Information Security 2 (InfSi2) 2 Physical Layer Security Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 1 Security Protocols for the OSI Stack Communication layers Security protocols Application layer Transport layer Platform Security, Web Application Security, VoIP Security, SW Security TLS Network layer IPsec Data Link layer [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2) Physical layer Quantum Cryptography A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 2 Layer 1 Security – Frequency Hopping Frequency band divided into n hopping channels f1 f2 f3 f4 f5 f6 f7 f f8 Counter measures: e.g. n parallel receivers f2 f8 f1 f4 f1 f3 f2 f7 f5 f7 f6 f3 t t Standardized (public) or secret (military) hopping sequence A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 3 Information Security 2 (InfSi2) 2.1 Quantum Cryptography A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 4 Quantum Cryptography using Entangled Photons • • • • Nicolas Gisin et al. University of Geneva Compact source emitting entangled photon pairs Quantum correlation over more than 10 km Founding of ID Quantique A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 5 Quantum Key Distribution using Entangled Photons 0 - 1 1 - - 0 1. 2. 3. 4. 5. 6. 7. 0 - 1 1 - - 0 Alice Photon Source Bob Eve (eavesdropping) E91 protocol: Arthur Ekert, 1991 A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 6 Quantum Key Distribution using the BB84 Protocol Alice 0 - 1 1 - - 0 1. 2. 3. 4. 5. 6. 7. 0 - 1 1 - - 0 Polarization Modulated Photon Source Bob Eve (eavesdropping) BB84 protocol: Charles Bennett & Gilles Brassard, 1984 A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 7 Decoy States against Multi-Photon Splitting Attacks • • • • • • • Single photon lasers are nearly impossible to build. The natural Poisson distribution of practical laser sources causes multi-photon pulses to occur which can be split by Eve. In order to compensate for the stolen photons, Eve might inject additional photons. As a counter measure Alice randomly inserts a certain percentage of decoy states transmitted at a different power level. Later Alice reveals to Bob which pulses contained decoy states. If Eve was eavesdropping, the yield and bit error rate statistics for the signal and decoy states are modified which can be detected by Alice and Bob. The use of decoy states extends the rate of secure key exchange to over 140 km. A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 8 Photon Yield versus Power Level • Poisson distribution of the number of photons in a pulse, measured over 1000 pulses: Signal states Decoy states 0.80 photons/pulse 0.12 photons/pulse 0 photons/pulse 449 pulses 887 pulses 1 photon /pulse 360 pulses 106 pulses 2 photons/pulse 144 pulses 7 pulses 3 photons/pulse 38 pulses 0 pulses 4 photons/pulse 8 pulses 0 pulses 5 photons/pulse 1 pulse 0 pulses Power Level Yield 551 of 1000 pulses 113 of 1000 pulses A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 9 Photon Yield versus Transmission Distance • Attenuation in a monomode fiber with =1550nm: 0.2 dB/km • • • 50 km: 100 km: 150 km: 10dB 1 out 10 photons survive 20dB 1 out of 100 photons survive 30dB 1 out of 1000 photons survive A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 10 Photon Yield in 50 km (10 dB Attenuation) • Received pulses containing at least one photon, measured over 1000 pulses: Signal states Decoy states 0.80 photons/pulse 0.12 photons/pulse 0 photons/pulse 0 pulses 0 pulses 1 photon /pulse 36 pulses 10 pulses 2 photons/pulse 28 pulses 2 pulses 3 photons/pulse 10 pulses 0 pulses 4 photons/pulse 3 pulses 0 pulses 5 photons/pulse 0 pulses 0 pulses Yield 77 of 1000 pulses 12 of 1000 pulses Power Level A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 11 Layer 2 Encryption with Quantum Key Distribution • • • 10 Gbit/s Ethernet Encryption with AES-256 in Counter Mode QKD: RR84 and SARG protocols, up to 50 km (100 km on request) Key Management: 1 key/minute up to 12 encryptors A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 12 Cerberis QKD Server and Centauris Encryptors A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 13 Information Security 2 (InfSi2) 2.2 Key Material and Random Numbers A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 14 Cryptographical Building Blocks Secure Network Protocols Privacy Data Integrity Encryption MACs MICs Symmetric Key Cryptography Block Ciphers Stream Ciphers Message Digests Hash Functions NonRepudiation Authentication Challenge Response IVs Nonces Pseudo Random Smart Cards Digital Signatures Secret Keys Public Key Cryptography Random Sources Elliptic Curves DH RSA A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 15 HMAC Function (RFC 2104) 0x36..0x36 Inner Key XOR 64 bytes Key Pad 64 bytes Document MD5 / SHA-1 Hash Function XOR 0x5C..0x5C Outer Key Hash 64 bytes MD5 / SHA-1 Hash Function MAC 16/20 bytes A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 16 TLS Handshake Protocol Client Hello RC Client Server Hello RS Certificate* *optional ServerKeyExchange* CertificateRequest* Certificate* ClientKeyExchange CertificateVerify* ServerHelloDone *optional Server ChangeCipherSpec ChangeCipherSpec Finished° °encrypted Application Data° Finished° Application Data° A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 17 Pseudo Random Function (PRF) Seed Seed Secret key stream = PRF_MD5(secret, seed) HMAC-MD5 A(1) S HMAC-MD5 A(2) S 16 bytes A(1) S Key Stream 1..16 A(3) 16 bytes Seed HMAC-MD5 HMAC-MD5 A(2) S Seed HMAC-MD5 17..32 A(3) S Seed HMAC-MD5 33..48 A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 18 Computing the TLS 1.1 Master Secret label seed "master secret" RC S1 RS PRF_MD5 48 bytes Pre-Master Secret Master Secret S2 PRF_SHA-1 48 bytes 60 bytes TLS_PRF label seed key stream = TLS_PRF(secret, label, seed) A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 19 Generating TLS 1.1 Key Material label seed "key expansion" S1 RS RC n bytes PRF_MD5 Master Secret Key Material S2 n bytes n bytes PRF_SHA-1 TLS_PRF label seed key stream = TLS_PRF(secret, label, seed) A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 20 Generating True Random Numbers (RFC 1750) • • • The security of modern cryptographic protocols relies heavily on the availability of true random key material and nonces. On standard computer platforms it is not a trivial task to collect true random material in sufficient quantities: • • • • • • • Key Stroke Timing Mouse Movements Sampled Sound Card Input Noise Air Turbulence in Disk Drives RAID Disk Array Controllers Network Packet Arrival Times Computer Clocks Best Strategy: Combining various random sources with a strong mixing function (e.g. MD5 or SHA-1 hash) into an entropy pool (e.g. Unix /dev/random) protects against single device failures. A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 21 Hardware-based True Random Generators • Quantum Sources or Radioactive Decay Sources • Thermal Noise Sources • Reliable, high entropy sources, but often bulky and expensive. • Noisy diodes or resistors are cheap and compact but level detection usually introduces considerable skew that must be corrected. • Free Running or Metastable Oscillators • The frequency variation of a free running oscillator is a good entropy • • source if designed and measured properly. Used e.g in smart card crypto co-processors. The Intel Ivy Bridge processor family implements an on-chip metastable digital oscillator. Lava Lamps • Periodic digital snapshots of a lava lamp exhibit a lot of randomness. A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 22 The Intel RDRAND Instruction • Available with Intel Ivy Bridge Processors (XEON & Core i7) • The RDRAND instruction reads a 16, 32 or 64 bit random value • Throughput 500+ MB/s random data with 8 concurrent threads • The random number generator is compliant with NIST SP800-90, FIPS 140-2, and ANSI X9.82 A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 23 Quantum Random Number Generator www.idquantique.com • • • Detection of single photons via a semi-transparent mirror High throughput: 4 – 16 Mbit/s Low cost (990…2230 EUR) A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 24 Skew Corrections and Tests for Randomness • Simple Skew Correction (John von Neumann) • p(1) = 0.5+e, p(0) = 0.5-e, -0.5 < e < 0.5 • Example with e = 0.20, i.e. p(1) = 0.7, p(0) = 0.3 11011111101011011000100111100111011111101101111111110101 - 0 - - 1 1 - 0 1 - 1 0 - 1 0 - 0 - - 1 - 0 - - - - 0 0 • Strong Mixing using Hash functions • Statistical Tests for Randomness • Hashing improves statistical properties but does not increase entropy. • A number of statistical tests are defined in FIPS PUB 140-2 "Security Requirements for Cryptographic Modules" : Monobit Test, Poker Test, Runs Test, etc. • Entropy Measurements • The entropy of a random or pseudo-random binary sequence can be measured using Ueli Maurer's "Universal Statistical Test for Random Bit Generators" A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 25