Securing IPSec with SKAP
Overview¤
IPSec is currently the most approachable network protocol to be secured with the SKAP platform. RFC-8784 extends the IPSec protocol to provide a mechanism to inject symmetric keys 'out of band' to the Diffie-Hellman key-exchange.
At a high level it can described as:
- Diffie-Hellman key exchange occurs as expected.
- On each endpoint a number of 'Post-quantum Pre-shared Keys' (PPKs) exist.
- A mutually acceptable PPK are negotiated.
- the PPK as a secondary transform in addition to the standard IPSec cryptography.
Two implementations have been tested with QuantumCloud:
- StrongSwan library, the default IPSec implementation included in many linux distributions including Ubuntu and Centos.
- Fortinet FortiOS (Beta) integration with Fortinet's physical and virtual Firewall products.
StrongSwan / LibreSwan configuration¤
StrongSwan has two mechanisms by which PPKs can be injected into the configuration:
- StrongSwan configuration files can have PPKs injected in (either by hand or by integration.
- This requires manual reload is required.
- StrongSwan VICI The vici plugin can allow applications to integrate directly into StrongSwan.
Both of these methods can be used, via custom integration with SKAP.
QuantumCloud™ Network Adapter & Fortinet (FortiOS) network appliances.¤
Fortinet and Arqit have announced an integration between FortiOS and the QuantumCloud platform.
Pre release
FortiOS integration is currently pre-release. Use of the FortiOS requires the use of custom firmware on your physical or virtual network appliance.
The integration uses a new ETSI standard API provides the integration mechanism a pre-built "Network Adapter" application is provided which integrates with FortiOS.