Security Architecture
Threat model, key custody architecture, BYOC integration, HSM mode, air-gapped security, post-quantum algorithms, evidence bundles, revocation model, and known limitations.
Threat Model
Six adversary profiles with documented mitigations. QuantumLock is designed for the classical-to-post-quantum transition era.
Classical Attacker
Vector: Computational attacks on RSA-4096 via factorization.
Mitigation: RSA-4096 keys with PSS padding. A 4096-bit modulus is beyond the reach of known classical factoring attacks.
Quantum Attacker
Vector: Shor's algorithm on a large-scale fault-tolerant quantum computer.
Mitigation: ML-DSA-65 hybrid signatures (FIPS 204). Classical RSA + PQC. Both must validate.
Insider Threat
Vector: Compromised operator or stolen API key with signing privileges.
Mitigation: Scoped API keys (quantumlock:use/keys/sign/read). Immutable audit trail. RBAC roles.
Supply Chain
Vector: Tampered software distribution or compromised build pipeline.
Mitigation: Nuitka-compiled binaries (.so/.pyd). Zero .py source in production. Docker image signing.
Replay Attacks
Vector: Reuse of previously valid signatures or evidence bundles.
Mitigation: Epoch-based revocation with anti-rollback. Monotonically increasing epoch numbers. HMAC-protected local store.
Evidence Tampering
Vector: Modified or deleted audit log entries.
Mitigation: SHA256-chained immutable audit log. Each entry includes the hash of the previous entry, so tampering is cryptographically detectable.
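An added illustration of the hash-chained audit log described above (not QuantumLock's code; the entry layout, genesis value, and function names are assumptions). It also shows that removing entries from the tail still passes chain verification unless the head hash is pinned outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry

def entry_hash(prev_hash, event):
    # Deterministic JSON encoding (assumption; the page does not specify the entry format).
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, event):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})

def verify(log, pinned_head=None):
    """Return (ok, reason). pinned_head is a head hash stored outside the log."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:
            return False, f"entry {i}: broken link (entry removed or reordered)"
        if entry_hash(e["prev"], e["event"]) != e["hash"]:
            return False, f"entry {i}: content modified"
        prev = e["hash"]
    if pinned_head is not None and prev != pinned_head:
        return False, "head mismatch (log truncated or rewritten)"
    return True, "ok"

def demo():
    # Constructed sample events, not real QuantumLock audit records.
    log = []
    for ev in [{"op": "key.create", "key": "k1"},
               {"op": "sign", "key": "k1"},
               {"op": "key.rotate", "key": "k1"}]:
        append(log, ev)
    head = log[-1]["hash"]
    edited = [dict(e) for e in log]
    edited[1]["event"] = {"op": "sign", "key": "k2"}  # modify one entry in place
    deleted = log[:1] + log[2:]                       # drop a middle entry
    truncated = log[:2]                               # drop the newest entry
    return {
        "intact": verify(log, head)[0],
        "edited": verify(edited)[0],
        "deleted": verify(deleted)[0],
        "truncated_unpinned": verify(truncated)[0],
        "truncated_pinned": verify(truncated, head)[0],
    }

if __name__ == "__main__":
    print(demo())
```

Because the chain here is unkeyed, anyone who can rewrite the whole file can recompute every hash; the externally held head is what catches that case as well as truncation.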
Key Custody Model
Strict separation between policy decisions (QuantumLock) and key custody (your KMS or HSM). QuantumLock never accesses private key material.
Policy Engine
Decides which algorithm to use, which key to call, when to sign, when to rotate, and lifecycle rules.
KMS Integration
Routes cryptographic operations to the correct KMS provider via native SDK. AWS, Azure, GCP, or PKCS#11.
Private Key Material
Stored exclusively in your cloud KMS or HSM. QuantumLock never accesses, transmits, or stores your private keys.
HSM Hardware
Thales Luna, Entrust nShield, Utimaco, YubiHSM 2. You procure, configure, and physically secure the HSM.
Cloud Account & IAM
AWS, Azure, or GCP account. You control IAM roles, service accounts, and billing.
Access Control & Scopes
QuantumLock enforces scopes. Your organization manages API key distribution and role assignments.
Post-Quantum Cryptography
QuantumLock implements all three NIST FIPS post-quantum standards plus hybrid defense-in-depth modes.
| Algorithm | Standard | Level | Use |
|---|---|---|---|
| ML-DSA-65 | FIPS 204 | 3 | Primary PQC signature algorithm |
| ML-DSA-87 | FIPS 204 | 5 | High-security PQC for critical operations |
| ML-KEM-768 | FIPS 203 | 3 | Key encapsulation mechanism |
| SLH-DSA-SHAKE-256S | FIPS 205 | 5 | Conservative stateless hash-based backup |
| Falcon-1024 | NIST Selected | 5 | Bandwidth-optimized signature |
| Hybrid RSA+ML-DSA | Proprietary | Defense-in-depth | Both classical and PQC must validate |
Hybrid Signature Mode
Hybrid RSA+ML-DSA signatures require both classical (RSA-4096) and post-quantum (ML-DSA-65) signatures to be valid. No single algorithm compromise can break the security guarantee. This defense-in-depth approach ensures security during the quantum transition period where both classical and quantum-capable attackers may coexist.
Cryptographic Evidence Bundles
Every license operation, key lifecycle event, signature, and certificate issuance produces a cryptographically sealed evidence bundle. Bundles use JCS (RFC 8785) canonicalization, dual classical + PQC signatures, and a Merkle-tree transparency log with signed checkpoints.
Compliance Alignment
QuantumLock aligns with recognized cryptographic standards and regulatory frameworks.
Limitations
Honest disclosure of what QuantumLock does not claim or provide. Enterprise procurement requires clear boundaries.
- QuantumLock PKI is a private/internal CA. It does not replace a qualified trust service provider (QTSP) or public certificate authority.
- Local KMS mode (software keys) is not equivalent to a FIPS 140-3 certified HSM. Defense deployments require a PKCS#11 HSM.
- PQC-ready means QuantumLock implements NIST-standardized post-quantum algorithms. It does not mean quantum-proof certification.
- SecNumCloud-ready means the software is compatible for deployment on SecNumCloud-qualified infrastructure. It is not itself SecNumCloud certified.
- License validation provides software-based protection. It is not a hardware security module and does not prevent physical tampering.
- The OCSP responder is RFC 6960 compliant but requires the PKI root CA certificate to be distributed and trusted by relying parties.