Secure Video Links

Objectives

Our goal is to extend state-of-the art video conferencing systems (e.g., Kurento) with quantum-resistant cryptographic security guarantees. Thereby, both end-to-end authenticity and confidentiality shall be guaranteed by integrating post-quantum secure digital signatures and key exchange algorithms (e.g., via the integration of quantum-resistant TLS). Additionally, for instances of the video conferencing system hosted in data centers with a QKD link, connections are additionally protected by combining the PQC keys with QKD keys from the QKD network. A secure network infrastructure for the key management and the exchange of PQC keys is considered. Our objective is to elaborate findings and technical results as basis for dissemination and creation of later standards and to integrate suggestions for technically feasible methods for post-quantum technology and high-speed networks.

Architecture

The multi-user secure video chat system with quantum-resistant encryption is based on the open source conferencing solution Jitsi. It features both QKD and PQC encryption where applicable and provides a secure alternative to traditional encryption. We adapted the source code of the client and introduced a new component called QKDKeyHandler. The QKDKeyHandler is an alternative to the existing KeyHandlers and introduces the integration to a QKD device.

A secure video chat session is created by connecting to the web server which loads the video client and opens up a secure session in the web browser. Upon initialization of the session the QKDKeyHandler requests a key from the KMS (key management system) based on the session id and begins encrypting the video stream. The videobridge receives the encrypted stream and distributes it to additional clients. This approach implements real E2E encryption that can not be intercepted by the videobridge.

The KMS is interfacing with a QKD (quantum key distribution) device, which is responsible for the key exchange on the QKD network. Access to the KMS is secured with x.509 client certificates that can be based on RSA or PQC (post quantum cryptography).

Depending on the requirements and framework conditions of a video conference, a wide variety of communication applications with different security concepts are further available.

To realize end-to-end encryption, the architecture concept foresees both, the integration of post-quantum secure digital signature schemes and public-key encryption schemes to provide the highest level of encryption. A key management system is integrated. This kind of video communication only works within an organization and does not allow any external use.

Video cluster encryption supports high level encryption of the cluster server and storage and can be used any time where unencrypted data processing is needed. In this case, end-to-end encryption is not possible. For demonstration purposes, the under open source license available video conference system BigBlueButton and Kurento Media Server was considered.

Implementation Plan

The following methodology was used to design the architecture and realize the basis for a first demonstration system:

A technology analysis and market research was executed under considering the key performing indicators and state-of-the art video conferencing technologies. The audit of the most relevant video conferencing systems especially contained the assessment of security features, encryption applications and weak-points. The results were matched to the demands on the use case video chat and two video conferencing tools were chosen for further evaluation, conception and first implementation tests.

The implementation is planned to start in Q1 2024, the deployment of the use case in a demonstration testbed is planned to start in December 2024. Evaluation and tests follow to use findings and technical results as basis for dissemination and creation of later standards.