Associate Professor, Faculty of Electrical Engineering, University of Sarajevo
Research fields: Computer security and reliability, Cryptography (Computer science), Network science
Key management strategies are a critical yet often overlooked aspect of integrating quantum key distribution (QKD) networks as a service into critical infrastructure. They have a considerable impact on the efficiency of QKD network services, thereby shaping their suitability for diverse applications. In this paper, we examine the effectiveness of key management strategies developed through practical testbeds, identifying their strengths and weaknesses. A novel, to the best of our knowledge, organization of key storage to enhance key construction efficiency and overall service performance is introduced. Using simulation tools, the proposed strategy is evaluated against existing approaches, demonstrating superior performance and effectiveness.
This paper presents a vendor-agnostic architecture for secure pre-shared key (PSK) exchange between Quantum Key Distribution (QKD) nodes, leveraging post-quantum cryptography (PQC) tools. The proposed system combines PQC-OpenVPN and OQS-OpenSSH with USB mass storage emulation and single-board computers (SBCs) to automate the transfer of initial authentication secrets. This design significantly reduces manual intervention and mitigates risks associated with physical key handling. The solution was experimentally validated on IDQ Clavis3 and Cerberis3 devices and is broadly applicable to other QKD platforms that support only USB-based key input. Integration of lattice-based algorithms such as Kyber, Dilithium, and ML-DSA enables encapsulation and authentication of quantum-safe keys. Furthermore, a layered design using VPN and SSH channels provides robust cryptographic isolation for authentication material in transit. The work contributes a reproducible and cost-effective testbed for post-quantum hardened QKD deployments and demonstrates the practical feasibility of combining PQC mechanisms with QKD systems to enhance trust in future quantum-safe infrastructures.
Network emulators are essential in testing network systems, applications, and protocols. Emulators bridge the gap between simulation setups that lack realism in results and real-world trials that are accurate but often expensive, non-reproducible, and uncontrollable. This paper describes the simulations and emulations of the national Czech QKD network. Using emulation techniques, a unique ecosystem is formed that includes the processes of generating, processing, storing, and consuming cryptographic keys. The presented tool will undoubtedly spur future development, understanding, and teaching, and it is critical for testing novel applications and protocols applied to QKD networks.
The development of telecommunications networks raises the demand for secure communication flows. One of the approaches to providing information-theoretical levels of security is the application of quantum cryptography based on the quantum laws of nature. However, quantum networks differ significantly from existing networks in terms of their organization and availability of resources. This technology’s convergence largely depends on how it is integrated into existing networks and on the economic return on investment. Towards analyzing the latter, we consider the business model for accessing QKD network resources through a mechanism of pricing a QKD link upon a user’s request, with continuous fairness monitoring of the network utilization.
Quantum Key Distribution (QKD), a secret key agreement primitive, makes possible long-awaited real-world Information-Theoretical Security (ITS). In the last twenty years, the development of QKD-based networks that deliver ITS keys to distant parties has been a focus of the academic and industry sectors. Several key-delivery specifications have been developed for the practical delivery of keys to end applications. In this paper, we discuss key-delivery specifications with a focus on security and authentication.
Network emulators play an important role in testing network systems, applications, and protocols. Emulators bridge the gap between simulation setups that lack realism in results and real-world trials that are accurate but often expensive, non-reproducible, and uncontrollable. This article presents an extended model of the Quantum Key Distribution Network Simulation Module (QKDNetSim) with a model catalog of QKD components and functionalities. We explore emulations of point-to-point connections in QKD networks and the interaction of essential components within QKD nodes. The presented tool will undoubtedly spur future development and teaching, and it is critical for testing novel applications and protocols applied to QKD networks.
Software-Defined Networking (SDN) is the current approach to network design, based on separating the control and data planes. Such an architectural model has brought improvements in terms of network monitoring, management and troubleshooting, but has also increased risks related to network security. Security attacks can occur at all SDN layers and disrupt part of the network or the entire network. Existing research is mostly focused on the security of the control plane, since it contains all the control logic of SDN networks and thus represents their main part. Although the data plane has many vulnerabilities and can also be a significant source of security threats towards the control plane, it is only partially covered in existing research, without enough detail on the differences between the methods and implementation techniques that provide security enhancement. In this paper, we present a comprehensive survey on the security of the data plane, focusing on the latest advanced solutions. The survey starts with an overview of attacks, threats and affected security attributes in the data plane, classified using common security models: STRIDE, CIA and AAA. After that, we present a detailed analysis of solutions explored in the literature, including the methods used for security enhancement, implementation techniques, experimental environments, their contributions in terms of the vulnerabilities that they address, performance analysis and limitations. Through this analysis, we introduce the concept of adaptive security and select several mechanisms which can be used to achieve it. Additionally, we propose possible combinations of the presented mechanisms to provide a strong, comprehensive solution which should adapt to the dynamics of the network, attackers and users, and in that way protect the network from different threats and also satisfy the requirements of services which need different levels of security.