Skip to content

nm727/PQC-Workshop

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
docker
docker
 
 
lab
lab
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
DOWNGRADE_ATTACKS.md
DOWNGRADE_ATTACKS.md
 
 
FLEXIBLE_ALGORITHM_SYSTEM.md
FLEXIBLE_ALGORITHM_SYSTEM.md
 
 
README.md
README.md
 
 

Repository files navigation

PQC MITM + Quantum Demo Lab

This lab demonstrates a full 5-phase flow:

  1. Negotiation
  2. Attack path / downgrade
  3. Interception + packet dump
  4. Quantum break (Shor demo)
  5. Decryption summary

The runtime output is already phase-labeled ([VIEW] PHASE x/5 ...).

Current architecture (post-modularization)

  • Orchestration: lab/scripts/09_quantum_mitm_flow.py
  • Logging + file output: lab/lib/logging.py
  • Network namespace / tcpdump / packet send: lab/lib/network.py
  • Weak crypto registry + Shor simulator path: lab/lib/crypto.py
  • Runtime artifact collection and parsing: lab/lib/evidence.py
  • MITM strategy transforms: lab/lib/mitm.py

Design intent:

  • Keep policy + sequencing in one script (09_*).
  • Keep mechanisms in small focused modules (lab/lib/*).
  • Keep evidence parsing independent from crypto simulation.

Linear command list (single container, multi-terminal)

Follow these steps in order.

1) Build the image (host)

docker build -f docker/Dockerfile --build-arg LIBRESWAN_VERSION=5.3 -t pqc-lab-min .

Quick verify after container starts:

docker exec pqc-lab bash -lc 'ipsec --version'

2) Start one persistent lab container (host)

docker rm -f pqc-lab 2>$null
docker run -d --privileged --name pqc-lab pqc-lab-min tail -f /dev/null

3) Open terminal A into the container (host)

docker exec -it pqc-lab bash

4) Open terminal B/C as needed (host)

docker exec -it pqc-lab bash

All commands below are intended to run inside the container.

Linear runbook (inside container)

5) Create the MITM topology

Creates alice <-> eve <-> bob namespaces and links.

TOPOLOGY_MODE=mitm bash lab/scripts/start_topology.sh

5b) (Optional) Start Libreswan daemons in namespaces

This attempts real IKEv2 bring-up and writes immediate status/log snapshots.

bash lab/scripts/07_start_libreswan_ns.sh

6) Run the full attack flow (recommended baseline)

Runs negotiation, downgrade, interception view, quantum break, and summary.

The script now prefers runtime evidence (status/log/tcpdump artifacts) for protocol selection, and only falls back to config/strategy parsing when no runtime evidence is found.

python3 lab/scripts/09_quantum_mitm_flow.py \
  --mode mitm \
  --strategy packet-drop \
  --weak-algo xor-phi21 \
  --message 'hello' \
  --config lab/configs/ipsec.conf \
  --no-live-capture

6b) Send multiple customized packets (same flow)

Customize packet count, interval, and payload content:

python3 lab/scripts/09_quantum_mitm_flow.py \
  --mode mitm \
  --strategy packet-drop \
  --weak-algo xor-phi21 \
  --message 'network-level' \
  --packet-count 6 \
  --packet-interval 0.1 \
  --payload-override 'CUSTOM-DEMO-PAYLOAD' \
  --config lab/configs/ipsec.conf \
  --live-capture

7) Run with live packet capture and dump printing

Enables real tcpdump parsing and prints packet metadata + payload extraction.

python3 lab/scripts/09_quantum_mitm_flow.py \
  --mode mitm \
  --strategy strip-pqc \
  --weak-algo auto \
  --message 'capture-me' \
  --config lab/configs/ipsec.conf \
  --live-capture

8) Manual tcpdump view (raw)

Shows raw packet bytes directly from Eve namespace.

First ensure namespaces exist in the current container session:

TOPOLOGY_MODE=mitm bash lab/scripts/start_topology.sh
ip netns list
ip netns exec eve tcpdump -X -A -n -v -i veth-eve-a udp port 500

8b) Live sniffer terminal (recommended while running Phase 6/7)

Open a second container terminal and run:

ip netns exec eve tcpdump -n -vv -X -A -l -i veth-eve-a udp port 500

Then run Phase 6/6b/7 in terminal A and watch packets in real time in terminal B.

8c) Watch Eve changing the network (packet-drop strategy)

Open another terminal and run:

watch -n 1 "ip netns exec eve iptables -S FORWARD; echo; ip netns exec eve sysctl net.ipv4.ip_forward"

This shows Eve's forwarding/drop rules live while the attack is running.

9) Print saved dump file

Reads the dump saved by the flow script.

cat /lab/lab/data/tcpdump_raw.txt

10) Inspect unified event log

tail -n 200 /lab/lab/data/events.log

Live view:

tail -f /lab/lab/data/events.log

11) Inspect per-run artifact bundles

Each run creates a bundle under /lab/lab/data/runs/<timestamp>/, including:

  • ipsec_status_<ns>.txt
  • pluto_log_<ns>.txt
  • ike_tcpdump_eve.txt
  • protocol_selection.txt
  • protocol_selection_source.txt
  • kex_tokens.txt
ls -1 /lab/lab/data/runs
latest=$(ls -1 /lab/lab/data/runs | tail -n 1)
ls -1 "/lab/lab/data/runs/${latest}"
cat "/lab/lab/data/runs/${latest}/protocol_selection.txt"
cat "/lab/lab/data/runs/${latest}/protocol_selection_source.txt"

Notes:

  • --no-live-capture prints a synthetic payload dump (CT:... + hex + ASCII).
  • --live-capture prints real capture details when namespaces are available.
  • --packet-count, --packet-interval, and --payload-override control custom traffic from Alice to Bob.

Command snippets by output phase

Show full phased story (recommended)

python3 lab/scripts/09_quantum_mitm_flow.py \
  --mode mitm \
  --strategy packet-drop \
  --weak-algo xor-phi21 \
  --message 'network-level' \
  --config lab/configs/ipsec.conf \
  --no-live-capture 2>&1 | grep -E '^\[(VIEW|NEGOTIATION|FLOW|INTERCEPT|QUANTUM|SUMMARY)\]'

Show only negotiation lines

... | grep '^\[NEGOTIATION\]'

Show only interception / dump lines

... | grep '^\[INTERCEPT\]'

Show only quantum lines

... | grep '^\[QUANTUM\]'

Show only phase banners

... | grep '^\[VIEW\]'

Weak algorithm options

Current registered weak models:

  • xor-phi15 (N=15, phi=8)
  • shift-phi15 (N=15, phi=8)
  • xor-phi21 (N=21, phi=12)
  • xor-phi35 (N=35, phi=24)

CLI:

python3 lab/scripts/09_quantum_mitm_flow.py --weak-algo auto
python3 lab/scripts/09_quantum_mitm_flow.py --weak-algo xor-phi21

Tests

python -m unittest discover -s tests -v

Shell tests (also under tests/):

bash tests/test_all_algorithms.sh
bash tests/test_capture.sh
bash tests/test_tcpdump.sh

Maintainer proof gate: PQ baseline then downgrade

Use this script to produce a review-grade verdict:

python3 lab/scripts/10_prove_pqc_then_downgrade.py

Behavior:

  • Exit 0: baseline shows runtime PQ negotiation evidence and downgrade run changes outcome to non-PQ.
  • Exit 2: UNPROVEN (no runtime PQ negotiation evidence in baseline).
  • Other non-zero: orchestration failure.

Artifacts are written under:

  • /lab/lab/data/proof-runs/<timestamp>/baseline/<run-id>/
  • /lab/lab/data/proof-runs/<timestamp>/downgrade/<run-id>/

This gate is intended for review and prevents claiming downgrade success without runtime PQ evidence.

Notes

  • This is an educational toy model.
  • Event logs are appended to /lab/lab/data/events.log inside the running container.
  • For packet-drop strategy, container must include iptables and run with --privileged.
  • This workshop simulates downgrade pathways and observability around hybrid IKE/IPsec negotiation; it does not claim practical cryptanalysis of production PQC

About

Needed lab for the upcoming PQC Workshop

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages