惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
T
Threatpost
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - Franky
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
M
MIT News - Artificial intelligence
小众软件
小众软件
Hugging Face - Blog
Hugging Face - Blog
云风的 BLOG
云风的 BLOG
S
Security Affairs
P
Proofpoint News Feed
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
S
Security @ Cisco Blogs
H
Hacker News: Front Page
Security Archives - TechRepublic
Security Archives - TechRepublic
Vercel News
Vercel News
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
Y
Y Combinator Blog
美团技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
月光博客
月光博客
量子位
博客园_首页
The Last Watchdog
The Last Watchdog
D
DataBreaches.Net
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
The Register - Security
The Register - Security
Schneier on Security
Schneier on Security
H
Help Net Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
Google DeepMind News
Google DeepMind News
F
Full Disclosure
C
Cyber Attacks, Cyber Crime and Cyber Security
MyScale Blog
MyScale Blog
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
L
Lohrmann on Cybersecurity
S
Secure Thoughts
Stack Overflow Blog
Stack Overflow Blog
Cloudbric
Cloudbric
Microsoft Security Blog
Microsoft Security Blog

Cisco Blogs

Cisco Live 2026: Bringing the Future of Customer Experience to Las Vegas Edge opportunity for service providers: Turn infrastructure into new services MRC and SRv6: How Foundational Networking Innovations Are Enabling the Next Generation of AI Supercomputers The SMB Marketing Reset: Winning Customer Trust in a Digital-First Economy Inside the SOC: AI-powered DNS defense against ransomware Our Path Forward Securing the Federal Digital Experience with Cisco ThousandEyes for Government Cisco at ONUG Dallas 2026: Securing the AI Data Center in the Agentic Era Cisco and Red Hat are powering intelligent core to edge: Red Hat Summit insights Building the Capabilities That Win: How Cisco Partners Can Lead in the SMB & Mid-Market Era How Two Hours Felt Bigger Than My To-Do List Announcing Foundry Security Spec Ace the CCIE Collaboration Lab: Success Tips from a TAC Engineer Turned CCIE Protecting Agents with Cisco AI Defense and Google Agent Development Kit Powering an Inclusive Future: Your guide to the Purpose Pavilion at Cisco Live Las Vegas The Infrastructure Behind the Mission: SOF Week 2026 Cisco Networking App Marketplace Partners at Cisco Live 2026 Beyond the Pilot: Building the Clinical Data Fabric for the Agentic Era Benchmarking scale-out AI fabrics with Cisco N9000 + AMD Pensando™ Pollara 400 NICs Month of Developer Productivity: Build and Forget The race to autonomous transport networks: A new study Lean IT, future-ready: How to save time and simplify wireless management with AI Reading Between the Pixels: Failure Modes in Vision Language Models Biochar’s triple win: Healthier soils, improved crops, and decarbonization Designing a Proactive Customer Journey Modernize your data center operations with Cisco Nexus Dashboard Why your automation stack needs Cisco Agentic Workflows Try Cisco AI Defense Explorer Edition in this hands-on lab From Bandwidth to Intelligence: How Cisco is Powering AI-Ready Networks Spotlight on digital transformation | FY25 Purpose Report Galaxy Mode is live: A limited-time look at what your Cisco AI Assistant and AgenticOps can already do Securing the Agentic Workforce: Cisco Announces Intent to Acquire Astrix Security Understanding CISA BOD 26-02: Mitigating Risk from End-of-Support Edge Devices Digging Deeper: The Future of Mining with Automation and Ultra-Reliable Wireless Voices from the field: Helping farmers build resilient local economies across rural America Built like a startup, scaled like Cisco: Transforming data center cooling for the AI era Defining Model Provenance: A Constitution for AI Supply Chain Safety and Security Introducing Model Provenance Kit: Know Where Your AI Models Come From Security Insights: A Threat-First View for the Platform That Enforces Access How I Turned My Curiosity into a Patent Maximizing Managed Security Services: A Strategic Guide to Optimizing Your Portfolio (Part 1 of 2) Simplify access control in five easy steps Trust: Why security is your next growth engine Cisco IQ is generally available. Here’s what that actually means. From Vision to Reality: Intelligence in Action with Cisco IQ How connectivity is shaping the future of surgical care The power of your network: Solving a physical security incident on Vision portal 5 signs your data center is holding your AI strategy back Stop Overthinking OT Security: The Total Cost of Ownership and Being Smart with Refreshes AI-Ready, Simpler, and More Secure WAN: Cisco SD-WAN Innovations Scaling the digital future: Why AI and skills investments matter for business and society Expanding our Product Organization Recap Scaling the Future: Reddit AMA on Network Automation at Scale Bringing Professional-Level Skills to Cisco Networking Academy Announcing Cisco Availability in Google Cloud Marketplace: A New Path to Scalable, Partner-Led Growth The Innovation Paradox: How We Reduced Incidents by 25% While Deploying Faster Funding the AI-ready data center: Why flexibility wins The switch that quantum networking has been waiting for From a Message I Couldn’t Believe to a Stage I’ll Never Forget The Hidden Bottleneck Slowing Down Manufacturing Transformation 30 Years as a CCIE: Why Certifications Matter in the AI Era Securing Enterprise AI: Cisco AI Defense Expands to Google Cloud How ThousandEyes Closed the Cloud Visibility Gap by Solving It Themselves First Energy Will Define the Scale of AI Introducing the AI Agent Security Scanner for IDEs: Verify Your Agents Stop Overthinking OT Security: People, Process and Technology Powering the Future of Research: Join Cisco at NLIT 2026 Building the Digital Foundation for a Smarter West Lincoln Memorial Hospital How Cisco built an AI-RRM that maximizes your wireless solution From Automation to Autonomy: Cisco and Rockwell Power a New Era for Manufacturing Unlocking the Future of Fan Engagement: The Power of VisionEDGE Find Yourself in the Future: AI Is the New Baseline—Here’s How to Build Your Skills One Day with Our Customers: Driving better outcomes through customer centricity What It Really Takes to Build an AI-First Workforce From Connectivity to Security: How E80 Future-proofed its AGV Operations with Cisco The Infrastructure of a Floating City: AIDA Cruises’ CX-Led Digital Transformation Scaling your network for AI without a forklift upgrade Why modern networks are moving DDoS defense to the edge Evolve IP Media to AI-Driven Media Fabrics: Future-Proof Broadcast with Cisco and NVIDIA Cisco and Generation are scaling AI-powered pathways to employment Reading Between the Pixels: Assessing Prompt Injection Attack Success in Images Lean IT, future-ready: Why Wi-Fi is your AI growth strategy Cisco Modeling Labs: Bringing the Network Digital Twin to Life AI on the Factory Floor: Why Manufacturing Requires a New Architecture with Cisco Unified Edge Designing for What’s Next: Securing AI-Scale Infrastructure Without Compromise Scaling the Future: Join Our Reddit AMA on Network Automation at Scale 5 wireless trends retail IT teams can’t ignore in 2026 Can your infrastructure management tools do that? Sustainability 101: Let’s talk about energy efficiency From Chai Breaks to Checkpoints: A Day at Cisco Bengaluru Preparing for Post-Quantum Cryptography: The Secure Firewall Roadmap Non-Obvious Patterns in Building Enterprise AI Assistants Making AI Trustworthy and Observable in Real-Time: Cisco Announces Intent to Acquire Galileo A simpler path to unified, AI-ready network operations Cisco Celebrates The Smart Industry Industrial Transformation Award Winners Mobile World Congress 2026: AI-powered Network Security Powering MWC Barcelona – Building a Unified SOC and NOC with Splunk in Record Time How New Data Streams Transformed Cisco Store’s Decision-Making AI-powered Network Security at the Mobile World Congress 2026 SNOC Inside the Mobile World Congress 2026 SOC: Detecting Shadow Traffic with Firepower 6100
From Strategy to Architecture: How Cisco is Building a Quantum-Safe Future
Christian Chisholm · 2026-04-30 · via Cisco Blogs

We recently outlined the quantum threat: cryptographically relevant quantum computers are coming, adversaries are already harvesting encrypted data today, and the risk isn’t limited to confidentiality. The integrity of the systems we depend on, the trust layer underneath everything, is equally exposed.

We also introduced Cisco’s two-pillar response: Secure Communications and Secure Products. We believe that both pillars are needed to ensure consistent, pervasive protection across the entire network, the kind that closes gaps rather than just addressing the most visible ones.

This blog will dive into the architecture behind the strategy to explain how Cisco is operationalizing the pillars across the communication planes, inside the chipset, and down to the firmware that loads before your operating system even boots.

Secure Communications: Protecting Every Layer of Your Network

Most conversations around Post-Quantum Cryptography (PQC) have focused on data in transit and the ‘Harvest Now, Decrypt Later’ (HNDL) threat. But pursuing quantum-secure communications requires more holistic solutions than what is typically discussed.

A network isn’t a single surface. It operates across three distinct planes, each with its own protocols and its own exposure to quantum risk.

The Management Plane handles remote administration (e.g., SSH, TLS/HTTPS, NETCONF, gRPC). These are the sessions through which infrastructure is configured and controlled. A harvested management session doesn’t just expose data; it can expose privileged access. Integrating PQC into these protocols helps ensure that the cryptography protecting privileged access remains resilient as quantum capabilities evolve.

The Control Plane governs how devices communicate with each other – routing decisions, authentication between peers, and signaling. Compromising the control plane is how you redirect traffic, create blind spots, and manipulate what a network believes to be true. PQC integration here means those signals are better able to remain authenticated against quantum-capable forgery.

The Data Plane is where user traffic flows – and where the HNDL exposure is most direct. The sessions your customers, employees, and operations depend on today are the harvest targets of tomorrow.

Cisco is integrating PQC across all three planes and at every relevant layer of the OSI model. For example

  • Layer 2: Quantum-resistant MACsec for local link protection
  • Layer 3: IPsec VPNs with PQC-based IKEv2 key exchange, protecting remote access at the tunnel level
  • Layer 4+: PQC in TLS, securing web applications, APIs, and customer-facing traffic end to end

Meeting Organizations Where They Are

No organization transitions to quantum-safe infrastructure overnight. The ability to adopt new algorithms without rearchitecting everything is as important as the algorithms themselves.

On the key exchange side, Cisco supports multiple paths forward:

  • Hybrid Key Exchange uses a PQC algorithm like ML-KEM, optionally combined with a classical algorithm like Diffie-Hellman. Session keys generated this way are more secure against both classical and quantum attacks.
  • Enhanced Pre-Shared Keys (PPK) strengthens existing key exchanges by mixing in a quantum-resistant, pre-shared key established out-of-band. This integrates naturally with external key management systems, including Quantum Key Distribution platforms for the most sensitive environments.

To maintain trustworthy authentication, Cisco is transitioning to PQC-based certificates and PKI-leveraging, quantum-safe signature algorithms such as ML-DSA. This transition will help ensure device and user identities remain trustworthy in a post-quantum world.

Secure Products: Beyond Communication to Where the Trust Chain Begins

Here’s the uncomfortable truth about most quantum-safe strategies: they stop at the network layers.

Protecting data in transit is necessary. But ask a harder question: what happens if the device generating, managing, and enforcing that security has been compromised at a deeper level, before a single packet is encrypted?

Cryptography is the foundation beneath every technology that protects our systems from cyber threats. To maintain that foundation, cryptographic capabilities across the entire product stack must be modernized, not just at the communication layer, but at the platform level where those protections are enforced.

Every device runs a boot sequence: a series of steps that load firmware, initialize hardware, and hand off to the operating system. Each step assumes the previous one was legitimate. Each step, in other words, is a link in a chain of trust.

If any link in that chain can be forged – through a quantum-capable signature attack – the foundation collapses. An attacker doesn’t need to break your VPN. They can compromise the device before the VPN ever loads.

This is where Cisco’s approach diverges from the field. Most vendors are solving the protocol problem. Cisco is also solving the platform problem.

A Secure Boot Process Built for the Quantum Era

Before NIST finalized post-quantum algorithms, Cisco had already deployed a proprietary, hash-based signing scheme on select platforms, recognizing that the window between an emerging threat and finalized standards is itself a risk period that cannot be ignored.

With NIST-approved algorithms now in place, Cisco is implementing, on select platforms, a multi-stage quantum-safe secure boot process:

  • LMS (Leighton–Micali Signatures) / XMSS (eXtended Merkle Signature Scheme): The root of trust verifies the first-stage bootloader using a hash-based, quantum-resistant signature scheme such as LMS or XMSS (on select platforms).
  • ML-DSA-87: The bootloader verifies the operating system image prior to execution using ML-DSA signatures.

This chain extends further, to OS-level validation of application images. Every layer of software that loads on a Cisco platform is designed to be cryptographically verified as authentic and untampered before it runs. That verification will be quantum-resistant at each stage.

Trust Anchor Module

At the center of this architecture is Cisco’s Trust Anchor Module, a tamper-resistant hardware root of trust that Cisco plans to embed in Cisco’s Secure Routers, Smart Switches, Firewalls and more.

The Trust Anchor Module (TAm) underpins both secure boot and device identity. It is designed to securely store cryptographic keys, Secure Unique Device Identifier (SUDI), and Attestation Identity Key (AIK) certificates that have been updated with PQC algorithms including LMS and ML-DSA-87. The TAm provides a certifiable entropy source for strong key generation and supports PQC-signed certificates that help ensure each device’s identity can be verified, trusted, and attested, even as quantum capabilities advance.

What this means operationally: a device can prove what it is, prove that it hasn’t been tampered with, and maintain that attestable proof and trustworthiness across its lifecycle. For organizations whose infrastructure refresh cycles span longer periods, that matters enormously. The security embedded at manufacturing time either holds up – or it doesn’t.

That’s a fundamentally different level of protection than protocol updates alone can provide.

Quantum-safe communications running on a compromised platform is a false sense of security. It’s the equivalent of installing a high-security lock on a door with a compromised frame – the lock is real, but the protection isn’t.

As we move closer to Q-Day, the nature of the threat evolves. Early concerns focus on HNDL attacks against data in transit. But over time, the risk shifts toward direct attacks on system integrity and altogether undermining the platforms enforcing security. The goal will no longer be just to protect network traffic, but to protect entire platforms.

By embedding quantum-resistant trust directly into firmware, hardware, and through all relevant stages of the boot process, we help ensure that the platform enforcing your security posture is itself beyond quantum reach. That’s a fundamentally different level of protection, one that becomes more valuable, not less, as quantum capabilities mature.

Two Pillars. One Posture.

Secure Communications and Secure Products aren’t parallel workstreams. They are complementary layers of the same architecture: quantum-safe protocols protecting traffic in transit, quantum-resistant hardware anchoring the platforms that enforce it, and PQC-based identity running through both.

We’ve spent considerable time building that clarity internally. What we’ve developed goes beyond our own products – it’s a way of thinking about quantum readiness that we believe has broader relevance for the industry.

We’ll be sharing more on our quantum-safe infrastructure framework soon. In the meantime, visit the Cisco Trust Center to learn more about our PQC approach and stay ahead of what’s coming.


We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social Media

LinkedIn
Facebook
Instagram