Encryption is commonly used to protect communications over a variety of media, especially communication networks and/or data networks. Encryption is generally based on the parties who wish to protect their communication sharing some secret value. This value may be used to derive a cryptographic key which is used to protect the communication. The more sophisticated the encryption, the harder it is to decode without the key—it is generally believed that breaking modern, well-administered encryption schemes would require vast conventional computing resources. It is well known however that using the same cryptographic key repeatedly for different communications gives a possible code breaker more material to work with and potentially introduces vulnerabilities into the encryption. Therefore changing the cryptographic key often is desirable.
Distributing new key material securely is vital as, with knowledge of the key, an eavesdropper can decrypt all communications. Preferably, key distribution is also efficient and convenient but previously used methods, for instance physical delivery of new keys by trusted courier or the like, are expensive and impractical for many situations.
Quantum key distribution (QKD) is a known technique which offers the possibility of secure key distribution. QKD relies on fundamental quantum properties and allows two parties, commonly referred to as Alice and Bob, to exchange a value and know that an eavesdropper, usually referred to as Eve, has not learnt much about the value. QKD allows key material to be securely derived by Alice and Bob as needed, which offers significant advantages over other methods of key distribution.
There are several known protocols for QKD. For example, Bennett and Brassard described a QKD protocol in C. H. Bennett and G. Brassard, “Quantum cryptography: ‘Public key distribution and coin tossing’,” IEEE Conf. Computers Systems Signal Processing, Bangalore, India 1984, which has become known as the BB84 protocol. The BB84 protocol uses the transmission of a suitably encoded series of single photons (a quantum exchange) followed by an open discussion via any conventional communication medium (a key agreement stage) to allow Alice and Bob to derive a shared string of random numbers. As single photons are used in the quantum exchange, the only way Eve can gain any information about this exchange is to intercept the single photons sent by Alice and measure the information herself. To avoid detection she should also transmit a photon to Bob which attempts to replicate the original photon she intercepted. Due to the random choice of encoding and the quantum mechanical properties of single photons, Eve cannot guarantee to pass a correctly encoded photon to Bob and this will generate a statistical error which will be spotted by Alice and Bob during their conventional communication.
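The statistical error described above can be reproduced with a short simulation. The following is an added example, not part of the original text; it assumes an ideal noiseless channel, an Eve who intercepts and re-sends every photon, a comparison of all sifted bits rather than a disclosed sample, and a hypothetical abort threshold `ABORT_THRESHOLD`.

```python
import random

ABORT_THRESHOLD = 0.11  # assumed abort level for the sifted-key error rate


def bb84_run(n_photons, eve_present, seed=1):
    """Return (sifted_bits, error_rate) for one simulated BB84 exchange."""
    rng = random.Random(seed)  # seeded so the run is repeatable; never for real keys
    sifted = errors = 0
    for _ in range(n_photons):
        # Alice picks a random bit and a random encoding basis for each photon.
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = a_bit, a_basis          # photon as it leaves Alice
        if eve_present:
            e_basis = rng.getrandbits(1)     # Eve must guess the basis
            if e_basis != basis:
                bit = rng.getrandbits(1)     # wrong basis: her result is random
            basis = e_basis                  # she re-sends in her own basis
        # Bob also measures in a random basis.
        b_basis = rng.getrandbits(1)
        b_bit = bit if b_basis == basis else rng.getrandbits(1)
        # Key agreement stage: only photons where Alice's and Bob's bases
        # matched are kept, and those bits should be identical.
        if b_basis == a_basis:
            sifted += 1
            errors += b_bit != a_bit
    return sifted, (errors / sifted if sifted else 0.0)


def exchange_accepted(error_rate):
    """Alice and Bob discard the exchange when the error rate is too high."""
    return error_rate < ABORT_THRESHOLD


if __name__ == "__main__":
    for eve in (False, True):
        kept, rate = bb84_run(20000, eve)
        print(f"eve={eve} sifted={kept} error_rate={rate:.3f} "
              f"accepted={exchange_accepted(rate)}")
```

Without Eve the sifted bits agree exactly; with Eve intercepting every photon roughly one sifted bit in four disagrees, which is the signature Alice and Bob look for.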
A quantum signal is any signal which may be used as the basis of a quantum key agreement protocol as would be understood by one skilled in the art. For instance the quantum signal may comprise a series of suitably modulated single photons. The skilled person will be well aware of various modulation schemes which may be used for instance, without limitation, signals based on the BB84 protocol or the B92 protocol (as described in Bennett, Charles H., ‘Quantum cryptography using any two non-orthogonal states’, Physical Review Letters, Vol. 68, No. 21, 25 May 1992, pp 3121-3124) or the six-state protocol or any of their variants. The modulation may for instance comprise phase, time, frequency or polarisation modulation. The quantum signal could also comprise entangled photons. For instance a source of entangled photons may generate an entangled photon pair and one of these photons may be sent across a suitable link. Thus the quantum exchange of the quantum signal may include transfer of an entangled photon. It is possible that a source of entangled photon pairs is located remotely and one photon from each pair is provided to Alice and Bob. Protocols using continuous variables and the like are also known. The bits used to make up a quantum signal are generally known as qubits.
QKD offers a secure means of distributing new key material which protects against eavesdropping. The BB84 protocol as originally described is potentially vulnerable to a so-called man-in-the-middle attack. Here an attacker, usually referred to as Mallory, positions himself so as to be able to intercept and stop all data exchanged between Alice and Bob. Mallory then communicates with Alice but pretends to Alice that he is Bob. He also communicates with Bob but in doing so pretends to be Alice. Thus each of Alice and Bob thinks they are talking to one another but in fact they are actually both talking to Mallory. Were simple QKD protocols to be used in this scenario, Alice would establish a quantum key, i.e. a key derived through QKD using a string of mutually agreed random photons, with Mallory (thinking it was Bob). Bob would likewise establish a quantum key with Mallory (which may be the same key, as Mallory can send a bit string based on the string agreed with Alice). Alice, thinking she had set up a quantum key with Bob, would encrypt a message meant for Bob with this key. Mallory could intercept or copy this communication, which is sent on classical channels, decrypt it and take any information he wants from the message. Communications from Bob to Alice would follow the same principle in reverse order.
To overcome the man-in-the-middle attack, it is usual for the communicating parties to undertake an authentication step to ensure that Alice is indeed talking to Bob (and Bob to Alice) and not to Mallory. Authentication usually involves revealing or using a shared secret, such as an identity key, which is known only to Bob and Alice. Alice, wishing to communicate with Bob, would attempt to contact Bob and set up a quantum key. In doing so she requests authentication based on Bob's identity key. Mallory would not know this and hence could not successfully pretend to be Bob. Similarly Bob, receiving a request to set up a quantum key with someone purporting to be Alice, would request authentication based on Alice's identity key. Authentication does require Alice and Bob to share knowledge of at least one identity key prior to commencing QKD but this key can be supplied once on initialisation of the system. In use the identity key can then be updated using a quantum key derived from an authenticated QKD session.
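The authentication step and the identity key update can be sketched as follows. This is an added example, not part of the original text: it uses HMAC-SHA256 over each party's view of the key agreement discussion as a stand-in for whatever authentication scheme a real system uses, and the transcript strings, the function names and the key update derivation are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def transcript_tag(identity_key, transcript):
    """Tag a party's view of the key agreement stage with the identity key."""
    return hmac.new(identity_key, transcript, hashlib.sha256).digest()


def peer_is_authentic(identity_key, my_transcript, received_tag):
    """Accept the peer only if its tag matches my own view of the exchange."""
    expected = transcript_tag(identity_key, my_transcript)
    return hmac.compare_digest(expected, received_tag)


def next_identity_key(quantum_key):
    """Assumed update rule: derive the replacement identity key from
    quantum key material agreed in an authenticated session."""
    return hmac.new(quantum_key, b"identity-key-update", hashlib.sha256).digest()


def demo():
    identity_key = secrets.token_bytes(32)   # supplied once at initialisation
    # Constructed transcripts. With Mallory in the middle, Alice and Bob each
    # ran a separate quantum exchange, so their transcripts differ.
    alice_view = b"bases=0110100111;kept=0,3,4,8"
    bob_view = b"bases=1100101001;kept=1,2,6,9"

    # Honest case: Bob saw the same exchange as Alice and knows the key.
    honest = peer_is_authentic(
        identity_key, alice_view, transcript_tag(identity_key, alice_view))
    # Mallory tags Alice's transcript without knowing the identity key.
    forged = peer_is_authentic(
        identity_key, alice_view,
        transcript_tag(secrets.token_bytes(32), alice_view))
    # Mallory relays Bob's genuine tag, which covers a different exchange.
    relayed = peer_is_authentic(
        identity_key, alice_view, transcript_tag(identity_key, bob_view))

    # After an authenticated session the identity key is replaced.
    updated = next_identity_key(secrets.token_bytes(32))
    return honest, forged, relayed, updated != identity_key


if __name__ == "__main__":
    print(demo())
```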
In summary then, QKD enables a cryptographic key to be agreed between two parties (generally known as Alice and Bob) in a manner which is designed to alert users if any information concerning the key has been intercepted by a third party (generally known as Eve or, if taking an active role and replacing messages or the like, Mallory). Information sent between Alice and Bob can be encrypted using the key according to standard cryptographic techniques. Although the encryption is not impervious to standard attacks on encrypted information, because QKD can operate over a network, the keys can be frequently replaced and therefore any successful attack will result in limited access to communications between Alice and Bob.
QKD as described above requires an uninterrupted optical path from Alice to Bob to act as a quantum channel. This may be in free space or through an optical waveguide such as a fibre optic cable. In either case distances are limited, not least due to the use of single photons. Further, in a network having a large number of connected users it will be impractical for each user to have a direct optical link with each other user.
One way of overcoming this limitation would be to have a network of nodes, such as is shown in FIG. 1. To communicate from Alice to Bob a chain of nodes is formed, each node being connected to the next node by an optical link over which QKD can be applied. In this example (although the reverse could be true) Alice would be the first node in the chain and Bob the last. In one example, each node could then establish a quantum key by QKD with its neighbours. The key established by a pair of nodes would then be used to encrypt data traffic passing between those nodes. In this way a message passing along the chain is encrypted between nodes, though a different key is used on each link. This provides protection against Eve attempting to eavesdrop on any link. However it will be clear that the data is in the clear, i.e. unencrypted, within a node and hence it is necessary to protect against Mallory pretending to be a node in the chain. This requires each node to authenticate the adjacent nodes in the chain.
Whilst such an arrangement is possible it does require Alice and Bob to trust the nodes to establish the correct path through the network and to authenticate correctly. Also it requires each node to know its own identity key and the identity keys of the previous and subsequent nodes in a chain.
Distributed Quantum Key Distribution (DQKD) describes techniques of establishing an authenticated step by step route from Alice to Bob.
Techniques for DQKD networks are described in WO2009/093037, WO2009/093036, WO2009/093034, WO2009/141586, WO2009/141587, WO2010/049673, WO2010/064004 (PCT/GB2009/002802), WO 2010/064003 (PCT/GB2009/002801) and WO 2001/039503 (PCT/GB2010/001811), all of which are incorporated herein by reference.
In one such method, as described in WO2009/093036, the first and destination nodes of an optical network agree a quantum key directly using the principles of quantum key distribution, even when the first and destination nodes are linked by a network path that includes at least one intermediate node and thus may not have a direct optical link between them. The first node in the path, which may also be referred to as a source node or control node, establishes a separate quantum key with each node in the path in turn until a key is agreed with the destination node. Once a quantum key has been directly agreed with the destination node it can be used for end-to-end encryption of communications between the source and destination nodes. Note that as used herein the term ‘node’ means a location in the optical network which has at least one apparatus capable of transmitting and/or receiving a quantum signal suitable for quantum key distribution. A node may be an endpoint of a network or an intermediate part of the network.
This has the advantage that it allows ‘Key Escrow’ by a key management centre, which can be required by bodies (e.g. network management or security standards bodies) to have access to traffic keys used by participants communicating across the network.
WO2010/064004 describes how nodes can connect between two sub-networks which are managed by separate Key Management Centres (KMCs) but there is an overlap with some nodes common to each KMC. In this case, nodes not directly connected to one another can be mutually authenticated if the two KMCs cooperate or if one is a slave to the other.
Such DQKD methods create an authenticated route which aims to prevent any mis-routing by intermediate nodes along the path. Efficient networks may be developed which identify the optimum path for each signal through a network depending upon the traffic load and include routers to schedule each connection according to priorities set by a Network Management System. A full set of keys, which includes authentication and traffic keys, may be generated and managed by one or more centralised KMCs.
In such QKD systems, the nodes are preferably physically secured, i.e. secure against leaking data accidentally and also in a secure location and/or protected from tampering. If any intermediate node is physically compromised, its identity can be assumed by an attacker who can transmit messages and agree a key of its choosing (or at least gain information about the key agreed). Therefore, nodes tend to be sealed in screened, tamper evident secure boxes or otherwise physically secured. Using known techniques, any successful attempt to gain access to the node itself may result in an alert being generated and the communication system may generally be shut down. In other systems, a node may transmit a status report—the content or absence of such a report may constitute an alert. In preferred systems, nodes are arranged such that, if opened, a node irretrievably deletes all keys known to it.
When the system is a Distributed QKD system, or comprises a number of relay nodes, each node should preferably be capable of transmitting a signal which can indicate that its physical security has been compromised in order for the network as a whole to be secure. The signal may be an indication that there is at least a possible security breach, or may be a signal indicating that the status is satisfactory. Without such a signal indicating that a node may be compromised, security along any path through the compromised node may be breached and this breach may continue until, for example, a physical inspection of the node is carried out.
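Because data is in the clear inside every node of a chain, a path is only as trustworthy as its least trustworthy node, so a monitor has to treat a bad report and a missing report alike. The following is an added example, not part of the original text; the report format, the per-node report keys, the 60 second interval and the node names are assumptions, and the sample reports are constructed.

```python
import hashlib
import hmac

REPORT_INTERVAL = 60  # seconds between expected status reports (assumed)


def report_tag(node_key, node, ts, status):
    """Authenticate a status report so another party cannot vouch for a node."""
    msg = f"{node}|{ts}|{status}".encode()
    return hmac.new(node_key, msg, hashlib.sha256).digest()


def node_alerts(node_keys, reports, now):
    """Return {node: reason} for each node to be treated as possibly compromised."""
    alerts, latest = {}, {}
    for node, ts, status, tag in reports:
        key = node_keys.get(node)
        if key is None:
            continue                                  # not a node of this network
        if not hmac.compare_digest(report_tag(key, node, ts, status), tag):
            alerts[node] = "unauthenticated report"   # fail closed
        elif status != "OK":
            alerts[node] = "tamper reported"          # sticky: a later OK does not clear it
        else:
            latest[node] = max(ts, latest.get(node, ts))
    for node in node_keys:
        # The absence of a report is itself an alert.
        if node not in alerts and now - latest.get(node, float("-inf")) > REPORT_INTERVAL:
            alerts[node] = "report missing"
    return alerts


def path_usable(path, alerts):
    """A chain is usable only if every node on it is free of alerts."""
    return not any(node in alerts for node in path)


def demo_alerts():
    keys = {n: n.encode() * 8 for n in ("Alice", "N1", "N2", "Bob")}  # constructed keys
    now = 1000
    sample = [("Alice", 990, "OK"), ("N1", 985, "OK"),
              ("N2", 900, "OK"), ("Bob", 995, "OK")]   # N2's last report is stale
    reports = [(n, ts, s, report_tag(keys[n], n, ts, s)) for n, ts, s in sample]
    return node_alerts(keys, reports, now)


if __name__ == "__main__":
    alerts = demo_alerts()
    print(alerts, path_usable(["Alice", "N1", "Bob"], alerts))
```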
As will be readily appreciated, the level of protection required in a network depends on the value of the information contained in that network, and therefore how much of an incentive the information provides a would-be code breaker. In assessing the necessary security level of a network, consideration may also be made of the nature of the data itself. For example, if its value is only transitory (for example, a few days) then it may be sufficient that the code is unlikely to be broken for a number of days. If however the value of the information is sustained, a network requiring more, or more sophisticated, cryptographic security mechanisms (e.g., encryption algorithms, hashing functions including privacy amplification, improved physical and/or electromechanical security of nodes, etc.) or the like may be required.