
PQC measures

From UnrealIRCd documentation wiki

This is a background article for expert admins to show what we are doing in terms of moving to Post-quantum cryptography. It's similar - in a way - to Moving users to TLS.

And yes, if one were to do a threat assessment then this issue would likely come last (as of 2025). We are still trying to move users to TLS, closing port 6667 and getting people to use a valid trusted certificate, -sigh- :(

Network: Protect against harvest now, decrypt later

From 2025 onwards, the most important move to make first is to protect against the Harvest now, decrypt later scenario. The way to protect against this is to use a quantum-proof key exchange, and the standard way to do this is to use Kyber with X25519 (a "hybrid"). This way, if X25519 is cracked, Kyber still protects things. And if Kyber is cracked (due to unforeseen cryptanalysis), one still has X25519.

Updating UnrealIRCd to use PQC

UnrealIRCd 6.2.0+ (2025-09-XX)

UnrealIRCd 6.2.0 will use the hybrid TLS group X25519MLKEM768 (so Kyber with X25519) if both the server and the client support it. It is released as -beta2 at the moment. It requires OpenSSL 3.5.0 or later (released April 2025) and naturally the client must support this as well. Just to get an idea: browsers like Chrome and Firefox started supporting this in 2024.
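To confirm from a packet capture whether a connection really negotiated the hybrid group, one can read the key_share extension of the TLS 1.3 ServerHello. The following is an added example, not UnrealIRCd code: the function names are made up for illustration and the sample records are constructed in the code (zero filler, not captured traffic).

```python
import struct

# IANA "TLS Supported Groups" codepoints (subset, used for reporting).
GROUPS = {0x0017: "secp256r1", 0x001D: "x25519", 0x11EC: "X25519MLKEM768"}
HYBRID_PQ = {0x11EC}   # groups that combine a classical and a PQ key exchange
KEY_SHARE = 51         # extension carrying the group the server selected


def negotiated_group(record):
    """Return the key_share group codepoint of a ServerHello record, or None."""
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a handshake record starting with a ServerHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                       # legacy_version + random
    pos += 1 + body[pos]               # legacy_session_id_echo
    pos += 2 + 1                       # cipher_suite + legacy_compression_method
    ext_end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == KEY_SHARE and pos + 2 <= ext_end:
            return int.from_bytes(body[pos:pos + 2], "big")
        pos += ext_len
    return None                        # no key_share: not a TLS 1.3 (EC)DHE handshake


def hndl_protected(record):
    """True if the handshake used a hybrid post-quantum key exchange."""
    return negotiated_group(record) in HYBRID_PQ


def sample_server_hello(group, share_len):
    """Constructed ServerHello; random and key share are zero filler, not a capture."""
    key_share = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HH", 43, 2) + b"\x03\x04"   # supported_versions: TLS 1.3
    exts += struct.pack("!HH", KEY_SHARE, len(key_share)) + key_share
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for grp, size in ((0x11EC, 1120), (0x001D, 32)):
        rec = sample_server_hello(grp, size)
        print(GROUPS[negotiated_group(rec)], "hybrid PQ:", hndl_protected(rec))
```

A session that reports plain x25519 here is still encrypted, but recorded traffic from it is not protected against later decryption by a quantum computer.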

unrealircd.org infrastructure

From 2025-07-25 onwards

We use Cloudflare in front, which has supported X25519MLKEM768 since 2024 or so. Our Origin servers didn't yet at that point, so that was of limited use. The connection from Cloudflare to our Origin servers started to use X25519MLKEM768 from 2025-07-25 onwards. So since that date, *.unrealircd.org is really using PQC. Of course, the client (e.g. the browser) needs to support this as well.

Network: Protect against active attacks

This is about the point when quantum computers actually exist and are used to inject or rewrite traffic. This targets RSA/ECC certificates (and thus requires a replacement of those). That's not a serious threat in 2025 yet. Various working groups are working on this one (ML-KEM, ML-DSA). Such a change has a lot of impact: it's not only about TLS libraries but also affects root CA certificates (otherwise one would just attack the CA cert instead of the end-user cert). Browsers don't support this yet. Of course, when it is standardized and becomes available this will find its way into UnrealIRCd too. This may happen in 2026 or 2027.

Databases on disk

UnrealIRCd supports encryption of database files (such as history) via Dev:UnrealDB. It uses the XChaCha20 cipher which is mostly safe (similar to AES being safe) from quantum computers. The key derivation is through Argon2, which too should be safe.