QKDLite Manual
QKDLite by pQCee
QKDLite, by pQCee, is a set of middleware modules designed to let businesses connect easily and securely to Quantum Key Distribution (QKD) infrastructures with minimal changes to their applications. It abstracts away the protocol complexities of integrating with technical standards such as ETSI GS QKD 014, PKCS #11, RFC 8784, FIPS 197 and PCI-DSS, presenting a unified interface focused on secure key generation and management. This is the administration manual for QKDLite.
Benefits of using QKDLite
Seamless Connectivity
QKDLite allows business applications to request QKD quantum keys directly from QKDLite nodes via the standards-based ETSI GS QKD 014 protocol. This allows seamless integration of QKDLite into existing infrastructure whose IT appliances already support, or are already consuming, QKD quantum keys from a QKD infrastructure.
HSM Support
QKDLite also adds the ability to cache QKD quantum keys in FIPS 140-certified persistent storage, such as a PKCS #11 hardware security module (HSM). This minimises the downtime experienced by business applications: they keep uninterrupted access to cached QKD quantum keys via QKDLite nodes during an outage of the QKD infrastructure.
Multi-party Inbuilt Key Management
QKDLite introduces the ability to segregate a key pool per business application, ensuring it can serve multiple applications simultaneously, while preventing any single application from depleting the QKD quantum keys allocated to others.
In addition, key policies can be specified to cater to the unique key pool requirements of each application (e.g., key creation, deletion, renewals, synchronisation) across QKDLite nodes located at different sites. This feature enables a hub-and-spoke deployment configuration, where one QKDLite node (the hub) replicates different pools of keys to multiple remote QKDLite nodes (the spokes).
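The key delivery and per-application pool behaviour described above, as an added, self-contained example that is not QKDLite's own code: an in-memory node holds one ordered key pool per application ID and serves it in the JSON shape used by ETSI GS QKD 014 (`enc_keys` on the master side returns `key_ID`/`key` pairs; `dec_keys` on the slave side fetches the same keys by `key_ID`). The `KeyPoolNode` class, the `make_key_batch` helper, the application IDs and the key material are all constructed for this example; a real deployment receives its key material from the QKD link and the replication between sites is done by QKDLite's key policies, which this model only imitates by loading the same batch into both nodes.

```python
import base64
import secrets
import uuid


def make_key_batch(count, size=32):
    """Construct (key_ID, key) pairs standing in for material delivered by a QKD link.
    These are constructed sample values for the example, not real QKD output."""
    return [(str(uuid.uuid4()), secrets.token_bytes(size)) for _ in range(count)]


class KeyPoolNode:
    """Minimal in-memory model of a QKDLite-style node (an assumption, not QKDLite's code):
    one insertion-ordered key pool per application ID, served in ETSI GS QKD 014 JSON shape."""

    def __init__(self):
        self.pools = {}  # app_id -> {key_ID: key_bytes}

    def load_keys(self, app_id, batch):
        """Both sites of a link hold the same material, so the caller loads the same batch
        into both nodes. Pools are keyed by application, so apps cannot drain each other."""
        self.pools.setdefault(app_id, {}).update(batch)

    def available(self, app_id):
        return len(self.pools.get(app_id, {}))

    def enc_keys(self, app_id, number=1):
        """Master side: hand out the next `number` unused keys (GET .../enc_keys)."""
        pool = self.pools.get(app_id, {})
        if len(pool) < number:
            raise LookupError(f"pool for {app_id!r} holds {len(pool)} key(s), {number} requested")
        keys = []
        for key_id in list(pool)[:number]:
            key = pool.pop(key_id)  # consumed: this node never hands the key out again
            keys.append({"key_ID": key_id, "key": base64.b64encode(key).decode()})
        return {"keys": keys}

    def dec_keys(self, app_id, key_ids):
        """Slave side: fetch the same keys by key_ID (POST .../dec_keys with {"key_IDs": [...]})."""
        pool = self.pools.get(app_id, {})
        keys = []
        for entry in key_ids:
            key = pool.pop(entry["key_ID"], None)  # one-time use: a second fetch of the ID fails
            if key is None:
                raise LookupError(f"key_ID {entry['key_ID']} is not available to {app_id!r}")
            keys.append({"key_ID": entry["key_ID"], "key": base64.b64encode(key).decode()})
        return {"keys": keys}


def exchange(master, slave, app_id):
    """One end-to-end delivery: master pulls a key, slave fetches it by key_ID.
    Returns True when both sides ended up with the same key."""
    resp = master.enc_keys(app_id, 1)
    key_id = resp["keys"][0]["key_ID"]
    peer = slave.dec_keys(app_id, [{"key_ID": key_id}])
    return resp["keys"][0]["key"] == peer["keys"][0]["key"]


if __name__ == "__main__":
    site_a, site_b = KeyPoolNode(), KeyPoolNode()
    for app in ("vpn-gateway", "file-transfer"):  # constructed application IDs
        batch = make_key_batch(3)
        site_a.load_keys(app, batch)
        site_b.load_keys(app, batch)
    print("keys match across sites:", exchange(site_a, site_b, "vpn-gateway"))
    print("vpn-gateway keys left:", site_a.available("vpn-gateway"),
          "| file-transfer keys left:", site_a.available("file-transfer"))
```

Two properties worth checking in any real pool implementation are visible here: a `key_ID` can be fetched once only, so a replayed `dec_keys` request fails, and a `key_ID` issued to one application is not resolvable under another application's pool.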
High-availability Configuration
QKDLite improves the high-availability (HA) properties of business applications that request QKD quantum keys from the QKD infrastructure. It supports graceful failover across the QKD key management entities (KMEs) of the same QKD entity, and replication of QKD quantum keys to cold sites that have no access to a QKD infrastructure.
Digital QKD Configuration
QKDLite can function as a digital QKD, enabling security appliances (such as virtual private network gateways) to request quantum keys directly from QKDLite nodes via the ETSI GS QKD 014 protocol, with the quantum keys generated from a quantum random number generator (QRNG) source. This configuration facilitates the quantum-safe transition of infrastructures, especially when access to a QKD infrastructure is not available in time for the transition plan.
Additional Layer of Defence
QKDLite provides an additional layer of defence against quantum eavesdropping and quantum man-in-the-middle attacks on the QKD protocol (such as BB84). When business applications request QKD quantum keys via QKDLite nodes, the keys they receive are derived from the QKD key and a secret key stored in the HSM. An attacker who manages to determine the QKD key alone therefore has minimal impact on the business applications receiving QKD quantum keys via QKDLite nodes.
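The defence-in-depth derivation described above, as an added example that is not QKDLite's own code and does not reproduce its actual construction: the page only states that the delivered key is derived from the QKD key and an HSM-held secret, so this example combines the two with HKDF-SHA256 (RFC 5869), using the QKD key as input keying material, the HSM secret as salt and the key ID as context. The `derive_app_key` and `attacker_view` functions, the label string and all key bytes are constructed for the example. The `attacker_view` function shows what a party that recovered only the QKD key can compute.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA256(PRK, T(i-1) | info | i), concatenated to `length`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_app_key(qkd_key: bytes, hsm_secret: bytes, key_id: str, length: int = 32) -> bytes:
    """Combine the QKD key with a secret held in the HSM.
    ASSUMPTION: the manual says only that the delivered key is derived from the QKD key and an
    HSM-stored secret; QKD key as HKDF input material, HSM secret as salt and key_ID as context
    is this example's choice, not QKDLite's documented construction."""
    info = b"example-app-key|" + key_id.encode()  # constructed label
    return hkdf_expand(hkdf_extract(hsm_secret, qkd_key), info, length)


def attacker_view(qkd_key: bytes, key_id: str, length: int = 32) -> bytes:
    """What a party holding only the QKD key can compute: the same derivation with a guessed
    (here: empty) HSM secret, which does not reproduce the application key."""
    return derive_app_key(qkd_key, b"", key_id, length)


if __name__ == "__main__":
    # Constructed sample values; a real QKD key comes from the link and the HSM secret
    # never leaves the HSM.
    qkd_key = bytes.fromhex("0b" * 32)
    hsm_secret = bytes(range(32))
    app_key = derive_app_key(qkd_key, hsm_secret, "key-0001")
    print("application key:", app_key.hex())
    print("QKD key alone reproduces it:", app_key == attacker_view(qkd_key, "key-0001"))
```

In a production deployment the HSM secret is not readable by software; the combining step would be performed inside the HSM through its PKCS #11 interface so that only the derived application key ever leaves the module. The software HKDF here exists to make the dependency on both inputs observable: changing either the QKD key or the HSM secret changes the result, and the QKD key by itself is not enough.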
QKDLite for Secure File Transfer
QKDLite for Secure File Transfer is a web service, which can be enabled on QKDLite nodes, that lets senders send files securely to others without having to distribute secret keys. Senders encrypt a file with a one-time-use QKD quantum encryption key via the web service, and recipients use the same web service to decrypt the file with the corresponding one-time-use QKD quantum decryption key.
About pQCee
pQCee.com is a quantum cybersecurity startup that designs and builds post-quantum products and solutions to strengthen and protect the next generation of computing against quantum attacks. Please contact info@pqcee.com for more offerings.
For information on conducting proof-of-concept trials with QKDLite, see Product Trial.
Who is this manual for?
This manual is for IT infrastructure system administrators who want to set up and configure QKDLite in their organisation's IT infrastructure. It assumes that the organisation's IT infrastructure supports Linux Virtual Machines (VMs).
Table of Contents
- 1. Overview
- 2. Product Trial
- 3. Installation
- 4. QKDLite for Secure File Transfer
- 5. API Terms and Definitions
- 6. QKDLite Utility API Reference
- 7. QKDLite Scripts API Reference
- 8. REST APIs
- 9. Troubleshooting Guide