The Bust
QKD systems have performance limitations, device non-idealities, and system vulnerabilities which are not well understood (Scarani & Kurtsiefer, 2009). Thus, potential users often question both the effectiveness of the technology and its system security posture. For QKD to be accepted as a cybersecurity technology the following critical issues (at a minimum) should be addressed.
- QKD is Point-to-Point Technology – Because QKD is a point-to-point solution, it does not scale well for modern communications infrastructures. While gains are being made towards networked key management solutions, they are fundamentally limited by QKD’s quantum underpinnings, which prevent the amplification of single photons (Wootters & Zurek, 1982). Given this critical limitation, QKD does not appear to be a good fit for wide scale implementation and may only be viable for specialized two site applications such as encrypted voice communications in a metropolitan area.
- Implementation Security Vulnerabilities – QKD systems have implementation non-idealities which introduce vulnerabilities and negatively impact both performance and security. For example, these “unconditionally secure” QKD systems protocols are vulnerable to attacks over the quantum channel, including man-in-the-middle (authentication failures), intercept/resend (measuring and replacing photons), photon number splitting (stealing photons), and blinding optical receivers (unauthorized laser sources). Additionally, QKD systems are also vulnerable to common cybersecurity attacks against computers, applications, and protocols. These implementation security issues and their resulting vulnerabilities must be well-studied and addressed through established architectural design principles, verifiable designs, and assured operational configurations to provide trustworthy systems to end users.
- No Formal Certification Method – As high-security crypto devices, QKD systems should undergo formal security assessments and certification processes to address (at a minimum) physical attacks, side channel analysis, and data manipulation. However, within the QKD community there is little discussion thereof, and arguably sluggish progress towards an independent certification process (ETSI, 2015). Furthermore, QKD developers must adopt a more holistic view of security including proactive techniques such as assuring secure operational baselines and continuous monitoring of the system’s communication links.
Despite QKD’s drawbacks, the technology does show promise as an enabler to unbreakable encryption (i.e., generating unlimited amounts of random key for use in On-Time Pad encryption) for niche applications such as point-to-point communications and data transfer.