Fortinet recently announced that its next-generation firewall, FortiGate, now supports IPsec key retrieval with an external key encapsulation system using the ETSI standardized API. This eliminates negotiation, simplifies the process, enhances efficiency in IPsec key management, and introduces crypto-agility.
As longtime technology partners, Quantum Xchange is excited about this new feature and the efficiency it brings to Fortinet users who want to achieve quantum-safe networking easily and affordably. Now the links most at risk, e.g. remote locations and branch offices, can gain the security benefits of being quantum-safe with very little lift or outlay. Because users can select cryptographic algorithms at will, they get full crypto-agility on an existing, trusted infrastructure.
Phio TX from Quantum Xchange works with the Fortinet FortiGate Next-Generation Firewall (NGFW) to transmit a secondary symmetric key down a quantum-protected tunnel and mesh network, making data transmitted between sites within a Fortinet SD-WAN or virtual private network (VPN) immediately more secure and impervious to many cryptographic threats, including quantum attacks. See the full solution brief.
Published by the European Telecommunications Standards Institute (ETSI) in February 2019, the GS QKD 014 protocol, commonly referred to as EQKD, defines a REST API through which devices like FortiGate (or other key-consuming appliances) can request keys from any EQKD-compliant, quantum-safe key distribution system using a single protocol. This allows makers of encryption hardware and software to keep their existing certifications (FIPS, Common Criteria, ANSSI, PCI, etc.) while making their products immediately quantum-safe.
Special note: While the acronym ETSI points to the group’s European and telecommunications origins, the protocols the group has created are used by organizations in all industries headquartered throughout the world.
Here’s how EQKD works. A device or application that needs to share keys with a partner – a Secure Application Entity (SAE) – only needs to know the name of its key provider – the Key Management Entity (KME) – and the name and/or network address of the partner with whom it needs to share a key. The KME takes care of generating the shared key and distributing it to the partner. Because a KME does not have to be a traditional, physics-oriented QKD system, other quantum-safe, ETSI-compliant key distribution solutions, like Phio TX, can be deployed.
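The exchange described above, as an added example that is not code from Quantum Xchange, Fortinet or ETSI: two SAEs (stand-ins for two VPN gateways) obtain one shared symmetric key through the EQKD REST resources. The resource paths (`status`, `enc_keys`, `dec_keys`) and JSON field names (`keys`, `key_ID`, `key`, `number`, `size`) follow the published ETSI GS QKD 014 API; everything else is assumed for the example. The two KMEs are modelled by a single in-memory class that simply shares one key pool (standing in for the quantum-protected link between real KMEs), the SAE IDs `gateway-a`/`gateway-b` and the KME URLs are constructed, and no real HTTP is sent: requests are dispatched on the URL path. Only the GET form of each call is modelled.

```python
"""Simulated ETSI GS QKD 014 ("EQKD") key delivery between two SAEs.

Added example. The HTTP layer and the pair of KMEs are mocked so the flow runs
offline; only the resource paths and JSON shapes are taken from the ETSI API.
"""
import base64
import os
import uuid
from urllib.parse import parse_qs, urlparse


class MockKmePair:
    """Stands in for two linked KMEs (one per site).

    Assumption: real KMEs move key material between sites over the
    quantum-protected link; here both sides just share one dictionary.
    """

    def __init__(self):
        self._pool = {}  # key_ID -> raw key bytes, visible to both KMEs

    def handle(self, method, url):
        """Serve the EQKD resources a SAE uses; returns (status, json_doc)."""
        parts = urlparse(url)
        path = parts.path.split("/")
        # Expected shape: /api/v1/keys/{peer_SAE_ID}/{resource}
        if method != "GET" or len(path) != 6 or path[1:4] != ["api", "v1", "keys"]:
            return 404, {"message": "unknown resource"}
        peer_sae, resource = path[4], path[5]
        query = parse_qs(parts.query)
        if resource == "status":
            return 200, {"target_SAE_ID": peer_sae, "key_size": 256,
                         "stored_key_count": len(self._pool)}
        if resource == "enc_keys":
            # Master SAE asks for fresh keys; the KME mints them and remembers
            # them under a key_ID so the peer KME can hand them out later.
            number = int(query.get("number", ["1"])[0])
            size = int(query.get("size", ["256"])[0])
            keys = []
            for _ in range(number):
                kid = str(uuid.uuid4())
                raw = os.urandom(size // 8)
                self._pool[kid] = raw
                keys.append({"key_ID": kid, "key": base64.b64encode(raw).decode()})
            return 200, {"keys": keys}
        if resource == "dec_keys":
            # Slave SAE presents the key_IDs it was told about by its partner.
            ids = query.get("key_ID", [])
            missing = [k for k in ids if k not in self._pool]
            if missing:
                return 400, {"message": f"key_ID not found: {missing[0]}"}
            keys = []
            for kid in ids:
                raw = self._pool.pop(kid)  # single use: delivered once, then gone
                keys.append({"key_ID": kid, "key": base64.b64encode(raw).decode()})
            return 200, {"keys": keys}
        return 404, {"message": "unknown resource"}


class Sae:
    """A Secure Application Entity, e.g. a firewall that needs an IPsec key."""

    def __init__(self, sae_id, kme, kme_url):
        self.sae_id, self.kme, self.kme_url = sae_id, kme, kme_url

    def _get(self, path):
        status, doc = self.kme.handle("GET", self.kme_url + path)
        if status != 200:
            raise RuntimeError(f"KME returned {status}: {doc['message']}")
        return doc

    def request_key_for(self, peer_sae_id, size=256):
        """Master side: Get key. Returns (key_ID, key bytes)."""
        doc = self._get(f"/api/v1/keys/{peer_sae_id}/enc_keys?number=1&size={size}")
        entry = doc["keys"][0]
        return entry["key_ID"], base64.b64decode(entry["key"])

    def fetch_key_by_id(self, peer_sae_id, key_id):
        """Slave side: Get key with key IDs. Returns key bytes."""
        doc = self._get(f"/api/v1/keys/{peer_sae_id}/dec_keys?key_ID={key_id}")
        return base64.b64decode(doc["keys"][0]["key"])


def exchange_shared_key(kmes, site_a="gateway-a", site_b="gateway-b"):
    """Run the full EQKD exchange; returns (key_ID, key seen by A, key seen by B)."""
    a = Sae(site_a, kmes, "https://kme-a.example")  # constructed URL
    b = Sae(site_b, kmes, "https://kme-b.example")  # constructed URL
    key_id, key_a = a.request_key_for(site_b)
    # Only the key_ID travels over the existing in-band path between the two
    # sites; the key bytes themselves never do, which is the out-of-band point.
    key_b = b.fetch_key_by_id(site_a, key_id)
    return key_id, key_a, key_b


if __name__ == "__main__":
    kid, ka, kb = exchange_shared_key(MockKmePair())
    print(kid, ka == kb, len(ka) * 8, "bit key")
```

The one detail worth noticing is that a `dec_keys` request for a `key_ID` that has already been consumed fails: each delivered key is single use, so a replayed or guessed `key_ID` yields nothing, and a real deployment would additionally authenticate each SAE to its KME (the ETSI API runs over mutually authenticated TLS), which the mock leaves out.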
By facilitating out-of-band key distribution, the EQKD protocol ensures that an attacker cannot simply harvest data from a TLS/SSL session and then decrypt it later when a quantum computer is available (or otherwise find a way to break the public key encryption used by TLS/SSL). This immediately raises the bar for the attacker, while minimally impacting the existing encryption infrastructure.
In addition to the security benefits of its out-of-band key delivery, users of the joint Phio TX/FortiGate VPN benefit from continuous key rotation in the Phio TX hive, where keys are generated and rotated every two minutes and on every transfer.
To date, most VPNs rely on the IPsec protocol to retrieve and rotate keys, and those keys too often remain static – a poor security practice that weakens the overall security posture of the network. Phio TX corrects this flaw by delivering dynamic, ultra-secure keys to every VPN node automatically, making continuous key rotation the norm rather than the exception and bringing users closer to the one-time pad.
Contact Quantum Xchange to learn more.