Quantum Cybersecurity Standards & Technical Information
Cybersecurity standards enhance the physical security of an organization and contribute to its overall risk management. Technical standards also allow the sharing of knowledge and best practices by helping to ensure a common understanding of conditions, terms, and definitions, which can prevent costly errors. The threat of quantum computers is currently driving new cybersecurity innovations and standards, an indication that quantum-safe cryptography strategies will soon become standard.
Asymmetric cryptography, also called public key cryptography, uses two keys. One key is called a public key and the other is called a private key. Asymmetric cryptography solves the secret key transport problem encountered during initial attempts to communicate securely using symmetric encryption. Asymmetric encryption algorithms include RSA and ECC (elliptic curve).
Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements in a Security Target (ST); these requirements may be taken from Protection Profiles (PPs). Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that is commensurate with the target environment for use. Common Criteria maintains a list of certified products, including operating systems, access control systems, databases, and key management systems.
Encryption is the process of converting data, also known as plaintext, to another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. It is commonly used to protect sensitive information—this includes files and storage devices, as well as data transferred over wireless networks and the Internet. The information is transformed from plaintext into ciphertext through encryption and then transformed back from ciphertext to plaintext via decryption.
Encryption Key Management (EKM)
The management of cryptographic keys used for encryption. This includes generating, exchanging, protecting, storing, using and replacing encryption keys throughout their full lifecycle. Encryption key management is one of the most complex problems of encryption and is critical to the security of a cryptosystem.
Encryption Key Manager System (KMS)
A solution delivering encryption key management. Encryption key managers include policies, procedures, components, and devices that are used to protect, manage and distribute cryptographic keys and associated information.
Entropy is a measure of the randomness of data. High entropy corresponds to higher levels of randomness. Many parameters used in security are based on random data. The security strength of such cryptographic parameters depends on the actual entropy delivered by the underlying random number generator.
European Telecommunications Standards Institute (ETSI)
European Telecommunications Standards Institute (ETSI) is an independent, not-for-profit, standardization organization in the field of information and communications. ETSI supports the development and testing of global technical standards for ICT-enabled systems, applications, and services.
ETSI QKD Standards
ETSI – Quantum Key Distribution | Quantum Cryptography (ETSI.org)
ETSI Industry Specification Group (ISG) QKD is now working on various specifications:
- Protection Profile for QKD systems
- Protection against Trojan horse attacks in one-way QKD systems
- Characterization of the optical output of QKD transmitter module
- A control interface for SDN (Software Defined Networks)
- A review of network architecture
- Application Interface (API) in response to new network developments
QKD has published ETSI White Papers:
The work of the ETSI ISG in QKD is important to enable the future interoperability of the quantum communication networks being deployed around the world. Just as important, it will ensure that quantum cryptography is implemented in a safe manner that mitigates the risk of side channels and active attacks. By defining common interfaces, it will stimulate markets for components, systems and applications.
Federal Information Processing Standards PUB 140-2 – Security Requirements for Cryptographic Modules. FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4”. In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to critical cryptographic material held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper-detection/response circuitry that zeroes all plaintext critical security parameters when the removable covers/doors of the cryptographic module are opened.
Hardware Security Module (HSM)
A hardware security module (HSM) is a security device that serves as the server’s root of trust and provides encryption capabilities by storing and using keys. HSMs can be added to a system to manage, generate, and securely store cryptographic keys. HSMs are high performance and can be external devices connected to a network. HSMs can also come in smaller expansion card form factors making it possible to embed the HSM within the key and policy manager for ease of HSM management, operation, and deployment. Unlike TPMs, HSMs are removable or external devices. HSMs typically use a FIPS 140-2 Level 3 validated cryptographic module.
Key Management Interoperability Protocol (KMIP)
The Key Management Interoperability Protocol (KMIP) is an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management. Keys may be created on a server and then retrieved, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also allows for clients to ask a server to encrypt or decrypt data, without needing direct access to the key. KMIP is maintained by the Organization for the Advancement of Structured Information Standards (OASIS).
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. NIST’s activities are organized into laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement.
NIST SP 800-57 Part 1
This overall standard provides the NIST Recommendations for Key Management. NIST SP 800-57 Part 1 provides guidance on cryptographic key management. It includes details on key management lifecycle requirements that encryption key management solutions should implement.
NIST SP 800-90A
Recommendation for Deterministic Random Bit Generator Validation System (DRBGVS).
NIST SP 800-90B
Recommendation for the Entropy Sources Used for Random Bit Generation.
Organization for the Advancement of Structured Information Standards (OASIS). OASIS is a nonprofit consortium that drives the development, convergence, and adoption of open standards for the global information society. The OASIS KMIP Technical Committee works to define a single, comprehensive protocol for communication between encryption systems and a broad range of new and legacy enterprise applications, including email, databases, and storage devices. Additional KMIP goals include removing redundant, incompatible key management processes, providing better data security while at the same time reducing expenditures on multiple products.
One-Time Pad (OTP)
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. Using the OTP technique, a plaintext is paired with a secret key (also referred to as a one-time pad) that is truly random and at least as long as the plaintext. Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be mathematically impossible to decrypt or break.
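The conditions in this entry can be seen in a short added example (not code from the original page). It uses XOR, which is modular addition per bit, and a hypothetical `PadBook` class that issues each pad byte only once; the OS CSPRNG stands in for a true random source, and the messages are constructed samples. `reuse_leak` shows what breaks when a pad is used twice.

```python
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Combine each byte with the matching pad byte (XOR = addition mod 2 per bit)."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


class PadBook:
    """Hypothetical pad store that issues each pad byte exactly once."""

    def __init__(self, size: int):
        # Assumption: the OS CSPRNG stands in for a true random source.
        self._pad = secrets.token_bytes(size)
        self._offset = 0

    def take(self, n: int) -> bytes:
        if self._offset + n > len(self._pad):
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk


def reuse_leak(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """Failure mode: two ciphertexts under one pad XOR to the XOR of the plaintexts."""
    c1, c2 = otp_xor(p1, pad), otp_xor(p2, pad)
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> dict:
    msg1, msg2 = b"rotate key 0042", b"revoke key 0017"  # constructed samples
    book = PadBook(len(msg1) + len(msg2))
    pad1 = book.take(len(msg1))
    ct1 = otp_xor(msg1, pad1)
    return {
        "roundtrip": otp_xor(ct1, pad1) == msg1,
        # The pad cancels out entirely: this value depends only on the plaintexts.
        "leak_if_reused": reuse_leak(msg1, msg2, pad1),
    }


if __name__ == "__main__":
    print(demo())
```

The `leak_if_reused` value contains no pad bytes at all, which is why the "never reused in whole or in part" condition is not optional.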
Public Key Cryptography Standards #11 Application Program Interface. The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards, and names the API itself “Cryptoki” (from “cryptographic token interface” and pronounced as “crypto-key” – but “PKCS#11” is often used to refer to the API as well as the standard that defines it). The API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, AES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.
Post-Quantum Cryptography (PQC)
Post-quantum cryptography (sometimes referred to as quantum-proof, quantum-safe or quantum-resistant) refers to cryptographic algorithms (primarily public-key algorithms) that are thought to be secure against a cryptanalytic attack by a quantum computer. Even though current, publicly known, experimental quantum computers lack processing power to break any real cryptographic algorithm, many cryptographers are designing the new algorithms to prepare for the time when quantum computing is a threat. In contrast to the threat quantum computing poses to current public-key algorithms, most current symmetric cryptographic algorithms and hash functions are considered to be relatively secure against attacks by quantum computers. While quantum computing can speed up attacks against symmetric ciphers, doubling the key size can effectively block these attacks. Thus, post-quantum symmetric cryptography does not need to differ significantly from current symmetric cryptography.
Pseudo Random Numbers
PRNs are numbers generated from pseudo random number generators (PRNGs). PRNGs expand a short random seed using deterministic mathematical algorithms. Poorly constructed pseudo-random numbers have resulted in security breaches.
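The link between seed entropy and key strength, as an added example (not from the original page): a 256-bit key expanded from a small seed by a deterministic PRNG can only take as many values as there are seeds. The function names and the 12-bit seed size are assumptions chosen for illustration.

```python
import math
import random
import secrets

KEY_BYTES = 32  # 256-bit key


def key_from_seed(seed: int) -> bytes:
    """Weak pattern: key material expanded from a small seed by a deterministic PRNG."""
    return random.Random(seed).getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def key_from_os() -> bytes:
    """Preferred pattern: key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def effective_key_bits(seed_bits: int) -> float:
    """Count the distinct keys reachable from every possible seed.

    log2 of that count is the real strength of the key, whatever its length.
    """
    keys = {key_from_seed(s) for s in range(2 ** seed_bits)}
    return math.log2(len(keys))


if __name__ == "__main__":
    # Same seed, same key: the output is fully determined by the seed.
    print(key_from_seed(7) == key_from_seed(7))
    # A 256-bit key built from a 12-bit seed carries 12 bits of strength.
    print(effective_key_bits(12))
    print(key_from_os().hex())
```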
Quantum cryptography leverages non-deterministic random number generation to create entropy used to seed digital keys that cannot be mathematically derived. True entropy and the Observer Effect are fundamental components of next generation encryption systems and key generation.
Quantum Key Distribution (QKD)
Quantum Key Distribution (QKD) allows the information-theoretically secure distribution of keys between two spatially separate parties. There are several approaches to QKD, including discrete variable quantum key distribution (DV-QKD), which uses single photons or weak coherent states and single photon detectors; and continuous variable quantum key distribution (CV-QKD), which uses coherent or squeezed states of light and homodyne detectors. Both continuous and discrete approaches have been experimentally demonstrated; just as importantly, both have been proven to be information-theoretically secure. QuintessenceLabs’ quantum key distribution technology (qOptica) uses a continuous variable bright laser beam for key distribution, while leveraging commercial off-the-shelf (COTS) telecommunications components and existing fiber optic cables to offer a very cost-competitive solution.
Quantum Random Number Generator (QRNG)
Quantum random number generators (QRNGs) are true random number generators that use quantum physics. QRNGs can be truly random. Many quantum random number generators are based on the detection of single photons and have relatively limited throughput.
Legacy encryption algorithms rely on the amount of time and power required for a classical computer to factor large integers. In 1994 Peter Shor, an MIT professor, published an algorithm proving that finding an integer’s prime factors quickly and efficiently is possible using a quantum computer with enough qubits and sufficiently low noise. Grover’s search algorithm followed Shor’s with similar results.
The Observer Effect
The Observer Effect is similar to the Heisenberg Uncertainty Principle. It is a quantum phenomenon that prevents measuring both position and momentum of quanta without changing one or the other. In quantum cryptography the Observer Effect is used to detect and mitigate Man-in-the-Middle (MITM) attacks against cryptographic keys.
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a hardware chip, typically included on the key management server’s motherboard, used to encrypt the keys. Keys protected by a TPM chip cannot be directly used on another system; they must be decrypted by a key which is locked inside the TPM chip. To preserve the secrecy of the key when exported, the key is exported as a pair of files. The first file is an encrypted blob and contains the key protected by an asymmetric key pair and then further encrypted using an OTP. The second file contains the OTP itself. Security conscious administrators can assign privileges to ensure no single account can download both the OTP and the encrypted blob: two administrators are required to take custody of an exported key, and the two files can be stored separately.
True Random Number Generator (TRNG)
TRNGs use random physical processes to generate numbers instead of the deterministic computational algorithms used by pseudo random number generators. Pseudo random numbers based on classical deterministic systems can be predicted if enough is known about the system, or if they can be influenced by actions such as temperature changes. High speed true random numbers generated using quantum physics, also known as quantum random number generators (QRNGs), are truly random.