INDECT Advanced Security Requirements
This paper reviews the requirements for the security mechanisms that are currently being developed in the framework of the European research project INDECT. An overview of the features of integrated technologies such as Virtual Private Networks (VPNs), Cryptographic Algorithms, Quantum Cryptography, Federated ID Management and Secure Mobile Ad-hoc networking is given, together with their expected use in INDECT.
Research Summary
The paper presents a comprehensive set of security requirements for the European research project INDECT (Integrated European Network for Detection and Counter-Terrorism), which aims to build a large-scale, real-time urban surveillance and data-analysis platform. The authors structure the discussion around five core technology domains, namely Virtual Private Networks (VPNs), cryptographic algorithms, quantum key distribution (QKD), federated identity management, and secure mobile ad-hoc networking (MANET), and describe how each must be adapted to meet the unique operational, privacy, and resilience demands of the project.
In the VPN section, the authors argue that traditional IPsec-based tunnels are insufficient for the highly dynamic, multi-tenant environment envisioned for INDECT. They propose a software-defined networking (SDN)-enabled tunneling architecture that can instantiate, re-configure, and tear down VPN slices on demand. Each slice carries its own encryption layer, quality-of-service policies, and traffic-padding mechanisms to hide metadata. Key exchange is realized through a hybrid approach that combines Elliptic-Curve Diffie-Hellman (ECDH) with post-quantum key-exchange algorithms (e.g., Kyber, NTRU) to future-proof the system against quantum adversaries.
The cryptographic algorithms segment recommends retaining AES-256 and SHA-3 as baseline primitives while simultaneously evaluating lattice-based (Kyber, NTRU) and code-based (McEliece) schemes for long-term confidentiality. The paper stresses the importance of algorithm agility, key-lifecycle management, and the separation of data-at-rest and data-in-transit protection layers. It also outlines a key-rotation schedule aligned with the expected lifespan of quantum-resistant algorithms, ensuring that the system can transition smoothly as standards evolve.
Quantum cryptography requirements focus on deploying fiber-based BB84 QKD links across the city's backbone network. The authors detail the necessary parameters: photon-error rates, error-correction codes, privacy-amplification procedures, and authentication of the classical channel. They also explore free-space optical (FSO) QKD for mobile assets such as drones and emergency vehicles, providing models for atmospheric loss and real-time key synchronization. The goal is to generate symmetric session keys that are provably secure against any computational attack, including those from future quantum computers.
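The BB84 steps named above (sifting, error-rate estimation, privacy amplification) can be seen in a small simulation. This is an added example, not code from the paper or the INDECT project; it assumes a noiseless channel, an intercept-resend eavesdropper model, an 11% abort threshold, and SHA3-256 as a stand-in for a real privacy-amplification hash.

```python
import hashlib
import random

ABORT_QBER = 0.11  # assumed abort threshold, not a value taken from the paper


def bb84_round(n_photons, eavesdrop, seed):
    """Simulate one BB84 session; return (estimated QBER, key or None)."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n_photons)]
    alice_bases = [rng.getrandbits(1) for _ in range(n_photons)]  # 0 = rectilinear, 1 = diagonal
    bob_bases = [rng.getrandbits(1) for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        basis = a_basis
        if eavesdrop:
            e_basis = rng.getrandbits(1)
            if e_basis != basis:
                bit = rng.getrandbits(1)  # wrong-basis measurement randomises the result
            basis = e_basis               # the photon is re-sent in the interceptor's basis
        if b_basis != basis:
            bit = rng.getrandbits(1)      # Bob measuring in the wrong basis is also random
        bob_bits.append(bit)

    # Sifting: keep only positions where Alice and Bob announced the same basis.
    sifted = [(a, b) for a, b, x, y in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if x == y]

    # Parameter estimation: disclose half of the sifted bits to measure the error rate.
    # (A real protocol samples positions at random over an authenticated classical channel.)
    half = len(sifted) // 2
    sample, rest = sifted[:half], sifted[half:]
    qber = sum(a != b for a, b in sample) / len(sample)
    if qber > ABORT_QBER:
        return qber, None  # too many errors: discard the session, no key is produced

    # Error correction is skipped because the simulated channel is noiseless.
    # Privacy amplification stand-in: compress the undisclosed bits to a 256-bit key.
    raw = "".join(str(a) for a, _ in rest).encode()
    return qber, hashlib.sha3_256(raw).digest()


if __name__ == "__main__":
    print("clean link :", bb84_round(4000, eavesdrop=False, seed=1)[0])
    print("intercepted:", bb84_round(4000, eavesdrop=True, seed=1)[0])
```

On a clean link the estimated error rate is zero and a key is derived; with interception it rises to roughly 25% and the session is aborted, which is the detection property the error-rate parameter exists to enforce.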
Federated identity management is approached from a privacy-by-design perspective. The paper proposes a decentralized identifier (DID) framework built on blockchain technology, combined with Zero-Knowledge Proof (ZKP) protocols for attribute verification. This architecture enables multiple public agencies to authenticate the same individual without exposing personal data to a central repository. Policy-based access control (PBAC) and dynamic delegation mechanisms are defined to allow real-time adjustment of permissions in response to evolving threat levels. Inter-agency trust is established through mutual certificate exchange and a hierarchical trust anchor model.
The secure MANET component addresses the need for resilient communication among mobile units (e.g., police cars, UAVs) operating in contested or infrastructure-denied environments. The authors introduce a Secure Cluster-Based Routing Protocol (SCBRP) that incorporates self-healing capabilities, multi-path routing, and an on-the-fly temporary public-key infrastructure (TPKI) for peer authentication. A behavior-based trust evaluation system is described to detect and isolate compromised nodes, while cryptographic protection of routing messages relies on the same post-quantum primitives selected for the broader INDECT ecosystem.
Finally, the paper emphasizes integration: common data formats, standardized APIs, and unified security-event logging are prescribed to ensure that each subsystem can interoperate without introducing gaps. By aligning the technical specifications across VPN, cryptography, quantum key distribution, identity management, and MANET, the authors aim to deliver a scalable, future-proof security fabric that can be deployed across European cities to support the INDECT mission of enhanced public safety and counter-terrorism capabilities.