1、 ETSI GS QKD 004 V1.1.1 (2010-12)Group Specification Quantum Key Distribution (QKD);Application InterfaceDisclaimer This document has been produced and approved by the Quantum Key Distribution (QKD) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in
2、 this ISG. It does not necessarily represent the views of the entire ETSI membership. ETSI ETSI GS QKD 004 V1.1.1 (2010-12) 2Reference DGS/QKD-0004_APPLINTF Keywords quantum cryptography, Quantum Key Distribution, use case ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33
3、 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made availa
4、ble in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a s
5、pecific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find err
6、ors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in a
7、ll media. European Telecommunications Standards Institute 2010. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members an
8、d of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS QKD 004 V1.1.1 (2010-12) 3Contents Inte
9、llectual Property Rights 4g3Foreword . 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 5g33 Definitions and Abbreviations 6g33.1 Definitions 6g33.2 Abbreviations . 6g34 Introduction to the QKD Key Management Layer . 7g35 QKD Application Interface Specification
10、Description . 7g36 QKD Application Interface API Specification . 8g36.1 Sequence diagrams for QKD Application Interface . 11g36.1.1 Case 1: Undefined key handle 11g36.1.2 Case 2: Undefined key handle and failed blocking call 12g36.1.3 Case 3: Predefined key handle 13g36.1.4 Case 4: Predefined key ha
11、ndle and failed blocking call 13g3Annex A (informative): Authors and Contributors . 14g3Annex B (informative): Conventional Key Management Systems . 15g3B.1 KMIP Draft Documents Version 0.98 15g3B.2 Other Material 15g3Annex C (informative): Scenario for a QKD network 16g3Annex D (informative): Bibli
12、ography . 18g3History 19g3ETSI ETSI GS QKD 004 V1.1.1 (2010-12) 4Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-mem
13、bers, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home
14、.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the
15、present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification (ISG) Group Quantum Key Distribution (QKD). ETSI ETSI GS QKD 004 V1.1.1 (2010-12) 51 Scope The present document is intended to describe the interface between security applications and a QKD key
16、management layer, which is an additional layer that sits between the QKD systems and various applications. Key Management in general, covers the exchange, storage, protection, use, identification, installation, replacement and destruction of cryptographic keys. A QKD system may provide keys for a Ke
17、y Management System. QKD, like most key distribution protocols, requires a distributed key management process that operates in a symmetric (vs. server/client) mode. So both key management peers shall negotiate and verify all reservations and allocations. The QKD protocol generates a pool of ordered
18、secure bits. The function of this key management layer is to demultiplex these bits into separate, ordered groups, where each group is used independently by applications and thus shall be synchronized between the two communication end points. By synchronized we mean that a group of secure bits reser
19、ved at one communication end point are identical to the associated group at the other communication end point. It is also required that these same secure bits are then discarded by this layer once they are used and never revealed to anyone else. 2 References References are either specific (identifie
20、d by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be pu
21、blicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necess
22、ary for the application of the present document. Not applicable. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 OMG IDL Syntax and Semantics, Object Man
23、agement Group Inc., formal/02-06-39 (CORBA 3.0 - OMG IDL Syntax and Semantics chapter). NOTE: Available at http:/www.omg.org/cgi-bin/doc?formal/02-06-39. ETSI ETSI GS QKD 004 V1.1.1 (2010-12) 63 Definitions and Abbreviations 3.1 Definitions For the purposes of the present document, the following ter
24、ms and definitions apply: Application Program Interface (API): interface implemented by a software program to be able to interact with other software programs Key Management Interface: interface between an application and a Key Management Layer Key Management Interoperability Protocol (KMIP): protoc
25、ol for the communication between enterprise key management systems and encryption systems NOTE: The KMIP is directed by the OASIS initiative. Key Management Layer: abstraction in a layered model including physically distributed key management systems, e.g. on two network nodes connected with a QKD L
26、ink NOTE: The Key Management Layer sits between the QKD Link and various applications. Key Management System: part of a cryptography system managing the exchange, storage, protection, use, identification, installation, replacement and destruction of cryptographic keys Link Encryptor: device performi
27、ng link encryption, i.e. the communication security process of encrypting information between two peers on the data link level Organization for the Advancement of Structured Information Standards (OASIS): global consortium that drives the development, convergence and adoption of e-business and web s
28、ervice standards, incluing KMIP QKD Link, QKD System: pair of two QKD Modules, interconnected by a quantum channel and a classical channel QKD Module: set of hardware and software components that implements cryptographic functions and quantum optical processes, including cryptographic algorithms and
29、 protocols and key generation, and is contained within a defined cryptographic boundary QKD protocol: list of steps that have to be performed in a QKD module to distill a secure key out of the measurement data of the underlying quantum optical subsystem Quality of Service (QoS): ability to provide d
30、ifferent priority to different applications or users of a QKD system. Transport Layer Security (TLS): cryptographic protocols used to encrypt the segments of network connections above the Transport Layer, using symmetric cryptography for privacy and a keyed message authentication code for message re
31、liability 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: API Application Program Interface APPA Application A APPB Application BKMIP Key Management Interoperability Protocol OASIS Organization for the Advancement of Structured Information Standards QKD
32、 Quantum Key Distribution QoS Quality of Service TLS Transport Layer Security ETSI ETSI GS QKD 004 V1.1.1 (2010-12) 74 Introduction to the QKD Key Management Layer The QKD key management layer is an additional layer that sits between the QKD protocol and various security applications. This is a dist
33、ributed process and shall operate in a symmetric (vs. server/client) mode. So all key management peers shall negotiate and verify all reservations and allocations that are associated with them. The QKD protocol generates a pool of ordered secure bits. The function of this key management layer is to
34、demultiplex these bits into separate, ordered groups, where each group is used independently by applications and thus shall be synchronized between the two ends of the communication end points. By synchronized we mean that a group of secure bits reserved at one end point are identical to the associa
35、ted group at the other end point. It is also required that these same secure bits are then discarded by this layer once they are used (delivered to the application) and never revealed to anyone else. The Key Management Interface describes the interface of the applications with this layer. It is assu
36、med that applications that call upon the services of this layer do so via the application programming interfaces (APIs) specified in the following clauses and that this interchange is accomplished within the security perimeter of the QKD System. Manufacturers shall supply and implement these API fun
37、ction calls when a key management layer is provided. Manufacturers may provide additional APIs and expanded functionality as they deem fit. Furthermore this layer is not required if the manufacturer is using the QKD system in a dedicated single application, such as a link encryptor product where the
38、y are the only user. 5 QKD Application Interface Specification Description The QKD key management layer shall demultiplex the ordered QKD pool of secure bits into separate independent groups that are synchronized at both ends of the QKD link and pass those groups to their associated applications. Th
39、is requires that each local key manager shall communicate with its peer at the other end of the QKD link to perform this service. In addition, some communication between the peer applications may also be necessary to establish a common key association. Communication between the local applications an
40、d the local QKD key manager is assumed to occur within the security perimeter of the local system, as shown in the Figure 1. Figure 1: QKD Application Interface and peer relationship Scenario for a QKD network with multiple QKD links per node is described in Annex C. ETSI ETSI GS QKD 004 V1.1.1 (201
41、0-12) 86 QKD Application Interface API Specification The QKD key provider mode must provide the following API functions. Name Description QKD_OPEN Reserve an association (key_handle) to a set of future keys at both ends of the QKD link through this distributed Key Management Layer and establish a se
42、t of parameters that define the expected levels of key service. This function shall return immediately and not block. QKD_CONNECT_NONBLOCK Verifies that the QKD link is available and the key_handle association is synchronized at both ends of the link. This function shall not block and returns immedi
43、ately indicating that both sides of the link have rendezvoused or an error has occurred. QKD_CONNECT_BLOCKING Verifies that the QKD link is available and the key_handle association is synchronized at both ends of the link. This function shall block until both sides of the link have rendezvoused, an
44、error is detected, or the specified TIMEOUT delay has been exceeded. QKD_CLOSE This terminates the association established for this key_handle and no further keys will be allocated for this key_handle. Due to timing differences at the other end of the link, the peer operation will happen at some oth
45、er time and any unused keys shall be held until that occurs and then be discarded. QKD_GET_KEY Obtain the required amount of key material requested for this key_handle. Each call shall return the fixed amount of requested key or an error message indicating why it failed. This function may be called
46、as often as desired, but the key manager only needs to respond at the bit rate requested through the QOS parameters, or at the best rate the system can manage. The key manager is responsible for reserving and synchronizing the keys at the two ends of the QKD link through communication with its peer.
47、 This function may be blocking (wait for the key or an error) or non-blocking and always return with the status parameter indicating success or failure, depending on the request made via the QKD_OPEN function. The TIMEOUT value for this function is specified in the QKD_OPEN() function. The syntax of
48、 these functions is as follows (according to OMG IDL syntax defined in i.1). Interface QKD_AppInt QKD_OPEN (in destination, in QoS, inout key_handle , out status); QKD_CONNECT_NONBLOCK (in key_handle, out status); QKD_CONNECT_BLOCKING (in key_handle, in timeout, out status); QKD_GET_KEY (in key_hand
49、le, out key_buffer, out status); QKD_CLOSE (in key_handle, out status); NOTE: The parameter “key_handle“ is an output parameter when the caller is initially opening the connection and the value passed in is “NULL“. If the value is not “NULL“ the value is assumed to be either a “key_handle“ recently established by the peer end or a specifically desired/predefined “key_handle“. For use in all other functions “key_handle“ is an input. If the “key_handle“ is already in use by some other application, the QKD_OPEN function will return with an error. The parameters are descr
