HNDL for security engineers: handshakes, archives, and evidence
Engineers need specifics: which protocol artifacts are harvested, what hybrid TLS changes, and what evidence to attach after remediation.
Key terms
ECDH, forward secrecy, key encapsulation, ML-KEM, STARTTLS (each is defined on the HNDL hub).
Threat model for engineers
| Asset | Harvested artifact | Post-Q-Day attack |
|---|---|---|
| TLS 1.2/1.3 (ECDHE) | Full handshake + ciphertext | Solve ECDLP → derive session keys |
| RSA-wrapped backups | Encrypted blob + envelope | Factor RSA / break ECIES |
| Email (S/MIME, PGP) | Archived messages | Break public-key layer |
| Code signing | Certificate + signed artifacts | Forge signatures |
Inventory scope beyond web TLS
Your external scan should include:
- JWKS endpoints (OAuth/OIDC signing keys)
- SSH host keys and certificate-based auth
- SMTP STARTTLS for notification and claims systems
- Uploaded PEM bundles and K8s TLS secrets
Hybrid TLS migration path
- Pilot X25519MLKEM768 or an equivalent hybrid key exchange on non-production endpoints
- Capture a handshake-proof appendix for auditor review
- Re-scan to verify the PQC-ready classification
- Expand to the production edge after rollback testing
See the ML-KEM framework guide and the hybrid TLS blog post.
Evidence chain
Auditors want machine-readable inventory (CycloneDX CBOM), signed PDF with /verify link, and drift diffs between scans — not slide decks.
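The migration steps above end with a re-scan that verifies the PQC-ready classification, and the evidence chain asks for drift diffs between scans. The following is an added illustration, not code from the original article: it classifies constructed inventory records (TLS key-exchange group, STARTTLS result, JWKS and SSH key types) and diffs two scans. The record schema, endpoint names and the hybrid-group list are assumptions for the example.

```python
# Added example (not from the original article): classify inventory records
# as PQC-ready or quantum-vulnerable and diff two scans to surface drift.
# The record schema and scan data below are constructed for illustration.

# TLS 1.3 named groups carrying an ML-KEM component (hybrid KEX); extend as needed.
HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# Key types whose security rests on ECDLP or integer factoring (harvestable).
CLASSICAL_PK = {"RSA", "EC", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def classify(record):
    """Return 'pqc-ready', 'vulnerable' or 'unknown' for one inventory record."""
    kind = record["kind"]
    if kind == "tls":
        if not record.get("starttls_ok", True):
            return "unknown"            # STARTTLS failed: no handshake to judge
        if record.get("kex_group") in HYBRID_GROUPS:
            return "pqc-ready"          # session key not recoverable via ECDLP
        return "vulnerable"             # pure ECDHE/RSA: harvested handshake at risk
    if kind in ("jwks", "ssh"):
        if set(record.get("key_types", [])) & CLASSICAL_PK:
            return "vulnerable"         # signatures forgeable once ECDLP/RSA fall
        return "unknown"
    return "unknown"


def drift(before, after):
    """Map endpoint -> (old class, new class) for every change between scans."""
    prev = {r["endpoint"]: classify(r) for r in before}
    curr = {r["endpoint"]: classify(r) for r in after}
    changes = {}
    for ep in sorted(set(prev) | set(curr)):
        old, new = prev.get(ep, "absent"), curr.get(ep, "absent")
        if old != new:
            changes[ep] = (old, new)
    return changes


# Constructed scans: the API edge moves to hybrid KEX; a bastion host appears.
SCAN_1 = [
    {"endpoint": "api.example.test:443", "kind": "tls", "kex_group": "X25519"},
    {"endpoint": "smtp.example.test:587", "kind": "tls", "starttls_ok": True,
     "kex_group": "secp256r1"},
    {"endpoint": "idp.example.test/jwks", "kind": "jwks", "key_types": ["RSA"]},
]
SCAN_2 = [
    {"endpoint": "api.example.test:443", "kind": "tls", "kex_group": "X25519MLKEM768"},
    {"endpoint": "smtp.example.test:587", "kind": "tls", "starttls_ok": True,
     "kex_group": "secp256r1"},
    {"endpoint": "idp.example.test/jwks", "kind": "jwks", "key_types": ["RSA"]},
    {"endpoint": "bastion.example.test:22", "kind": "ssh", "key_types": ["ssh-ed25519"]},
]
```

Feed the output of `drift()` into the drift-diff section of the evidence package; unchanged endpoints are deliberately omitted so the diff stays reviewable.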
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-04
- What Is Post-Quantum Cryptography? NIST, 2024. Official overview of NIST's PQC project, finalized standards, and the harvest-now-decrypt-later threat model.
- FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). NIST, 2024-08. Standardized post-quantum key encapsulation (formerly Kyber).
- NIST IR 8547: Transition to Post-Quantum Cryptography Standards. NIST, 2024. Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
- Why Your Encrypted Data Is Already Being Stolen (Jeremy Allison, CIQ). YouTube, 2025. Practitioner perspective on HNDL, PQC migration complexity, and FIPS certification for open source.