A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 1 Information Security 2 (InfSi2) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 1

Information Security 2 (InfSi2)

Prof. Dr. Andreas Steffen

Institute for Internet Technologies and Applications (ITA)

2 Physical Layer Security

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 2

Security Protocols for the OSI Stack

Application layer Platform Security, Web Application Security, VoIP Security, SW SecurityTransport layer TLS

Network layer IPsec

Data Link layer [PPTP, L2TP], IEEE 802.1X,IEEE 802.1AE, IEEE 802.11i (WPA2)Physical layer Quantum Cryptography

Communication layers

Security protocols

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 3

Layer 1 Security – Frequency Hopping

f1 f2 f4 f5 f6 f7f3 f8

f

Counter measures: e.g. n parallel receivers

tf8 f1f2

t

f4 f1 f3 f2 f7 f5 f7 f6 f3

Standardized (public) or secret (military) hopping sequence

Frequency band divided into n hopping channels

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 4

Information Security 2 (InfSi2)

2.1 Quantum Cryptography

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 5

Quantum Cryptography using Entangled Photons

• Nicolas Gisin et al.University of Geneva

• Compact source emittingentangled photon pairs

• Quantum correlation overmore than 10 km

• Founding of ID Quantique

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 6

4.

Quantum Key Distribution using Entangled Photons

PhotonSource

PhotonSource 1.

Alice

Bob

3. 7.2. 6.

0

0

-

-

1

1

1

1

-

-

0

0

5.

Eve (eavesdropping)

-

-

E91 protocol: Arthur Ekert, 1991

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 7

Quantum Key Distribution using the BB84 Protocol

PolarizationModulated

PhotonSource

PolarizationModulated

PhotonSource

Alice

Bob

1.

0

0

2.

-

-

3.

1

1

4.

1

1

6.

-

-

7.

0

0

BB84 protocol: Charles Bennett & Gilles Brassard, 1984

5.

-

-

Eve (eavesdropping)

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 8

Decoy States against Multi-Photon Splitting Attacks

• Single photon lasers are nearly impossible to build.• The natural Poisson distribution of practical laser sources

causesmulti-photon pulses to occur which can be split by Eve.

• In order to compensate for the stolen photons, Eve might inject additional photons.

• As a counter measure Alice randomly inserts a certain percentage of decoy states transmitted at a different power level.

• Later Alice reveals to Bob which pulses contained decoy states.

• If Eve was eavesdropping, the yield and bit error rate statistics for the signal and decoy states are modified which can be detected by Alice and Bob.

• The use of decoy states extends the rate of secure key exchange to over 140 km.

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 9

Photon Yield versus Power Level

Power Level 0.80 photons/pulse0.12 photons/pulse

449 pulses

360 pulses

144 pulses

38 pulses

8 pulses

887 pulses

106 pulses

7 pulses

0 pulses

0 pulses

0 photons/pulse

1 photon /pulse

2 photons/pulse

3 photons/pulse

4 photons/pulse

Signal states Decoy states

• Poisson distribution of the number of photons in a pulse,measured over 1000 pulses:

1 pulse 0 pulses5 photons/pulse

551 of 1000 pulses 113 of 1000 pulsesYield

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 10

Photon Yield versus Transmission Distance

• Attenuation in a monomode fiber with =1550nm: 0.2 dB/km• 50 km: 10dB 1 out 10 photons survive• 100 km: 20dB 1 out of 100 photons survive• 150 km: 30dB 1 out of 1000 photons survive

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 11

Photon Yield in 50 km (10 dB Attenuation)

Power Level 0.80 photons/pulse0.12 photons/pulse

0 pulses

36 pulses

28 pulses

10 pulses

3 pulses

0 pulses

10 pulses

2 pulses

0 pulses

0 pulses

77 of 1000 pulses 12 of 1000 pulses

0 photons/pulse

1 photon /pulse

2 photons/pulse

3 photons/pulse

4 photons/pulse

Signal states Decoy states

Yield

• Received pulses containing at least one photon,measured over 1000 pulses:

0 pulses 0 pulses5 photons/pulse

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 12

Layer 2 Encryption with Quantum Key Distribution

• 10 Gbit/s Ethernet Encryption with AES-256 in Counter Mode

• QKD: RR84 and SARG protocols, up to 50 km (100 km on request)

• Key Management: 1 key/minute up to 12 encryptors

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 13

Cerberis QKD Server and Centauris Encryptors

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 14

Information Security 2 (InfSi2)

2.2 Key Material andRandom Numbers

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 15

Cryptographical Building Blocks

BlockCipher

s

Stream

Ciphers

Symmetric KeyCryptography

Authentication

Privacy

Encryption

HashFunction

s

Challenge

Response

IVs

MACsMICs

MessageDigests

Nonces

PseudoRandom

Random

Sources

Secret Keys

SmartCards

DHRSA

Public KeyCryptography

EllipticCurve

s

Digital Signatures

DataIntegrity

Secure Network Protocols

Non-Repudiatio

n

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 16

HMAC Function (RFC 2104)

DocumentDocument

KeyKey

Inner KeyInner Key

64 bytes

MD5 / SHA-1 Hash FunctionMD5 / SHA-1 Hash Function

HashHash

MD5 / SHA-1 Hash FunctionMD5 / SHA-1 Hash Function

0x36..0x360x36..0x36

XOR

Outer KeyOuter Key

64 bytes

0x5C..0x5C0x5C..0x5C

XOR

PadPad 64 bytes

MACMAC 16/20 bytes

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 17

TLS Handshake Protocol

Server

Server HelloServer Hello RSRS

ServerHelloDoneServerHelloDone

Client

Client HelloClient Hello RCRC

Application Data°Application Data°Application Data°Application Data°

Certificate*

ClientKeyExchange

CertificateVerify**optional

ServerKeyExchange*

Certificate*

CertificateRequest*

*optional

Finished°Finished°

ChangeCipherSpec

Finished°Finished°

ChangeCipherSpec

°encrypted

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 18

Secret

Key Stream

Seed key stream = PRF_MD5(secret, seed)

Pseudo Random Function (PRF)

A(3)

S

A(3)

HMAC-MD5

1..16

S

Seed

17..32

S

Seed

33..48

S

Seed

HMAC-MD5 HMAC-MD5 HMAC-MD5

A(2)

S HMAC-MD5

A(2)

16 bytes

A(1)

A(1)

16 bytes

HMAC-MD5

Seed

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 19

Computing the TLS 1.1 Master Secret

Master Secret

"master secret"

48 bytesPRF_MD5

60 bytes PRF_SHA-1

S1

S2

Pre-Master Secret

RC RS

label seed

label seed

key stream = TLS_PRF(secret, label, seed)

TLS_PRF

48 bytes

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 20

Generating TLS 1.1 Key Material

Key Material

"key expansion"

n bytesPRF_MD5

n bytesPRF_SHA-1

S1

S2

Master Secret

RS RC

label seed

label seed

key stream = TLS_PRF(secret, label, seed)

TLS_PRF

n bytes

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 21

Generating True Random Numbers (RFC 1750)

• The security of modern cryptographic protocols relies heavily on the availability of true random key material and nonces.

• On standard computer platforms it is not a trivial task to collect true random material in sufficient quantities:• Key Stroke Timing• Mouse Movements• Sampled Sound Card Input Noise• Air Turbulence in Disk Drives• RAID Disk Array Controllers• Network Packet Arrival Times• Computer Clocks

• Best Strategy: Combining various random sources with a strong mixing function (e.g. MD5 or SHA-1 hash) into an entropy pool (e.g. Unix /dev/random) protects against single device failures.

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 22

Hardware-based True Random Generators

• Quantum Sources or Radioactive Decay Sources• Reliable, high entropy sources, but often bulky and

expensive.

• Thermal Noise Sources• Noisy diodes or resistors are cheap and compact but level

detection usually introduces considerable skew that must be corrected.

• Free Running or Metastable Oscillators • The frequency variation of a free running oscillator is a good

entropysource if designed and measured properly. Used e.g in smart card crypto co-processors.

• The Intel Ivy Bridge processor family implements an on-chipmetastable digital oscillator.

• Lava Lamps• Periodic digital snapshots of a lava lamp exhibit a lot of

randomness.

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 23

The Intel RDRAND Instruction

• Available with Intel Ivy Bridge Processors (XEON & Core i7)• The RDRAND instruction reads a 16, 32 or 64 bit random

value• Throughput 500+ MB/s random data with 8 concurrent

threads• The random number generator is compliant with NIST SP800-

90,FIPS 140-2, and ANSI X9.82

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 24

Quantum Random Number Generatorwww.idquantique.com

• Detection of single photons viaa semi-transparent mirror

• High throughput: 4 – 16 Mbit/s• Low cost (990…2230 EUR)

A. Steffen, 22.09.2013, 02-PhysicalLayer.pptx 25

Skew Corrections and Tests for Randomness

• Simple Skew Correction (John von Neumann)• p(1) = 0.5+e, p(0) = 0.5-e, -0.5 < e < 0.5• Example with e = 0.20, i.e. p(1) = 0.7, p(0) = 0.3

• Strong Mixing using Hash functions • Hashing improves statistical properties but does not increase

entropy.

• Statistical Tests for Randomness• A number of statistical tests are defined in FIPS PUB 140-2

"Security Requirements for Cryptographic Modules" : Monobit Test, Poker Test, Runs Test, etc.

• Entropy Measurements• The entropy of a random or pseudo-random

binary sequence can be measured using Ueli Maurer's"Universal Statistical Test for Random Bit Generators"

- 0 - - 1 1 - 0 1 - 1 0 - 1 0 - 0 - - 1 - 0 - - - - 0 0

11011111101011011000100111100111011111101101111111110101