Cryptographic Agility in Mozilla Firefox and NSS: Implementing Post-Quantum Cryptography via Loadable Modules : A PKCS 11 Based Approach to Strengthen Browser Security
Khan, Nouman Ali (2025)
Master's Programme in Information Technology
Faculty of Information Technology and Communication Sciences
Acceptance date: 2025-10-15
Permanent address of the publication: https://urn.fi/URN:NBN:fi:tuni-202510149905
Abstract
The rise of quantum computing poses a significant risk to current cryptographic infrastructures, prompting an urgent shift towards more secure alternatives such as Post-Quantum Cryptography (PQC). Although PQC algorithms have been standardized in recent years by standards bodies such as the National Institute of Standards and Technology (NIST), their integration into real-world cryptographic infrastructures is still far from straightforward. This thesis responds to these challenges by introducing PQC support into cryptographic infrastructure, with the scope limited to the Mozilla Firefox (Firefox) fork of the Network Security Services (NSS) library. The implementation is guided by the principle of cryptographic agility, which ensures that the infrastructure can adapt to evolving algorithmic standards with minimal disruption.
To introduce support for PQC algorithms inside Firefox/NSS, a modular Public-Key Cryptography Standard #11 (PKCS#11)-compliant software token named Qryptotoken was developed. The token follows a "Shallow Module" architecture, in which cryptographic operations are delegated to external libraries rather than being implemented within the token itself. This design promotes modularity and simplifies updates, which aligns with the goal of cryptographic agility.
This thesis extends earlier efforts in which a foundational version of Qryptotoken was created to establish a flexible PKCS#11 interface. While that initial version provided a working skeleton, the present research focuses on incorporating two NIST-recommended PQC algorithms, ML-DSA for digital signatures and ML-KEM for key encapsulation, via the formally verified Rust-based Libcrux library.
At the time of writing, the Firefox fork of the NSS library does not expose ML-DSA in its digital signature list. Therefore, additional modifications were necessary to enable its use for later interoperability testing. To achieve this, ML-DSA support was integrated into Firefox's NSS by applying pattern-based modifications modeled on the existing digital signature algorithms in the Firefox NSS library.
Once Qryptotoken and Firefox's NSS were updated, real-world interoperability tests were conducted against PQC-enabled TLS 1.3 servers, including Open Quantum Safe (OQS) and Cloudflare. These tests confirmed that a modified Firefox client, using Qryptotoken as an external PKCS#11 module, could successfully establish PQ/T hybrid handshakes.
Despite these achievements, full modularity has not yet been realized. Adding new algorithms still involves manual effort, and runtime configuration remains limited. This thesis highlights these issues as future work and positions Qryptotoken as a flexible foundation for PQC integration in modern cryptographic infrastructures.
