Quantum Key Distribution (QKD) protocols, such as BB84, require secure authentication of their classical communication channel to ensure message integrity and authenticity, which is fundamental to distributing unconditionally secure keys and preventing critical vulnerabilities. Traditionally, QKD relies on pre-shared secret keys for this authentication, which poses significant scalability challenges. Asymmetric encryption methods are not a viable alternative, as they are either vulnerable to quantum computing attacks or lack rigorous security proofs. To address these issues, we propose using the well-established Kerberos authentication protocol, which relies on symmetric cryptography inherently resistant to known quantum attacks, to securely distribute the symmetric session keys that authenticate classical communication in QKD systems. We demonstrate the feasibility and practical security advantages of using Kerberos-generated session keys without modifying existing Kerberos workflows, providing a practical quantum-secure solution that leverages existing IT infrastructure.
Künstner et al. studied this question.
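As an added illustration (not code from the paper), the sketch below shows how a shared symmetric session key can authenticate the BB84 basis-announcement messages on the classical channel, so that a modified or replayed announcement is rejected before sifting. It assumes the key has already been delivered to both endpoints by Kerberos; the use of HMAC-SHA256 with a sender label and sequence number is an assumption, and `AuthChannel` and `sift` are hypothetical names.

```python
import hashlib
import hmac
import json
import os


class AuthChannel:
    """One endpoint of the classical channel (hypothetical helper)."""

    def __init__(self, session_key: bytes, me: str, peer: str):
        self.key, self.me, self.peer = session_key, me, peer
        self.send_seq = self.recv_seq = 0

    def _tag(self, sender: str, seq: int, body: bytes) -> bytes:
        # Binding sender and sequence number blocks reflection and replay.
        header = f"{sender}|{seq}|".encode()
        return hmac.new(self.key, header + body, hashlib.sha256).digest()

    def seal(self, payload: dict) -> dict:
        body = json.dumps(payload, sort_keys=True)
        tag = self._tag(self.me, self.send_seq, body.encode()).hex()
        msg = {"from": self.me, "seq": self.send_seq, "body": body, "tag": tag}
        self.send_seq += 1
        return msg

    def open(self, msg: dict) -> dict:
        if msg["from"] != self.peer or msg["seq"] != self.recv_seq:
            raise ValueError("unexpected sender or sequence number")
        expected = self._tag(self.peer, self.recv_seq, msg["body"].encode())
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            raise ValueError("authentication tag mismatch")
        self.recv_seq += 1  # advance only after a verified message
        return json.loads(msg["body"])


def sift(bits, my_bases, peer_bases):
    """Keep the bits measured in positions where both bases agree."""
    return [b for b, m, p in zip(bits, my_bases, peer_bases) if m == p]


if __name__ == "__main__":
    key = os.urandom(32)  # constructed stand-in for a Kerberos session key
    alice = AuthChannel(key, "alice", "bob")
    bob = AuthChannel(key, "bob", "alice")
    alice_bits, alice_bases = [1, 0, 1, 1, 0, 0, 1, 0], "XZZXZXXZ"  # constructed
    announce = bob.seal({"bases": "XZXXZZXZ"})
    tampered = dict(announce, body=announce["body"].replace("XZXX", "XZZX"))
    try:
        alice.open(tampered)
    except ValueError as err:
        print("rejected:", err)
    print("sifted:", sift(alice_bits, alice_bases, alice.open(announce)["bases"]))
```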