Upload
adva-optical-networking
View
664
Download
3
Embed Size (px)
Citation preview
Helmut Griesser, ADVA Optical Networking SE
France-IX General Meeting 2016, Paris
How to Quantum-Secure Optical Networks
© 2016 ADVA Optical Networking. All rights reserved. Confidential.22
Communication Security in Daily Life
• Cryptographic functions are essential formany everyday activities
• Confidentiality, integrity, authenticity
• Tapping fiber is easier than it might seem
• Protection is also required for data on fiber
© 2016 ADVA Optical Networking. All rights reserved. Confidential.33
Confidentiality: Symmetric Cryptography
Public key cryptography enables secure communication
to be initiated over insecure channels
Symmetriccypher
Symmetriccypher
Public (insecure) channel
Keygenerator
Secure channel
Secret key K
Message M Message M
Alice Bob
Secret key K
Cyphertext C
Problem: No secure channel, key exchange over a public channel
© 2016 ADVA Optical Networking. All rights reserved. Confidential.44
Public Key Cryptography
• For RSA two large prime factors are used to derive the secret key
• Security is based on the diffculty of calculating the private key fromthe public one without the knowledge of the factors
• The hard problem is to factorize the large integer number into itsprime factors
© W
ikip
edia
© 2016 ADVA Optical Networking. All rights reserved. Confidential.55
© 2016 ADVA Optical Networking. All rights reserved. Confidential.66
Quantum Research
© 2016 ADVA Optical Networking. All rights reserved. Confidential.77
• The Quantum Threat – Is It Real?
• Protect Against Quantum Computing With Quantum Key Distribution
• The Big Picture: Quantum Safe Cryptography
• What Is the Most Secure Option?
Outline
© 2016 ADVA Optical Networking. All rights reserved. Confidential.88
The Quantum Threat – Is It Real?
© 2016 ADVA Optical Networking. All rights reserved. Confidential.99
Public-Key Cryptography at Stake
All widely used public-key systems rely on three algebraic problems:
• integer factoring (RSA):
n = p·q, with p and q large prime numbers
• discrete logarithm (Diffie-Hellman, DSA):
A = ga mod p, with p prime and g primitive root (mod p)
• elliptic curve discrete logarithm (ECC, ECDSA):
Q = k·P, with P an elliptic curve over a finite field
Shor’s Algorithm can solve these problems on a large quantum computer
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1010 Ph
oto
: IB
M
The Quantum Computer
So far scientists can stabilize only 4-10 qubits, a number far too low to
factor arbitrary, long semiprimes.
But: Quantum error correction leads to threshold effect that allows scaling.
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1111
How Soon Do We Need to Worry?
time to build large quantum computer
time to update infrastructure encryption needs to be secure
secrets can be revealed
time
‘Harvesting’ attack: not everybody can do that, but …
The ETSI Quantum-Safe Whitepaper 2014, ISBN 979-10-92620-03-0
Attack scenario:
• Store encrypted data now
• Decrypt later when quantum computers are available
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1212
NSA Data Center in Bluffdale / Utah
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1313
Protect Against Quantum Computing WithQuantum Key Distribution?
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1414
Quantum Properties
• qubit is a 2-dimensional quantum state (Hilbert space)
• Orthogonal states or
• But is linear dependent from and vice versa
• The observation of a qubits defined over basis does not allow to detect it with basis :
• For transmission qubits are best implemented by single photons
Credit: Sebastian Kleis, HSU Hamburg
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1515
Quantum Key Distribution (BB84)
Image reprinted from article: W. Tittel, G. Ribordy & N. Gisin, “Quantum cryptography,” Physics World, March 1998Devil Eve is from Vadim Makarov
Sifting
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1616
Key Extraction Process
• In a real system there are transmission errors thathave to be corrected via an unsecure channel
• These errors can‘t be distinguished fromeavesdropping -> reach limitation
• Privacy amplification (key compression) takes care of the information leakage during error correction
Credit: Eleni Diamanit, PhD Thesis
QuantumTransmission
Sifting
ErrorCorrection
PrivacyAmplification
Theory
raw key
sifted key
error free key
secure key
Securityrequirements
Characteristicsof the source
Error rate estimationLeakage during correction
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1717
Estimation of Key Rate for BB84
System parameters
• Fiber att. 0.2dB/km + 1dB@Rx
• System BER = 0.01
• quantum efficiency 10%
• count rate 104 counts/s
• Measurement window 1ns
• Repetition rate 10MHz
Cre
dit:
Ele
ni D
iam
anit, PhD
Thesis
1. Laser photon source (Poisson distribution)
2. Decoy state sequence for bounding transmission performance
3. Ideal single photon source
Poisson
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1818
QKD in a Commercial Network
Choi, I. et al., “Field trial of a quantum secured 10 Gb/s DWDM transmission system
over a single installed fiber,” Opt. Express, The Optical Society, 2014, 22, 23121
AES encrypted10G Data
10G Tx/Rx
Real-TimeQuantum Keys
10G Client Data
Key exchangeQKD Tx
AES En/Decryption
AES En/Decryption
QKD Rx
Counter mode Counter mode
10G Tx/Rx
10G Client Data
Real-TimeQuantum Keys
QKD Tx
© 2016 ADVA Optical Networking. All rights reserved. Confidential.1919
How to Build Long-Haul QKD Links
Refe
rence fro
mM
ark
.
Trusted node repeater
Also works with satellites
Alice Bob
+
+
K1 K2 K2K1
K1 K1 K2 K2 = K1
K1 K2+
+ +
Trusted nodeQKD1 QKD2
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2020
Quantum Key Distribution: Pros & Cons
• QKD provides ultimate security for the key distribution problem
Does not rely on the hardness of certain computational problems
• But QKD also has disadvantages:
Decreasing key rates with distance
requiring trusted node repeaters for long haul
Physical layer technique
Relatively high complexity, still bulky
Cannot easily replace current protocols
• … and key distribution is only one of several security primitives
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2121
The Big Picture: Quantum Save Cryptography
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2222
Computationalsecurity
AES
Diffie-Hellman
RSA
ECC
Information theoretic security
One-Time Pad
Classification of Cryptographic Algorithms
Quantum-safecryptography
Post-Quantum
Cryptography
PhysicalLayer
SecurityNetworkCoding
QKD
Jouguet et al., “Experimental demonstration of long-distance continuous-
variable quantum key distribution”, Nature Photonics 7, 378–381 (2013)
Vahid Forutan, “Information-theoretic security through network coding”
NTRU, McEliece,
Rainbow, BLISS
“New Hope“
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2323
Quantum Safe Cryptography
• Lattice-based cryptography
• Encryption (R-LWE, NTRU), Signatures (“BLISS”), and Key Exchange (“New Hope”)
• Code-based cryptography
• Encryption (McEliece, McBits, QC-MDPC)
• Multivariate polynomial cryptography
• Signatures (UOV, Rainbow, HFEv-)
• Hash-based signatures
• Signatures (XMSS, SPHINCS)
The ETSI Quantum-Safe Whitepaper 2014, ISBN 979-10-92620-03-0
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2424
‘Post-quantum’ cryptography
Security relies on the hardness of certain computational problems
Vulnerable to advances in cryptoanalysis and computing power
No security proof
Quantum cryptography
Security is based on some quantum property
Typically no computational assumptions and therefore secure against quantum attacks
Conceptual security guaranteed by quantum physics
Quantum Safe Cryptography Comparison
What option delivers better security in practice?
CSA Q
uantu
m-S
ave S
ecuri
ty W
ork
ing G
roup
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2525
Three Serious Encryption Problems in 2014
• Heartbleed (OpenSSL software implementation error)
• POODLE (Sloppy implementation of security protocols)
• Goto fail error (Error in Apples TLS/SSL implementation)
Mostly implementation is the problem, not the algorithm
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2626
Successful Attacks on QKD Implementations
Cre
dits:
Vadim
Makaro
v,
Univ
. of W
ate
rloo
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2727
But: No Need to Decide, Just Combine
AES-256 AES-256Public channel
Secret key K
Message M Message M
Alice Bob
Secret key K
Cyphertext C
+ +Diffie-
HellmanDiffie-
Hellman
QKD QKDBB84
Public key
Combined key is at least as random as both component keys individually
XORXOR
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2828
• Quantum computers threaten current key exchange algorithms
• QKD offers the promise of absolute security
• Quantum safe public key protocols are an alternative
• No need to decide against or in favour of any specific key exchange
• Classic public key exchange can run in parallel with QSA
• QKD can be an additional key exchange mechanism
• All keys can be combined by bitwise XOR operation
Take-Aways
Lesson from vulnerability of public key algorithm to Shor:
Better security might be achieved by combining
fundamentally diverse mechanisms for key exchange …
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2929
… But Take Care to Do It the Right Way!
© x
kdc
Acknowledgements
Sebastian Kleis
Joo Yeon Cho
Michael Eiselt
Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.
© 2016 ADVA Optical Networking. All rights reserved. Confidential.3131
Security Is Only as Strongas Its Weakest Link
© xkdc
Bruce Schneier on QKD:
It's like defending yourself against an approaching attacker by putting a
huge stake in the ground.
It's useless to argue about whether the stake should be 50 feet tall or 100 feet tall, because either way,
the attacker is going to go around it.