View on GitHub

Quantum Key Distribution (QKD) in OpenSSL

A report describing how we implemented QKD for OpenSSL during the RIPE Quantum Internet Hackathon 2019

The pan-European quantum Internet hackathon

On 5 and 6 November 2019 I (Bruno Rijsman) took part in the Pan-European Quantum Internet Hackathon organized by RIPE labs.

Pan European Quantum Hackathon Logo

Participants from six geographically distributed locations (Delft, Dublin, Geneva, Padua, Paris, and Sarajevo) formed teams that worked on various projects related to the Quantum Internet.

I participated in Delft where the hackathon was hosted by QuTech, a world-leading quantum technology research and development office within the Delft University of Technology.

The OpenSSL integration challenge

In Delft, I joined Yvo Keuter and Tim Janssen to form a team working on one of the challenges suggested by the hackathon organizers, namely the OpenSSL integration challenge.

This challenge was developed by Wojciech Kozlowski, a postdoctoral researcher at QuTech and one of the organizers of the Delft hackathon. He is also the main author of the Architectural Principles of the Quantum Internet document that is being developed in the Quantum Internet Research Group (QIRG) in the Internet Research Task Force (IRTF).

The OpenSSL integration challenge consists of two parts:

Enhance OpenSSL to be able to use Quantum Key Distribution (QKD) as a key agreement protocol. OpenSSL is an open source cryptography library that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. OpenSSL is widely used in Internet applications such as web browsers and web servers.
Implement a specific quantum key distribution protocol, namely the Bennett and Brassard 1984 (BB84) protocol, on top of the SimulaQron quantum network simulator.

The end-goal of the challenge is to use an off-the-shelf browser (e.g. Chrome) and connect it to a secure HTTPS website hosted on an off-the-shelf web server (e.g. Apache), while using the BB84 quantum key distribution algorithm as the key agreement protocol (running a SimulaQron simulated quantum network), instead of the classical Diffie-Hellman protocol that is normally used in classical networks.

The following figure shows what was actually achieved soon after the end of the hackathon (see part 4 for more details). At some time in the future I will replace the “mock QKD” implementation with a “real” implementation of BB84 QKD and update this report to document the results (I put “real” in quotes because it will run on a simulated quantum network using SimulaQron).

Architecture using engines and mock QKD

Structure of this report

In this report I describe how we achieved the goals set forth by the OpenSSL integration challenge.

The report consists of multiple parts (if you are already familiar with classical cryptography and quantum cryptography you probably want to skip ahead to part 4 which describes the actual implementation):

Part 1: Security in the classical Internet:
- Summarizes the security challenges in the classical (pre-quantum) Internet such as authentication, confidentiality, and integrity.
- Describes the protocols such as Transport Layer Security (TLS) and algorithms such as Diffie-Hellman key exchange that are used to solve these security challenges in the classical Internet.
- Shows an example packet trace of a secure HTTPS session between a web browser and a web site and explains what is going on.
- Describes what the open source OpenSSL library is and how it fits into the picture.
Part 2: Quantum computing breaks and fixes classical security:
- Describes that mathematical assumptions upon which the security of classical security algorithms is based.
- Explains how quantum information theory, in particular the famous Shor’s quantum algorithm for efficiently factoring large numbers, breaks classical security algorithms.
- Describes the two approaches to fixing the fact that classical security has been broken: (1) Quantum Key Distribution (QKD) protocols and (2) post-quantum cryptography.
- Gives the details of one specific Quantum Key Distribution (QKD) protocol, namely BB84 protocol.
- Gives an idea of what Quantum Key Distribution (QKD) currently looks like in the real world. It introduces a few companies that already have commercially available quantum key management systems.
Part 3: The ETSI QKD API:
- Introduces a standard framework and standard Application Programmers Interface (API) for Quantum Key Distribution (QKD) defined by the European Telecommunications Standards Institute (ETSI).
Part 4: Implementing QKD in OpenSSL:
- Describes two possible approaches for implementing Quantum Key Distribution (QKD) in OpenSSL: (1) hacking the existing engine-based extension mechanism for Diffie-Hellman and (2) introducing QKD as a new key exchange protocol.
- Describes in detail how we implemented the first approach, i.e. how we “hacked” the existing engine-based extension mechanism for Diffie-Hellman to add support for QKD in OpenSSL on top of the ETSI QKD API.
- Describes how we created a “mock” (i.e. fake) implementation of the ETSI QKD API that allows us to test OpenSSL QKD without using any quantum network (neither a real quantum network nor a simulated quantum network).
- Gives instructions on how to build and run the code in this repository.

At some point in the future, I also plan to implement BB84 on top of SimulaQron and add a part 5 to this report to document that work.