August 19, 2024
Introduction
In the world of secure communications, the smallest detail can decide the difference between safety and exposure. For decades, organizations have relied on systems that patch vulnerabilities as they appear, always one step behind the adversary. But what if the foundation itself could be redesigned—built to withstand both today’s attacks and tomorrow’s threats?
The whitepaper tells the story of Isidore and Cassian, two technologies built not only to keep pace with change but also to anticipate it. At the core of Isidore lies a radical approach to cryptographic key management in which every connection generates fresh, one-time keys that disappear once their task is complete. Cassian expands upon this concept by orchestrating entire fleets of devices, ensuring that trust is established, maintained, and, when required, rebuilt.
The discussion will focus on four essential pillars of secure key management: generation, provisioning, rekeying, and zeroization. Along the way, readers will see how ephemeral session keys, post-quantum algorithms, and automated orchestration replace fragile, human-dependent processes with resilient, standards-driven security. The paper also highlights deployment considerations, showing how three-module architectures, strict red/black separation, and hardened operating environments create not just systems but ecosystems of trust.
That’s why software-only fixes and “we use AES-256” won’t save you. AES-256 remains robust against brute force, but real systems fail at the seams: quantum breaks the key-exchange scaffolding around AES, side-channels steal keys during use, and OT stacks leak across poorly segmented, legacy links.
By the end, the key takeaways will be clear:
Why ephemeral, one-time keys represent a fundamental shift in safeguarding sensitive data.
How Cassian enables organizations to scale cryptographic trust across complex networks.
What post-quantum resilience means for real-world communications.
And how these technologies together close the gap between present vulnerabilities and future-proof security.
The lesson here is simple, yet profound: the best way to protect tomorrow’s secrets is to rethink how we handle them today.
Key Loading (Initial Provisioning)
Isidore Quantum implements a secure, autonomous key management architecture for channel provisioning that ensures confidentiality, integrity, and resilience across red and black domains. The system begins with a pre-placed bootstrap key (Key 0), which may derive from random or locally combined materials. This key establishes an initial AES-256 tunnel (Tunnel 0), creating a trusted path for mutual authentication and secure negotiation.
During initial setup, the system blocks all traffic until the provisioning process is complete, eliminating any chance of unprotected or unauthorized data flow. A controlled startup sequence establishes encryption keys correctly before the device becomes operational, providing a foundational safeguard for system integrity.
As part of provisioning, Isidore devices perform a secure authentication and key agreement procedure that validates the identity of both endpoints. The device continues to block traffic until provisioning concludes, ensuring no unprotected communication can occur. A carefully managed startup process guarantees that encryption keys are established properly before the device becomes active.
Within the protected bootstrap channel, peers sequentially exchange lattice-based ML-KEM-1024 secrets to derive new session keys. Each successive tunnel replaces the prior, eliminating exposure of earlier material. The resulting shared key incorporates entropy from both endpoints, strengthening cryptographic assurance.
Cassian enhances this process by providing administrators with the ability to securely provision or derive shared secrets within Isidore devices. Cryptographic trust is established through mutual authentication conducted over a protected Cassian-Isidore management channel.
Control messages are digitally signed using ML-DSA, eliminating the risk of unauthorized provisioning, while policy enforcement ensures that all operations remain aligned with organizational security requirements. Together, these measures provide a resilient and standards-based foundation for secure device deployment.
Cassian provides fleet-wide cryptographic binding to secure Isidore deployments operating in peer-to-peer, hub-and-spoke, or mesh topologies. Remote fleet initialization enables administrators to distribute or derive shared secrets across large groups of devices, establishing a trusted baseline without requiring direct physical access.
Automated cryptographic binding builds on this foundation by creating trust relationships between devices and validating their operational integrity in real time.
Dynamic rekeying further strengthens resilience by regularly reissuing ephemeral session keys, enforcing cryptoperiods, and ensuring that compromised or outdated keys cannot be exploited. Together, these capabilities deliver a scalable, policy-driven approach to managing cryptographic trust across complex networks.
Once trust between paired devices is confirmed, the system automatically loads the agreed-upon keys into its encryption modules without operator intervention. Communications are fully protected from the outset, and the risk of human error in handling sensitive cryptographic material is significantly reduced. Automated loading ensures immediate protection while delivering a smooth and reliable startup experience.
The pairing of Isidore devices relies on cryptographic shared secrets. A shared secret may be introduced during initialization or securely derived through ML-KEM during device pairing. Once established, the shared secret provides the basis for generating ephemeral session keys, which secure all subsequent communications.
Session keys are regenerated frequently and remain confined within the device boundary, never exported or reused. Strict compartmentalization of cryptographic material guarantees forward secrecy, ensuring that past communications remain protected even if current keys are compromised. Collectively, these measures provide a resilient, automated, and standards-driven process that establishes trust, maintains confidentiality, and strengthens operational security across Isidore deployments.
Key takeaways:
During setup, paired devices perform a secure authentication and key agreement step
This ensures both devices trust each other before exchanging data
Keys are then loaded automatically into the encryption modules inside the Isidore Quantum device
Key Generation
Isidore devices generate fresh, one-time session keys for every secure connection, ensuring that no key is ever reused. Entropy generation relies on FIPS 140-compliant random number generators, hardware-based RNGs, and nondeterministic system behaviors. Entropy is continuously pooled and may be combined across the channel pair.
Key takeaways:
Isidore Quantum creates new session keys for every secure link
Keys are generated using a trusted random number source that meets government crypto standards
Keys are never reused; each session has unique keys
Key Updates (Rekeying)
Isidore devices use an automated rekeying process to safeguard the integrity of encrypted communications. Keys are refreshed either on a fixed schedule or according to organizational security policies, ensuring that cryptographic protections remain strong while adapting to operational requirements. Automation eliminates the need for manual oversight, reducing the risk of delays or errors in the rekeying process.
Once secure operation is established, nodes A and B autonomously manage key lifecycles through periodic rekey transactions. Initiation alternates between peers, with each ML-KEM-1024 exchange generating fresh recovery keys to address potential desynchronization.
Regular replacement of encryption keys prevents the reuse of older keys that could otherwise be exploited if intercepted or compromised. By systematically retiring outdated keys and introducing new ones, Isidore devices ensure that sensitive data remains secure against evolving threats, protecting both confidentiality and integrity.
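The tunnel chain described above (bootstrap Key 0, one provisioning exchange initiated by each side, then alternating rekeys), sketched as an added example that is not Isidore's own implementation. It assumes HKDF-SHA256 as the derivation step, uses os.urandom as a stand-in for the ML-KEM exchange and HMAC as a stand-in for the AES-256 tunnel; Peer, advance, protect and run_link are hypothetical names.

```python
import hashlib
import hmac
import os


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract with the salt, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def kem_exchange() -> bytes:
    """Stand-in (assumption) for one ML-KEM encapsulate/decapsulate round trip.
    Both peers end up holding the same fresh 32-byte secret."""
    return os.urandom(32)


class Peer:
    def __init__(self, name: str, key0: bytes):
        self.name = name
        self.key = bytearray(key0)      # Key 0, protects Tunnel 0
        self.recovery = bytearray(32)   # refreshed by every exchange
        self.epoch = 0
        self.operational = False        # traffic is blocked until provisioning ends

    def advance(self, kem_secret: bytes) -> None:
        """Derive tunnel N+1 from tunnel N's key plus the new KEM secret."""
        self.epoch += 1
        out = hkdf(bytes(self.key), kem_secret, b"tunnel-%d" % self.epoch, 64)
        # Overwrite the old key in place so the prior tunnel's key is replaced.
        # Python cannot guarantee that no copies remain in memory; a real
        # device would zeroize inside its cryptographic module.
        self.key[:] = out[:32]
        self.recovery[:] = out[32:]

    def protect(self, payload: bytes) -> bytes:
        """Tag a payload under the current key (HMAC stand-in for the tunnel)."""
        if not self.operational:
            raise PermissionError(f"{self.name}: provisioning incomplete, traffic blocked")
        return hmac.new(bytes(self.key), payload, hashlib.sha256).digest()


def run_link(key0: bytes, rekeys: int):
    """Provision a pair (one exchange initiated by each side), then rekey."""
    a, b = Peer("A", key0), Peer("B", key0)
    initiators, key_history = [], []
    for i in range(2 + rekeys):
        initiators.append("AB"[i % 2])  # initiation alternates between peers
        secret = kem_exchange()
        a.advance(secret)
        b.advance(secret)
        key_history.append(bytes(a.key))
        if i == 1:                      # both endpoints have now contributed entropy
            a.operational = b.operational = True
    return a, b, initiators, key_history


if __name__ == "__main__":
    a, b, who, keys = run_link(os.urandom(32), rekeys=3)
    print("initiators:", who, "| final epoch:", a.epoch)
    print("peers agree:", a.key == b.key, "| unique keys:", len(set(keys)) == len(keys))
```

Because each new key is derived from the previous key and a fresh exchange secret, capturing one tunnel key does not yield earlier ones, and an observer who missed any single exchange cannot follow the chain forward.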
Cassian strengthens this process by allowing administrators to securely initiate rekeying events across multiple devices. Digitally signed commands guarantee that only authorized actions are executed, preventing tampering or malicious interference.
The combined capabilities of Isidore and Cassian deliver a scalable, policy-driven solution for maintaining encryption strength across entire networks. Organizations benefit from simplified cryptographic management, minimized human error, and consistent protection of mission-critical communications.
Cassian extends Isidore’s zero-touch cryptography into a managed ecosystem, enabling secure orchestration of large-scale deployments without introducing vulnerabilities. Through this integration, enterprises gain both resilience and efficiency in safeguarding sensitive information.
Key takeaways:
Keys are automatically refreshed (rekeyed) on a set schedule or based on security policy
Rekeying ensures old keys cannot be used to attack the system
Cassian, the management tool, can trigger fleet-wide rekeying securely using signed commands
Key Zeroization (Wiping Keys)
Isidore devices feature key zeroization capabilities to prevent sensitive cryptographic material from being left exposed or vulnerable. Zeroization involves the deliberate clearing of encryption keys from a device, achieved either manually by an operator or through automated management with Cassian. A safeguard of this kind ensures that once a key is no longer required, it cannot be recovered or misused, thereby protecting the confidentiality and integrity of secure communications.
For manual zeroization, Isidore devices automatically clear session keys whenever a reset or restart occurs. Since session keys are stored only in working memory, a simple reboot is sufficient to guarantee complete removal. Operators gain a straightforward method to eliminate active keys immediately without the need for complex procedures or specialized tools.
Beyond session keys, Isidore systems may also store long-term credentials based on configuration or operational needs. Such credentials can be securely erased by following vendor-provided instructions for performing a full cryptographic wipe. Proper execution of this process ensures that persistent keying material is not retained on the device, thereby preventing unauthorized recovery and aligning with best practices for secure system decommissioning.
Cassian provides fleet-wide zeroization capabilities for Isidore devices, allowing administrators to remotely trigger secure wipe actions through digitally signed commands.
Isidore Quantum provides a flexible cryptographic framework designed to operate across multiple network topologies, each addressing distinct mission and operational requirements. The platform integrates post-quantum cryptographic primitives with zero-touch key management, enabling secure and resilient deployment models that scale from point-to-point connections to full mesh environments. By abstracting cryptographic binding and key lifecycle management through Cassian, the centralized management layer, Isidore Quantum ensures uniform security enforcement regardless of network design.
Point-to-point deployments represent the simplest topology, providing a direct encrypted tunnel between two Isidore devices. Session keys are derived from shared secrets or negotiated through ML-KEM, with rekeying schedules enforced automatically to preserve confidentiality. This model is best suited for environments requiring low latency, deterministic paths, and minimal overhead. Applications include site-to-site encrypted links, backhaul transport, and mission-critical control paths where traffic is confined to two endpoints.
Point-to-multiple point topologies extend the concept by enabling one Isidore device to securely communicate with multiple peers simultaneously. Each link is provisioned with unique ephemeral session keys, preventing cross-link correlation and maintaining compartmentalization of cryptographic material. Cassian’s orchestration ensures that key material is distributed or derived consistently across all participating endpoints. This approach is commonly leveraged in tactical field deployments, where a command node must securely interface with multiple subordinate units without relying on intermediate trust brokers.
Hub-and-spoke architectures leverage Isidore Quantum’s automated cryptographic binding to establish a central trust anchor at the hub. Each spoke device maintains an isolated cryptographic channel with the hub, with session keys independently managed to prevent exposure across spokes. Fleet management operations, such as rekeying, zeroization, or topology updates, are initiated at the hub through Cassian and securely propagated across the spokes using digitally signed control messages. This model provides operational simplicity while preserving strong isolation, making it ideal for enterprise or defense networks with a clear control hierarchy.
Mesh topologies represent the most resilient configuration, enabling every Isidore device to cryptographically bind with multiple peers. Shared secrets are securely derived across the fleet, with Cassian ensuring that session keys are frequently rotated and validated to enforce cryptoperiod requirements. Mesh deployments maximize survivability by eliminating single points of failure and allow encrypted communications to dynamically reroute around compromised or offline nodes. For network engineers, the mesh topology provides the highest degree of flexibility and robustness, particularly in contested or degraded environments where central management paths cannot be guaranteed.
Across all topologies, Isidore Quantum enforces strict red/black separation and confines key material within FIPS-validated cryptographic boundaries. Session keys are never exported, reused, or persisted beyond operational requirements, ensuring both forward secrecy and resistance to compromise. By combining automated key lifecycle management with topology-agnostic orchestration, Isidore Quantum provides network engineers with a scalable, secure, and quantum-resilient solution for mission-critical communications.
By removing stored credentials and cryptographic keys in accordance with approved standards, organizations can confidently enforce zeroization policies without requiring physical access to each device. The approach ensures that sensitive information remains protected while simplifying the management of large deployments.
When an Isidore device is lost or compromised, Cassian enables secure recovery operations to preserve mission continuity. The process begins with scrubbing, which zeroizes all connected channels to eliminate residual trust. New shared secrets are then provisioned across surviving devices to restore a trusted cryptographic baseline. Once a replacement device is introduced, Cassian binds it to the fleet with fresh shared secrets, seamlessly resuming encrypted communications without exposing operators to sensitive key material.
Automated handling of scrubbing, reissuance, rebinding, and resumption reduces operational overhead while preserving the confidentiality and integrity of communications. Organizations benefit from a streamlined recovery process that minimizes downtime and prevents adversaries from exploiting compromised assets.
Strict red/black separation, a defining feature of the Isidore architecture, is preserved throughout the process. Cassian enforces this security model by operating as distinct red-side and black-side management instances when required, ensuring zeroization and recovery actions never create a cryptographic bypass.
Key revocation is supported via zeroization, locally or remotely triggered. Compromise of a single keystore terminates the channel. All keys are cryptographically wrapped under a hardware root of trust, persistently stored, and only unwrapped into volatile memory when required.
By combining manual and Cassian-driven methods, the Isidore ecosystem delivers a flexible and resilient framework for zeroization and recovery. Administrators gain the assurance that sensitive cryptographic material can always be securely wiped or replaced, enabling both strong data protection and reliable operational continuity.
Key takeaways:
If an operator needs to clear all keys, a device reset/restart wipes session keys automatically (they are only stored in working memory)
Any long-term credentials (if configured) can be erased following vendor-provided secure wipe instructions
Cassian can send a signed “wipe” action to one or many devices. This removes stored credentials/keys in line with approved crypto standards
Red-side and Black-side Cassian instances ensure no bypass of isolation during this process
Complete erasure of all cryptographic material and entropy pools within a compromised or retired Isidore unit
Selective scrubbing of session keys across a specific channel or group of devices
Deployment Notes (for Operators)
Isidore devices are engineered with a three-module architecture—Inner, Outer, and Frontend—that must be directly linked via Ethernet to preserve strict red/black separation. All servers supporting Isidore and Cassian operate on Ubuntu Server 24.04 LTS, with network cards configured in promiscuous mode during installation to ensure effective traffic handling. Cassian connects to the black side of Isidore, and in high-security environments, may be split into separate Red and Black instances to maintain absolute isolation and prevent any cryptographic bypass. This design integrates operational efficiency with stringent security controls, enabling scalable, resilient, and quantum-resistant communications infrastructure.
Key Deployment Requirements:
With the secure channel foundation in place, Isidore Quantum supports negotiation of operational parameters such as ephemeral signing keys, MTU, and policy settings before shifting from provisioning to operational mode.
Isidore relies on three compute modules (Inner, Outer, Frontend) interconnected directly via Ethernet with no switch in between
Ubuntu Server 24.04 LTS serves as the required operating system for both Isidore servers and Cassian
Network cards must be configured in promiscuous mode at installation to properly capture and process traffic
Cassian connects to the black side of Isidore and can be separated into Red Cassian and Black Cassian instances for strict isolation
Fleet management and lifecycle operations are streamlined through Cassian, which enforces secure policies and cryptographic trust at scale
Key Security Benefits:
Elimination of traditional key loader dependencies removes common compromise vectors
Ephemeral key usage ensures entropy-driven cryptographic material with no persistence risk
Boundary integrity guarantees that keys never leave the FIPS-validated cryptographic module
CNSA 2.0-compliant post-quantum algorithms (ML-KEM and ML-DSA) deliver resilience against quantum adversaries
Automated scrubbing, rekeying, and recovery enable resilience in contested or compromised environments
Conclusion
By combining Isidore’s hardware-based separation, ephemeral key management, and post-quantum cryptography with Cassian’s centralized orchestration, organizations gain a scalable and resilient foundation for secure communications.
The design provides forward secrecy, resilience against synchronization failures, and strong revocation mechanisms, resulting in a secure and self-managing cryptographic channel for Isidore Quantum devices.
The integration eliminates legacy vulnerabilities, enforces strong boundary protections, and enables rapid recovery while ensuring forward-looking protection against emerging quantum threats. Together, Isidore and Cassian establish a trusted ecosystem for next-generation secure communications.
Use Ubuntu Server 24.04 LTS for all Isidore servers and Cassian
Network cards must run in promiscuous mode (set during install)
Cassian connects to the black side of Isidore and can be split into Red Cassian and Black Cassian instances when strict separation is required
2025 Copyright Forward Edge-AI