git cmake libssl-dev ninja-build -y
git clone https://github.com/open-quantum-safe/oqs-provider.git
cd oqs-provider
./scripts/fullbuild.sh
sudo cmake --install _build

Run Tests

On your Debian server, execute this command: 
./scripts/runtests.sh
The tests should pass, as shown below.

Configuring OpenSSL

On your Debian server, execute this command: 
sudo nano /etc/ssl/openssl.cnf
Near the top of the file, remove the "#" to uncomment this line, as shown below: 
openssl_conf = openssl_init

Add the following lines at the end of the file, as shown below. 

# PQC via OpenQuantumSafe
[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect
[default_sect]
activate = 1
[oqsprovider_sect]
activate = 1

Save the file with Ctrl+X, Y, Enter.

Viewing OpenSSL Providers

On your Debian server, execute this command: 
openssl list -providers
You should see the "OpenSSL OQS Provider", as shown below.

Viewing Key Exchange Algorithms

On your Debian server, execute this command: 
openssl list -kem-algorithms
You should see "X25519MLKEM768 @ oqsprovide", highlighted in the image below.

This is the only post-quantum algorithm supported by default in current web browsers.

Enabling the X25519MLKEM768 group in Apache

On your Debian server, execute this command: 
sudo nano /etc/apache2/mods-enabled/ssl.conf
At the bottom ofmthe file, add these lines, as shown below. 
# Configure key exchange and key encapsulation mechanisms
 SSLOpenSSLConfCmd Curves X25519MLKEM768:X448:X25519:prime256v1

Save the file with Ctrl+X, Y, Enter.

Execute this command to restart Apache: 


sudo service apache2 restart

Using Chrome Developer Tools

In Chrome, reload your page.

In the Developer Tools pane, click the Security tab.

In the Connections section, you should now see X25519MLKEM768, outlined in red in the image below.

Flag W 12.1: Server Hello (10 pts)

Capture a TLS handshake in Wireshark.

Find the Server Hello packet.

Expand these items:

  • Transport Layer Security
  • TLSv1.3 Record Layer: Handshake Protocol: Server Hello
  • Handshake Protocol: Server Hello
  • Extension: key_share
  • Key Share extension
The flag is covered by a green rectangle in the image below.

Posted 3-2-25
Font size typo fixed 3-7-25