Quantum Readiness Scoring System

Comprehensive post-quantum cryptography preparedness assessment

Overview

The Quantum Readiness Scoring System evaluates a system's preparedness for the post-quantum cryptography (PQC) era. Using a comprehensive 100-point scale, it assesses hardware capabilities, operating system support, cryptographic libraries, and network readiness to provide actionable insights and upgrade recommendations.

Local Mode Only

Quantum readiness assessment is only available during local mode scans (-mode local). It can be disabled with the -disable-quantum-readiness flag.

Assessment Categories

  • Hardware Assessment: CPU, memory, security hardware (40 points)
  • Operating System: Version support, crypto frameworks (30 points)
  • Crypto Libraries: OpenSSL, system crypto support (25 points)
  • Network Readiness: Bandwidth, protocol capabilities (6 points)

Readiness Levels

Ready: 88+ (workstation) / 92+ (server)
Partially Ready: 68–87 (workstation) / 75–91 (server)
Update Required: 45–67 (workstation) / 55–74 (server)
Not Ready: <45 (workstation) / <55 (server)

Scoring Methodology

Hardware Assessment (40 Points)

CPU Capabilities (20 Points)

  • Architecture: 64-bit required (0 points for 32-bit)
  • Instruction Sets: AES-NI, AVX2, BMI support
  • Core Count: Multi-core performance scaling
  • CPU Generation: Modern architecture support

Memory Capacity (15 Points)

  • 8GB+: 8-10 points
  • 16GB+: 12-13 points
  • 32GB+: 15 points (server threshold)
  • 64GB+: 15 points (enterprise)

Security Hardware (5 Points)

  • TPM Module: Hardware security support
  • Secure Boot: Boot integrity verification
  • Hardware RNG: True random number generation
  • Enclave Support: Intel SGX, ARM TrustZone

Operating System Assessment (30 Points)

Version Support (20 Points)

macOS Scoring:
  • 15.0+ (Sequoia): 20 points
  • 14.0+ (Sonoma): 15 points
  • 13.0+ (Ventura): 12 points
  • 12.0+ (Monterey): 8 points
  • 11.0+ (Big Sur): 5 points
  • 10.15+ (Catalina): 2 points
  • Older versions: 0 points
Windows Scoring:
  • Windows 11 24H2+: 20 points
  • Windows 11: 15 points
  • Windows 10 22H2: 10 points
  • Windows 10 older: 5 points
  • Windows 8.1 or older: 0 points
Linux Scoring:
  • Kernel 6.0+: 20 points
  • Kernel 5.15+: 15 points
  • Kernel 5.4+: 10 points
  • Kernel 4.x: 5 points
  • Older kernels: 0 points

Crypto Framework (10 Points)

  • Modern Framework: Native PQC APIs available
  • Crypto Libraries: System-level crypto support
  • API Compatibility: PKCS#11, CNG, Security.framework
  • Hardware Integration: HSM and TPM support

Crypto Libraries Assessment (25 Points)

OpenSSL Version (15 Points)

  • 3.4.0+: 15 points (Full PQC support)
  • 3.3.0+: 12 points (Experimental PQC)
  • 3.2.0+: 10 points (Limited PQC)
  • 3.1.x: 8 points
  • 3.0.x: 6 points
  • 1.1.1: 3 points (Legacy)
  • 1.1.0 or older: 0 points

System Crypto (10 Points)

Platform-Specific:
  • macOS: Security.framework, CommonCrypto
  • Windows: CNG, CAPI, Schannel
  • Linux: libgcrypt, NSS, kernel crypto
Assessment Factors:
  • Library version and PQC readiness
  • Algorithm support coverage
  • Performance optimization level
  • Integration with system services

Network Readiness Assessment (6 Points)

Bandwidth Capacity (3 Points)

  • Gigabit+: 3 points
  • 100 Mbps+: 2 points
  • 10 Mbps+: 1 point
  • Below 10 Mbps: 0 points

Protocol Support (3 Points)

  • TLS 1.3: Modern protocol support
  • HTTP/2, HTTP/3: Advanced protocols
  • IPv6: Next-generation networking
  • WPA3 WiFi: Secure wireless protocol

System Classification & Thresholds

Workstation Systems

Classification Criteria:

  • Desktop or laptop computers
  • Single-user or personal systems
  • Platform family contains "workstation" or "standalone"
  • RAM < 32GB (typical threshold)

Readiness Thresholds:

Ready: 88–100 points
Partially Ready: 68–87 points
Update Required: 45–67 points
Not Ready: 0–44 points

Server Systems

Classification Criteria:

  • Enterprise or data center systems
  • Multi-user or service systems
  • High-performance hardware specifications
  • RAM ≥ 32GB (typical threshold)

Readiness Thresholds:

Ready: 92–100 points
Partially Ready: 75–91 points
Update Required: 55–74 points
Not Ready: 0–54 points

Criticality Levels & Score Adjustments

Critical

Mission-critical systems (domain controllers, CAs, HSMs).

Score <85 → ×0.90 penalty applied.

Important

High-importance systems (application servers, web servers).

Score <75 → ×0.95 penalty applied.

Standard

Standard business systems with normal security needs.

No score adjustment applied.

Critical Failure Conditions

Certain system characteristics result in automatic score reductions or caps, reflecting fundamental incompatibilities with post-quantum cryptography requirements.

Hard Block — Overall Score = 0

  • 32-bit Architecture

    Assessment returns immediately with overall score 0 and status "Not Ready". Cannot support PQC key sizes or operations.

Score Penalties & Limitations

  • Low Memory (<4GB)

    Earns 0 points for the memory component only (up to 10 pts lost). The overall assessment continues; the system is not hard-blocked.

  • Critical System Scoring <85

    10% penalty applied to overall score for mission-critical systems (domain controllers, CAs) that have not yet reached the critical threshold.

  • Important System Scoring <75

    5% penalty applied to overall score for high-importance systems (application servers, web servers) below the target threshold.

Recommendations & Upgrade Pathways

Immediate Actions (High Impact)

  • Operating System Update: Upgrade to latest OS version with PQC framework support
  • OpenSSL Upgrade: Update to OpenSSL 3.4.0+ for full post-quantum algorithm support
  • Memory Upgrade: Increase RAM to recommended levels (16GB+ workstation, 32GB+ server)
  • Architecture Migration: Replace 32-bit systems with 64-bit alternatives

Medium-Term Improvements

  • Hardware Security: Enable TPM, Secure Boot, hardware RNG capabilities
  • Network Infrastructure: Upgrade to gigabit networking, implement TLS 1.3
  • Crypto Framework: Integrate modern cryptographic APIs and libraries
  • CPU Upgrade: Modernize processors with AES-NI, AVX2 instruction sets

Long-Term Strategy

  • PQC Algorithm Testing: Implement and test NIST-approved algorithms
  • Performance Optimization: Tune systems for PQC cryptographic workloads
  • Security Policy Updates: Develop quantum-safe cryptographic policies
  • Training & Documentation: Prepare teams for post-quantum transition

Timeline Estimates

Ready (88+ workstation / 92+ server): Immediate deployment
Partially Ready (68–87 workstation / 75–91 server): 2–6 months
Update Required (45–67 workstation / 55–74 server): 6–12 months
Not Ready (<45 workstation / <55 server): 12+ months

Technical Integration

Command Line Usage

# Enable quantum readiness assessment (default in local mode)
./certscanner -mode local -output report.json

# Disable quantum readiness assessment
./certscanner -mode local -disable-quantum-readiness -output report.json

# View quantum assessment in different formats
./certscanner -mode local -outputformat json -output quantum.json
./certscanner -mode local -outputformat tychon -output quantum.ndjson
./certscanner -mode local -outputformat html -output quantum.html

Output Integration

  • JSON: quantum_readiness field in scan report
  • NDJSON: Flattened quantum.* fields in all events
  • Tychon: ECS-compliant quantum assessment events
  • HTML: Interactive scoring dashboard
  • EventLog: Event ID 1005 for quantum assessments

API Data Structure

{
  "quantum_readiness": {
    "assessment_id": "qr_20250915_101539_abc123",
    "timestamp": "2025-09-15T10:15:39.123456-07:00",
    "assessment_type": "workstation",
    "overall_score": 65,
    "max_possible_score": 100,
    "readiness_status": "Update Required",
    "status_color": "orange",
    "hardware_score": {
      "total_score": 32,
      "total_max_score": 40,
      "cpu_score": 18,
      "cpu_max_score": 20,
      "memory_score": 14,
      "memory_max_score": 15,
      "security_hw_score": 0,
      "security_hw_max_score": 5
    },
    "operating_system_score": {
      "total_score": 15,
      "total_max_score": 30,
      "os_version_score": 12,
      "os_version_max_score": 20,
      "crypto_api_score": 3,
      "crypto_api_max_score": 10
    },
    "crypto_library_score": {
      "total_score": 12,
      "total_max_score": 25,
      "openssl_score": 8,
      "openssl_max_score": 15,
      "system_crypto_score": 4,
      "system_crypto_max_score": 10
    },
    "network_score": {
      "total_score": 6,
      "total_max_score": 6,
      "bandwidth_score": 3,
      "bandwidth_max_score": 3,
      "protocol_score": 3,
      "protocol_max_score": 3
    },
    "recommendations": [
      "Upgrade to macOS 15.0+",
      "Update OpenSSL to 3.4.0+"
    ]
  }
}

TLS Letter Grade System

In addition to the system-level 0–100 score, each TLS port, application, and the overall system receives a letter grade (A+ through F) derived from what the scanner observes on the wire: TLS protocol, key exchange, certificate, and cipher suite quality.

Grade Thresholds

Grade (score): meaning
  • A+ (98–100): CNSA 2.0 compliant — ML-KEM-1024 + post-quantum cert + TLS 1.3.
  • A (85–97): Quantum ready — PQC KEX present (ML-KEM-768 or hybrid), strong cert.
  • B (70–84): Best achievable with classical-only crypto — TLS 1.3 + X25519 + good cert.
  • C (50–69): Moderate risk — TLS 1.2 + ECDHE or weak cert.
  • D (30–49): Significant risk — RSA KEX, old TLS, or poor cert.
  • F (0–29): Critical — broken ciphers, TLS 1.0/1.1 primary, very weak RSA.

Per-Port Scoring (0–100 points)

Design intent: An A grade is unreachable without actual PQC key exchange. TLS 1.3 + ML-KEM-768 + any reasonable cert (RSA-2048+) guarantees a minimum A. A+ requires CNSA 2.0 key sizes (ML-KEM-1024).

Component (max points): key rules
  • Protocol Level (20): TLS 1.3 = 20; TLS 1.2 = 10; TLS 1.1 = 3; TLS 1.0 = 1. Deduct 3 if TLS 1.1 appears in the supported list; deduct 5 if TLS 1.0 does.
  • Primary Key Exchange (35): ML-KEM-1024 hybrid = 35; ML-KEM-768 hybrid = 32; ML-KEM-1024 only = 33; ML-KEM-768 only = 30; ML-KEM-512 = 25; X25519/X448 = 20; secp384r1/P-521 = 18; secp256r1 = 17; RSA (no ephemeral) = 5.
  • Certificate Public Key (20): ML-DSA/SLH-DSA/FALCON = 20; EC P-384+/P-521/Ed448 = 17; EC P-256/Ed25519 = 16; RSA-4096 = 15; RSA-3072 = 13; RSA-2048 = 12; RSA-1024 = 3.
  • Signature Hash (10): SHA-512/SHA-384 = 10; SHA-256 = 8; SHA-1 = 2; MD5 = 0; unknown = 5.
  • Cipher Suite Quality (15): Start at 15. AES-128-GCM = −1; CBC mode = −4; broken (RC4/DES/3DES/NULL) = −8; any insecure cipher in supported list = −3; weak cipher = −1. Floor at 0.

Certificate Validity Deductions

Applied post-sum; can push score below a grade threshold. Floor at 0.

Condition: deduction
  • Certificate is expired: −10 pts
  • Certificate is self-signed: −5 pts
  • Certificate validity > 5 years: −8 pts
  • Certificate validity > 3 years: −5 pts

Application & System Grades

Application Grade

  • Base = worst-port score (weakest link)
  • OS deductions: −5 if no TLS 1.3 support; −5 if no PQC crypto stack; −3 if OS is end-of-life
  • Deductions are additive — apps with their own TLS stack (Nginx, JVM) may still earn A/A+

System Grade

  • Weighted average of app scores (weighted by port count)
  • OS bonus: 0–5 pts from OperatingSystemScore
  • Capped at 100; uses same A–F thresholds

Score Ceiling Examples

Configuration: max score / grade
  • Classical only — TLS 1.3 + X25519 + Ed25519 + SHA-384 + AES-256: 83 / B
  • TLS 1.3 + ML-KEM-768 only + RSA-2048 + SHA-256 + AES-256: 85 / A
  • TLS 1.3 + ML-KEM-768 hybrid + ML-DSA cert + perfect: 97 / A
  • TLS 1.3 + ML-KEM-1024 only + ML-DSA cert + perfect: 98 / A+
  • TLS 1.3 + ML-KEM-1024 hybrid + ML-DSA cert + perfect: 100 / A+
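The per-port scoring, validity deductions and grade thresholds above, carried through as an added example that is not certscanner's own code. The input field names are constructed for the example; the unspecified "weak cipher" deduction is left out, and the >5-year and >3-year validity deductions are assumed not to stack (only the larger applies).

```python
# Added example (not certscanner's own code): per-port TLS score and letter
# grade computed from the rules on this page. Input field names are constructed.
PROTOCOL = {"TLS1.3": 20, "TLS1.2": 10, "TLS1.1": 3, "TLS1.0": 1}
LEGACY = {"TLS1.1": 3, "TLS1.0": 5}  # deducted if present in the supported list
KEX = {"ML-KEM-1024-hybrid": 35, "ML-KEM-768-hybrid": 32, "ML-KEM-1024": 33,
       "ML-KEM-768": 30, "ML-KEM-512": 25, "X25519": 20, "X448": 20,
       "secp384r1": 18, "P-521": 18, "secp256r1": 17, "RSA": 5}
CERT_KEY = {"ML-DSA": 20, "SLH-DSA": 20, "FALCON": 20, "P-384": 17, "P-521": 17,
            "Ed448": 17, "P-256": 16, "Ed25519": 16, "RSA-4096": 15,
            "RSA-3072": 13, "RSA-2048": 12, "RSA-1024": 3}
SIG_HASH = {"SHA-512": 10, "SHA-384": 10, "SHA-256": 8, "SHA-1": 2, "MD5": 0}
BROKEN = ("RC4", "DES", "NULL")  # "DES" also matches 3DES suite names
GRADES = ((98, "A+"), (85, "A"), (70, "B"), (50, "C"), (30, "D"), (0, "F"))

def cipher_points(primary, supported):
    """Cipher Suite Quality: start at 15, apply the deductions, floor at 0."""
    pts = 15
    pts -= 1 if primary == "AES-128-GCM" else 0
    pts -= 4 if "CBC" in primary else 0
    pts -= 8 if any(b in primary for b in BROKEN) else 0
    pts -= 3 if any(b in c for c in supported for b in BROKEN) else 0
    return max(pts, 0)

def port_score(p):
    """Sum the five components, then apply the certificate validity deductions."""
    score = PROTOCOL[p["protocol"]] - sum(LEGACY.get(v, 0) for v in p["supported_protocols"])
    score += KEX[p["kex"]] + CERT_KEY[p["cert_key"]] + SIG_HASH.get(p["sig_hash"], 5)
    score += cipher_points(p["cipher"], p["supported_ciphers"])
    score -= 10 if p.get("expired") else 0
    score -= 5 if p.get("self_signed") else 0
    years = p.get("validity_years", 0)
    score -= 8 if years > 5 else 5 if years > 3 else 0  # assumed: larger deduction only
    return max(score, 0)

def grade(score):
    return next(letter for floor, letter in GRADES if score >= floor)

# Constructed sample ports; the first three mirror rows of the ceiling table above.
CLASSICAL = dict(protocol="TLS1.3", supported_protocols=["TLS1.3", "TLS1.2"],
                 kex="X25519", cert_key="Ed25519", sig_hash="SHA-384",
                 cipher="AES-256-GCM", supported_ciphers=["AES-256-GCM"])
PQC_HYBRID = dict(CLASSICAL, kex="ML-KEM-768-hybrid", cert_key="ML-DSA")
CNSA = dict(PQC_HYBRID, kex="ML-KEM-1024-hybrid")
LEGACY_PORT = dict(protocol="TLS1.2", supported_protocols=["TLS1.2", "TLS1.0"],
                   kex="RSA", cert_key="RSA-2048", sig_hash="SHA-1", cipher="AES-128-CBC",
                   supported_ciphers=["AES-128-CBC", "RC4-SHA"], self_signed=True, validity_years=4)
```

Applying the component table as written, the classical-only row computes to 81 rather than the 83 listed in the ceiling table (still a B); the PQC rows reproduce exactly, and the legacy port lands at 22 (F) once the TLS 1.0, RC4, CBC, self-signed and validity deductions are applied.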