Threat and adversary models for QRNG web services

Authors

DOI:

https://doi.org/10.30837/rt.2025.2.221.04

Keywords:

STRIDE, QRNG, web service, entropy, information security, cryptography, threat model, adversary model, randomness post-processing

Abstract

Quantum Random Number Generators (QRNG), based on physical processes of quantum mechanics, provide a high level of entropy and unpredictability, making them a promising source of randomness for use in information and communication systems, particularly in the context of post-quantum cryptography.

However, using the QRNG in the format of a web service (e.g., via public APIs or cloud platforms) introduces new attack vectors that may compromise the trust in the generated data. This work develops a threat model and an offender model for a QRNG web service. The methodological foundation of the study is based on modern risk analysis standards, including the ISO/IEC 27005, STRIDE, and Common Criteria. Critical system assets are identified, potential threats are classified considering the specifics of quantum generation, and an offender profile is constructed.

Typical attack scenarios are considered, including random number interception, physical generator compromise, API service attacks, and insider threats. For each scenario, a risk assessment is performed based on the likelihood of occurrence and potential consequences. A comprehensive set of protection measures is proposed, including technical (TLS, post-processing, monitoring), organizational (access control, auditing), and procedural (incident response)solutions.

The results of this work can be used to develop secure QRNG services integrated into critical cryptographic systems and serve as a basis for further research in the field of quantum technology security modeling.

References

M. Herrero-Collantes and J. C. Garcia-Escartin. Quantum random number generators // Rev. Mod. Phys. Marh 2017. Vol. 89, no. 1. P. 015004. DOI: 10.1103/RevModPhys.89.015004

T. Lunghi et al. Self-testing quantum random number generator // Phys. Rev. Lett. Apr. 2015. Vol. 114, no. 15. P. 150501. DOI:10.1103/PhysRevLett.114.150501

M. Stipčević and C. K. Koc. True random number generators // Open Problems in Mathematics and Computa-tional Science. Springer, 2014. Р. 275–315. DOI:10.1007/978-3-319-10683-0_12, link: https://cetinkayakoc.net/docs/b08.pdf

Microsoft Corporation. The STRIDE Threat Model // Microsoft Docs, 2005. link: https://learn.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)

ISO/IEC 27005:2022, Information technology – Security techniques – Information security risk management. International Organization for Standardization, 2022.

ДСТЗІ України НД ТЗІ 1.4-001-2000. Типове положення про службу захисту інформації в автоматизованій системі. Київ, 2000. link: https://tzi.com.ua/downloads/1.4-001-2000.pdf

B. Schneier, Attack Trees: Modeling Security Threats, Dr. Dobb’s // Journal, 1999. link: https://www.schneier.com/academic/archives/1999/12/attack_trees.html

G. McGraw and G. Hoglund, Exploiting Software: How to Break Code, Boston, MA: Addison-Wesley, 2004. link: https://archive.org/details/Exploiting_Software_How_To_Break_Code/mode/2up

ДСТЗІ України НД ТЗІ 1.1-002-99. Типове положення про службу захисту інформації в автоматизованій системі. Київ, 1999. link: https://tzi.com.ua/downloads/1.1-002-99.pdf.

L. Conklin, V. Drake, S. Strittmatter, Z. Braiterman, A. Shostack. Threat Modeling Process // OWASP.org link: https://owasp.org/www-community/Threat_Modeling_Process#stride-threat--mitigation-techniques.

C. Evans, C. Palmer, and R. Sleevi. Transport Layer Security (TLS) Parameters // IETF, RFC 9325, Nov. 2022. link: https://www.rfc-editor.org/rfc/rfc9325

D. Hardt. The OAuth 2.0 Authorization Framework // IETF, RFC 6749, Oct. 2012. link: https://tools.ietf.org/html/rfc6749

L. Bassham et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Crypto-graphic Applications // NIST Special Publication 800-22, Rev. 1a, Apr. 2010. link: https://csrc.nist.gov/publications/detail/sp/800-22/rev-1a/final

A. Nelson, S. Rekhi, M. Souppaya, K. Scarfone et al. Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile // NIST SP 800-61 Rev. 3, Apr. 2025. link: https://csrc.nist.gov/pubs/sp/800/61/r3/final

Downloads

Published

2025-06-19

How to Cite

Morhul, D., Nariezhnii, O., & Hrinenko, T. (2025). Threat and adversary models for QRNG web services. Radiotekhnika, (221), 31–38. https://doi.org/10.30837/rt.2025.2.221.04

Issue

No. 221 (2025): Радіотехніка

Section

Articles

License

Authors who publish with this journal agree to the following terms:

1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.

2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.

3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).