Key Management System for QKD Networks

The Key Management System (KMS) is an important building block within a Quantum Key Distribution Network (QKDN): it makes sure that a symmetric key is available at any node of the network. It uses the point-to-point keys generated by the QKD devices to establish an end-to-end key with any node for the users. It does so in a quantum-secure manner, in line with best practices for security principles and software development. The KMS is a product-ready software solution, which will be ready to be deployed in a real-world QKD network in 2024.

Key Features

The core functionality of the KMS consists of the following components: 

  • Key Retrieval from QKD Devices: The KMS retrieves the point-to-point QKD-generated keys from QKD devices that support interfaces compliant with ETSI GS QKD 014 or ETSI GS QKD 004.
  • Key Provisioning to Applications: The KMS provides the keys to applications through standard-compliant ETSI GS QKD 014 or ETSI GS QKD 004 interfaces.
  • Key Storage: The KMS implements storage of QKD keys that minimizes internally used keys while maximizing security and availability. On-demand key stream assignment, together with batch synchronization and verification, are the techniques implemented to achieve this balance.
  • Operational reliability: Keeping the distributed database system that is the heart of the KMS consistent is a high priority. Consistency checks and synchronization procedures are in place to ensure this.
  • SDN by Design: Network management and route selection are implemented based on software-defined network (SDN) principles. An SDN controller external to the KMS can configure and monitor the KMS via an interface derived from ETSI GS QKD 015, which allows dynamic reconfiguration of the selected paths without interrupting operation. If an SDN controller is not available, the KMS supports a static network configuration.
  • Standard Compliance: The KMS is compliant with the standards most relevant for QKD, namely ETSI GS QKD 004, 014 and 015, and with the ITU-T Y.3800 series. It also takes into account applicable concepts from non-QKD key management systems, for example those defined in NIST SP 800-57.

Security Principles

Drawing on the expertise of AIT's cryptographers and of developers experienced in cryptographic applications, the KMS is designed and developed with security in mind.

Cryptographic algorithms. Key forwarding is implemented using established information-theoretically secure (ITS) protocols. Hence, keys are secure against an outside attacker with unbounded computational power. 
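
The hop-by-hop forwarding described above, sketched as an added example that is not AIT's code. It assumes one-time-pad (XOR) relay over trusted nodes as the ITS protocol, which the page does not name; `LinkKeyStore`, `make_link` and `relay_key` are hypothetical names, and the link keys are constructed from random bytes.

```python
import secrets

class LinkKeyStore:
    """One node's copy of the point-to-point QKD key shared with a neighbour."""
    def __init__(self, material: bytes):
        self._material = material
        self._offset = 0

    def remaining(self) -> int:
        return len(self._material) - self._offset

    def take(self, n: int) -> bytes:
        # One-time-pad rule: each pad byte is handed out once and never again.
        if n > self.remaining():
            raise RuntimeError("link key exhausted; wait for fresh QKD key")
        pad = self._material[self._offset:self._offset + n]
        self._offset += n
        return pad

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_link(size: int):
    """Constructed stand-in for a QKD link: both ends hold identical key bytes."""
    material = secrets.token_bytes(size)
    return LinkKeyStore(material), LinkKeyStore(material)

def relay_key(e2e_key: bytes, links):
    """Forward e2e_key along a path; links[i] is (sender store, receiver store).

    Returns the key as received at the last node and the ciphertext on each hop.
    Every intermediate node sees the key in the clear, so it must be trusted.
    OTP gives confidentiality only; message authentication is omitted here.
    """
    # Check capacity on every hop first so a failure consumes no link key.
    if any(tx.remaining() < len(e2e_key) for tx, _ in links):
        raise RuntimeError("insufficient link key on path")
    wire, current = [], e2e_key
    for tx, rx in links:
        ciphertext = xor(current, tx.take(len(current)))     # sent over the classical channel
        wire.append(ciphertext)
        current = xor(ciphertext, rx.take(len(ciphertext)))  # next node recovers the key
    return current, wire

if __name__ == "__main__":
    path = [make_link(64) for _ in range(3)]  # hops A-B, B-C, C-D
    key = secrets.token_bytes(32)
    delivered, wire = relay_key(key, path)
    print("delivered intact:", delivered == key, "| hops:", len(wire))
```

Each forwarded key consumes its own length in link key on every hop of the path, which is why link key storage and consumption have to be tracked per link.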

PQC hybridization. Hybridization with post-quantum cryptography (PQC) adds a further security layer on top of QKD. The delivered key is derived from a QKD-protected key and a second end-to-end secure key established using PQC algorithms. This feature is planned for mid to end 2024.

Secure Implementation. Minimizing the probability of weaknesses in the implementation is a high priority. Secure development practices are employed for the implementation of the KMS, and several tools, ranging from an extensive test suite to code analysis tools, aid the developers in this process.

The KMS is implemented in modern C++ in an agile, test-driven development process. Unit tests running in the CI pipeline are maintained during development at a high coverage of at least 85%. Integration tests and test deployments in a QKD network simulation are executed as well.

Modern secure implementation techniques are applied. A zero-warning policy is in place and the CI pipeline executes a respected static code analysis tool at every commit. A dynamic code analysis tool is also used.

Development Support 

The KMS is delivered with a complete documentation suite containing a detailed API description of all interfaces. It also comes with example projects and code, as well as a software KMS mock that can be used for early integration testing. In addition, a tool is provided that generates the static configuration for each KMS instance if an SDN component is not available.

Deployment. The KMS is a software solution deployable on industry-standard commercial off-the-shelf server hardware with a modern Linux operating system. It can also be delivered in container-virtualized form to be platform independent.