Inter-government cross-border link (Use-Case 20)
The national governments of the European Union have to be able to communicate in a private and secret manner. Prior to any vote of the respective council at EU level, every eligible member has to have access to all required information. Hence any EU member state has to intrinsically trust all the others. Therefore a QKD network is initiated and implemented between the cities Vienna (AT), Prague (CZ), Bratislava (SK), Budapest (HU) and potentially also Zagreb (CR) and Ljubljana (SI). While the decision-making process has to be public, it should be possible to distribute and discuss the respective issue in full secrecy. The possibility for the latter shall be provided by a QKD layer network infrastructure. Various QKD protocols and systems for compensating temporally varying environmental influences will be tested and refined.
With use case #09 we intend to connect the PSNC datacenter in Poznań and a banking datacenter that provides critical digital banking services for citizens. The PSNC site is also the main Point of Presence of the PIONIER network (Polish National Research and Education Network), the GEANT network and other international PSNC and PIONIER partners. The banking datacenter site is one of the PSNC metro area POZMAN sites. The banking sector relies heavily on advanced, fast digital services delivered to end users and between the bank data centers themselves. Large amounts of confidential data are being sent, backed up and synchronized between various banking institutions and divisions. Digital trading platforms are delay and speed sensitive. The services and communication channels between banking institutions are to be secured with advanced QKD network layer infrastructure. The nodes will be deployed in Poznan between PSNC data centers and data centers that host services for the banking sector. The investigated impact will include the maximum possible key exchange rate, the delay introduced for the services and the management overhead of the QKD network layer, the number of systems/platforms interconnected, synchronized and secured by the QKD network layer, and distance vs key rate vs optical power. It is also proposed to investigate the concept of “quantum money” and its possible implementation in exemplary transactions.
All these services are to be secured and further enhanced with QKD network layer infrastructure, and its impact is to be evaluated. The nodes will be deployed in Poznan between PSNC data centers and banking data centers. These use cases introduce specific requirements for data security and potential QKD integration. The QKD network services must run on various hardware and software platforms. The impact on services and infrastructure will be investigated. The route is 8 km in distance. A QKD system will be installed along with an encryptor to ensure that network traffic and services can rely on a secure connection and that critical messages are forwarded to the PIONIER and POZMAN Network Operator Center.
Data security and privacy are among the top concerns in the datacenter environment. The financial cost of a security breach can be substantial, especially when customer data is exposed. Sensitive data has historically been protected by IP segmentation and firewalls with intrusion prevention systems, which were simpler and faster than encryption. However, this model is now expanding. As workloads in the corporate data center begin to migrate to the public cloud, the need to encrypt any data traversing the network becomes foundational. Hyperscale cloud service providers are increasingly enabling encryption across their massive DCI networks to meet customer expectations. In order to eliminate vulnerabilities in the public cloud infrastructure, all segments of the cloud datacenter network will need to be fortified with encryption. New crypto acceleration devices are becoming available that mitigate the performance degradation imposed by encryption, thus opening the way for the broad introduction of encryption in the datacenter. The generalized introduction of encryption in the cloud datacenter can offer additional benefits in the flexibility and efficiency of the cloud infrastructure. If the encryption system being deployed can span multiple hybrid clouds, it allows the IT team to think about clouds simply as pools of capacity. End-to-end connections will be deployed using commercial datacenter networking equipment working in liaison with QKD infrastructure and will be evaluated in a realistic datacenter setting.
Data security and privacy are among the top concerns of the European Union as well as of the member states. The national governments have large amounts of confidential data which must be shared between different ministries and other government agencies. Highly sensitive data are being sent, backed up and synchronized between various stakeholders. Therefore, a first QKD network is initiated and implemented between different ministries in Vienna (AT) to secure data in transit.
Encryption is very relevant for securing government data at rest. Based on the QKD infrastructure of use-case 29, in connection with a secure cloud solution based on secret sharing, a completely information-theoretically secure storage solution for government data will be initiated and implemented. The achievements of this use-case, such as the data rate for information-theoretic storage, will be compared with the data rate for storage using AES encryption in transit. The minimum duration between two re-encryptions of data required due to a key or algorithm change will be analyzed.
GÉANT prides itself on providing what commercial operators cannot: a high-speed network that pushes the boundaries of networking technology whilst delivering a cost-effective, pan-European infrastructure. Almost all large educational and research institutions in Europe rely on GÉANT for outstanding service availability and service quality, which is to be secured through QKD layer equipment. Within a project running under the name QUAPITAL, OEAW will interconnect capital cities and their Internet eXchange points and further connect them directly to one or more academic partners. As of today, three nodes in Vienna (Austria), two in Bratislava (Slovakia) and three in Budapest (Hungary) will be participating in this network until 2021. The individual QKD links will be established using systems based on direct detection (DV), and ultimate security will be provided by the fact that no trusted nodes will be implemented between the cities. Still, the average secret key generation rate will be on the order of 1 kbps during 24/7 operation. The infrastructure established within the QUAPITAL project will be openly provided not only to all partners of the OPENQKD team, but also to any team from around the world interested in testing and benchmarking their systems on the same fiber network.
A 3D scanner generates sensitive medical imaging “big” data at MUG. The data is split by a FRX cluster storage appliance into 3 shares with information-theoretic security and transported to 2 datacenters of CYC over dark fibre with QKD protection. Adding public or private S3 storage for more resilience and data error protection will also be demonstrated. The Hospital Saint Johns of God in Graz is also connected to all CYC datacenters and can retrieve the images securely. Biometric and security token access will be implemented as an integral part of the use-case.
With use case #11 we intend to connect one of the PSNC nodes and PoPs that include devices and infrastructure for the distribution of reference time and frequency signals. PSNC takes part in national and international projects focused on establishing a reference time and frequency signal distribution system. The signals are transmitted either on separate dark fibers (with a specially designed transmission system) or within the spectrum of an existing optical data transmission system. The latest project involves transmission of a reference optical carrier that can be used in various metrological systems using optical combs at the transmission terminals. The already established reference T&F transmission system uses PIONIER (Polish National Research and Education Network) and POZMAN, the GEANT network, and the network nodes and infrastructure of other international PSNC and PIONIER partners. The links also require special monitoring and maintenance procedures due to calibration requirements. A QKD system will be installed along and together with the reference T&F links, with an encryptor. The performance and mutual influence of both systems will be analyzed and evaluated. In order to ensure that network traffic and services are properly analyzed, critical messages will be forwarded to and analyzed in the PIONIER Network Operator Center. The system and use case have the capability to be extended to cross-border international links.
With use case #10 we intend to connect the PSNC datacenter in Poznań and the local police datacenter that provides critical services for the police infrastructure. The PSNC site is also the main Point of Presence of the PIONIER network (Polish National Research and Education Network), the GEANT network and other international PSNC and PIONIER partners. The police datacenter site is one of the PSNC metro area POZMAN sites. The police currently use various advanced digital tools in their operational activities. Such tools frequently use large amounts of confidential operational data, big data analytics and deep learning techniques. The data is collected and stored from a large number of different digital sources, and its integrity and security are essential. Such services are planned to be secured and enhanced with QKD network layer equipment. The nodes will be deployed in Poznan between PSNC data centers, City Hall divisions and local police departments. Investigated aspects will include: speed and key exchange rate, management overhead, delay connected with the integration of the QKD network layer with various operational software tools, and the dependency of distance vs key speed vs optical power.
All these services are to be secured and further enhanced with QKD network layer infrastructure, and its impact is to be evaluated. These use cases introduce specific requirements for data security and potential QKD integration. The QKD network services must run on various hardware and software platforms. The impact on services and infrastructure will be investigated. The route is 5 km in distance. A QKD system will be installed along with an encryptor to ensure that network traffic and services can rely on a secure connection and that critical messages are forwarded to the PIONIER and POZMAN Network Operator Center.
With use case #08 we intend to connect the PSNC datacenter in Poznań and Poznan city hall branches that provide critical IT services for citizens. The PSNC site is also the main Point of Presence of the PIONIER network (Polish National Research and Education Network), the GEANT network and other international PSNC and PIONIER partners. The city hall site is one of the main PSNC metro area POZMAN sites. Currently more and more local and central government institutions, in particular city halls, provide a large number of services for citizens using digital platforms. Large numbers of confidential, private and state documents are being digitized, confirmed and sent between various institutions that generally use different software and hardware platforms for each specific service. Most of these services were and are developed independently and use different technologies, software solutions, architectures and hardware. An important element of such platforms is user authentication (trusted profiles etc.). Apart from the document aspect, local state institutions provide different services such as registration for schools, exam evaluations, digital libraries etc. All these services are to be secured and further enhanced with QKD network layer infrastructure, and its impact is to be evaluated. These use cases introduce specific requirements for data security and potential QKD integration. The QKD network services must run on various hardware and software platforms. The nodes will be deployed in Poznan between city hall branches and PSNC data centers. The impact on services and infrastructure will be investigated. The route is 4 km in distance. A QKD system will be installed along with an encryptor to ensure that network traffic and services can rely on a secure connection and that critical messages are forwarded to the PIONIER and POZMAN Network Operator Center.
With use case #07 we intend to connect the PSNC datacenter in Poznań and a hospital to which PSNC delivers a number of IT services. The PSNC site is also the main Point of Presence of the PIONIER network (Polish National Research and Education Network), the GEANT network and other international PSNC and PIONIER partners. The hospital site is one of the main PSNC metro area POZMAN sites. Existing medical infrastructure and its modern services rely heavily on the storage of digital medical data and results and their frequent exchange between hospitals, medical institutions and medical staff (using remote and mobile services and devices). This applies to both the medical test results and their interpretation documentation. Another important aspect in this context is telemedicine: remote live transmission of, participation in and consulting on medical surgeries and activities. Due to the inherently personal and confidential data, these services are planned to be secured and integrated with the QKD layer network and services. This requirement is strengthened by the increasing number of medical services that store, analyze and send entire human genome data, which should be protected particularly well. These use cases introduce specific requirements for data security and potential QKD integration. The QKD network services must run on various hardware and software platforms. The nodes will be deployed in Poznan between hospitals and PSNC data centers. The impact on services and infrastructure will be investigated. The route is 9 km in distance. A QKD system will be installed along with an encryptor to ensure that network traffic and services can rely on a secure connection and that critical messages are forwarded to the PIONIER and POZMAN Network Operator Center.
With use case #06 we intend to connect the VSB and PSNC datacenters in Ostrava and Poznań. These sites are also Points of Presence of HPC infrastructures and National Research and Education Network infrastructures, the GEANT network and other international VSB and PSNC partners. Load balancing of supercomputer work schedules or parallel processing of “big data” within a network of supercomputers involves the transport of virtual machines, which is to be secured through QKD layer equipment. Compression techniques for virtual machines will be evaluated for fast data exchange optimized for QKD technology. Two nodes will be deployed at the Cieszyn and Ostrava supercomputing centers, and the impact of QKD on HPC traffic patterns and services will be investigated. The QKD link is planned to be implemented with one trusted relay along the route and a key rate in the range of 1 Mbps. The HPC traffic from the Cieszyn remote HPC site will be forwarded over the PSNC PIONIER network to the PSNC datacenter in Poznań. Due to the segment lengths and the required number of QKD trusted nodes, it is not possible to connect the PSNC and VSB datacenters in Poznan and Ostrava directly by QKD.
A QKD system will be installed along with an encryptor to ensure that network traffic, backup services and data from HPC machines can rely on a secure connection and that critical messages are forwarded to the PIONIER Network Operator Center.
For the next 7 years, SIG will create a smart grid network to connect its power stations (over 800) in Geneva. Each power station will be connected in p2p fashion to the SIG Telecom optical fibre network and to SIG’s Electricity NOC using L2/L3 transport services. To secure data transmission to a high degree and detect intrusions (hackers taking control of the electricity distribution network), SIG would like to test quantum technology in a real production and operational environment. Towards this end, SIG will connect 5 power stations to the QKD testbed and assess the available QKD technologies and services offered by our consortium.
With use case #01 we intend to connect the PSNC datacenters (primary and backup) in Poznań. These sites are also the main Points of Presence of the PIONIER network (Polish National Research and Education Network), the GEANT network and other international PSNC and PIONIER partners. Due to resilience and Service Level Agreement requirements, these datacenters are connected using two independent optical cables with different cable routes and cable pipes. The two routes are 4 and 10 km in distance. A QKD system will be installed along with an encryptor to ensure that network traffic, backup services and data from HPC machines can rely on a secure connection and that critical messages are forwarded to the PIONIER Network Operator Center.
The challenge for telecommunication providers is to integrate QKD systems into an existing network architecture comprising multiple vendors and technologies. This includes minimum disturbance of the existing network and a cost-efficient QKD implementation. Furthermore, the key management has to support the various connections to be secured, including e.g. management, data, national, international, access and peering connections. This use case accounts for the implementation of QKD systems in an existing carrier network and is based on the concept of protecting the network itself. The threat scenario is that of an “almighty Eve” who does not target a single financial transaction or try to decipher a certain encrypted communication relation; instead, Eve is assumed to attack the communication network as part of a critical infrastructure. From an IT integration point of view, the challenges are similar, because a (security) ecosystem of legacy systems and applications already exists. While for the management of the QKD layer one can adopt unification strategies well known from promising network abstraction approaches, it is much harder to define the correct interfaces to established and rather rigid systems, which were never meant to undergo such a change of paradigm as is imposed by QKD.
While the combination of QKD and symmetric encryption is used to secure the communication among applications along the core fiber networks, the communication across future 5G wireless networks is unique within this project. This use case proposes an integration of core fiber and 5G access networks, where the fiber sections are secured by QKD and the 5G services are secured by post-quantum cryptography (PQC). As a result, telecommunication services (voice, video, data or chat) will be secured by both quantum-secure encryption methods, allowing telco operators to choose the optimum security level to protect the confidentiality of their assets.
Globally deployed critical infrastructure that combines links in space and on earth (like the Galileo GNSS) has to be protected on a long-term scale. To supply keys to this end, an additional “last mile” terrestrial link interfaced to the satellite ground segment is needed. This is done via fiber infrastructure and a trusted interface node. Within the OPENQKD testbed we will study the important interfaces of this future satellite QKD infrastructure to the ground-based optical fiber network. As the satellite infrastructure most likely will not yet be available during the testbed run time, the satellite-fiber interface will be tested by emulating the satellite input used in the fiber QKD link. The emulation will be based on real-time parameters derived from channel measurements with optical ground stations as input. Optical ground stations will be situated at Oberpfaffenhofen (DE) and Matera (IT), with the option to add more later on. This situation resembles interfacing satellite links to fiber carrier infrastructure as well as securing the critical infrastructure of satellite command & control and critical data exchange on a continental and global scale. One concrete example will be securing communication between distant ground control centers and other critical infrastructure of the Galileo system. The use case will study the availability of final key over various situations, including realistic orbits and weather conditions. Optimal parameters for the final key buffer size and the priority of key usage will be tested.
In order to combine satellite with terrestrial QKD infrastructure it is necessary to have an interface between free-space link and fiber connections. This could be done by a trusted or untrusted node ground station. In the case of a trusted node, a ground station will be connected by a fiber link to a different ground location and to a (virtual) satellite by a daylight QKD link with polarization encoding. The trusted node will be used to share the key between the satellite and the ground location. In the case of an untrusted ground station, the station will act as a relay between a (virtual) satellite and a different ground location connected with a fiber link with the ground station. No key information is acquired by the untrusted node. Also in this case the use-case will be carried out in daylight with polarization encoding. “Virtual satellite” means a free-space link simulating a satellite link. The optical ground stations for this use-case will be located in Padua (IT), at the Department of Information Engineering of the University, and in Matera (IT), at the Matera Laser Ranging Observatory of the Italian Space Agency.
Like any communication network, and in particular communication networks that are part of critical infrastructure, a future quantum internet that will allow blind or networked quantum computation requires all control information to be authenticated. By developing QKD into a tool that authenticates network control traffic, we will enable this goal in an information-theoretically secure, that is unbreakable, fashion. This task will furthermore ensure that near-term developments within OPENQKD remain valid and useful, and will be used in a future quantum network based on quantum repeaters and nodes that share long-lived entanglement.
Whenever possible, users prefer to secure their sensitive data transmission without relying on trust in intermediate nodes, e.g., for communication between the headquarters of a large organization and its remote branch office. Very often, secure locations for trusted repeaters are simply impossible to find. These scenarios call for a use-case of long-span quantum links without the use of trusted repeater nodes. We will approach this use-case through a conventional QKD system with ultra-low noise detectors as well as next generation technologies, such as MDI-QKD and TF-QKD. We target a single span distance of 200-400 km. We have access to the EPSRC National Dark Fibre Infrastructure Service for testing long span QKD links between Cambridge, London and Bristol over a total course of approximately 390 km.
With exponentially improved key rates, QKD is a viable technology to provide sufficient bandwidth in order to simultaneously serve a large number of users in metropolitan area networks. This use-case is to demonstrate such viability in a network that connects high tech clusters in the healthcare sector and University sites in Cambridge, over an area of approximately 100 sq. km. The major nodes include the Cambridge Science Park (home to 105 high tech companies including TREL), the West Cambridge Data Centre, University sites, the Biomedical Campus (the largest centre of health science and medical research in Europe) and the Babraham Research Campus (which supports early stage bioscience companies). The network will feature a fully meshed topology enabled by 10 QKD links providing Mb/s secure bit rates, complemented by quantum access networks connecting multiple users. The network will be used to develop quantum technologies for securing private medical data and records in transit and at rest (using encrypted data shares).
The greater Paris testbed will lead to the connection of several universities and engineering schools of the region, with a special focus on testing interoperability between QKD systems. The network will aim to join central Paris universities, including the Jussieu campus of Sorbonne Université and Université de Paris, with the new Paris-Saclay campus growing south of the city, through links with the Institut d’Optique Graduate School and the Institut Mines-Télécom. In terms of organisation, the research and education communication networks in European countries are managed by institutional partners known as NRENs. In France, the NREN concerned is RENATER, which will jointly contribute to building up a European infrastructure through the GÉANT Association. Security is now a crucial issue in all NREN networks and, due to the close connection between NRENs, RTOs and universities, the (non-commercial) NREN infrastructures naturally form an excellent testbed for QKD implementations. In particular, they may allow demonstrations of key technology improvements, which are still needed before QKD can be deployed at the full European level. The focus on interoperability translates into the planned deployment of commercial systems built by ID Quantique SA alongside next-generation high-baudrate CV-QKD systems developed by both the Laboratoire d’Informatique of Sorbonne Université (CNRS) and Nokia Bell Labs France. The integration of the CNRS systems will be performed by iXblue Photonics Besançon to obtain reliable and portable QKD devices for easier installation into the network nodes.
UNIGE-HUG is a group of hospitals spread over the whole Canton of Geneva. The criticality of its computing infrastructure led to the move of the second central data center to a location that is more than 6 km away from the first one. Data replication, failover and load balancing imply the transfer of a large amount of highly sensitive data. Communication will be secured through QKD, with two nodes being deployed. High availability, high performance and failover solutions will be key for this use case.
Encryption is more and more often required for securing patients’ medical records. This is in particular the case for the regional implementations of the electronic patient record law, in which each document repository has to encrypt documents. As such storage is long term (10 years at least, possibly for the patients’ lifetimes), strategies for managing long-term encryption as well as keeping up with current technologies are required. The use of QKD for strong and long-term encryption will be evaluated.
The use of crypto assets is currently increasing at an exponential rate. The secure generation, backup and storage (custody) of these crypto assets is an important issue. A modern solution for storing these assets is based on secret sharing protocols. This use case will exploit QRNGs for the so-called token generation in the key management node (KMN) and QKD for securing the data exchange with three key storage nodes (KSN), all located in the Geneva testbed. Each key storage node will only contain a piece of the original key, such that access to at least 2 nodes is needed to reconstruct the key.
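The 2-of-3 split just described, and the information-theoretic storage shares of the MUG/CYC and Vienna storage use cases above, rest on threshold secret sharing. The following is an added example, not code from the OPENQKD project or any partner's appliance: Shamir's scheme over GF(2^8), splitting a key byte by byte into n shares of which any t reconstruct it. The randomness source is assumed; crypto/rand stands in for the QRNG in the key management node.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// gfMul multiplies in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 == 1 {
			p ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns a^-1 = a^254 (Fermat's little theorem); a must be non-zero.
func gfInv(a byte) byte {
	r, base := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = gfMul(r, base)
		}
		base = gfMul(base, base)
	}
	return r
}

// Split produces n shares of which any t reconstruct secret. A share is [x, y_0, ..., y_len-1]:
// x is its evaluation point (1..n), y_k the value at x of a random degree-(t-1) polynomial
// with constant term secret[k]. rnd supplies the coefficients (assumed: the KMN's QRNG).
func Split(secret []byte, n, t int, rnd io.Reader) ([][]byte, error) {
	if t < 2 || n < t || n > 255 {
		return nil, errors.New("need 2 <= t <= n <= 255")
	}
	shares := make([][]byte, n)
	for i := range shares {
		shares[i] = make([]byte, 1+len(secret))
		shares[i][0] = byte(i + 1)
	}
	coef := make([]byte, t-1) // c_1 .. c_{t-1}
	for k, s := range secret {
		if _, err := io.ReadFull(rnd, coef); err != nil {
			return nil, err
		}
		for i := range shares {
			x, y := shares[i][0], byte(0)
			for j := t - 2; j >= 0; j-- { // Horner: ((c_{t-1} x + c_{t-2}) x + ...) x + s
				y = gfMul(y, x) ^ coef[j]
			}
			shares[i][1+k] = gfMul(y, x) ^ s
		}
	}
	return shares, nil
}

// Combine recovers the secret from any t distinct shares by Lagrange interpolation at x = 0.
// With fewer than t shares every secret value is equally likely, which is the
// information-theoretic guarantee the storage use cases rely on.
func Combine(shares [][]byte) ([]byte, error) {
	if len(shares) < 2 {
		return nil, errors.New("need at least two shares")
	}
	secret := make([]byte, len(shares[0])-1)
	for k := range secret {
		for i, si := range shares {
			num, den := byte(1), byte(1)
			for j, sj := range shares {
				if i == j {
					continue
				}
				if sj[0] == si[0] {
					return nil, errors.New("duplicate share index")
				}
				num = gfMul(num, sj[0])        // prod x_j
				den = gfMul(den, sj[0]^si[0]) // prod (x_j - x_i); minus is XOR in GF(2^8)
			}
			secret[k] ^= gfMul(si[1+k], gfMul(num, gfInv(den)))
		}
	}
	return secret, nil
}

func main() {
	key := []byte("constructed demo master key") // constructed sample secret
	shares, _ := Split(key, 3, 2, rand.Reader)
	got, _ := Combine(shares[1:]) // any two of the three shares suffice
	fmt.Printf("recovered: %q\n", got)
}
```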
QKD will be used to secure video transmission between public agency buildings in the Barcelona area. Alice (sender) and Bob (receiver) stations will be installed in the two buildings, connected by existing fiber infrastructure that will be used to generate secure keys with and without the presence of strong classical communication light in the same fiber. Video chat software will be developed which will utilize the exchanged secure key to encrypt the video transmission. Video transmission typically needs data rates greater than 3 Mbps. Hence, the flexibility of using either OTP (one-time pad) or AES (Advanced Encryption Standard) encryption will be provided in the software for the case where the generated key rates are lower than the required data rates.
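The OTP/AES switch described above, as an added example that is not the project's video chat software: the sender pads each chunk with QKD key while the key buffer covers it and otherwise falls back to AES-256-GCM keyed from the same buffer, and the receiver replays the frame header against its mirrored buffer so both sides consume key in step. The frame format, the 32-byte rotation policy and the buffer interface are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// KeyBuffer holds key material delivered by the QKD link; Alice and Bob hold identical copies.
type KeyBuffer struct{ buf []byte }

func (k *KeyBuffer) Add(b []byte) { k.buf = append(k.buf, b...) }

// Take removes n bytes of key; false if the link has not delivered that much yet.
func (k *KeyBuffer) Take(n int) ([]byte, bool) {
	if n > len(k.buf) {
		return nil, false
	}
	out := k.buf[:n:n]
	k.buf = k.buf[n:]
	return out, true
}

// Frame is one encrypted video chunk plus the header the receiver replays against its own buffer.
type Frame struct {
	Mode    string // "OTP" or "AES-GCM"
	Rotated bool   // AES only: the sender took a fresh 32-byte key from the buffer
	Nonce   []byte // AES only
	Data    []byte
}

// Endpoint is one side of the link (Alice or Bob).
type Endpoint struct {
	Keys    *KeyBuffer
	aead    cipher.AEAD // current AES-256-GCM instance, nil before the first rotation
	counter uint64      // GCM nonce counter, restarted with every new key
}

// rotate installs a fresh AES-256-GCM key from the buffer; false if fewer than 32 bytes are left.
func (e *Endpoint) rotate() bool {
	key, ok := e.Keys.Take(32)
	if !ok {
		return false
	}
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	e.aead, _ = cipher.NewGCM(block)
	e.counter = 0
	return true
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Encrypt uses a one-time pad when the buffer covers the whole chunk and otherwise
// falls back to AES-256-GCM, refreshing the AES key whenever 32 bytes of QKD key are available.
func (e *Endpoint) Encrypt(pt []byte) (Frame, error) {
	if pad, ok := e.Keys.Take(len(pt)); ok {
		return Frame{Mode: "OTP", Data: xorBytes(pt, pad)}, nil
	}
	rotated := e.rotate()
	if e.aead == nil {
		return Frame{}, errors.New("no key material for the AES fallback yet")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], e.counter)
	e.counter++
	return Frame{Mode: "AES-GCM", Rotated: rotated, Nonce: nonce,
		Data: e.aead.Seal(nil, nonce, pt, nil)}, nil
}

// Decrypt follows the header so that both key buffers stay in step.
func (e *Endpoint) Decrypt(f Frame) ([]byte, error) {
	switch f.Mode {
	case "OTP":
		pad, ok := e.Keys.Take(len(f.Data))
		if !ok {
			return nil, errors.New("key buffers out of sync")
		}
		return xorBytes(f.Data, pad), nil
	case "AES-GCM":
		if (f.Rotated && !e.rotate()) || e.aead == nil {
			return nil, errors.New("key buffers out of sync")
		}
		return e.aead.Open(nil, f.Nonce, f.Data, nil)
	}
	return nil, errors.New("unknown mode " + f.Mode)
}
```

With 100 bytes of key and 60-byte chunks, the first chunk goes out as OTP, the second triggers an AES key rotation, and the third reuses that AES key with a fresh nonce.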
Novel network paradigms can play a very important role for the integration of QKD in operators’ networks. But it is not wise to look at the beneficial arrangement in only one direction. Within the operator’s network, QKD is a technology to be deployed only in secure areas or PoPs, where the rest of the network elements (NEs) are also deployed. This situation allows such NEs to make use of the QKD-derived keys to secure their own communications towards network management systems or SDN controllers. Therefore, upon installation we can simultaneously control the QKD elements while securing any control plane channel between the PoPs and data centers. Examples of these channels are the communications between an SDN controller and an NE, or the communication between NFV architectures (e.g. OpenSource MANO-OSM) and remote virtual infrastructure managers (VIMs).
As the network evolves towards flexible and scalable architectures, it enables a higher granularity when managing network services. This means that new technologies and services can be seamlessly integrated in the network within very few days, while networks can be sliced and their management handed to the end users and changed on demand. One of the most desired and demanded capabilities is an enhanced layer for securing the transport segment, traditionally seen as a “black box” from the end user perspective. QKD will play an important role in securing the network, as traditional transport services (e.g. virtual private networks-VPNs, label switched paths-LSPs or tunnels) can additionally integrate QKD for securing end-to-end communications. This will allow services on top of the transport network, such as VPNs for business to business (B2B) or connectivity from base stations to core or data center premises (e.g. for 5G), to incorporate quantum-safe security for end users’ communications.
Securing the access to health data and services is an application where security is mandatory. In this use case we intend to demonstrate how to secure health related data and services. The use case that we are envisioning with a network of hospitals in Madrid is actually twofold. On one side it is about the secure transfer of patients’ data and also accessing health databases for research purposes (data mining). These databases can be very large in the case of personalised medicine, where genomic data also has to be transferred in many cases. However, there is another application that we envision will also have a large impact, related to the rise of technologies like virtual or augmented reality made possible also by technologies like 5G networks. The usage of these technologies in hospitals will imply applications ranging from simple remote medical assistance to remote surgical operations, where securing the communication line and low latency will be crucial. In this use case we will also have the 5G networks lab of Telefonica and the IMDEA Networks institute.
The core of this use-case is to link a couple of cloud datacenters. Instead of directly using the link to encrypt all the traffic, as has been done in other use cases, here the QKD systems will be integrated in the cloud infrastructure to provide secret keys as a service. In this way, client applications can request keys to encrypt only the data that needs it, thus optimizing the infrastructure and making QKD available to all users of the cloud. Since many businesses, including banks, are migrating all their IT services to cloud providers, this is a significant application. As a starting point, an implementation using two OpenStack deployments in two nodes of the network will be used, extending it later to more places to study the scalability and performance of the network. The number of requests per time unit will be optimized while providing scalable solutions.
Critical infrastructure protection (Use-Case 16)
Nowadays, many industrial infrastructures are monitored and managed remotely through the network. These networks, typically SCADA (Supervisory Control and Data Acquisition) networks, are responsible for infrastructures that control systems ranging from the water supply to the electrical grid and are thus critical to our society. This use case intends to demonstrate the securing of this type of network through QKD.
The ability to guarantee that a given network packet has passed through certain nodes, and in a given order, is one of the most powerful mechanisms to ensure that the services in a network are working as expected and to make them resilient against attacks. It also makes it possible to attest the service or monitored behavior in case of legal problems. Here we will be using a novel protocol based on QKD that is currently going through a standardization process at the IETF to enforce OPoT: Ordered Proof of Transit.