1 / 25

Information Security 2 (InfSi2)

Information Security 2 (InfSi2). 2 Physical Layer Security. Prof . Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA). Communication layers. Security protocols. Application layer. Platform Security, Web Application Security, VoIP Security, SW Security.

loman
Télécharger la présentation

Information Security 2 (InfSi2)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security 2 (InfSi2) 2 Physical Layer Security Prof. Dr. Andreas SteffenInstitute for Internet Technologies andApplications (ITA)

  2. Communication layers Security protocols Application layer Platform Security, Web Application Security, VoIP Security, SW Security Transport layer TLS Network layer IPsec Data Link layer [PPTP, L2TP], IEEE 802.1X,IEEE 802.1AE, IEEE 802.11i (WPA2) Physical layer Quantum Cryptography Security Protocols for the OSI Stack

  3. f f1 f2 f3 f4 f5 f6 f7 f8 Counter measures: e.g. n parallel receivers f2 f4 f1 f3 f2 f7 f5 f7 f6 f3 t t Layer 1 Security – Frequency Hopping Frequency band divided into n hopping channels f8 f1 Standardized (public) or secret (military) hopping sequence

  4. Information Security 2 (InfSi2) 2.1 Quantum Cryptography

  5. Quantum CryptographyusingEntangled Photons • Nicolas Gisin et al.University ofGeneva • Compact sourceemittingentangledphotonpairs • Quantum correlationovermorethan 10 km • Foundingof ID Quantique

  6. 0 - 1 1 - 0 - Alice 1. 2. 3. 4. 6. 7. 5. Bob 0 - 1 1 - 0 - Eve (eavesdropping) Quantum Key Distribution usingEntangled Photons PhotonSource E91 protocol: Arthur Ekert, 1991

  7. 1 1 0 - 1. 2. 1 1 0 - Quantum Key Distribution usingthe BB84 Protocol 0 - - Alice PolarizationModulatedPhotonSource 3. 4. 5. 6. 7. Bob 0 - - Eve (eavesdropping) BB84 protocol: Charles Bennett & Gilles Brassard, 1984

  8. Decoy States against Multi-Photon Splitting Attacks • Single photonlasersarenearlyimpossibletobuild. • The naturalPoissondistributionofpracticallasersourcescausesmulti-photon pulsestooccurwhichcanbesplitby Eve. • In ordertocompensateforthestolenphotons, Eve mightinject additional photons. • As a countermeasure Alice randomlyinserts a certainpercentageofdecoystatestransmittedat a different power level. • Later Alice revealsto Bob whichpulsescontaineddecoystates. • If Eve was eavesdropping, theyieldandbiterror rate statisticsforthesignalanddecoystatesaremodifiedwhichcanbedetectedby Alice and Bob. • The useofdecoystatesextendsthe rate ofsecurekeyexchangetoover 140 km.

  9. Photon Yield versus Power Level • Poissondistributionofthenumberofphotons in a pulse,measuredover1000 pulses: Signal states Decoy states 0.80 photons/pulse 0.12 photons/pulse Power Level 449 pulses 887 pulses 0 photons/pulse 1 photon /pulse 360 pulses 106 pulses 2 photons/pulse 144 pulses 7 pulses 0 pulses 38 pulses 3 photons/pulse 8 pulses 0 pulses 4 photons/pulse 1 pulse 0 pulses 5 photons/pulse 551 of 1000 pulses 113 of 1000 pulses Yield

  10. Photon Yield versus Transmission Distance • Attenuation in a monomodefiberwith =1550nm: 0.2 dB/km • 50 km: 10dB  1 out 10 photonssurvive • 100 km: 20dB  1 out of 100 photonssurvive • 150 km: 30dB  1 out of 1000 photonssurvive

  11. Photon Yield in 50 km (10 dB Attenuation) • Receivedpulsescontainingat least onephoton,measuredover1000 pulses: Signal states Decoy states 0.80 photons/pulse 0.12 photons/pulse Power Level 0 pulses 0 pulses 0 photons/pulse 1 photon /pulse 36 pulses 10 pulses 2 photons/pulse 28 pulses 2 pulses 0 pulses 10 pulses 3 photons/pulse 3 pulses 0 pulses 4 photons/pulse 0 pulses 0 pulses 5 photons/pulse 77 of 1000 pulses 12 of 1000 pulses Yield

  12. Layer 2 Encryption with Quantum Key Distribution • 10 Gbit/s Ethernet Encryption with AES-256 in Counter Mode • QKD: RR84 and SARG protocols, upto 50 km (100 km on request) • Key Management: 1 key/minuteupto 12 encryptors

  13. Cerberis QKD Server andCentaurisEncryptors

  14. Information Security 2 (InfSi2) 2.2 Key Material andRandom Numbers

  15. Secure Network Protocols Privacy DataIntegrity Authentication Non-Repudiation Digital Signatures Encryption MACsMICs ChallengeResponse SmartCards Symmetric KeyCryptography MessageDigests IVs Nonces Secret Keys Public KeyCryptography BlockCiphers Stream Ciphers HashFunctions PseudoRandom RandomSources EllipticCurves DHRSA Cryptographical Building Blocks

  16. 0x36..0x36 Inner Key 64 bytes XOR Pad 64 bytes MD5 / SHA-1 Hash Function XOR 0x5C..0x5C Outer Key Hash 64 bytes MD5 / SHA-1 Hash Function 16/20 bytes MAC HMAC Function (RFC 2104) Document Key

  17. Client Hello RC Server Hello RS Certificate* Client *optional ServerKeyExchange* CertificateRequest* ServerHelloDone Certificate* ClientKeyExchange *optional Server ChangeCipherSpec CertificateVerify* ChangeCipherSpec Finished° Finished° Application Data° Application Data° TLS Handshake Protocol °encrypted

  18. Seed Seed key stream = PRF_MD5(secret, seed) Secret HMAC-MD5 A(1) S HMAC-MD5 A(2) S HMAC-MD5 16 bytes 16 bytes A(3) A(1) Seed A(2) Seed A(3) Seed S HMAC-MD5 S HMAC-MD5 S HMAC-MD5 1..16 17..32 33..48 Key Stream Pseudo Random Function (PRF)

  19. label seed "master secret" RC RS S1 PRF_MD5 48 bytes Pre-Master Secret Master Secret 48 bytes S2 PRF_SHA-1 60 bytes TLS_PRF label seed key stream = TLS_PRF(secret, label, seed) Computing the TLS 1.1 Master Secret

  20. label seed "key expansion" RS RC S1 PRF_MD5  n bytes Master Secret Key Material n bytes S2 PRF_SHA-1  n bytes TLS_PRF label seed key stream = TLS_PRF(secret, label, seed) Generating TLS 1.1 Key Material

  21. Generating True Random Numbers (RFC 1750) • The securityof modern cryptographicprotocolsreliesheavily on theavailabilityoftruerandomkey material andnonces. • On standardcomputerplatformsitis not a trivial tasktocollecttruerandom material in sufficientquantities: • Key Stroke Timing • Mouse Movements • Sampled Sound Card Input Noise • Air Turbulence in Disk Drives • RAID Disk Array Controllers • Network Packet Arrival Times • Computer Clocks • Best Strategy: Combiningvariousrandomsourceswith a strong mixingfunction (e.g. MD5 or SHA-1 hash) into an entropypool (e.g. Unix /dev/random) protectsagainstsingledevicefailures.

  22. Hardware-based True Random Generators • Quantum SourcesorRadioactiveDecaySources • Reliable, high entropysources, but oftenbulkyand expensive. • Thermal Noise Sources • Noisydiodesorresistorsarecheapandcompact but leveldetectionusuallyintroducesconsiderableskewthat must becorrected. • Free RunningorMetastableOscillators • The frequencyvariationof a freerunningoscillatoris a goodentropysourceifdesignedandmeasuredproperly. Usede.g in smart cardcryptoco-processors. • The Intel Ivy Bridge processorfamilyimplements an on-chipmetastable digital oscillator. • Lava Lamps • Periodic digital snapshotsof a lavalampexhibit a lotofrandomness.

  23. The Intel RDRAND Instruction • Availablewith Intel Ivy Bridge Processors (XEON & Core i7) • The RDRAND instructionreads a 16, 32 or 64 bitrandomvalue • Throughput 500+ MB/s randomdatawith 8 concurrentthreads • The randomnumbergeneratoriscompliantwith NIST SP800-90,FIPS 140-2, and ANSI X9.82

  24. Quantum Random Number Generatorwww.idquantique.com • Detectionofsinglephotons viaa semi-transparent mirror • High throughput: 4 – 16 Mbit/s • Low cost (990…2230 EUR)

  25. - 0 - - 1 1 - 0 1 - 1 0 - 1 0 - 0 - - 1 - 0 - - - - 0 0 SkewCorrectionsand Tests forRandomness • Simple SkewCorrection(John von Neumann) • p(1) = 0.5+e, p(0) = 0.5-e, -0.5 < e < 0.5 • Examplewith e = 0.20, i.e. p(1) = 0.7, p(0) = 0.3 11011111101011011000100111100111011111101101111111110101 • Strong Mixing using Hash functions • Hashingimprovesstatisticalproperties but does not increaseentropy. • Statistical Tests forRandomness • A number of statistical tests are defined in FIPS PUB 140-2"Security Requirements for Cryptographic Modules" : Monobit Test, Poker Test, Runs Test, etc. • EntropyMeasurements • The entropyof a randomor pseudo-randombinarysequencecanbemeasuredusing Ueli Maurer's"Universal Statistical Test for Random Bit Generators"

More Related