Cryptographic Attestation
QNSP provides forensic-grade cryptographic attestation that goes beyond simple discovery scans. Every cryptographic operation produces verifiable evidence that can be audited, replayed, and used for compliance reporting.
Overview
Cryptographic attestation in QNSP includes:
- Algorithm Lifecycle Tracking - NIST status (Final/Draft/Deprecated) for every algorithm
- Policy Enforcement - Hard gates that block non-compliant cryptographic operations
- CBOM Export - Machine-verifiable Cryptographic Bill of Materials
- Compliance Assessment - Automated CNSA 2.0 and FIPS 140-3 compliance checks
- Merkle-rooted Audit Logs - Tamper-evident audit trails with signed checkpoints
Crypto Policy Engine
The Crypto Policy Engine enforces cryptographic policies at the edge gateway level, providing hard gates for algorithm allowlists/blocklists.
Policy Modes
| Mode | Description |
|---|---|
| audit | Log violations but allow operations |
| enforce | Block non-compliant operations |
Configuration Options
```typescript
interface CryptoPolicyConfig {
  enabled: boolean;                     // master switch for the policy engine
  mode: "audit" | "enforce";            // see Policy Modes: log only, or block
  allowedKemAlgorithms: string[];       // KEM allowlist (e.g. kyber-768)
  allowedSignatureAlgorithms: string[]; // signature allowlist (e.g. dilithium-3)
  allowedSymmetricAlgorithms: string[]; // symmetric cipher allowlist
  forbiddenAlgorithms: string[];        // blocklist of algorithm identifiers
  minimumSecurityLevel: number;         // NIST security level 1-5 (see Algorithm Registry)
  requireNistFinal: boolean;            // only NIST-final algorithms; rejects Draft/Deprecated
  allowClassicalFallback: boolean;      // permit classical algorithms during migration
  hybridModeRequired: boolean;          // require hybrid (PQC + classical) operation
}
```
Policy Presets
QNSP provides two policy presets:
Default Policy - PQC preferred, classical fallback allowed
- All NIST-final PQC algorithms allowed
- Classical algorithms allowed for migration
- Minimum security level: 1
Strict Policy - PQC required, no classical algorithms
- Only high-security PQC algorithms (Kyber-768+, Dilithium-3+)
- Classical algorithms forbidden
- NIST-final status required
- Minimum security level: 3
Algorithm Registry
QNSP maintains a comprehensive registry of cryptographic algorithms with lifecycle status:
NIST-Final Algorithms (FIPS 203/204/205)
| Algorithm | NIST Name | Type | Security Level |
|---|---|---|---|
| kyber-512 | ML-KEM-512 | KEM | 1 |
| kyber-768 | ML-KEM-768 | KEM | 3 |
| kyber-1024 | ML-KEM-1024 | KEM | 5 |
| dilithium-2 | ML-DSA-44 | Signature | 2 |
| dilithium-3 | ML-DSA-65 | Signature | 3 |
| dilithium-5 | ML-DSA-87 | Signature | 5 |
| sphincs-shake-128f-simple | SLH-DSA-SHAKE-128f | Signature | 1 |
| sphincs-shake-256f-simple | SLH-DSA-SHAKE-256f | Signature | 5 |
Draft Algorithms (Pending Standardization)
| Algorithm | Type | Security Level |
|---|---|---|
| falcon-512 | Signature | 1 |
| falcon-1024 | Signature | 5 |
Deprecated Algorithms
| Algorithm | Replacement | Deprecation Date |
|---|---|---|
| rsa-2048 | dilithium-2 | 2030-01-01 |
| rsa-4096 | dilithium-3 | 2030-01-01 |
| ecdsa-p256 | dilithium-2 | 2030-01-01 |
| ecdsa-p384 | dilithium-3 | 2030-01-01 |
API Endpoints
Get Crypto Policy
GET /platform/v1/crypto/policy
Returns the current crypto policy configuration and attestation.
Check Algorithm
GET /platform/v1/crypto/policy/check?algorithm=kyber-768&context=kem
Check if an algorithm is allowed by the current policy.
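The decision behind this check, as an added example modelled on the CryptoPolicyConfig interface, the two presets and the registry above; it is not QNSP's own code. The registry is a subset of the tables, and the preset modes, the rsa-2048 security level and the order in which the gates are evaluated are assumptions made for illustration.

```typescript
type Status = "NIST_FINAL" | "DRAFT" | "DEPRECATED";
type Context = "kem" | "signature";
interface AlgorithmInfo { type: Context; level: number; status: Status; classical?: boolean }
interface Decision { allowed: boolean; action: "allow" | "log" | "block"; reason: string }
interface CryptoPolicyConfig {               // fields as documented above
  enabled: boolean; mode: "audit" | "enforce";
  allowedKemAlgorithms: string[]; allowedSignatureAlgorithms: string[];
  allowedSymmetricAlgorithms: string[]; forbiddenAlgorithms: string[];
  minimumSecurityLevel: number; requireNistFinal: boolean;
  allowClassicalFallback: boolean; hybridModeRequired: boolean;
}
// Subset of the algorithm registry; rsa-2048's level is an assumption (not on the page).
const REGISTRY: Record<string, AlgorithmInfo> = {
  "kyber-768": { type: "kem", level: 3, status: "NIST_FINAL" },
  "dilithium-2": { type: "signature", level: 2, status: "NIST_FINAL" },
  "dilithium-3": { type: "signature", level: 3, status: "NIST_FINAL" },
  "falcon-512": { type: "signature", level: 1, status: "DRAFT" },
  "rsa-2048": { type: "signature", level: 1, status: "DEPRECATED", classical: true },
};
// Default preset: PQC preferred, classical fallback allowed, level >= 1 (audit mode assumed).
const DEFAULT_POLICY: CryptoPolicyConfig = {
  enabled: true, mode: "audit", allowedKemAlgorithms: ["kyber-768"],
  allowedSignatureAlgorithms: ["dilithium-2", "dilithium-3", "rsa-2048"],
  allowedSymmetricAlgorithms: [], forbiddenAlgorithms: [], minimumSecurityLevel: 1,
  requireNistFinal: false, allowClassicalFallback: true, hybridModeRequired: false,
};
// Strict preset: Kyber-768+/Dilithium-3+, classical forbidden, NIST-final, level >= 3.
const STRICT_POLICY: CryptoPolicyConfig = {
  ...DEFAULT_POLICY, mode: "enforce", allowedSignatureAlgorithms: ["dilithium-3"],
  forbiddenAlgorithms: ["rsa-2048"], minimumSecurityLevel: 3,
  requireNistFinal: true, allowClassicalFallback: false,
};
// Returns the first gate that `alg` fails for `ctx`, or null when it is compliant.
function findViolation(p: CryptoPolicyConfig, alg: string, ctx: Context): string | null {
  const info = REGISTRY[alg];
  if (!info) return `${alg}: not in algorithm registry`;
  if (p.forbiddenAlgorithms.includes(alg)) return `${alg}: on forbidden list`;
  if (info.classical && !p.allowClassicalFallback) return `${alg}: classical fallback disabled`;
  const allow = ctx === "kem" ? p.allowedKemAlgorithms : p.allowedSignatureAlgorithms;
  if (!allow.includes(alg)) return `${alg}: not on ${ctx} allowlist`;
  if (p.requireNistFinal && info.status !== "NIST_FINAL") return `${alg}: ${info.status}, NIST-final required`;
  if (info.level < p.minimumSecurityLevel) return `${alg}: level ${info.level} < ${p.minimumSecurityLevel}`;
  return null;
}
// Policy Modes: audit logs the violation but allows the operation; enforce blocks it.
function checkAlgorithm(p: CryptoPolicyConfig, alg: string, ctx: Context): Decision {
  if (!p.enabled) return { allowed: true, action: "allow", reason: "policy disabled" };
  const violation = findViolation(p, alg, ctx);
  if (violation === null) return { allowed: true, action: "allow", reason: "compliant" };
  if (p.mode === "audit") return { allowed: true, action: "log", reason: violation };
  return { allowed: false, action: "block", reason: violation };
}
```

The same request (`algorithm=rsa-2048`, signature context) is allowed under the default preset but blocked under the strict one, which is the behaviour the audit-first best practice below relies on.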
List Algorithms
GET /platform/v1/crypto/algorithms
GET /platform/v1/crypto/algorithms?status=NIST_FINAL
GET /platform/v1/crypto/algorithms?type=signature
List all algorithms in the registry with optional filtering.
Get CBOM
GET /platform/v1/crypto/cbom
Generate and return the Cryptographic Bill of Materials.
Get Compliance Status
GET /platform/v1/crypto/compliance
Get compliance status summary for all frameworks.
Get Attestation
GET /platform/v1/crypto/attestation
Generate a comprehensive cryptographic attestation document.
Cloud Portal
Access crypto attestation in the Cloud Portal:
- Navigate to Security → Crypto Attestation
- View compliance status for CNSA 2.0 and FIPS 140-3
- See algorithms in use across all services
- Download CBOM for compliance reporting
Admin Portal
Manage crypto policies in the Admin Portal:
- Navigate to Crypto → Policy
- View current policy configuration
- See algorithm registry with lifecycle status
- Monitor enforcement decisions
Best Practices
- Start in Audit Mode - Enable policy enforcement in audit mode first to identify violations without blocking operations.
- Use NIST-Final Algorithms - Prefer algorithms with NIST-final status for production workloads.
- Regular CBOM Export - Export the CBOM regularly for compliance documentation.
- Monitor Deprecated Algorithms - Track deprecated algorithm usage and plan migrations.
- Set Minimum Security Level - Configure the minimum security level based on data classification.