QKDLite Manual

QKDLite by pQCee

QKDLite, by pQCee, is a set of middleware modules that are designed for businesses to connect easily and securely to Quantum Key Distribution (QKD) infrastructures with minimal changes to the applications. It abstracts away the protocol complexities for integrating with technical standards such as ETSI QKD 014, PKCS#11, RFC 8784, FIPS 197, and PCI-DSS to present a unified interface that focuses on secure key generation and management. This is the administration manual for QKDLite.

Benefits of using QKDLite

• QKDLite adds the ability to cache QKD quantum keys in a FIPS 140 certified permanent storage, such as a hardware security module (HSM). This minimises the downtime experienced by business applications as they continue to have uninterrupted access to QKD quantum keys in the event of a downtime in the QKD infrastructure.

• QKDLite introduces the ability to segregate a key pool per business application, ensuring it can serve multiple applications simultaneously, while preventing any single application from depleting the QKD quantum keys allocated to others. In addition, key policies can be specified to cater to the unique key pool requirements of each application.

• QKDLite improves high availability (HA) property for business applications to request for QKD quantum keys from the QKD infrastructure. QKDLite supports features such as being able to gracefully failover across QKD key management entities (KMEs) for the same QKD entity, and replicate QKD quantum keys to cold sites that do not have access to a QKD infrastructure.

• QKDLite can function as a virtual QKD KME, enabling security appliances (such as virtual private network gateways) to request for QKD quantum keys directly from QKDLite nodes via the QKD ETSI protocol. This allows for a seamless integration of QKDLite into existing infrastructure that has appliances already consuming quantum keys from QKD infrastructure.

• QKDLite for Secure File Transfer is a web service, which can be enabled on QKDLite nodes, to allow senders to securely send files to others without the need to distribute secret keys. This is achieved when senders encrypt a file with a one-time-use QKD quantum encryption key via the web service, and recipients use the same web service to decrypt the file with a corresponding one-time-use QKD quantum decryption key.

• QKDLite provides an additional layer of defence against quantum eavesdropping and quantum man-in-the-middle attacks against the QKD protocol (such as BB84). When business applications request for QKD quantum keys via QKDLite, these keys are derived from the QKD key and a secret key stored in the HSM. As such, quantum attackers who are able to determine the QKD key will have minimal impact to the business applications receiving QKD quantum keys via QKDLite.

Mentions on QKDLite

• Quantum-safe Message Authentication for Industrial IOT using “QKDLite” with LPN

• Securing QKD-HSM connectivity by pQCee and Thales - Solution Brief

• Making QKD-VPN setups resilient against disruptions

About pQCee

pQCee.com is a quantum cybersecurity startup that designs and builds post-quantum products and solutions to strengthen and protect the next generation of computing against quantum attacks. Please contact info@pqcee.com for more offerings. For more information, visit QKDLite product or pQCee.

Who is this manual for?

This manual is for IT infrastructure system administrators, who want to set up and configure QKDLite in their organisation IT infrastructure. This manual assumes the organisation IT infrastructure supports Linux Virtual Machines (VMs).

Table of Contents

• 1. Overview
  • 1.1. Background
  • 1.2. Key Terms and Concepts
    • 1.2.1. Quantum Key Distribution Entity
    • 1.2.2. Quantum Random Number Generator
    • 1.2.3. Quantum-safe Communications
    • 1.2.4. Security Application Entity
    • 1.2.5. Key Management Entity
  • 1.3. Technical Architecture
  • 1.4. Deployment Configuration
    • 1.4.1. Configuration #1: QKDLite with PQC TLS Capable Appliance
    • 1.4.2. Configuration #2: QKDLite with pQCee Quantum-safe TLS Proxy
• 2. Installation
  • 2.1. Compile QKDLite Transport Key Utility and QKDLite Utility
    • 2.1.1. Prepare the Build Environment
    • 2.1.2. Build the QKDLite Transport Key Utility and QKDLite Utility
  • 2.2. Set Up QKDLite Node
    • 2.2.1. Install QKDLite node
    • 2.2.2. Install Quantum-safe SSH and TLS
    • 2.2.3. Configure QKDLite Scripts
  • 2.3. Configure pQCee Quantum-safe TLS Proxy
• 3. Configuration
• 4. QKDLite KME - ETSI Protocol
  • 4.1. Build ETSI Server from Source
  • 4.2. QKDLite_ETSI Usage
  • 4.3. Enable ETSI Server
  • 4.4. Verify ETSI Server status
• 5. QKDLite for Secure File Transfer
  • 5.1. Enable QKDLite for Secure File Transfer Web Server
  • 5.2. Verify QKDLite for Secure File Transfer Web Server
  • 5.3. Enable HTTPS with Caddy
  • 5.4. Verify Caddy is running
• 6. API Terms and Definitions
  • 6.1. Device Definitions
  • 6.2. Terms
  • 6.3. Quantum-migration Ciphers
• 7. QKDLite Utility API Reference
  • 7.1. Key Object
    • 7.1.1. Components in Key Object
  • 7.2. QKDLite Utility Commands
    • 7.2.1. Key Creation
    • 7.2.2. Key Listing
    • 7.2.3. Key Counting
    • 7.2.4. Key Deletion
    • 7.2.5. File Encryption and Decryption
    • 7.2.6. Key Synchronization
    • 7.2.7. Key Retrieval
• 8. QKDLite Scripts API Reference
  • 8.1. Types of QKDLite Scripts
  • 8.2. Script Error Codes
  • 8.3. Logging Approach
  • 8.4. Choice of Syslog Facility and Priority Values
  • 8.5. Scope of Information Captured in Logs
  • 8.6. QKDLite Script Commands
    • 8.6.1. Local Scripts
    • 8.6.2. Replication Scripts
    • 8.6.3. Cron Scripts
• 9. REST APIs
  • 9.1. ETSI Protocol
    • 9.1.1. Get status
    • 9.1.2. Get key
    • 9.1.3. Get key with key ID
• 10. Troubleshooting Guide
  • 10.1. Receive “Error [3] in QKD connectivity” error message when creating a new key
    • 10.1.1. Broken link to custom quantum-safe libcurl library
    • 10.1.2. Quantum-safe TLS Proxy service is down