PQC Technology for Data Protection in German Medical Services
A Quantum Leap Ahead of the Threats
Over the history of modern computing, one rule has always held true: As technology becomes more powerful, the potential risks and active threats also become greater and more sophisticated. Each new technological generation has brought unique new capabilities and new functionalities to serve the user better, but also new inroads for potential attackers – a never-ending game of cat-and-mouse.
For critical infrastructure like connected medical technology, the digital revolution has created amazing new opportunities for more responsive, connected, and data-driven services, but it also exposes the systems to new attacks. Protection for these types of systems goes beyond the already exceedingly important and legally relevant questions of confidentiality and integrity for the often highly sensitive patient data contained on modern smart medical devices. A new protection paradigm is required to ensure the safe, reliable, and trustworthy operation of such devices even in an environment in which the scale of the problem and – as quantum computing promises to bring another leap in computing capabilities for both sides – the capabilities of the opponent cannot be predicted with any certainty. In the post-quantum world, cryptographic countermeasures have to stay one step ahead of a threat they cannot yet know when they are introduced.
General Goals of PQC4MED
The project intends to secure access to appropriate and sufficiently powerful countermeasures by preempting the new level of threat created by the development of new computing capabilities. This calls for a completely new conceptual approach to security-by-design: Putting in place potential defenses against potential threats long before they become actual. PQC4MED does so by integrating a secure element as a constituent part of the embedded system to act as a versatile and flexible vessel for the right post-quantum cryptographic algorithms when and where the need for such protection arises.
The project intends to achieve this crypto-agility by creating holistic post-quantum-cryptographic capabilities:
Developing and embedding a powerful and versatile secure element with updateable firmware
Enabling the replacement and updating of the secure element firmware
Creating a backend infrastructure of PQC-ready protection tools, license and key management, and system automation and management resources
Providing a process and user GUI for updates on the ground
The Contribution of Wibu-Systems
Wibu-Systems brings its unique expertise and experience in the use of hardware secure elements as part of a comprehensive and holistic protection and licensing infrastructure to the PQC4MED project. As project coordinator, Wibu-Systems cooperates with the consortium partners to analyze the specific use cases in the medical technology industry, taking into account the stringent legal requirements, confidentiality concerns, and the commercial and technological potential of a field that is still evolving, but highly competitive in terms of both the commercial promise of upgradeable secure elements and the opportunity for new patent protections to secure technological advantages in the area.
Wibu-Systems intends to establish a new ground zero for the production of PQC-capable systems, with a sustainably secure infrastructure and platform for highly secure updates. The scope of the project suggests further potential in other aspects of critical infrastructure beyond the medical technology sector.
Introducing new updating capabilities for Infineon secure elements to ensure full compatibility with PQC factory updates.
Providing an update mechanism for high-end secure elements, including devices already working in the field, to inject new cryptographic capabilities through a secure and backwards-compatible (hybrid) updating scheme without the need for replacing any physical hardware.
Developing a generic hardware module for low-end, limited-resource cases that ensures crypto-agility by allowing the physical replacement of the module in the factory while keeping the established secure element platform in place.
Producing demonstration units for both integrated and replaceable secure elements as proofs of concept of the technology, including the requisite backend infrastructure.
DFKI (German Research Center for Artificial Intelligence) in Bremen, Germany
ITI (Institute of Theoretical Computer Science) at the KIT (Karlsruhe Institute of Technology)
ITS (Institute for IT Security) at the University of Lubeck, Germany