Key Material and Random Numbers

advertisement
Information Security 2 (InfSi2)
2 Physical Layer Security
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 1
Security Protocols for the OSI Stack
Communication layers Security protocols
Application layer
Transport layer
Platform Security, Web Application
Security, VoIP Security, SW Security
TLS
Network layer
IPsec
Data Link layer
[PPTP, L2TP], IEEE 802.1X,
IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer
Quantum Cryptography
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 2
Layer 1 Security – Frequency Hopping
Frequency band divided
into n hopping channels
f1
f2
f3
f4
f5
f6
f7
f
f8
Counter measures: e.g. n parallel receivers
f2
f8
f1
f4
f1
f3
f2
f7
f5
f7
f6
f3
t
t
Standardized (public) or secret (military) hopping sequence
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 3
Information Security 2 (InfSi2)
2.1 Quantum Cryptography
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 4
Quantum Cryptography using Entangled Photons
•
•
•
•
Nicolas Gisin et al.
University of Geneva
Compact source emitting
entangled photon pairs
Quantum correlation over
more than 10 km
Founding of ID Quantique
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 5
Quantum Key Distribution using Entangled Photons
0
-
1
1
-
-
0
1.
2.
3.
4.
5.
6.
7.
0
-
1
1
-
-
0
Alice
Photon
Source
Bob
Eve (eavesdropping)
E91 protocol: Arthur Ekert, 1991
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 6
Quantum Key Distribution using the BB84 Protocol
Alice
0
-
1
1
-
-
0
1.
2.
3.
4.
5.
6.
7.
0
-
1
1
-
-
0
Polarization
Modulated
Photon
Source
Bob
Eve (eavesdropping)
BB84 protocol: Charles Bennett & Gilles Brassard, 1984
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 7
Decoy States against Multi-Photon Splitting Attacks
•
•
•
•
•
•
•
Single photon lasers are nearly impossible to build.
The natural Poisson distribution of practical laser sources causes
multi-photon pulses to occur which can be split by Eve.
In order to compensate for the stolen photons, Eve might inject
additional photons.
As a counter measure Alice randomly inserts a certain percentage
of decoy states transmitted at a different power level.
Later Alice reveals to Bob which pulses contained decoy states.
If Eve was eavesdropping, the yield and bit error rate statistics for
the signal and decoy states are modified which can be detected by
Alice and Bob.
The use of decoy states extends the rate of secure key exchange
to over 140 km.
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 8
Photon Yield versus Power Level
•
Poisson distribution of the number of photons in a pulse,
measured over 1000 pulses:
Signal states
Decoy states
0.80 photons/pulse
0.12 photons/pulse
0 photons/pulse
449 pulses
887 pulses
1 photon /pulse
360 pulses
106 pulses
2 photons/pulse
144 pulses
7 pulses
3 photons/pulse
38 pulses
0 pulses
4 photons/pulse
8 pulses
0 pulses
5 photons/pulse
1 pulse
0 pulses
Power Level
Yield
551 of 1000 pulses
113 of 1000 pulses
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 9
Photon Yield versus Transmission Distance
•
Attenuation in a monomode fiber with  =1550nm: 0.2 dB/km
•
•
•
50 km:
100 km:
150 km:
10dB  1 out 10 photons survive
20dB  1 out of 100 photons survive
30dB  1 out of 1000 photons survive
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 10
Photon Yield in 50 km (10 dB Attenuation)
•
Received pulses containing at least one photon,
measured over 1000 pulses:
Signal states
Decoy states
0.80 photons/pulse
0.12 photons/pulse
0 photons/pulse
0 pulses
0 pulses
1 photon /pulse
36 pulses
10 pulses
2 photons/pulse
28 pulses
2 pulses
3 photons/pulse
10 pulses
0 pulses
4 photons/pulse
3 pulses
0 pulses
5 photons/pulse
0 pulses
0 pulses
Yield
77 of 1000 pulses
12 of 1000 pulses
Power Level
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 11
Layer 2 Encryption with Quantum Key Distribution
•
•
•
10 Gbit/s Ethernet Encryption with AES-256 in Counter Mode
QKD: RR84 and SARG protocols, up to 50 km (100 km on request)
Key Management: 1 key/minute up to 12 encryptors
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 12
Cerberis QKD Server and Centauris Encryptors
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 13
Information Security 2 (InfSi2)
2.2 Key Material and
Random Numbers
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 14
Cryptographical Building Blocks
Secure Network Protocols
Privacy
Data
Integrity
Encryption
MACs
MICs
Symmetric Key
Cryptography
Block
Ciphers
Stream
Ciphers
Message
Digests
Hash
Functions
NonRepudiation
Authentication
Challenge
Response
IVs
Nonces
Pseudo
Random
Smart
Cards
Digital
Signatures
Secret
Keys
Public Key
Cryptography
Random
Sources
Elliptic
Curves
DH
RSA
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 15
HMAC Function (RFC 2104)
0x36..0x36
Inner Key
XOR
64 bytes
Key
Pad
64 bytes
Document
MD5 / SHA-1 Hash Function
XOR
0x5C..0x5C
Outer Key
Hash
64 bytes
MD5 / SHA-1 Hash Function
MAC
16/20 bytes
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 16
TLS Handshake Protocol
Client Hello
RC
Client
Server Hello
RS
Certificate*
*optional
ServerKeyExchange*
CertificateRequest*
Certificate*
ClientKeyExchange
CertificateVerify*
ServerHelloDone
*optional
Server
ChangeCipherSpec
ChangeCipherSpec
Finished°
°encrypted
Application Data°
Finished°
Application Data°
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 17
Pseudo Random Function (PRF)
Seed
Seed
Secret
key stream = PRF_MD5(secret, seed)
HMAC-MD5
A(1)
S
HMAC-MD5
A(2)
S
16 bytes
A(1)
S
Key Stream
1..16
A(3)
16 bytes
Seed
HMAC-MD5
HMAC-MD5
A(2)
S
Seed
HMAC-MD5
17..32
A(3)
S
Seed
HMAC-MD5
33..48
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 18
Computing the TLS 1.1 Master Secret
label
seed
"master secret" RC
S1
RS
PRF_MD5
48 bytes
Pre-Master Secret
Master Secret
S2
PRF_SHA-1
48 bytes
60 bytes
TLS_PRF
label
seed
key stream = TLS_PRF(secret, label, seed)
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 19
Generating TLS 1.1 Key Material
label
seed
"key expansion"
S1
RS
RC
 n bytes
PRF_MD5
Master Secret
Key Material
S2
n bytes
 n bytes
PRF_SHA-1
TLS_PRF
label
seed
key stream = TLS_PRF(secret, label, seed)
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 20
Generating True Random Numbers (RFC 1750)
•
•
•
The security of modern cryptographic protocols relies heavily on
the availability of true random key material and nonces.
On standard computer platforms it is not a trivial task to collect
true random material in sufficient quantities:
•
•
•
•
•
•
•
Key Stroke Timing
Mouse Movements
Sampled Sound Card Input Noise
Air Turbulence in Disk Drives
RAID Disk Array Controllers
Network Packet Arrival Times
Computer Clocks
Best Strategy: Combining various random sources with a strong
mixing function (e.g. MD5 or SHA-1 hash) into an entropy pool
(e.g. Unix /dev/random) protects against single device failures.
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 21
Hardware-based True Random Generators
•
Quantum Sources or Radioactive Decay Sources
•
Thermal Noise Sources
• Reliable, high entropy sources, but often bulky and expensive.
• Noisy diodes or resistors are cheap and compact but level detection
usually introduces considerable skew that must be corrected.
•
Free Running or Metastable Oscillators
• The frequency variation of a free running oscillator is a good entropy
•
•
source if designed and measured properly. Used e.g in smart card
crypto co-processors.
The Intel Ivy Bridge processor family implements an on-chip
metastable digital oscillator.
Lava Lamps
• Periodic digital snapshots of a lava lamp exhibit a lot of
randomness.
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 22
The Intel RDRAND Instruction
•
Available with Intel Ivy Bridge Processors (XEON & Core i7)
• The RDRAND instruction reads a 16, 32 or 64 bit random value
• Throughput 500+ MB/s random data with 8 concurrent threads
• The random number generator is compliant with NIST SP800-90,
FIPS 140-2, and ANSI X9.82
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 23
Quantum Random Number Generator
www.idquantique.com
•
•
•
Detection of single photons via
a semi-transparent mirror
High throughput: 4 – 16 Mbit/s
Low cost (990…2230 EUR)
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 24
Skew Corrections and Tests for Randomness
•
Simple Skew Correction (John von Neumann)
• p(1) = 0.5+e, p(0) = 0.5-e, -0.5 < e < 0.5
• Example with e = 0.20, i.e. p(1) = 0.7, p(0) = 0.3
11011111101011011000100111100111011111101101111111110101
- 0 - - 1 1 - 0 1 - 1 0 - 1 0 - 0 - - 1 - 0 - - - - 0 0
•
Strong Mixing using Hash functions
•
Statistical Tests for Randomness
• Hashing improves statistical properties but does not increase entropy.
• A number of statistical tests are defined in FIPS PUB 140-2
"Security Requirements for Cryptographic Modules" :
Monobit Test, Poker Test, Runs Test, etc.
•
Entropy Measurements
• The entropy of a random or pseudo-random
binary sequence can be measured using Ueli Maurer's
"Universal Statistical Test for Random Bit Generators"
A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 25
Download