Security Architecture

Cryptographic security
for the post-quantum threat landscape

Nation-state adversaries are harvesting today's encrypted traffic to decrypt when quantum computers arrive. ntkVDI uses NIST-standardized post-quantum algorithms in every session — not as an upgrade, but as the default foundation.

Cryptographic Core

NIST PQC standards.
Not retrofits.

CRYSTALS-Kyber · FIPS 203

Key Encapsulation

Kyber-1024 replaces ECDH for session key establishment. Based on the Module Learning With Errors (MLWE) lattice problem, which has no known efficient quantum algorithm.

Security level
NIST Level 5 (AES-256 equivalent)
Key size
1568 bytes public key
Ciphertext
1568 bytes
Operations
Per-session, non-reusable

CRYSTALS-Dilithium · FIPS 204

Digital Signatures

Dilithium5 signs every authentication message, preventing man-in-the-middle forgery. Replaces ECDSA signatures throughout the control stream handshake.

Security level
NIST Level 5
Public key
2592 bytes
Signature
4595 bytes
Scheme
Module-LWE / Module-SIS lattice

Zero-Trust Model

Never trust. Always verify.
Per session, not per login.

Traditional VDI grants access at login and trusts until logout. ntkVDI verifies cryptographic identity at each session initiation. A stolen credential cannot pivot because there's no implicit standing access.

Step 1
Client initiates QUIC connection TLS 1.3 + self-signed cert No credentials in transit yet
Step 2
NTK Access Point challenge Kyber-1024 KEM encapsulation Dilithium5 identity signature
Step 3
Session key derived (per-session) Keys not persisted server-side Stream 0 control channel established
Step 4
Video/Audio/Input streams open Each stream cryptographically bound to session Keepalive on 30s interval
Idle / End
SESSION_CLOSE after 8hr idle Keys zeroized on session end No session resume tokens stored

Threat Model Summary

Known threats and
how ntkVDI defeats them

Mitigated

Harvest-Now-Decrypt-Later

Adversaries store ciphertext for future quantum decryption. Defeated by Kyber-1024: no known quantum speedup against MLWE.

Mitigated

Man-in-the-Middle

Impersonation during key exchange. Defeated by Dilithium5 signatures — forgery requires solving Module-LWE, computationally infeasible classically or quantumly.

Mitigated

Credential Pivot / Lateral Movement

Compromised credential reuse across sessions. Per-session key derivation means a stolen long-term credential cannot reuse any prior session key material.

Mitigated

Broker / Gateway Compromise

Legacy VDI: compromise the broker, own all sessions. ntkVDI: there is no broker. The NTK access point handles auth; no single network node has session visibility.

Residual — High

Client Endpoint Compromise

If the endpoint running the Flutter client is fully compromised, screen content is visible to the attacker. Mitigated by endpoint posture checks (roadmap).

Residual — High

Side-Channel on Server

Physical access to the VDI host. Scope-limited: keys are per-session and zeroized on close. Full-disk encryption on the host is required but outside ntkVDI scope.

Compliance Posture

Framework alignment

Framework Relevant Controls ntkVDI Status Notes
NIST SP 800-207 (Zero Trust) PE-3, AC-17, IA-3 Aligned Per-session re-auth, no standing network access
NIST PQC (FIPS 203/204) Kyber / Dilithium Native Not an add-on; baked into control stream
FIPS 140-3 Cryptographic module validation In Progress Target: CMVP submission Q3 2026
SOC 2 Type II CC6, CC7 (Logical access, monitoring) In Progress Audit period begins Q2 2026
ISO/IEC 27001 A.9 (Access control), A.10 (Cryptography) Aligned Control mapping complete
GDPR / CCPA Data minimization, encryption at rest/transit Aligned No session data persisted beyond session lifetime