QKDLite Manual

QKDLite by pQCee

QKDLite, by pQCee, is a set of middleware modules that are designed for businesses to connect easily and securely to Quantum Key Distribution (QKD) infrastructures with minimal changes to the applications. It abstracts away the protocol complexities for integrating with technical standards such as ETSI QKD GS 014, PKCS #11, RFC 8784, FIPS 197, and PCI-DSS to present a unified interface that focuses on secure key generation and management. This is the administration manual for QKDLite.

Benefits of using QKDLite

1. Seamless Connectivity

   QKDLite allows business applications to request for QKD quantum keys directly from QKDLite nodes via the standards-based ETSI GS QKD 014 protocol. This allows for a seamless integration of QKDLite into existing infrastructure that has IT appliances that support or are already consuming QKD quantum keys from a QKD infrastructure.

2. HSM Support

   QKDLite also adds the ability to cache QKD quantum keys in a FIPS 140 certified permanent storage, such as a PKCS #11 hardware security module (HSM). This minimises the downtime experienced by business applications as they continue to have uninterrupted access to QKD quantum keys via QKDLite nodes in the event of a downtime in the QKD infrastructure.

3. Multi-party Inbuilt Key Management

   QKDLite introduces the ability to segregate a key pool per business application, ensuring it can serve multiple applications simultaneously, while preventing any single application from depleting the QKD quantum keys allocated to others.

   In addition, key policies can be specified to cater to the unique key pool requirements of each application (e.g., key creation, deletion, renewals, synchronisation) across QKDLite nodes located at different sites. This feature enables a hub-and-spoke deployment configuration, where one QKDLite node (the hub) replicates different pools of keys to multiple remote QKDLite nodes (the spokes).

4. High-availability Configuration

   QKDLite improves high availability (HA) property for business applications to request for QKD quantum keys from the QKD infrastructure. QKDLite supports features such as being able to gracefully failover across QKD key management entities (KMEs) for the same QKD entity, and replicate QKD quantum keys to cold sites that do not have access to a QKD infrastructure.

5. Digital QKD Configuration

   QKDLite can function as a digital QKD, enabling security appliances (such as virtual private network gateways) to request for quantum keys directly from QKDLite nodes, via the ETSI GS QKD 014 protocol, in which the quantum keys are generated from a quantum random number generator (QRNG) source. This configuration facilitates the quantum-safe transition of infrastructures, especially when access to a QKD infrastructure is not available in time for the transition plan.

6. Additional Layer of Defence

   QKDLite provides an additional layer of defence against quantum eavesdropping and quantum man-in-the-middle attacks against the QKD protocol (such as BB84). When business applications request for QKD quantum keys via QKDLite nodes, these quantum keys are derived from the QKD key and a secret key stored in the HSM. As such, quantum attackers who are able to determine the QKD key present minimal impact to the business applications receiving QKD quantum keys via QKDLite nodes.

7. QKDLite for Secure File Transfer

   QKDLite for Secure File Transfer is a web service, which can be enabled on QKDLite nodes, to allow senders to securely send files to others without the need to distribute secret keys. This is achieved when senders encrypt a file with a one-time-use QKD quantum encryption key via the web service, and recipients use the same web service to decrypt the file with a corresponding one-time-use QKD quantum decryption key.

Mentions on QKDLite

• Quantum-safe Message Authentication for Industrial IOT using “QKDLite” with LPN

• Securing QKD-HSM connectivity by pQCee and Thales - Solution Brief

• Making QKD-VPN setups resilient against disruptions

• Threat Modelling on a Secure File Transfer solution using QKD keys

About pQCee

pQCee.com is a quantum cybersecurity startup that designs and builds post-quantum products and solutions to strengthen and protect the next generation of computing against quantum attacks. Please contact info@pqcee.com for more offerings.

For information on conducting proof-of-concept trials with QKDLite, see Product Trial for more details.

Who is this manual for?

This manual is for IT infrastructure system administrators, who want to set up and configure QKDLite in their organisation IT infrastructure. This manual assumes the organisation IT infrastructure supports Linux Virtual Machines (VMs).

Table of Contents

• 1. Overview
  • 1.1. Background
  • 1.2. Key Terms and Concepts
    • 1.2.1. Quantum Key
    • 1.2.2. QKD Entity
    • 1.2.3. KME
    • 1.2.4. QRNG
    • 1.2.5. Quantum-safe Communications
  • 1.3. Technical Architecture
  • 1.4. Deployment Configuration
    • 1.4.1. Configuration #1: QKDLite with quantum-safe TLS Capable Appliance
    • 1.4.2. Configuration #2: QKDLite with pQCee pqTLS
    • 1.4.3. Configuration #3: Digital QKD
    • 1.4.4. Configuration #4: Digital QKD with pQCee pqTLS
    • 1.4.5. Configuration #5: High-availability QKDLite
• 2. Product Trial
  • 2.1. QKDLite KME - ETSI Protocol
  • 2.2. QKDLite for Secure File Transfer
• 3. Installation
  • 3.1. Installing QKDLite solution
    • 3.1.1. Set Up the Virtual Machines
    • 3.1.2. Install QKDLite in the VMs
    • 3.1.3. Connect QKDLite Main Node to Remote Node
  • 3.2. Configure pQCee pqTLS
• 4. QKDLite for Secure File Transfer
  • 4.1. Enable QKDLite for Secure File Transfer Web Server
  • 4.2. Verify QKDLite for Secure File Transfer Web Server
  • 4.3. Enable HTTPS with Caddy
  • 4.4. Verify Caddy is running
• 5. API Terms and Definitions
  • 5.1. Device Definitions
  • 5.2. Terms
  • 5.3. Quantum-migration Ciphers
• 6. QKDLite Utility API Reference
  • 6.1. Key Object
    • 6.1.1. Components in Key Object
  • 6.2. QKDLite Utility Commands
    • 6.2.1. Key Creation
    • 6.2.2. Key Listing
    • 6.2.3. Key Counting
    • 6.2.4. Key Deletion
    • 6.2.5. File Encryption and Decryption
    • 6.2.6. Key Synchronization
    • 6.2.7. Key Retrieval
• 7. QKDLite Scripts API Reference
  • 7.1. Types of QKDLite Scripts
  • 7.2. Script Error Codes
  • 7.3. Logging Approach
  • 7.4. Choice of Syslog Facility and Priority Values
  • 7.5. Scope of Information Captured in Logs
  • 7.6. QKDLite Script Commands
    • 7.6.1. Local Scripts
    • 7.6.2. Replication Scripts
    • 7.6.3. Cron Scripts
• 8. REST APIs
  • 8.1. ETSI Protocol
    • 8.1.1. Get status
    • 8.1.2. Get key
    • 8.1.3. Get key with key ID
• 9. Troubleshooting Guide
  • 9.1. Receive “Error [3] in QKD connectivity” error message when creating a new key
    • 9.1.1. Broken link to custom quantum-safe libcurl library
    • 9.1.2. pQCee pqTLS service is down