ITU-T work programme

Study period 2022-2024 : SG17 : Q15/17


Work item: TR.kdc_qkdn
Subject/title: Technical Report: Key distribution center based approaches in the service layer to manage keys supplied by QKDN
Status: Under study 
Approval process: Agreement
Type of work item: Technical report
Version: New
Equivalent number: -
Timing: 2025-08 (Medium priority)
Liaison: ETSI ISG-QKD; ITU-T SG11, SG13 and SG15
Supporting members: CAS Quantum Network Co. Ltd., China Mobile Communications Corporation, QuantumCTek Co. Ltd.
Summary: A key is the most important security asset in a cryptosystem, as its security strength to a considerable extent determines whether the cryptosystem is secure or not. QKD (Quantum Key Distribution) nodes can provide secure keys to cryptographic applications in the service layer. Keys generated by means of a QKD mechanism are anticipated to be widely used in many fields, such as government affairs, finance, energy and transportation, where a higher security level is required. These keys should be usable on different kinds of devices, including mobile devices and immovable devices. Key management is of utmost importance to a cryptosystem, as any fault in key management may lead to key disclosure. A KDC (Key Distribution Center) is a commonly used facility for managing keys at a larger user scale in conventional systems; its functionalities include at least key generation, entity authentication, key distribution and key life-cycle management. Kerberos [b-kerberos] is a typical real-world example of a KDC; it consists of an Authentication Server (AS) and a Ticket Granting Service (TGS). As a trusted third party, Kerberos enables the secure authentication of users to Target Servers (TSs) over an unprotected network. It can also provide for the establishment of cryptographic keys between a client and a TS. Quantum key distribution (QKD) relies on quantum mechanical properties (the indivisibility of single quanta and the no-cloning of quantum states) to ensure communication security. The shared key is negotiated by two communication nodes connected by an optical fibre line. If the communication devices do not have an optical fibre connection, as is the case for wireless mobile devices, there is currently no way for them to acquire keys generated by a QKD mechanism. Several Recommendations related to key management in QKDNs have been ratified by ITU-T. However, these standards deal only with key management inside the QKDN, not with key management in the service layer.
These limitations confine not only the large-scale usage of keys from a QKDN, but also the types of user device in the service layer. Therefore, there is a strong need to start work on how to build a key management system that provides large-scale key services for different types of user devices. This contribution proposes a new work item for a draft Technical Report, "Key distribution center-based approaches in the service layer to manage keys supplied by QKDN", in the work area of interest of Q15/17. The objective of this work is to create a key distribution center (KDC) in the service layer, whose operation is independent of the QKDN, so that keys generated in the QKDN can be applied to various security services and to a large number of user devices, whether these devices are movable or immovable. The significant difference between the proposed KDC and a conventional KDC is that the keys managed by the proposed KDC come from the QKDN, whereas the keys managed by a conventional KDC are self-generated inside the KDC. The proposed KDC has at least the following functionalities: entity authentication, key distribution, and key life-cycle management. Moreover, the trust placed in a KDC is discussed.
Comment: -
Reference(s):
  Historic references:
-
Contact(s):
Shen He, Editor
Fuwen Liu, Editor
Zhangchao Ma, Editor
Ye Tian, Editor
Yong Zhao, Editor
ITU-T A.5 justification(s):
-
First registration in the WP: 2023-09-20 23:50:16
Last update: 2024-03-11 13:00:20