PQC Lab 1 — Implement Hybrid TLS (Kyber + ECDHE)

Duration: 30–60 minutes • Difficulty: Intermediate

1 Learn the concepts
2 Do the hands-on lab
3 Apply & reflect
4 Career & portfolio


Step 1 · Learn Hybrid TLS Concepts

Concept 01 · Quantum Threat

The public-key algorithms TLS relies on today (RSA, ECDSA, and the ECDH/ECDHE key exchange) are expected to be broken by a large quantum computer running Shor’s algorithm. For key exchange the threat is already present: an attacker can record encrypted traffic now and decrypt it once such a machine exists (store-now-decrypt-later, also called harvest-now-decrypt-later). Signatures only have to hold while the handshake is running, so the key exchange is the part of TLS to migrate first.

Concept 02 · Hybrid Key Exchange

Hybrid TLS runs a classical ECDHE key exchange AND a post-quantum KEM (Kyber / ML-KEM) in the same handshake and feeds both shared secrets into the key derivation. An attacker has to break both to recover the session key: if either one remains secure, the derived key stays secret. The classical half protects against an as-yet-unknown weakness in the still-young post-quantum algorithm; the post-quantum half protects against a future quantum computer.

Concept 03 · Where Kyber Fits

Kyber was standardised by NIST as ML-KEM (FIPS 203) in 2024. In hybrid TLS 1.3 the client sends an ECDHE public key and an ML-KEM public key together in one key_share entry; the server answers with its own ECDHE public key and an ML-KEM ciphertext. Each side then computes the two shared secrets, concatenates them, and uses the result where TLS 1.3 would normally use the ECDHE secret alone, so a single session key is derived from both.

Client ── ECDHE ──► Server
Client ── Kyber ──► Server
    ▼ combine
Session key = f(ECDHE, Kyber)
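The combination step in the diagram, as an added example for this page (it is not code from the lab or from the PQC-LAB1 repository). The standard library has neither ECDH nor ML-KEM, so two labelled stand-ins are used: finite-field Diffie-Hellman over the RFC 3526 group 14 prime plays the role of ECDHE, and a DHKEM-style keygen/encaps/decaps over the same group plays the role of Kyber, reproducing only the KEM interface (it is not post-quantum). The combiner and the key-schedule steps are the real constructions from RFC 5869 and RFC 8446. Function names, the "dhkem-standin" domain separator and the 384-bit exponent size are choices made for this example; the prime constant was transcribed from the RFC and should be checked against it before any reuse.

```python
"""Hybrid key exchange combined TLS 1.3 style, standard library only.
Stand-ins: finite-field DH for ECDHE, DHKEM-style encapsulation for ML-KEM
(same interface as Kyber, NOT post-quantum). The combiner is the real one.
"""
import hashlib
import hmac
import secrets

HASH, HASH_LEN = hashlib.sha256, 32
G = 2
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)   # RFC 3526 group 14 (MODP-2048) prime, transcribed; verify before reuse

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 s7.1 HKDF-Expand-Label with the HkdfLabel structure."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, messages: bytes = b"") -> bytes:
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)

# Classical stand-in: finite-field DH in the role of ECDHE.
def dh_keygen():
    priv = secrets.randbits(384)            # 384-bit exponent is ample for a 2048-bit group
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    if not 1 < peer_pub < P - 1:            # reject 0, 1 and p-1 (trivial subgroup values)
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P).to_bytes(256, "big")

# KEM stand-in with the ML-KEM interface (keygen / encaps / decaps) in the role of Kyber.
def kem_keygen():
    return dh_keygen()                      # (decapsulation key, encapsulation key)

def kem_encaps(ek: int):
    """Encapsulate to the peer's encapsulation key: returns (ciphertext, shared secret)."""
    eph_priv, ct = dh_keygen()
    ss = HASH(b"dhkem-standin" + dh_shared(eph_priv, ek) + ct.to_bytes(256, "big")).digest()
    return ct, ss

def kem_decaps(dk: int, ct: int) -> bytes:
    return HASH(b"dhkem-standin" + dh_shared(dk, ct) + ct.to_bytes(256, "big")).digest()

# The hybrid combiner: concatenated secrets in the (EC)DHE slot of the TLS 1.3 key schedule.
def hybrid_handshake_secret(kem_ss: bytes, dh_ss: bytes) -> bytes:
    shared = kem_ss + dh_ss                 # KEM secret first, as for X25519MLKEM768 in the IETF draft
    early_secret = hkdf_extract(b"", b"\x00" * HASH_LEN)
    derived = derive_secret(early_secret, b"derived")
    return hkdf_extract(derived, shared)

def run_handshake():
    """Both sides of the exchange; returns (client secret, server secret, kem_ss, dh_ss)."""
    # Client: one key_share entry carrying the DH public value and the KEM encapsulation key
    c_dh_priv, c_dh_pub = dh_keygen()
    c_kem_dk, c_kem_ek = kem_keygen()
    # Server: its own DH value plus a KEM ciphertext for the client's encapsulation key
    s_dh_priv, s_dh_pub = dh_keygen()
    kem_ct, s_kem_ss = kem_encaps(c_kem_ek)
    s_dh_ss = dh_shared(s_dh_priv, c_dh_pub)
    server_secret = hybrid_handshake_secret(s_kem_ss, s_dh_ss)
    # Client: decapsulate the ciphertext and finish its DH half
    c_kem_ss = kem_decaps(c_kem_dk, kem_ct)
    client_secret = hybrid_handshake_secret(c_kem_ss, dh_shared(c_dh_priv, s_dh_pub))
    return client_secret, server_secret, c_kem_ss, s_dh_ss

def attacker_with_broken_dh(dh_ss: bytes) -> bytes:
    """Store-now-decrypt-later attacker who recovered the classical secret with Shor's
    algorithm but knows nothing about the KEM secret: the best they can do is guess it."""
    return hybrid_handshake_secret(secrets.token_bytes(HASH_LEN), dh_ss)

if __name__ == "__main__":
    c, s, kem_ss, dh_ss = run_handshake()
    print("client == server:", c == s)
    print("attacker with the DH secret only matches:", attacker_with_broken_dh(dh_ss) == c)
```

Run it directly to see both sides agree while the DH-only attacker does not. The property worth noticing is in hybrid_handshake_secret: because both secrets go through HKDF-Extract together, changing either input changes the output, which is exactly what "if either remains secure, the session key is safe" means in code.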

Concept Check (Quick Quiz)

Q1. What problem does Hybrid TLS solve?

Q2. In Hybrid TLS, the final session key comes from:


Step 2 · Do the Hands-on Lab

In this task, you will clone a real Hybrid TLS lab environment from GitHub and run a Dockerised nginx server that starts in CLASSIC_ECDHE mode. You will then “fix” it by switching to a hybrid-style configuration that simulates HYBRID_KYBER_ECDHE. Note what “simulates” means here: the mode is reported through a custom X-Key-Exchange response header set in the nginx configuration, not through a change in the TLS handshake itself. Unless nginx is built against a TLS library with ML-KEM support (OpenSSL 3.5 or later, for example), the handshake stays classical whichever config is loaded.

  1. Clone the GitHub lab repository:
    git clone https://github.com/Vishnu2707/PQC-LAB1.git
    cd PQC-LAB1

  2. Generate your own self-signed TLS certificate in a certs/ directory (mkdir -p does nothing if the repository already ships the directory; -days 5 keeps this throwaway certificate short-lived):
    mkdir -p certs
    openssl req -x509 -nodes -newkey rsa:2048 \
      -keyout certs/server.key \
      -out certs/server.crt \
      -days 5 \
      -subj "/CN=localhost"

  3. Start the intentionally “broken” classical-only TLS endpoint (detached, so the same terminal stays usable for the next steps):
    docker compose up -d

  4. Inspect the HTTP response headers (-k skips certificate verification because the certificate is self-signed; -I sends a HEAD request):
    curl -k -I https://localhost:8443

    Expected output includes: X-Key-Exchange: CLASSIC_ECDHE

  5. Open the Docker Compose configuration and point nginx at the hybrid config:
    nano docker-compose.yml

    Change the nginx config referenced there from:
    nginx/classic.conf
    To:
    nginx/hybrid.conf

  6. Rebuild and restart the server:
    docker compose down
    docker compose up -d --build

  7. Verify the fix:
    curl -k -I https://localhost:8443

    Now the header should show: X-Key-Exchange: HYBRID_KYBER_ECDHE
Checkpoint: What actually changed when you “fixed” the server?

You switched the nginx configuration from the classical-only file to one that simulates a hybrid Kyber + ECDHE setup. Only the configuration, and the header it emits, changed; the TLS handshake this nginx build performs is still classical ECDHE.

In production the equivalent step is enabling a hybrid named group (such as X25519MLKEM768) in a TLS stack that supports it, on both the server and the clients. The evidence that the migration worked is the group negotiated in the handshake (for example as reported by openssl s_client, or by your TLS stack's handshake logging), never an HTTP header, since any server can emit that header regardless of how the session key was derived.

Step 3 · Apply the Idea

Once your lab is working, think like an engineer designing a real-world rollout.

  • Which services in a company should migrate to hybrid TLS first?
  • How would you monitor whether clients support the new ciphers?
  • What is the risk if you do nothing for 5–10 years?
💡 Example answer for discussion

High-value APIs, VPN gateways, and admin portals should be among the first to migrate, especially if they handle data that must stay confidential for many years (anything already recorded under store-now-decrypt-later). Telemetry can be collected from TLS handshakes to understand client support levels: the key_share and supported_groups extensions of the ClientHello show which groups each client offers, and nginx exposes the negotiated group and the client's offered groups as the $ssl_curve and $ssl_curves log variables, so a custom log_format is enough to measure readiness without packet capture. Doing nothing for 5–10 years means every session recorded in that window is exposed to a single future break of ECDHE, with no way to re-protect it after the fact.
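The monitoring idea from the example answer, as an added example for this page (not code from the lab repository). It assumes nginx has been configured with a custom log_format that records the negotiated group and the groups the client offered via the $ssl_curve and $ssl_curves variables; the format name kx and the log path are made-up choices, and the log lines in SAMPLE_LOG are constructed for the example, not real traffic. Group names follow the IETF hybrid draft; the hex code points cover the case where nginx's TLS library does not know a group by name and prints it in hexadecimal.

```python
"""Estimate client readiness for hybrid (post-quantum) TLS groups from nginx access logs.

Assumed nginx configuration (format name "kx" and path are illustrative):
    log_format kx '$remote_addr "$ssl_curve" "$ssl_curves" "$http_user_agent"';
    access_log /var/log/nginx/kx.log kx;
"""
import re
from collections import Counter

# Hybrid groups by name and by TLS NamedGroup code point: nginx prints groups its TLS
# library cannot name in hex (e.g. "0x11ec"). Extend with your library's spellings.
PQ_HYBRID_GROUPS = {
    "X25519MLKEM768", "SecP256r1MLKEM768",      # ML-KEM hybrids from the IETF draft
    "X25519Kyber768Draft00",                    # pre-standard draft still sent by some clients
    "0x11ec", "0x11eb", "0x6399",               # the same three as code points
}

LINE = re.compile(r'^(?P<ip>\S+) "(?P<curve>[^"]*)" "(?P<curves>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample, not real traffic: one client got a hybrid group, one offered it but
# the server did not pick it, two never offer it, one logged no curve list, one corrupt line.
SAMPLE_LOG = """\
10.0.0.1 "X25519MLKEM768" "X25519MLKEM768:X25519:prime256v1" "Mozilla/5.0 (modern browser)"
10.0.0.2 "X25519" "0x11ec:X25519:prime256v1" "Mozilla/5.0 (modern browser)"
10.0.0.3 "X25519" "X25519:prime256v1:secp384r1" "curl/7.81.0"
10.0.0.4 "prime256v1" "prime256v1:secp384r1" "legacy-java-client/1.8"
10.0.0.5 "X25519" "" "embedded-device/0.3"
this line is corrupt and must not crash the parser
"""

def is_pq_hybrid(group: str) -> bool:
    return group in PQ_HYBRID_GROUPS or group.lower() in PQ_HYBRID_GROUPS

def parse(log_text: str):
    """Return (records, malformed_count); each record carries the offered groups as a list."""
    records, malformed = [], 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            malformed += 1
            continue
        rec = m.groupdict()
        rec["offered"] = [g for g in rec["curves"].split(":") if g]
        records.append(rec)
    return records, malformed

def readiness(records):
    """How many clients offered a hybrid group, how many actually negotiated one, how many
    cannot be judged (empty $ssl_curves, e.g. older OpenSSL builds or resumed sessions),
    and which user agents never offer one."""
    stats = {"handshakes": len(records), "offered_pq": 0, "negotiated_pq": 0, "unknown": 0}
    laggards = Counter()
    for r in records:
        if not r["offered"]:
            stats["unknown"] += 1
            continue
        if any(is_pq_hybrid(g) for g in r["offered"]):
            stats["offered_pq"] += 1
        else:
            laggards[r["ua"]] += 1
        if is_pq_hybrid(r["curve"]):
            stats["negotiated_pq"] += 1
    stats["laggards"] = laggards
    # Clients that offered a hybrid group but did not get one point at the server side:
    # enable the group there before chasing the laggard clients.
    stats["server_gap"] = stats["offered_pq"] - stats["negotiated_pq"]
    return stats

if __name__ == "__main__":
    records, bad = parse(SAMPLE_LOG)
    print(readiness(records), "malformed lines:", bad)
```

The two numbers to watch over a rollout are offered_pq (client readiness, which you cannot control) and server_gap (your own servers not picking a group the client already offers, which you can fix today); the laggards counter tells you which client populations to chase last.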

Step 4 · Career & Portfolio

This lab gives you a concrete story for interviews and a small but real project you can show on GitHub or LinkedIn.

Roles this lab helps with

  • PQC / Cryptography-aware DevOps Engineer
  • Cloud Security or Platform Engineer
  • Secure Backend / API Engineer

Suggested LinkedIn post text

Today I completed a hands-on Hybrid TLS lab using Docker and nginx as part of the PQC Arcade platform.

I configured a TLS 1.3 endpoint, inspected the handshake with curl, and switched it from a classical-only setup to a simulated hybrid Kyber + ECDHE configuration.

This was a great way to connect post-quantum cryptography theory with real-world infrastructure work (DevOps, cloud, security).

Download Lab Pack

This lab uses a standalone GitHub repository containing the nginx configs, docker-compose.yml, and the sample web app. Clone or download it to follow along.

Or clone the repository:

git clone https://github.com/Vishnu2707/PQC-LAB1.git

Use this folder to run Docker, edit configs, and complete the tasks.

Instructor Notes

  • Use the diagram to explain hybrid key exchange visually.
  • Ask students to screenshot the X-Key-Exchange header as proof.
  • Encourage them to post the LinkedIn text with their own twist.