This is the fourth in our series of blogs about quantum threat. Our latest contribution, impacts of government regulations on the availability of PQC, government standards DiscusD for Postal calculations (PQC) and their impact on PQC acceptance. Given that another collection of participating parties expects maturation of PQC, Q-Day risks and harvest now, decrypt later (HNDL) cybertacks because of concern. In this post, we will investigate what is available today for quantum safe solutions, along with the viability and potential of quantum distribution of keys (QKD), newly emerging technology that bridges the abyss between the present and the future of PQC.
Today’s quantum safety solution
While the quantum threat remains in the future, technology companies, standards and government entities have been looking for their alleviation for some time. To this end, Cisco was the first pioneer in the efforts to define and provide network solutions safe. Our initial focus was on secure boot for safe hardware safe, followed by network transport protocols with quantity safe.
The Secure Boot first took the form of Cisco’s LDWM signature scheme, which was published in 2013 by McGrew & Curcio, which provides asymmetric authentication without the need for mathematics with extensive integer. Cisco began to transport hardware products with a secure shoe based on LDWM based on LDWM. In 2019, D. McGrew, M. Curcio and S. created Leighton-Micinali Signature Digital Signature Scheme, which creates secure digital signatures using cryptographic hash function. The LMS is included in the requirements of the NSA CNSA 2.0, which we discussed in our post Cryptography in the post of quantum world.
QKD, SKIP, ETSI and ability to share keys between endpoints
Cisco then turned his attention to creating quantum secure network transport protocols. This work focused primary on integration with QKD, technology that provides secure sharing of cryptographic keys using physical suitable fiber optics. By sharing keys using photons, it is possible to ensure that the key is not interrupted or damaged. In recent years, many suppliers have developed QKD systems, although the idea of technology has been back in decades.
Please note that for simplicity I use the term “QKD” to reproduce the booth of these hardware solutions listed above and “QKD” solutions that provide quantum secure keys using other methods. Some of these alternative methods are solutions only for software. My following use “QKD” refers to all these solutions.
Since PQC algorithms have not been standardized at that time Cisco concerning ways to provide the keys to quantum safe to replace or increase the older key exchange method that was not quantum safe. The SKIP interface, developed in 2017, serves this purpose. SKIP is an API allowing network devices to obtain quantum secure keys from an external key management system such as QKD. These keys are used in transport protocols, Likec and Macsec to make quantum safe and protect from harvest night attacks. IETF RFC 8784 defines the use of these keys for IPSEC (IKEV2). There is no standard for using these keys for Macsec.
Cisco presented SKIP IETF to become an information RFC. Skip is supported in many Cisco devices and is openly available for use in the field. Currently, about a dozen suppliers support the SKIP interface:
In 2019, the European Telecommunications Standard Institute (ETSI) published its specification QKD, ETSI GS-QKD-014. The API ETSI API offers a subset of the ability to skip, but it is generally similar in terms of functionality. QKD sellers, who initially implemented ETSI specialties, said they were able to add the SKIP interface for just weekends.
Some QKD suppliers have implemented both specialties. Many of them said they support the current activities of SKIP and ETSI in their solution. However, several smaller differences between specialties will prevent Skip-Etsi interoperation.
Future QKD
We often asked if Cisco implemented ETSI Special. This question raises a wider and more important question in some ways: What is the future of QKD? What will the role of QKD in the spectrum of solutions and devices that use optics and quantum technology to process and distribute keys in quantum safe as well as those based on software?
One answer is that for all its promise, QKD is still relatively early in its technology life cycle. Many companies actively evaluate the use of solutions similar to QKD and QKD for their networks. The key problems to be considered include:
- How well do specific QKD solutions work?
- Are they really safe? What are the threat vectors and how are they dealt with?
- Are they viable for the requirements and environment of the organization?
- Are they financially viable?
- Are components used in a trusted solution?
- How does QKD solution fit into the emerging PQC solution?
Many governments prohibit QKD systems in government or military applications. This applies, for example, to the United Kingdom. The US, Australia and EMEA do not use QKD certain limitations have been overcome. Capability, maturity and acceptance of QKD systems are constantly expanding. Some organizations predict the depth of security using the QKD and PQC solutions in cases of selected applications (eg BSI, Section 6.11) and QKD systems are also used in several production networks.
Conclusion
While QKD systems show promising and, in some cases, they can become part of protection against the growing threat of quantum computers, Cisco is doing PQC solutions at this time. This is in line with how most governments and organizations are close to this matter.
Related blogs
We would like to hear what you think. Ask how below and stay in conjunction with Cisco Secure on Social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
Share: