Introduction
Quantum Key Distribution solutions promise the highest security levels and are intended for the protection of critical information in critical applications, where a breach of confidentiality might have the severest consequences. Therefore, prospective owners and users will need confidence in a QKD system, or a QKD network—confidence that their data is protected, that all important risks are minimized by sufficient and effective countermeasures.
Security certification is a structured process for security assessment and can deliver assurance for prospective users. Thus, Security certification enables safe deployment of QKD solutions, and observance of due diligence in managerial decisions towards using QKD in a critical context. Certified QKD products will be mandatory for any actual QKD deployment as, rightfully, nobody would entrust their secrets to a product which is not security certified.
Thus, being able to offer certified products constitutes a valuable competitive advantage for any company in the QKD market. Even though no company has thus far (2022) been able to offer a certified system, an early involvement in QKD security certification already today represents an important strategic advantage through acquisition of experience and expertise. An early involvement also means potential influence on the procedures that are just currently evolving in several standards developing organizations (SDOs).
Principal procedure and involved parties
Current approaches use the paradigm of ISO/EN 15408 “Common Criteria for IT Security Evaluation” (CC), of which a new major version has been officially published in November 2022 (online: commoncriteriaportal.org/cc/, here the standard can be downloaded free of charge). It is called “CC:2022 Release 1” and replaces the CCV3.1 series of 2017). According to a statement on the commoncriteriaportal website (to be accessed using the above link), the situation is now as follows: “CCV3.1R5 version is the last from the 3.1 series, and may optionally be used for evaluation starting no later than 30th of June 2024; STs conformant to CC:2022 based on PPs certified according to CC3.1 will be accepted up to the 31st of December 2027” (PP stands for Protection Profile, which is an implementation independent specification of a customer’s security need; ST stands for Security Target, which is a security specification for a particular implementation). It is therefore advised, to use the new standard for any upcoming activities, even though e.g. the ETSI Protection Profile (we will come to this later) is conformant to CCV3.1R5.
The procedure of a CC certification works as follows: A vendor provides a security specification for a QKD product (an ST, either conformant to a PP, or without a PP). An evaluation lab evaluates the specification (that it is consistent, complete, and sufficient); an evaluation lab evaluates the QKD product against its specification; a certification authority oversees the process and finally issues a certificate (which is basically a “stamped and signed” document). Evaluations can be carried out with different degrees of rigor—the CC define seven Evaluation Assurance Levels EAL1 to EAL7, which basically differ in the procedures a producer needs to implement, in the documentation they need to deliver, and in the actions the evaluators will exercise to determine the conformance of an implantation with its specification. Due to their high security nature, QKD products will need to be evaluated at a high EAL: It will likely be EAL4 “Methodically designed, tested and reviewed”, and likely augmented with increased requirements regarding development security and vulnerability assessment; this is the required EAL of the ETSI PP.
History and current state of QKD security certification
A first (unsuccessful) attempt towards QKD security certification was undertaken in the SECOQC (”Development of a Global Network for Secure Communication based on Quantum Cryptography“) Integrated Project of the 6th European Framework Programme 2004-2008. Missing standards were identified as one roadblock, and on the last day of the project the ETSI Industry Specification Group for QKD (ETSI ISG-QKD) was founded to work on these foundations. This group has been active now for 14 years and has produced several standards in the field of QKD, including basic standards, metrology standards for testing, calibration, and characterization of components, like photon sources and detectors, interface standards, and standards for QKD key management and delivery. The ISG-QKD’s most recent achievement is the finalization of a sample Common Criteria Protection Profile for a prepare-and-measure QKD link, ETSI GS QKD 016 “Quantum Key Distribution (QKD); Protection Profile (PP)”, which was approved on 30 NOV 2022 and is currently being evaluated by an ETSI Specialist Taskforce (taskforce ends 30 JUN 2023).
The ISO/IEC JTC1 SC27 Working Group 3 (which are also the maintainers of the CC standard itself) has also recently finalized two standards for the CC certification of QKD links: ISO/IEC 23837, parts 1 and 2: “Security requirements, test and evaluation methods for quantum key distribution – Part 1: Requirements” and “Information security – Security requirements, test and evaluation methods for quantum key distribution – Part 2: test and evaluation methods”. While the ETSI PP proposes a security specification for a pair of QKD modules, the ISO standards involves a catalogue of generic security functional requirements (Part 1) and a related test and evaluation methodology (Part 2). Both the ETSI and ISO/IEC propose security functional requirements and although these are very similar, they are not fully compatible and the exact differences, as well as the identification of opportunities to overcome these differences, need to be assessed in detail. With these “tools” available, an important step towards practical security certification has been achieved—and several companies have already started activities towards certification of their products.
Open issues and outlook
But a problem is looming in this approach and threatening to become a major roadblock: the certification, and specifically the specification of an actual product requires “background documents” (BGDs), i.e. widely recognized external documents, ideally standards, where cryptographic protocols and algorithms need to be specified. QKD products are highly individual implementations, often with individual security features, based on cryptography, for which no standard functional requirements are available in the standard CC catalogues. The CC, in general, is agnostic towards cryptographic algorithms and protocols—and so all these cryptographic requirements need to be specified by referencing external BGDs. Especially also the security specification of the quantum optical part of a QKD link will have to reference external BGDs, i.e. standards for the employed QKD protocol, for its security proof, for specific optical components and subsystems (e.g. photon detectors, photon sources), for random number generators, and potentially several more. Here, some of the required BGDs may already be available—but the detailed gaps are not yet identified. Activities for the identification of gaps and the coordination of activities to fill them are underway in the ETSI ISG, and especially also in the CEN/CENELEC Focus Group Quantum Technologies (and its successor CEN/CENELEC JTC 22 QT, which will be officially kicked-off in March 2023), which maintains a Quantum Technology Standardization Roadmap, addressing the issue of the missing BGDs and the necessary coordination among standards developing organizations to ensure an efficient generation of these BGDs without inefficiencies and double work (The first publication of the FGQT QT Standardization Roadmap is currently being finalized, and will probably happen in February 2023, when all national bodies of its European members will have agreed).
Another problem is related to the existence and applicability of evaluation methodologies, especially for the quantum optical part. Although ISO/IEC 23837 Part 2 covers such a methodology, it does so for the functional requirements of its Part 1, but not for the ETSI PP, on which upcoming efforts for security specification of QKD links will likely be based. Also, currently there exist no “Quantum Security Evaluation Facilities” to carry out the evaluation of the quantum optics part of a QKD link. There are the European metrology institutes, which have the expertise, and also have created several metrology standards for testing, calibration, characterization, stability, attacks, countermeasures of specific quantum optical components, but it is unclear if they will carry out the evaluations, or if dedicated “quantum evaluation labs” need to be created. The EC, in its “Digital Europe Work Programme 2021-2022”, in its objectives for the EuroQCI large scale quantum communication infrastructure, sees these problems and defines an objective to “[d]eploy a large-scale testing and certification infrastructure for QKD devices, technologies and systems enabling their accreditation and rollout in EuroQCI” (p. 104).
One strategy to overcome the present difficulties in QKD certification could be to commission dedicated feasibility studies, involving a broad range of stakeholders e.g. quantum information theory scientists, metrology institutes, producers of QKD systems and components, evaluation labs, and certification bodies.
Another field where security certification is necessary are QKD networks. Architectures and Interfaces for key distribution networks involving QKD links of different vendors and subnetworks of different network operators are currently being developed (in the ETSI ISG-QKD, in the ITU-T, in informal exchange of telecommunications providers and QKD producers). A security certification of these so-called “Key Management Systems—KMSs” could be more straightforward, as it does not involve the analogue world of quantum optics.
(Copyright © Thomas Länger 2023. All rights reserved)