Securely transfer files to Broadcom using PQC safe encryption

Article ID: 439237


Products

Generic Non Product

Issue/Introduction

Secure data transmission using Post-Quantum Cryptography (PQC), e.g. on RHEL 9.7.

This article provides instructions for securely signing and encrypting files for transmission to Broadcom using Post-Quantum Cryptography (PQC) in the context of a technical support case. Following these steps ensures that your data remains protected against both current classical threats and future quantum computing capabilities.

 

Why Post-Quantum Cryptography?

Standard encryption methods like RSA and Elliptic Curve Cryptography (ECC) rely on mathematical problems (like integer factorization) that are easily solved by a sufficiently powerful quantum computer using Shor’s Algorithm.

 

The "Harvest Now, Decrypt Later" (HNDL) Threat.

Even though "Cryptographically Relevant Quantum Computers" (CRQC) do not fully exist today, adversaries are currently practicing Harvest Now, Decrypt Later. They intercept and store encrypted sensitive data today, intending to decrypt it years from now once quantum technology matures. To defend against this, we must use PQC algorithms that are resistant to quantum attacks today.

Environment

Red Hat Enterprise Linux (RHEL) 9.7 includes native support for PQC via OpenSSL.

  • Required OpenSSL Version: openssl-3.5.1-7.el9_7 or higher.
  • Note: You no longer need to manually compile or install the oqsprovider (Open Quantum Safe).
  • OpenSSL has native support since version 3.5 (April 2025), see Release Notes.

It is assumed that signing and encryption are performed on a Linux-based system. We have not tested the process on Windows.
Since the process is based on OpenSSL, it is very likely to work on Windows too.
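
A preflight check for the requirements listed above, added here as an example and not one of Broadcom's attached scripts; the function names are hypothetical. It checks the upstream OpenSSL version (3.5 or later) and that ML-KEM-768 and ML-DSA-65 are offered, not the RHEL package release.

```shell
#!/bin/sh
# Added example, not one of the attached Broadcom scripts.
# Function names are hypothetical.

# version_ge A B: succeed if dotted version A >= B (first three fields).
version_ge() {
    local a b x y n
    a=$1; b=$2
    for n in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as the "k" in 1.1.1k
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# pqc_report VERSION_LINE KEM_LIST SIG_LIST
# Takes the text printed by `openssl version`, `openssl list -kem-algorithms`
# and `openssl list -signature-algorithms`; prints findings and returns 0
# only if every requirement holds.
pqc_report() {
    local name ver rc
    rc=0
    name=${1%% *}                 # first word, expected to be "OpenSSL"
    ver=${1#* }; ver=${ver%% *}   # second word, the version number
    if [ "$name" != "OpenSSL" ] || ! version_ge "$ver" 3.5.0; then
        echo "FAIL: need OpenSSL >= 3.5, found: ${1:-nothing}"; rc=1
    fi
    printf '%s\n' "$2" | grep -qiw -e 'ML-KEM-768' ||
        { echo "FAIL: ML-KEM-768 not offered"; rc=1; }
    printf '%s\n' "$3" | grep -qiw -e 'ML-DSA-65' ||
        { echo "FAIL: ML-DSA-65 not offered"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $name $ver with ML-KEM-768 and ML-DSA-65"
    return "$rc"
}

# pqc_preflight: run the check against the openssl binary found in PATH.
pqc_preflight() {
    command -v openssl >/dev/null || { echo "FAIL: openssl not in PATH"; return 1; }
    pqc_report "$(openssl version 2>/dev/null)" \
               "$(openssl list -kem-algorithms 2>/dev/null)" \
               "$(openssl list -signature-algorithms 2>/dev/null)"
}

# Live check only on request: sh pqc_preflight.sh --run
if [ "${1:-}" = "--run" ]; then pqc_preflight; fi
```
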

Resolution

 

Step 1: Create Your Signing Key.


You must generate a unique identity key. It identifies you as the sender and ensures the file has not been tampered with. This is a one-time setup, and the resulting public key must be provided to Broadcom before you upload an encrypted file. You keep the private key secret. On arrival, the authenticity of the secured file is validated, and decryption is rejected if the signature check fails or if the public key has not been provided beforehand. Multiple keys for different sites are supported. Keys shall have a reasonable expiry date to allow for regular rotation.

For your convenience, Broadcom has created two Bash scripts to assist with the process. They are meant to be simple, without any error handling, and serve as templates that can be further improved or converted into other programming languages.

 

create_signing_key.sh
(attached)

 

Step 2: Download Broadcom's generic Public Encryption Key.


To encrypt your data so that only Broadcom can decrypt it, save the following key.
This is the "generic" public key and Broadcom may ask you to install a specific one that will be provided to you.

 

key_enc_pub_56c4f7cd_2026-04-20.pem
(attached)

 

Step 3: Encrypt and send files.


Use the attached script to automate signing and encryption of your file.
To upload multiple files at once, bundle them together in a tar or zip.
This can be any type of file but in most cases it is a product support bundle.


The process uses a Hybrid Approach: PQC (ML-KEM) protects the session key, while AES-256-CBC handles the bulk data encryption for maximum performance. The technical implementation is based on this "Cybersecurity Information Sheet".

 

send_file.sh
(attached)

 

Understanding the Security Layers.


The generated <uuid>.enc.zst file is a multi-layered security container designed to be "Atomic" - the receiver cannot decrypt the data without verifying your identity first.

 

 

Summary of Algorithms.

  • AES-256-CBC (FIPS 197): Protects the signed payload and metadata (file name).
  • ML-KEM-768 (FIPS 203): Replaces RSA/Diffie-Hellman for key exchange. Based on lattice mathematics, which is not known to be breakable by quantum computers.
  • ML-DSA-65 (FIPS 204): Replaces traditional digital signatures. Proves the file came from you and hasn't been tampered with.

 

Additional Information

Attachments

  • key_enc_pub_56c4f7cd_2026-04-20.pem
  • create_signing_key.sh
  • send_file.sh
  • file_layout.txt