First Look: QuintessenceLabs Trusted Security Foundation (TSF)
This month's First Look is not for the faint-hearted, but it is a unique, well-conceived and crafted tool. When you need what this one does you probably won't need to look any further. We probably should start with a little context. QuintessenceLabs builds quantum computing tools. There. Wasn't that easy? Maybe not so much, actually. Our first clue that we were on to a company steeped in science, mathematics and technology was when we found out that one member of the marketing leadership was a physicist with a PhD. She was one marketer with whom we enjoyed speaking. So, having set at least part of the stage for what follows, let's move on and see what a very serious scientific development effort can produce.
Quantum cryptography depends for its security on the use of very large random numbers that are, truly, random. Of course, we really only approach randomness asymptotically, except under certain circumstances. We can get to true randomness using light (photons) to generate random numbers and purists often take the position that it is not quantum unless it's photon-generated.
At a glance
Product Trusted Security Foundation (TSF)
Price On request.
What it does Key management interoperability protocol (KMIP v1.2), public-key cryptography standards (PKCS#11) conformant, also supports [Web Administration/REST API (port 443) over SSLv3, TLSv1, v1.1, and v1.2)], [Key Management Service (port 5696) over TLSv1, v1.1, and v1.2], and TCP.
What we liked This tool is vendor neutral and completely interoperable.
The bottom line You really need to understand encryption, standards and your requirements but if you need what this tool does there are no other choices of which we are aware.
While we won't go quite that far here, we likely could. In fact, it's the physical creation of the randomly generated numbers that counts rather than the complexity of the number generation algorithm. Number-generating algorithms are deterministic. That means they can be computed - guessed - and the encryption that uses them broken. QuintessenceLabs does not use this approach. Being one of the few practical applications of quantum computing, this developer has taken some giant strides.
Suffice it to say that QuintessenceLabs uses some very sophisticated methods to generate some very large random numbers giving, potentially, the strongest encryption available. The ingredients that go into good, strong encryption are really huge random numbers and really strong encryption algorithms. The random numbers are used to generate key material so, even though we think of strong key material as being, well, the key, they depend on those big random numbers in order to work.
The other piece of the puzzle is managing the key material. When you have a large enterprise, key management can be challenging. QuintessenceLabs has a suite of tools that sit under the umbrella of the Trusted Security Foundation, their name for their encryption management platform. For governments and large businesses, compliance with standards is a must. QuintessenceLabs products are compliant with ever applicable standard, as well as being Common Criteria compliant at the EAL2 level. We might argue that if you are a crypto product and are compliant with FIPS and NIST, you're in pretty good company. Add the CC and you're a pretty trustworthy product suite.
One of the key pieces of the TSF is interoperability. Since QuintessenceLabs provides the key management system, there needs to be an encryption front-end to do the dirty work. TSF can accommodate quite a few options in that regard. The product suite handles key generation, management and policy. As to policy, this is what glues everything together. We see a lot of policy engines in various products - most are role-based - and never have we seen the granularity we saw in the TSF. It is, unquestionably, the best thought-out policy engine available for any security tool of any type. The combination of quantum computing and extremely strong policy management - along with standards compliance - is a home run for qLabs.
Policies are extremely strong out of the box, but if you need some of your own that are specific to your environment - though with what is provided that would be a pretty unusual occurrence - you can build them easily yourself. Auditing logs are complete and, of course, all are standards compliant. The website has a lot of good information on it, the requisite support portal and some good explanation of why they are able to use true random numbers and where random numbers come from.