
Securing IPSec with SKAP

Overview

IPSec is currently the most approachable network protocol to secure with the SKAP platform. RFC 8784 extends the IPSec protocol with a mechanism for injecting symmetric keys 'out of band' into the Diffie-Hellman key exchange.

At a high level it can be described as:

  1. Diffie-Hellman key exchange occurs as expected.
  2. On each endpoint a number of 'Post-quantum Pre-shared Keys' (PPKs) exist.
  3. A mutually acceptable PPK is negotiated.
  4. The PPK is applied as a secondary transform in addition to the standard IPSec cryptography.
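
Step 4 corresponds to the key derivation in RFC 8784 section 3, where SK_d, SK_pi and SK_pr are re-derived under the PPK. The sketch below is an added example, not code from SKAP or StrongSwan; it assumes PRF_HMAC_SHA2_256, a 32-byte key for every negotiated algorithm, and constructed values for the DH secret, nonces, SPIs and PPKs.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the PRFs IKEv2 can negotiate."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 | T2 | ... truncated to length."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
KEY_LEN = 32  # assumption: every negotiated algorithm takes a 32-byte key

def ike_keys(dh_secret, ni, nr, spi_i, spi_r):
    """Standard IKEv2 key derivation (RFC 7296), before any PPK is mixed in."""
    skeyseed = prf(ni + nr, dh_secret)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(NAMES))
    return {n: stream[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(NAMES)}

def mix_ppk(keys, ppk):
    """RFC 8784 section 3: re-derive SK_d, SK_pi and SK_pr with the PPK as key."""
    mixed = dict(keys)
    for name in ("SK_d", "SK_pi", "SK_pr"):
        mixed[name] = prf_plus(ppk, keys[name], KEY_LEN)
    return mixed

# Constructed sample values; a real exchange uses random nonces and a real DH result.
DH_SECRET = bytes(range(32))
NI, NR = b"\x11" * 32, b"\x22" * 32
SPI_I, SPI_R = b"\xaa" * 8, b"\xbb" * 8
PPK_A = b"constructed-ppk-for-illustration"
PPK_B = b"a-different-constructed-ppk-...."

def demo():
    """Return (no PPK, initiator with PPK_A, responder with PPK_A, peer with PPK_B)."""
    base = ike_keys(DH_SECRET, NI, NR, SPI_I, SPI_R)
    return base, mix_ppk(base, PPK_A), mix_ppk(base, PPK_A), mix_ppk(base, PPK_B)

if __name__ == "__main__":
    base, initiator, responder, mismatched = demo()
    for name in NAMES:
        print(f"{name:5} changed by PPK: {base[name] != initiator[name]}")
    print("wrong PPK yields same SK_d:", initiator["SK_d"] == mismatched["SK_d"])
```

SK_ei/SK_er and SK_ai/SK_ar are untouched, so the PPK protects peer authentication and the Child SA keys derived from SK_d rather than the initial IKE SA's own encryption.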

Two implementations have been tested with QuantumCloud:

  1. StrongSwan library, the default IPSec implementation included in many Linux distributions including Ubuntu and CentOS.
  2. Fortinet FortiOS (Beta) integration with Fortinet's physical and virtual Firewall products.

StrongSwan / LibreSwan configuration

StrongSwan has two mechanisms by which PPKs can be injected into the configuration:

  1. StrongSwan configuration files: PPKs can be injected into the configuration files (either by hand or by integration). This requires a manual reload.
  2. StrongSwan VICI: the vici plugin allows applications to integrate directly into StrongSwan.

Both of these methods can be used via custom integration with SKAP.

QuantumCloud™ Network Adapter & Fortinet (FortiOS) network appliances

Fortinet and Arqit have announced an integration between FortiOS and the QuantumCloud platform.

Pre-release

FortiOS integration is currently pre-release. Using the FortiOS integration requires custom firmware on your physical or virtual network appliance.

A new ETSI standard API provides the integration mechanism. A pre-built "Network Adapter" application is provided which integrates with FortiOS.