skip to Main Content

Quantum Cybersecurity Standards & Technical Information

Cybersecurity standards enhance the physical security of an organization and contribute to its overall risk management. Technical standards also allows the sharing of knowledge and best practices by helping to ensure common understanding of conditions, terms, and definitions, which can prevent costly errors. Currently, the threat of quantum computers is driving new cybersecurity innovations and standards today, highlighting quantum-safe cryptography strategies will soon become standard.

Asymmetric Encryption

Also called public key cryptography (or asymmetric cryptography). Asymmetric cryptography uses two keys. One key is called a public key and the other is called a private key. Asymmetric cryptography solves the secret key transport problem encountered during initial attempts to communicate securely using symmetric encryption. Asymmetric encryption algorithms include RSA and ECC (elliptic curve).

Common Criteria

Common Criteria: CC Portal (commoncriteriaportal.org)

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements in a Security Target (ST), and may be taken from Protection Profiles (PPs). Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that is commensurate with the target environment for use. Common Criteria maintains a list of certified products, including operating systems, access control systems, databases, and key management systems.

Encryption

Encryption is the process of converting data, also known as plaintext, to another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. It is commonly used to protect sensitive information—this includes files and storage devices, as well as data transferred over wireless networks and the Internet. The information is transformed from plaintext into ciphertext through encryption and then transformed back from ciphertext to plaintext via decryption.

Encryption Key Management (EKM)

The management of cryptographic keys used for encryption. This includes generating, exchanging, protecting, storing, using and replacing encryption keys throughout their full lifecycle. Encryption key management is one of the most complex problems of encryption and is critical to the security of a cryptosystem.

Encryption Key Manager System (KMS)

Encryption Key Manager | QuintessenceLabs

A solution delivering encryption key management. Encryption key managers include policies, procedures, components, and devices that are used to protect, manage and distribute cryptographic keys and associated information.

Entropy

Quantum Entropy Enhancer | QuintessenceLabs

A measure of the randomness of data. High entropy corresponds to higher levels of randomness. Many parameters used in security are based on random data. The security strength of such cryptographic parameters depends on the actual entropy delivered by the underlying random number generator.

European Telecommunications Standards Institute (ETSI)

ETSI – Welcome to the World of Standards! (ETSI.org)

European Telecommunications Standards Institute (ETSI) is an independent, not-for-profit, standardization organization in the field of information and communications. ETSI supports the development and testing of global technical standards for ICT-enabled systems, applications, and services.

ETSI QKD Standards

ETSI – Quantum Key Distribution | Quantum Cryptography (ETSI.org)
ETSI Industry Specification Group (ISG) QKD is now working on various specifications:

  • Protection Profile for QKD systems
  • Protection against Trojan horse attacks in one-way QKD systems
  • Characterization of the optical output of QKD transmitter module
  • A control interface for SDN (Software Defined Networks)
  • A review of network architecture
  • Application Interface (API) in response to new network developments

QKD has published ETSI White Papers:

The work of the ETSI ISG in QKD is important to enable the future interoperability of the quantum communication networks being deployed around the world. Just as important, it will ensure that quantum cryptography is implemented in a safe manner that mitigates the risk of side channels and active attacks. By defining common interfaces, it will stimulate markets for components, systems and applications.

FIPS 140-2

FIPS 140-2, Security Requirements for Cryptographic Modules | CSRC (nist.gov)

Federal Information Processing Standards PUB 140-2 – Security Requirements for Cryptographic Modules. FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4”. In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to critical cryptographic material held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper-detection/response circuitry that zeroes all plaintext critical security parameters when the removable covers/doors of the cryptographic module are opened.

Hardware Security Module (HSM)

A hardware security module (HSM) is a security device that serves as the server’s root of trust and provides encryption capabilities by storing and using keys. HSMs can be added to a system to manage, generate, and securely store cryptographic keys. HSMs are high performance and can be external devices connected to a network. HSMs can also come in smaller expansion card form factors making it possible to embed the HSM within the key and policy manager for ease of HSM management, operation, and deployment. Unlike TPMs, HSMs are removable or external devices. HSMs typically use a FIPS 140-2 Level 3 validated cryptographic module.

Key Management Interoperability Protocol (KMIP)

OASIS Key Management Interoperability Protocol (KMIP) TC | OASIS (oasis-open.org)

The Key Management Interoperability Protocol (KMIP) is an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management. Keys may be created on a server and then retrieved, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also allows for clients to ask a server to encrypt or decrypt data, without needing direct access to the key. KMIP is maintained by the Organization for the Advancement of Structured Information Standards (OASIS).

NIST

National Institute of Standards and Technology | NIST

The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. NIST’s activities are organized into laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement.

NIST SP 800-57 Part 1

SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General | CSRC (nist.gov)

This overall standard provides the NIST Recommendations for Key Management. NIST SP 800-57 Part 1 provides guidance on cryptographic key management. It includes details on key management lifecycle requirements that encryption key management solutions should implement.

NIST SP 800-90A

SP 800-90A Rev. 1, Random Number Generation Using Deterministic RBGs | CSRC (nist.gov)

Recommendation for Deterministic Random Bit Generator Validation System (DRBGVS).

NIST SP 800-90B

SP 800-90B, Entropy Sources Used for Random Bit Generation | CSRC (nist.gov)

Recommendation for the Entropy Sources Used for Random Bit Generation.

OASIS

OASIS Open | OASIS Open (oasis-open.org)

Organization for the Advancement of Structured Information Standards (OASIS). OASIS is a nonprofit consortium that drives the development, convergence, and adoption of open standards for the global information society. The OASIS KMIP Technical Committee works to define a single, comprehensive protocol for communication between encryption systems and a broad range of new and legacy enterprise applications, including email, databases, and storage devices. Additional KMIP goals include removing redundant, incompatible key management processes, providing better data security while at the same time reducing expenditures on multiple products.

One-Time Pad (OTP)

One-time Pad Encryption | Virtual Zeroization | QuintessenceLabs

In cryptography the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. Using the OTP technique, a plaintext is paired with a random secret key (also referred to as a one-time pad) that is truly random and at least as long as the plaintext. Then, each bit or character of the plain text is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting cipher text will be mathematically impossible to decrypt or break.

PKCS#11 API

PKCS#11 Cryptographic Token Interface Base Specification Version 2.40 | OASIS Open (oasis-open.org)

Public Key Cryptography Standards #11 Application Program Interface. The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards, and names the API itself “Cryptoki” (from “cryptographic token interface” and pronounced as “crypto-key” – but “PKCS#11” is often used to refer to the API as well as the standard that defines it). The API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, AES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

Post-Quantum Cryptography (PQC)

Post-Quantum Cryptography | CSRC (nist.gov)

Post-quantum cryptography (sometimes referred to as quantum-proof, quantum-safe or quantum-resistant) refers to cryptographic algorithms (primarily public-key algorithms) that are thought to be secure against a cryptanalytic attack by a quantum computer. Even though current, publicly known, experimental quantum computers lack processing power to break any real cryptographic algorithm, many cryptographers are designing the new algorithms to prepare for the time when quantum computing is a threat. In contrast to the threat quantum computing poses to current public-key algorithms, most current symmetric cryptographic algorithms and hash functions are considered to be relatively secure against attacks by quantum computers. While quantum computing can speed up attacks against symmetric ciphers, doubling the key size can effectively block these attacks. Thus, post-quantum symmetric cryptography does not need to differ significantly from current symmetric cryptography.

Pseudo Random Numbers

PRNs are numbers generated from pseudo random number generators (PRNGs). PRNGs use a short random seed using deterministic mathematical algorithms. Poorly constructed pseudo-random numbers have resulted in security breaches.

Quantum Cryptography

Quantum cryptography leverages non-deterministic random number generation to create entropy used to seed digital keys that cannot be mathematically derived. True entropy and the Observer Effect are fundamental components of next generation encryption systems and key generation.

Quantum Key Distribution (QKD)

Quantum Key Distribution | QuintessenceLabs

Quantum Key Distribution (QKD) allows the information-theoretically secure distribution of keys between two spatially separate parties. There are several approaches to QKD, including discrete variable quantum key distribution (DV-QKD) which uses single-photons or weak coherent states and single photon detectors; and continuous variable quantum key distribution (CV-QKD), which uses coherent or squeezed states of light and homodyne detectors. Both continuous and discrete approaches have been experimentally demonstrated; just as importantly, both have been proven to be information-theoretically secure. QuintessenceLabs’ quantum key distribution technology (qOptica) uses a continuous variable bright laser beam for key distribution, while leveraging commercial off-the-shelf (COTS) telecommunications components and existing fiber optic cables to offer a very cost competitive solution.

Quantum Random Number Generator (QRNG)

Quantum Random Number Generator | QuintessenceLabs

QRNGs are true random number generators using quantum physics. (QRNGs) can be truly random. Many quantum random number generators are based on the detection of single photons and have relatively limited throughput.

Shor’s Algorithm

Legacy encryption algorithms rely on the amount of time and power required for a classical computer to factor large integers. In 1994 Peter Shor (LinkedIn), an MIT professor, published an algorithm proving that finding an integer’s prime factors quickly and efficiently is possible using a quantum computer with enough qubits and sufficiently low noise. Grover’s search algorithm followed Shor’s with similar results.

The Observer Effect

The Observer Effect is similar to the Heisenberg Uncertainty Principle. It is a quantum phenomenon that prevents measuring both position and momentum of quanta without changing one or the other. In quantum cryptography the Observer Effect is used to detect and mitigate Man-in-the-Middle (MITM) attacks against cryptographic keys.

Trusted Platform Module (TPM)

A Trusted Platform Module (TPM) is a hardware chip typically included on the key management server’s motherboard used to encrypt the keys. Keys protected by a TPM chip cannot be directly used on another system —they must be decrypted by a key which is locked inside the TPM chip. To preserve the secrecy of the key when exported, the key is exported as a pair of files. The first file is an encrypted blob and contains the key protected by an asymmetric key pair and then further encrypted using an OTP. The second file contains the OTP itself. Security conscious administrators can assign privileges to ensure no single account can download both the OTP and the encrypted blob—two administrators are required to take custody of an exported key, and the two files can be stored separately.

True Random Number Generator (TRNG)

TRNGs uses random physical processes to generate numbers instead of deterministic computational algorithms used by pseudo random number generators. Pseudo random numbers based on classical deterministic systems can be predicted if enough is known about the system, or if they can be influenced by actions such as temperature changes. High speed true random numbers generated using quantum physics, also known as quantum random number generators (QRNGs), are truly random.