Symmetric Key Agreement Platform

Overview

Cyber-attack is amongst the highest risks managed by the Defence, Governments and Enterprises. The proliferation of digital transformation devices, sensors and data are expanding the threat attack surface at an exponential rate. Critically there are two major adversary exposures to today’s internet and data security due to the inherent use of Public key Infrastructure (PKI). These are Shor’s algorithm and Quantum computing. Whilst it is understood that the collective application of the technologies will immediately break PKI, there are a number of other risk exposure for client’s data today:

• the harvesting of such client data now and then de-crypting later; and
• the current use of computer farms to apply elements of Shor’s algorithm to perform data mining.

Symmetric Key Agreement Platform, built on Arqit's Quantum Cloud, provides an alternative architecture to provide quantum-resistant cryptography to NIST's PQC algorithms such as CRYSTALS-Kyber.

Our partner - Arqit

Arqit supplies a unique quantum safe encryption Platform-as-a-Service which makes the communications links of any networked device secure against current and future forms of attack – even from a quantum computer. Arqit’s product, QuantumCloud™, enables any device to download a lightweight software agent, which can create encryption keys in partnership with any other device. The keys are computationally secure, optionally one-time use and zero trust. QuantumCloud™ can create limitless volumes of keys in limitless group sizes and can regulate the secure entrance and exit of a device in a group. The addressable market for QuantumCloud™ is every connected device. The company was recently awarded the Innovation in Cyber award at the National Cyber Awards.

How it works

SKAP does this by solely using symmetric cryptography (AES-256) which, unlike current PKI algorithms, is resistant to quantum-computing attacks.

SKAP provides this security by creating a network where:

1. Clients are bootstrapped into the network where they;
2. Prove identity by username, password, and optionally a bootstrapped symmetric key
3. Are authorized by network owners
4. Two clients can negotiate a mutually agreed symmetry key where the platform owners (e.g. AUCloud) cannot obtain visibility.
5. All communications can draw on a 'True Random Number Generator' to provide entropy into the system
6. The source of true random numbers generated by a Quintessence Labs Quantum True Random Number generator.
7. All keys within the system are subject to 'ratcheting'. This allows replacement of the key at regular intervals decreasing risk.

The result is a system which is:

• High performance as there is no overhead of asymmetric cryptography. The result is an energy efficient system
• Uses trusted cryptographic primitives (e.g. AES-256) which are widely reviewed and accelerated at the hardware layer
• Is resistant to quantum-computing attacks using Shor's algorithm.

Emerging use cases

Symmetric Key Agreement Platform is an emerging technology. Use cases are still being explored if you have ideas contact us.

Quantum computing resistance

Protocol reinforcement via pre-shared post-quantum keys

Protocols such as IPsec are beginning to explicitly support symmetric keys which are distributed 'Out of Band' with the traditional (PKI based) key negotiation channel. SKAP can be used to provide this out of band key distribution.

Other protocols (such as MACSec) which natively assume secure key distribution can be re-enforced by ensuring the keys set in devices do not rely on PKI to be distributed.

Replacement or Augmentation of link-encrypters

Military and National Security environments frequently rely on devices commonly called 'link-encrypters' which may rely on the physical distribution of key material 'KEYMAT'. SKAP provides an alternative mechanism for secure 'over the wire' distribution of KEYMAT that can be either:

• Used in conjunction with link encrypters
• Used together with IPSec to adopt industry standard devices.

"SWaP" constrained systems

Size, Weight and Power (SWAP), is used to describe the constraints on IoT systems and Satellites. By avoiding PKI energy and storage space can be saved. Severely constrained systems, such as satellites, have frequently either not encrypted data; or; used hard coded keys.

SKAP provides a energy efficient method for uplifting security where SWaP can be adjusted based on mission security requirements (e.g. key negotiation frequency).

References

Standards and RFCs

• Mixing Pre-shared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security
• Support mechanism for SKAP keys to provide quantum-resistant cryptography to IPSec Tunnels
• ETSI QKD standards including:
• QKD REST API interface

Papers

• Arqit Quantum Cloud Overview Paper
• ARQ19 Protocol Patent