Technical specifications
What the wire actually carries.
If you're the security engineer scanning this page, you're not here for marketing copy. Here are the primitives, by their formal names.
| Surface | Primitive | Standard |
|---|---|---|
| Key exchange (PQ) | ML-KEM-768 | NIST FIPS 203 |
| Key exchange (classical) | X25519 | RFC 7748 |
| Hybrid combiner | HKDF(X25519 ‖ ML-KEM-768) | TLS 1.3 hybrid draft |
| Bulk AEAD | AES-256-GCM, ChaCha20-Poly1305 | RFC 5288, RFC 7539 |
| Server signature | ECDSA-P256-SHA256, RSA-PSS-SHA256 | RFC 8446 |
| JWT signature (PQ) | ML-DSA-65 | NIST FIPS 204 |
| JWT signature (classical) | ES256, EdDSA | RFC 7518, RFC 8037 |
| Hash | SHA-256, SHA-384, BLAKE3-128 | FIPS 180-4, BLAKE3 spec |
| HMAC (audit cursor) | HMAC-SHA-256 | FIPS 198-1 |
| CSPRNG | aws-lc-rs SystemRandom | NIST SP 800-90A |
| Cert lifetime (Scrutari edge) | 90 days, auto-renewed at 60d | CA/B Forum BR |
| TLS version | TLS 1.3 only | RFC 8446 |
Move your TLS posture to post-quantum before the timeline moves you.
Scrutari is in early access for enterprise SaaS teams who've been told to have a migration plan by their largest customers and don't want to rebuild their TLS stack to get there. We'd like to talk to yours.