||
此文转载于美国国家安全局的报告,为避免转载失真,全文截屏不做任何修改,也不做任何评论,不涉及任何针对个人与公司的侵权或者毁誉,不违反任何科学网的红线。QKD的大幕在美国尚未升起已经落下。
由于截屏字体模糊,为便于阅读,将文字版附下,作为参照:
Quantum Key Distribution (QKD) and Quantum Cryptography (QC)
Synopsis
NSA continues to evaluate the usage of cryptography solutions to secure the transmission of data in National Security Systems .NSA does not recommend the usage of quantum key distribution and quantum cryptography for securing the transmission of data in National Security Systems (NSS) unless the limitations below are overcome.
What are Quantum Key Distribution (QKD) and Quantum Cryptography (QC)??
Quantum key distribution utilizes the unique properties of quantum mechanical systems to generate and distribute cryptographic keying material using special purpose technology. Quantum cryptography uses the same physics principles and similar technology to communicate over a dedicated communications link. Published theories suggest that physics allows QKD or QC to detect the presence of an eavesdropper, a feature not provided in standard cryptography.
Quantum-resistant algorithms are implemented on existing platforms and derive their security through mathematical complexity. These algorithms used in cryptographic protocols provide the means for assuring the confidentiality, integrity, and authentication of a transmission—even against a potential future quantum computer. The National Institute of Standards and Technology (NIST) is presently conducting a rigorous selection process to identify quantum-resistant (or post-quantum) algorithms for standardization . Once NIST completes its selection process, NSA will issue updated guidance through CNSSP-15.
Understanding the QKD/QC story
Quantum key distribution and Quantum cryptography vendors—and the media—occasionally state bold claims based on theory—e.g., that this technology offers “guaranteed” security based on the laws of physics. Communications needs and security requirements physically conflict in the use of QKD/QC, and the engineering required to balance these fundamental issues has extremely low tolerance for error. Thus, security of QKD and QC is highly implementation-dependent rather than assured by laws of physics. Although we refer to QKD only to simplify discussion below, similar statements can be made for QC.
Technical limitations
1. Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e. entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or preplaced keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile.
2. Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
3. Quantum key distribution increases infrastructure costs and insider threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
4. Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than in most physical engineering scenarios making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems.
5. Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.
Conclusion
In summary, NSA views quantum-resistant (or post-quantum) cryptography as a more cost effective and easily maintained solution than quantum key distribution. For all of these reasons, NSA does not support the usage of QKD or QC to protect communications in National Security Systems, and does not anticipate certifying or approving any QKD or QC security products for usage by NSS customers unless these limitations are overcome.
译文(只包括概要、技术限制和结论三部分):
概要
NSA 继续评估加密解决方案以确保国家安全系统中数据的传输安全。 NSA不建议使用量子密钥分发和量子密码术来确保国家安全系统(NSS)中的数据传输,除非能解决以下这些技术困境。
技术限制
1)量子密钥分发只是部分解决方案。
QKD为加密算法生成所需的密钥以保证通信的私密性。如果这个由QKD传输过来的密钥确实来自身份可信的通信方(即经过身份认证的),那么该密钥也可以为对称密码提供通信完整性和身份认证功能。但是QKD本身不能提供通信客户的身份认证。因此,客户身份验证还得需要使用非对称密码或预置的密钥来提供身份验证。更重要的是,通过抗量子密码技术(PQC)可以取代QKD为通信提供保密性服务,而且PQC通常成本较低廉又风险可控。
2)量子密钥分发需要专用设备。
QKD基于物理原则,其安全性基于特定的物理层通信。这要求用户租用专用的光纤连接或物理控制的自由空间发射器。它不能通过软件或网络服务来实现,它也不能轻松地集成到现有的网络设备中。由于QKD是硬件系统,因此它必然缺乏安全补丁和系统升级的灵活性。
3)量子密钥分发增加了基础架构成本和内部风险。
QKD网络经常需要使用“可信任中继”,这会增加安全设施的建设和使用成本,而由此产生的内部威胁带来了严重安全风险。这就注定了在许多实用环境中QKD没有立足之地。
4)确保和验证量子密钥分配的安全性是一个重大的挑战。
QKD系统提供的实际安全性不可能来自物理定律的理论无条件安全性(后者只是数学建模的结果),它更决定于由硬件和工程设计提供的有限的安全性。但是,密码安全对不确定性的容忍度要比大多数物理工程方案小很多个数量级,因此QKD安全性验证很难通过。用于执行QKD的特定硬件会引入漏洞,从而导致对商业QKD系统的一系列广为人知的黑客攻击。
5.量子密钥分发会增加拒绝服务(DoS)的风险。
作为QKD安全的理论基础是对窃听行为的敏感反应,由此可知拒绝服务(DoS)攻击必然是QKD的死穴。
结论
总之,NSA将抗量子加密技术(PQC)视为比量子密钥分发更具成本效益的且易于维护的解决方案。由于所有以上的这些原因,NSA不支持使用QKD或QC来保护通信,除非克服了这些限制,否则不会期望对美国国家安全系统(NSS)客户使用的任何QKD或QC安全产品进行认证或批准。
Archiver|手机版|科学网 ( 京ICP备07017567号-12 )
GMT+8, 2024-10-11 22:59
Powered by ScienceNet.cn
Copyright © 2007- 中国科学报社