a. steffen, 22.09.2013, 02-physicallayer.pptx 1 information security 2 (infsi2) prof. dr. andreas...
TRANSCRIPT
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 1
Information Security 2 (InfSi2)
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
2 Physical Layer Security
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 2
Security Protocols for the OSI Stack
Application layer Platform Security, Web Application Security, VoIP Security, SW SecurityTransport layer TLS
Network layer IPsec
Data Link layer [PPTP, L2TP], IEEE 802.1X,IEEE 802.1AE, IEEE 802.11i (WPA2)Physical layer Quantum Cryptography
Communication layers
Security protocols
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 3
Layer 1 Security – Frequency Hopping
f1 f2 f4 f5 f6 f7f3 f8
f
Counter measures: e.g. n parallel receivers
tf8 f1f2
t
f4 f1 f3 f2 f7 f5 f7 f6 f3
Standardized (public) or secret (military) hopping sequence
Frequency band divided into n hopping channels
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 4
Information Security 2 (InfSi2)
2.1 Quantum Cryptography
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 5
Quantum Cryptography using Entangled Photons
• Nicolas Gisin et al.University of Geneva
• Compact source emittingentangled photon pairs
• Quantum correlation overmore than 10 km
• Founding of ID Quantique
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 6
4.
Quantum Key Distribution using Entangled Photons
PhotonSource
PhotonSource 1.
Alice
Bob
3. 7.2. 6.
0
0
-
-
1
1
1
1
-
-
0
0
5.
Eve (eavesdropping)
-
-
E91 protocol: Arthur Ekert, 1991
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 7
Quantum Key Distribution using the BB84 Protocol
PolarizationModulated
PhotonSource
PolarizationModulated
PhotonSource
Alice
Bob
1.
0
0
2.
-
-
3.
1
1
4.
1
1
6.
-
-
7.
0
0
BB84 protocol: Charles Bennett & Gilles Brassard, 1984
5.
-
-
Eve (eavesdropping)
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 8
Decoy States against Multi-Photon Splitting Attacks
• Single photon lasers are nearly impossible to build.• The natural Poisson distribution of practical laser sources
causesmulti-photon pulses to occur which can be split by Eve.
• In order to compensate for the stolen photons, Eve might inject additional photons.
• As a counter measure Alice randomly inserts a certain percentage of decoy states transmitted at a different power level.
• Later Alice reveals to Bob which pulses contained decoy states.
• If Eve was eavesdropping, the yield and bit error rate statistics for the signal and decoy states are modified which can be detected by Alice and Bob.
• The use of decoy states extends the rate of secure key exchange to over 140 km.
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 9
Photon Yield versus Power Level
Power Level 0.80 photons/pulse0.12 photons/pulse
449 pulses
360 pulses
144 pulses
38 pulses
8 pulses
887 pulses
106 pulses
7 pulses
0 pulses
0 pulses
0 photons/pulse
1 photon /pulse
2 photons/pulse
3 photons/pulse
4 photons/pulse
Signal states Decoy states
• Poisson distribution of the number of photons in a pulse,measured over 1000 pulses:
1 pulse 0 pulses5 photons/pulse
551 of 1000 pulses 113 of 1000 pulsesYield
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 10
Photon Yield versus Transmission Distance
• Attenuation in a monomode fiber with =1550nm: 0.2 dB/km• 50 km: 10dB 1 out 10 photons survive• 100 km: 20dB 1 out of 100 photons survive• 150 km: 30dB 1 out of 1000 photons survive
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 11
Photon Yield in 50 km (10 dB Attenuation)
Power Level 0.80 photons/pulse0.12 photons/pulse
0 pulses
36 pulses
28 pulses
10 pulses
3 pulses
0 pulses
10 pulses
2 pulses
0 pulses
0 pulses
77 of 1000 pulses 12 of 1000 pulses
0 photons/pulse
1 photon /pulse
2 photons/pulse
3 photons/pulse
4 photons/pulse
Signal states Decoy states
Yield
• Received pulses containing at least one photon,measured over 1000 pulses:
0 pulses 0 pulses5 photons/pulse
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 12
Layer 2 Encryption with Quantum Key Distribution
• 10 Gbit/s Ethernet Encryption with AES-256 in Counter Mode
• QKD: RR84 and SARG protocols, up to 50 km (100 km on request)
• Key Management: 1 key/minute up to 12 encryptors
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 13
Cerberis QKD Server and Centauris Encryptors
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 14
Information Security 2 (InfSi2)
2.2 Key Material andRandom Numbers
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 15
Cryptographical Building Blocks
BlockCipher
s
Stream
Ciphers
Symmetric KeyCryptography
Authentication
Privacy
Encryption
HashFunction
s
Challenge
Response
IVs
MACsMICs
MessageDigests
Nonces
PseudoRandom
Random
Sources
Secret Keys
SmartCards
DHRSA
Public KeyCryptography
EllipticCurve
s
Digital Signatures
DataIntegrity
Secure Network Protocols
Non-Repudiatio
n
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 16
HMAC Function (RFC 2104)
DocumentDocument
KeyKey
Inner KeyInner Key
64 bytes
MD5 / SHA-1 Hash FunctionMD5 / SHA-1 Hash Function
HashHash
MD5 / SHA-1 Hash FunctionMD5 / SHA-1 Hash Function
0x36..0x360x36..0x36
XOR
Outer KeyOuter Key
64 bytes
0x5C..0x5C0x5C..0x5C
XOR
PadPad 64 bytes
MACMAC 16/20 bytes
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 17
TLS Handshake Protocol
Server
Server HelloServer Hello RSRS
ServerHelloDoneServerHelloDone
Client
Client HelloClient Hello RCRC
Application Data°Application Data°Application Data°Application Data°
Certificate*
ClientKeyExchange
CertificateVerify**optional
ServerKeyExchange*
Certificate*
CertificateRequest*
*optional
Finished°Finished°
ChangeCipherSpec
Finished°Finished°
ChangeCipherSpec
°encrypted
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 18
Secret
Key Stream
Seed key stream = PRF_MD5(secret, seed)
Pseudo Random Function (PRF)
A(3)
S
A(3)
HMAC-MD5
1..16
S
Seed
17..32
S
Seed
33..48
S
Seed
HMAC-MD5 HMAC-MD5 HMAC-MD5
A(2)
S HMAC-MD5
A(2)
16 bytes
A(1)
A(1)
16 bytes
HMAC-MD5
Seed
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 19
Computing the TLS 1.1 Master Secret
Master Secret
"master secret"
48 bytesPRF_MD5
60 bytes PRF_SHA-1
S1
S2
Pre-Master Secret
RC RS
label seed
label seed
key stream = TLS_PRF(secret, label, seed)
TLS_PRF
48 bytes
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 20
Generating TLS 1.1 Key Material
Key Material
"key expansion"
n bytesPRF_MD5
n bytesPRF_SHA-1
S1
S2
Master Secret
RS RC
label seed
label seed
key stream = TLS_PRF(secret, label, seed)
TLS_PRF
n bytes
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 21
Generating True Random Numbers (RFC 1750)
• The security of modern cryptographic protocols relies heavily on the availability of true random key material and nonces.
• On standard computer platforms it is not a trivial task to collect true random material in sufficient quantities:• Key Stroke Timing• Mouse Movements• Sampled Sound Card Input Noise• Air Turbulence in Disk Drives• RAID Disk Array Controllers• Network Packet Arrival Times• Computer Clocks
• Best Strategy: Combining various random sources with a strong mixing function (e.g. MD5 or SHA-1 hash) into an entropy pool (e.g. Unix /dev/random) protects against single device failures.
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 22
Hardware-based True Random Generators
• Quantum Sources or Radioactive Decay Sources• Reliable, high entropy sources, but often bulky and
expensive.
• Thermal Noise Sources• Noisy diodes or resistors are cheap and compact but level
detection usually introduces considerable skew that must be corrected.
• Free Running or Metastable Oscillators • The frequency variation of a free running oscillator is a good
entropysource if designed and measured properly. Used e.g in smart card crypto co-processors.
• The Intel Ivy Bridge processor family implements an on-chipmetastable digital oscillator.
• Lava Lamps• Periodic digital snapshots of a lava lamp exhibit a lot of
randomness.
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 23
The Intel RDRAND Instruction
• Available with Intel Ivy Bridge Processors (XEON & Core i7)• The RDRAND instruction reads a 16, 32 or 64 bit random
value• Throughput 500+ MB/s random data with 8 concurrent
threads• The random number generator is compliant with NIST SP800-
90,FIPS 140-2, and ANSI X9.82
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 24
Quantum Random Number Generatorwww.idquantique.com
• Detection of single photons viaa semi-transparent mirror
• High throughput: 4 – 16 Mbit/s• Low cost (990…2230 EUR)
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 25
Skew Corrections and Tests for Randomness
• Simple Skew Correction (John von Neumann)• p(1) = 0.5+e, p(0) = 0.5-e, -0.5 < e < 0.5• Example with e = 0.20, i.e. p(1) = 0.7, p(0) = 0.3
• Strong Mixing using Hash functions • Hashing improves statistical properties but does not increase
entropy.
• Statistical Tests for Randomness• A number of statistical tests are defined in FIPS PUB 140-2
"Security Requirements for Cryptographic Modules" : Monobit Test, Poker Test, Runs Test, etc.
• Entropy Measurements• The entropy of a random or pseudo-random
binary sequence can be measured using Ueli Maurer's"Universal Statistical Test for Random Bit Generators"
- 0 - - 1 1 - 0 1 - 1 0 - 1 0 - 0 - - 1 - 0 - - - - 0 0
11011111101011011000100111100111011111101101111111110101