Zscaler Launches Interactive Reporting and Logging Capabilities for Rapid Access to Post-Quantum Cryptography (PQC) Insights

Zscaler Blog

Zscaler Launches Interactive Reporting and Logging Capabilities for Rapid Access to Post-Quantum Cryptography (PQC) Insights

Quantum computing is set to redefine the world's computational capabilities. Classical computers manipulate data in binary 0s and 1s, but quantum computers allow for a single quantum bit (or qubit) to represent multiple states simultaneously-this means that tasks formerly deemed computationally infeasible, like factoring large numbers, will be solved exponentially faster.

Of course, this comes with risk. When quantum computing achieves large-scale usage, malicious actors will be able to use these powerful machines to break certain traditional encryption algorithms. Threat actors are already using a tactic called "harvest now, decrypt larger" in which they capture and steal encrypted data with the intention to decrypt it down the road. Therefore, transitioning to quantum-resistant algorithms, known as Post-Quantum Cryptography (PQC), is on the short-term roadmap for many CISOs.

Zscaler is committed to providing the highest level of security for our customers and that includes timely adoption of the latest innovations in the encryption space. In that spirit, we're excited to launch the Post-Quantum Cryptography Visibilityreport, now generally available to all customers in the Zscaler Admin Portal which can be accessed under Analytics > Interactive Reports > Web Activity > Post Quantum Cryptography Visibility.

The new interactive report provides insights including details on PQC algorithms as applied to customer traffic including:

• Most frequently used PQC Key Exchange and SSL/TLS versions
• Distribution of transactions, differentiating between traffic processed with PQC and non-PQC key exchange
• Top users that have engaged in PQC key exchange

Access Quantum Algorithm Data in Web Insights Logs

We know our customers need to access data in different ways that suit their workflows, and to that end we've updated the Web Insights Log report also to include quantum algorithm data at a granular level. The new fields and columns include:

• Client Digital Signature Proposal
• Client Key Exchange Proposal
• Client Side Key Exchange Algorithm
• Server Side Key Exchange Algorithm
• Client Side Digital Signature Algorithm
• Server Side Digital Signature Algorithm

Nanolog Streaming Service (NSS) Feeds Updated to Enable Ingesting Quantum Algorithm Data via API

Customers can also add the new fields listed below to the Feed Output Format when configuring an NSS or Cloud NSS feed for web logs. Once ingested via API into a SIEM or other data manipulation tool, IT or Security stakeholders can further examine the data for further analysis.

• %d{client_tls_keyex_pqc_offers}
• %d{client_tls_keyex_non_pqc_offers}
• %d{client_tls_keyex_hybrid_offers}
• %d{client_tls_keyex_unknown_offers}
• %d{client_tls_sig_pqc_offers}
• %d{client_tls_sig_non_pqc_offers}
• %d{client_tls_sig_hybrid_offers}
• %d{client_tls_sig_unknown_offers}
• %s{client_tls_keyex_alg}
• %s{server_tls_keyex_alg}
• %s{client_tls_sig_alg}
• %s{server_tls_sig_alg}

Reduce the Friction of Transitioning to Post-Quantum Cryptography

Access to more data about your organization's environment and the traffic it generates will reduce the friction of transitioning to post-quantum cryptography. With these new capabilities you can focus on three areas of activity to apply this new post-quantum cryptographic algorithm data for both strategic planning and operational execution:

Identify and mitigate risks associated with post-quantum adoption

• Understand how traffic is segregated between classical vs. PQC algorithms when it comes to what crypto stack and client algorithms are in use.
• Know what key exchange algorithms are in use by client software or other software services in your environment: the visibility we provide can show you what clients across your organization are not PQC-ready.
• Identify misconfigurations such as the usage of pure PQC key exchange algorithms instead of the industry-recommended hybrid approach. Visibility ensures that configurations adhere to best practices.

Ensure compatibility and regulatory compliance

• Monitor hybrid cryptography use:many organizations will use hybrid cryptographic models during their transition from classical algorithms to PQC-for example, combining traditional algorithms (ECDHE) with post-quantum algorithms (ML-KEM). Visibility ensures that hybrid schemes are properly implemented and monitored for the strongest security.
• Manage algorithm vulnerabilities: knowing which algorithms are being used allows organizations to monitor for potential issues and pivot quickly if a particular algorithm is compromised or no longer recommended by the regulators or the security community.

Protect against quantum threats and data theft today

• Classical encryption detection: customers can monitor whether classical algorithms, such as ECDHE, are still being used alongside or instead of post-quantum algorithms. Doing so can detect transitional flaws during migrations from classical to quantum-resistant algorithms. Additionally, you can detect where older encryption methods are still used, exposing critical data to quantum threats (e.g., rapidly decrypting data that is transferred over communications leveraging a traditional key exchange algorithm instead of post-quantum algorithm).
• Encryption strength monitoring: Organizations can confirm that PQC algorithms are being correctly implemented to safeguard traffic from future quantum-powered decryption.

Building the Foundation for a Quantum-Safe Future

This release marks the first of three phases of Zscaler's vision for a Post-Quantum Era:

Now that we're providing the visibility you need to know what quantum algorithms are in use on the traffic in your environment, we're working now towards our second phase milestone of enabling full decryption and inspection of TLS traffic leveraging post-quantum key exchange. In our third phase we'll support post-quantum digital signatures across the Zero Trust Exchange platform and fully transition to quantum-resistant algorithms. In summary, Zscaler is building the foundation for a secure digital future.

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.

Explore more Zscaler blogs

Get the latest Zscaler blog updates in your inbox