





















Vishnu Ajith, Ulster University
Muhammed Sihan Haroon, Ulster University
The transition to post-quantum cryptography (PQC) is essential to safeguard networked systems against future quantum-enabled adversaries. While recent standardisation efforts have introduced PQC algorithms such as ML-KEM into protocols like TLS 1.3, verifying their correct deployment in realworld systems remains a challenge. Existing approaches rely on configuration-level inspection or high-level cryptographic libraries, which do not reflect actual runtime behaviour. This paper presents a novel methodology for detecting postquantum and hybrid TLS key exchange mechanisms through direct inspection of raw TLS handshake records. By parsing ServerHello messages at the byte level and extracting keyshare group identifiers from the key share extension, the proposed approach enables accurate classification of endpoints into CLASSICAL_ONLY, PQC_ONLY, and HYBRID_CONFIRMED states. We implement the methodology within a prototype compliance system and evaluate it across 38 production endpoints and a controlled three-node cloud testbed spanning two validation phases. Phase 1 reveals that all three testbed nodes — including a PQC-capable application server — are correctly classified as CLASSICAL_ONLY, exposing an application-layer versus transport-layer mismatch invisible to configuration auditing. Phase 2, following an OQS-capable TLS frontend upgrade, produces a confirmed HYBRID_CONFIRMED result with group 0x11EC (X25519MLKEM768) on the same physical server, achieving 100% target accuracy across all three nodes. We further document a critical false positive failure mode in naive string-matching approaches and validate correct four-state classification under known ground-truth conditions. Unlike prior work, this approach provides verifiable, evidence-based assessment of cryptographic posture, enabling reliable auditing of PQC readiness.
Note: This paper presents an external, black-box methodology for detecting post-quantum and hybrid TLS deployments through direct inspection of raw TLS handshake records. The approach classifies endpoints into four cryptographic states using ServerHello key-share group identifiers, evaluated across 38 production endpoints and a controlled three-node cloud testbed. A confirmed HYBRID_CONFIRMED result with group 0x11EC (X25519MLKEM768) is reported alongside documentation of a critical false-positive failure mode in naive subprocess-based probing. A companion paper on topology-driven symbolic verification of PQC migration paths using Tamarin Prover is forthcoming.
BibTeX
@misc{cryptoeprint:2026/834,
author = {Muhammad Ibrahim and Vishnu Ajith and Muhammed Sihan Haroon},
title = {Detecting Post-Quantum and Hybrid {TLS} Deployments via Raw {TLS} Record Inspection},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/834},
year = {2026},
url = {https://eprint.iacr.org/2026/834}
}
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。