GS QKD 008-2010
Quantum Key Distribution (QKD); QKD Module Security Specification (V1.1.1)

Standard No.: GS QKD 008-2010
Release Date: 2010
Published By: ETSI - European Telecommunications Standards Institute
Latest: GS QKD 008-2010
Scope
The present document aims to establish the necessary requirements for a QKD module to have a high probability of detecting and responding precisely and in a timely manner to attempts at direct physical access, and use or modification of modules inside. The principal objective is to detect any possible penetration with high probability, resulting in the immediate zeroization of all Critical Security Parameters in plain text. This objective requires mechanisms to provide a complete envelope of protection around the QKD module, and sensors and circuits to detect and respond in time to all unauthorized attempts at physical access. This can be obtained using strong enough enclosures and redundant tamper detection and response circuitry that zeroizes all plaintext Critical Security Parameters. The enclosure's integrity can be controlled using tamper-evident coatings or seals, and pick-resistant locks on all removable covers or doors of the module. Strong enclosures must be opaque to all visual and non-visual radiation examination, and the tamper detection and zeroization circuitry is protected against disablement. When zeroization is required, Public and Critical Security Parameters are zeroized. Access and module operation must require identity-based authentication mechanisms that enhance a role-based organization. This authentication must require at least two-factor authentication for operator authentication (secret password, physical key or token, biometric). Proper operation requires authenticating the operator's identity and verifying that the operator is authorized to assume a specific role and perform a corresponding set of services. Entry or output of Critical Security Parameters must be done using ports that are physically separated from other ports, or through interfaces that are logically separated using a trusted channel from any other interfaces.
All QKD secure modules must be protected against environmental conditions or fluctuations outside of the module's normal operating ranges, because such deviations can be seen as an attack, or they can increase the module failure probability, which can compromise the module's security and its operation. The environmental magnitudes to control must be darkness (when required), temperature, voltage, pressure, humidity, atmosphere chemical composition, mechanical vibrations and the presence of nuclear and any other ionizing radiation. Because QKD modules include optical and electro-optical subsystems, it is necessary to control any environmental variable that could specifically affect those components and the way that they perform, whether temporarily or permanently. A QKD module is required to either include special environmental protection features designed to detect fluctuations and zeroize Critical Security Parameters, or to undergo rigorous Environmental Failure Testing to provide a reasonable assurance that the module will not be affected by fluctuations outside of the normal operating range in a manner that can compromise its security. In particular, all QKD modules require the protection of Critical Security Parameters against Timing Analysis attacks, Simple Power Analysis, Differential Power Analysis attacks, Electromagnetic Emanation Attacks and any attack performed through the optical channels. QKD modules must use strong cryptographic protection to detect and prevent the disclosure and modification of Public Security Parameters as well as Critical Security Parameters when the module is inactive. So that it is certain at all times that the module is operating in a safe mode, the module must have a clear indication that it is operating in an Approved Mode.
Because software has the final control in any QKD module, this component must provide robust and tested solutions for the encryption and authentication of all the Critical Security Parameters and all the Sensitive Security Parameters in the system, and must also provide secure integrity tests for the software code when the module is not in use. QKD module software components can be executed on a general purpose computing system if the operating system provides auditing of all operator accesses to the audit data, all requests to use authentication data management mechanisms, all use of security-relevant Crypto Officer Functions, and all requests to access authentication data associated with the QKD module. In particular, the operating system running the general purpose computing system has to:

  • prevent operators in the user role from modifying software, system Sensitive Security Parameters (SSPs), and audit data stored in the operational environment of the module;
  • communicate all SSPs, authentication data, control inputs, and status outputs via a trusted channel; and
  • audit the operation of any trusted channel.

GS QKD 008-2010 history

  • 2010 GS QKD 008-2010 Quantum Key Distribution (QKD); QKD Module Security Specification (V1.1.1)


