Securely transfer files to Broadcom using PQC safe encryption

Article ID: 439237

Updated On:

Products

Generic Non Product

Issue/Introduction

Secure Data Transmission using Post-Quantum Cryptography (PQC).

This article explains how to sign and encrypt files with Post-Quantum Cryptography (PQC) before transmitting them to Broadcom as part of a technical support case. Following these steps keeps your data protected against both current classical threats and future quantum computing capabilities.

Why Post-Quantum Cryptography?

Standard public-key methods such as RSA and Elliptic Curve Cryptography (ECC) rely on mathematical problems (integer factorization and the discrete logarithm problem) that a sufficiently powerful quantum computer could solve efficiently with Shor's algorithm.

The "Harvest Now, Decrypt Later" (HNDL) Threat.

Even though Cryptographically Relevant Quantum Computers (CRQCs) do not yet fully exist, adversaries are already practicing Harvest Now, Decrypt Later: they intercept and store encrypted sensitive data today, intending to decrypt it years from now once quantum technology matures. Defending against this means protecting the data now with PQC algorithms that resist quantum attacks.

Environment

Broadcom provides scripts and a Windows client that drive an OpenSSL workflow to sign and encrypt the file. Both the automation scripts and the Windows application operate strictly locally, require no network connectivity, and contain no telemetry or data-tracking mechanisms.

Linux based

Red Hat Enterprise Linux (RHEL) 9.7 includes native support for PQC via OpenSSL.

  • Required OpenSSL RPM version: openssl-3.5.1-7.el9_7 or higher.
  • Note: you no longer need to compile or install the oqsprovider (Open Quantum Safe provider) manually.
  • OpenSSL has had native PQC support since version 3.5 (April 2025); see the OpenSSL 3.5 Release Notes.

You can use the provided Bash scripts as templates for your file upload workflow. These scripts utilize standard Linux tools to demonstrate a basic OpenSSL implementation. While specifically tested on RHEL, they are compatible with most modern Linux distributions.

Windows based

For Windows environments, we provide both a PowerShell script and a standalone GUI application (BroadcomPQCTool.exe) for key generation and encryption. Both options require a manual installation of OpenSSL (and Coreutils for the script); setup details and download links are included directly within the GUI app. To ensure file integrity, verify the executable's SHA256 hash against the value listed below.

PS > Get-FileHash -Algorithm SHA256 BroadcomPQCTool.exe

Release Date    SHA256
2026-06-17      49FD33D5D6B22CD4B7AAD09697F63213C4F4178094992155D457449A413BDA8D

Resolution

How to get started?

While the specific workflow varies depending on your chosen method—automated Bash scripts in a Linux environment, manual Windows PowerShell commands, or the standalone Windows GUI application—the underlying core principles are identical across all options.

Step 1: Create Your Signing Key and Certificate.

To secure your uploads, complete a one-time setup that generates a private identity key (.key) and a public signing certificate (.pem). Keep the private key confidential, but share the public certificate with Broadcom by email or inside a support case before transmission; Broadcom automatically rejects any upload that fails signature validation or whose certificate has not been pre-registered. Multiple keys per site and credential sharing among administrators are supported, and a 398-day certificate lifetime is recommended so that keys are rotated regularly. The sample script contains details on the -Subject (Common Name).

Step 2: Download Broadcom's generic Public Encryption Key.

To encrypt your data so that only Broadcom can decrypt it, save the attached key key_enc_pub_859d63a6_2026-06-16.pem. This is the "generic" public key; Broadcom may ask you to install a specific one that will be provided to you.

Step 3: Sign & Encrypt a file.

Whether you use the Linux Bash script, the Windows PowerShell script, or the Windows GUI application, all three methods produce the identical secure file format. For bulk uploads, bundle multiple files into a single compressed archive (for example, consolidating several .tgz files into one .zip file) before processing.

Step 4: Upload the secure file.

This workflow changes nothing about your existing file transfer methods or transport mechanisms; only the file payload itself is modified. You may continue to use your established transmission channels—such as SFTP, Wolken case attachments, or HTTPS uploads via CrushFTP—to submit the secured files.

Understanding the Security Layers.

This solution uses a hybrid cryptographic approach for both performance and security: bulk data is encrypted with AES-256-CBC (FIPS 197), while the unique, machine-generated session key for each file is protected with Post-Quantum Cryptography (ML-KEM-1024, FIPS 203). File authenticity is guaranteed by ML-DSA-87 (FIPS 204) digital signatures, and the entire implementation adheres to the standards outlined in the referenced Cybersecurity Information Sheet.

The generated <uuid>.enc file is a multi-layered security container designed to be "atomic": the receiver cannot decrypt the data without first verifying your identity through the signature.
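The three primitives described above, driven through the OpenSSL 3.5+ command line, as an added example that is not Broadcom's send_file.sh or create_signing_key.sh: it generates a sender's ML-DSA-87 key and certificate (Step 1), stands in for Broadcom's ML-KEM-1024 key pair (Step 2, since a sender only ever receives the public half), then encapsulates a session secret, encrypts with AES-256-CBC, signs, and shows the receiver verifying before decrypting. The .enc container layout from file_layout.txt is not reproduced; the subject name demo-site and all file names are constructed, and the version-check helpers make the script report rather than fail on an OpenSSL older than 3.5.

```shell
#!/bin/sh
# Added illustration (not Broadcom's scripts): the article's three primitives via the
# OpenSSL 3.5+ CLI. The .enc container layout is NOT reproduced; names are constructed.
set -eu

# Extract "3.5.1" from "OpenSSL 3.5.1 ..."; prints nothing for other libraries.
openssl_version_of() { printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'; }

# version_ge A B: true when dotted version A >= B, compared component-wise.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# Native ML-KEM/ML-DSA arrived in OpenSSL 3.5 (the RHEL 9.7 minimum the article cites).
pqc_supported() { version_ge "$(openssl_version_of "$(openssl version 2>/dev/null || true)")" 3.5.0; }

demo() {
  d=$(mktemp -d); cd "$d"
  printf 'constructed sample payload\n' > report.tgz
  # Step 1 (sender, one-time): ML-DSA-87 identity key and a 398-day self-signed certificate.
  openssl genpkey -algorithm ML-DSA-87 -out site.key
  openssl req -x509 -new -key site.key -subj "/CN=demo-site" -days 398 -out site.pem
  # Stand-in for Broadcom's ML-KEM-1024 key pair (Step 2): senders only ever get kem_pub.pem.
  openssl genpkey -algorithm ML-KEM-1024 -out kem.key
  openssl pkey -in kem.key -pubout -out kem_pub.pem
  # Step 3a: encapsulate a fresh 32-byte session secret to the receiver's public key.
  openssl pkeyutl -encap -inkey kem_pub.pem -pubin -secret ss.bin -out kem_ct.bin
  # Step 3b: AES-256-CBC over the bulk data, keyed with that secret and a random IV.
  iv=$(openssl rand -hex 16)
  openssl enc -aes-256-cbc -K "$(od -An -tx1 -v ss.bin | tr -d ' \n')" -iv "$iv" \
    -in report.tgz -out report.aes
  # Step 3c: ML-DSA-87 signature over the ciphertext (one-shot signing, hence -rawin).
  openssl pkeyutl -sign -rawin -inkey site.key -in report.aes -out report.sig
  # Receiver: verify against the pre-registered certificate BEFORE decapsulating or decrypting.
  openssl x509 -in site.pem -pubkey -noout > site_pub.pem
  openssl pkeyutl -verify -rawin -pubin -inkey site_pub.pem -in report.aes -sigfile report.sig
  openssl pkeyutl -decap -inkey kem.key -in kem_ct.bin -secret ss2.bin
  openssl enc -d -aes-256-cbc -K "$(od -An -tx1 -v ss2.bin | tr -d ' \n')" -iv "$iv" \
    -in report.aes -out report.dec
  cmp -s report.tgz report.dec && echo "round trip OK (artifacts in $d)"
}

if pqc_supported; then demo; else echo "OpenSSL 3.5+ required for ML-KEM/ML-DSA; demo skipped"; fi
```

The real scripts additionally pack the KEM ciphertext, IV, ciphertext and signature into the single .enc container; here each artifact is left as a separate file so every step can be inspected.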

Additional Information

Attachments

key_enc_pub_859d63a6_2026-06-16.pem
send_file.sh
create_signing_key.sh
send_file.ps1
create_signing_key.ps1
BroadcomPQCTool.exe
file_layout.txt
file_layout.png