QKD Support [Feature Request] #242

Open
nean-and-i opened this issue Feb 23, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@nean-and-i

Support for Quantum Key Distribution (QKD) [Feature Request]

This is a feature request for Rosenpass to facilitate the exchange of key_ID provided by Quantum Key Distribution (QKD) Key Management System (KMS) via ETSI-014, over a secure PQC (Post-Quantum Cryptography) channel.

Background:

The objective is to enable Rosenpass to handle the exchange of key_ID associated with QKD-generated keys. This enhancement would establish Rosenpass as a standard solution for both Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD) additions to WireGuard.

Workflow:

  1. Key Provisioning from QKD KMS:

    • QKD KMS, for instance, QKD-KMS-Alice, will provide the keys for Pre-Shared Key (PSK) through a REST API call, adhering to the ETSI-014 specification (refer to ETSI014 specification).
    • The outcome will be a key_ID and an actual QKD-generated symmetric key, both of which are identical at Location-Alice and Location-Bob.
  2. Exchange Process:

    • Rosenpass on Location-Alice will need to transmit the key_ID to Location-Bob.
    • Rosenpass on Location-Bob can then leverage the received key_ID to query QKD-KMS-Bob for the corresponding symmetric key. The key will subsequently be utilised as the Pre-Shared Key (PSK) at both locations.
  3. Result:

    • A secure symmetric key generated by the Quantum Key Distribution system is utilised as the Pre-Shared Key for WireGuard, enhancing the overall security of the communication between Location-Alice and Location-Bob.

By integrating QKD support into Rosenpass, this feature request facilitates the use of QKD-generated symmetric keys as PSK.

Examples

KMS REST API calls respecting ETSI014

Location Alice: Get-New-Key-Request

```shell
# Request a new key from Alice's KMS; the client authenticates with its certificate (mutual TLS).
curl --url "https://$KMS/api/v1/keys/$SAE_ID/enc_keys" --cacert "$CACERT" --cert "$CERT" --key "$KEY" --header "Content-Type: application/json"
```

Result:

```json
{
    "keys": [
        {
            "key": "HaAm6+Y9I+mi8LgYYIW/O0DQXyNj36MIzctQtz7pnyg=",
            "key_ID": "d0344a38-169c-423b-a8d8-f39d83c57243"
        }
    ]
}
```

Location Alice -> Location Bob: use Rosenpass for PQC secured key_ID exchange

Location Bob: Get-Key-Via-Key_ID

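```shell
# Fetch the key for the received key_ID from Bob's KMS; the URL is quoted so the shell does not treat "?" as a glob.
curl --url "https://$KMS/api/v1/keys/$SAE_ID/dec_keys?key_ID=$KEYID" --cacert "$CACERT" --cert "$CERT" --key "$KEY" --header "Content-Type: application/json"
```

```json
{
    "keys": [
        {
            "key": "HaAm6+Y9I+mi8LgYYIW/O0DQXyNj36MIzctQtz7pnyg=",
            "key_ID": "d0344a38-169c-423b-a8d8-f39d83c57243"
        }
    ]
}
```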
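
Added example, not part of the original issue and not Rosenpass code: a sketch of the checks Location-Bob could apply to a key_ID received from the peer and to the `dec_keys` response before using the key as a WireGuard PSK. The function names, the host and SAE names, and the sample values are hypothetical; it assumes key_ID is a UUID, as in the sample response above, and that the PSK must be 32 bytes.

```python
import base64
import json
import uuid
from urllib.parse import quote

WG_PSK_LEN = 32  # WireGuard preshared keys are 32 bytes long


def normalize_key_id(raw):
    """Accept only a canonical UUID string (assumed key_ID format)."""
    try:
        parsed = uuid.UUID(raw)
    except (ValueError, AttributeError, TypeError) as exc:
        raise ValueError("key_ID is not a UUID") from exc
    if str(parsed) != raw.lower():  # rejects braces, urn: prefix, missing hyphens
        raise ValueError("key_ID is not in canonical UUID form")
    return str(parsed)


def dec_keys_url(kms_host, sae_id, key_id):
    """Build Bob's lookup URL (path layout from the issue) from a validated key_ID."""
    return (f"https://{kms_host}/api/v1/keys/{quote(sae_id, safe='')}"
            f"/dec_keys?key_ID={normalize_key_id(key_id)}")


def psk_from_kms_response(body, requested_key_id):
    """Return the 32-byte PSK from a dec_keys response, or raise ValueError."""
    wanted = normalize_key_id(requested_key_id)
    doc = json.loads(body)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or len(keys) != 1 or not isinstance(keys[0], dict):
        raise ValueError("expected exactly one key object")
    entry = keys[0]
    if normalize_key_id(entry.get("key_ID")) != wanted:
        raise ValueError("KMS returned a different key_ID than requested")
    if not isinstance(entry.get("key"), str):
        raise ValueError("key field missing")
    psk = base64.b64decode(entry["key"], validate=True)
    if len(psk) != WG_PSK_LEN:
        raise ValueError("key is not 32 bytes; unusable as a WireGuard PSK")
    return psk


# Constructed sample values, not real key material.
SAMPLE_KEY_ID = "00000000-0000-4000-8000-000000000001"
SAMPLE_BODY = json.dumps({"keys": [{
    "key": base64.b64encode(bytes(range(32))).decode(),
    "key_ID": SAMPLE_KEY_ID,
}]})
```

The returned bytes should be handed to WireGuard without being logged; only the key_ID is safe to record.
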
@AliceOrunitia
Contributor

Hi!

Thank you for the detailed request. I think it's a topic for further discussion with Rosenpass contributors. This issue is likely to be of particular interest to both @koraa, Rosenpass' founder and lead cryptographer, and Paul Sporeen (aka: aparcar), who does a lot of research work on Quantum Key Distribution for HS Nordhausen.

Would you be interested in discussing it further with them?

Thanks,
Alice

@nean-and-i
Author

Hi Alice,

that's a very good idea.
How can I get in touch with them for an online meeting?

thanks,
nean

@aparcar
Contributor

aparcar commented Feb 28, 2024

Please reach out via mail[at]aparcar[dot]org

@koraa
Member

koraa commented Feb 28, 2024

@nean-and-i You already wrote a long intro message. How about a quick mail to @aparcar's email and to karo at rosenpass dot eu so we can follow up by email…

@nean-and-i
Author

@koraa @aparcar thanks, very much appreciated!
@AliceOrunitia thanks for connecting!

@thaodt

thaodt commented Feb 29, 2024

@koraa @AliceOrunitia I'm interested in learning more about this journey, can I take part in this thread?

@prabhpreet prabhpreet added the enhancement New feature or request label May 10, 2024