Network Security: Where are the holes, and does QKD help?
Jim Theodoras, March 2014
Dec 05, 2014
© 2014 ADVA Optical Networking. All rights reserved.
Cryptographic Goals
• Confidentiality
  • Nobody can read the content of a message.
  • Encryption only guarantees confidentiality.
• Integrity
  • Modification of a message will be detected.
  • Encryption does not protect against this.
  • Example of breach: flipping the null bit in IPsec.
• Authenticity
  • Verify that I am really connected to whom I expected.
  • Encryption does not protect against this.
  • Example of breach: spoofing a receiver to obtain keys.
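The integrity point above, as an added example that is not from the slides: in an encryption-only stream mode, a modified ciphertext byte changes the corresponding plaintext byte and decryption accepts it without complaint; only a separate integrity tag (here HMAC, encrypt-then-MAC) catches the change. A toy SHA-256-based keystream stands in for AES-CTR, and the keys, message and function names are constructed for this illustration.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream derived from SHA-256 (stand-in for AES-CTR; illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Stream encryption: ciphertext = plaintext XOR keystream. Decryption is the same operation.
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

decrypt = encrypt

def modify_byte(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    # Malleability of encryption-only modes: XORing (old ^ new) into one ciphertext byte
    # turns the plaintext byte at that offset from old into new, with no knowledge of the key.
    c = bytearray(ciphertext)
    c[offset] ^= old ^ new
    return bytes(c)

def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Integrity check: HMAC-SHA256 over nonce and ciphertext (encrypt-then-MAC).
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def verify_and_decrypt(enc_key, mac_key, nonce, ciphertext, t):
    # Reject any message whose tag does not match before decrypting it.
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), t):
        return None
    return decrypt(enc_key, nonce, ciphertext)

def demo():
    # Constructed keys and message (not from the slides).
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"TRANSFER 0100 EUR TO ACCT 42"
    ct = encrypt(enc_key, nonce, msg)
    t = tag(mac_key, nonce, ct)
    # The amount's leading '0' (plaintext offset 9) is changed to '9' in the ciphertext.
    tampered = modify_byte(ct, 9, ord("0"), ord("9"))
    without_mac = decrypt(enc_key, nonce, tampered)                     # accepted, reads 9100
    with_mac = verify_and_decrypt(enc_key, mac_key, nonce, tampered, t)  # None: rejected
    return without_mac, with_mac

if __name__ == "__main__":
    print(demo())
```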
Sideways Attacks
Networks are breached with sideways attacks, not direct or brute-force attacks.
• Example: Masterlock
  • 64,000 possible combinations.
  • A “sideways attack” reduces that to 100 combinations.
  • A “backdoor” renders the lock useless (beer-can shim).
• Example: copying encryption keys
  • If stored in DRAM, keys are vulnerable.
  • Freeze spray slows down decay in DRAM.
• Example: brute force
  • A supercomputer that could check 10^18 keys/sec would require 10^51 years to exhaust the 256-bit key space.
  • A typical mining rig can brute-force 30 billion passwords/sec, cracking all eight-character passwords in just a few hours.
  • Relational data reduces this to mere minutes.
F2o<fa!7S7052C5JavW%G.@uQc/0JymD>CA:lsLZ"P+fU3Js6l@]ie9<A{$L3Nh
It’s All About the Key, Not the Encryption
• Audi RS4 thefts
  • At the time, the hottest car on the black market.
  • The car security system was unhackable.
  • So the thieves broke into the owners’ homes and stole the keys.
• Similarly, a major content provider recently disclosed to me:
  • After the revelations, taps were found everywhere in their network.
  • However, after further investigation, no important data was lost through taps, or through taps alone.
  • The important breaches of data were due to compromised keys.
  • Keys were compromised in a variety of ways.
Major Paradigm Shift
Before:
We have to keep data thieves out.
Today:
Assume we are breached and design accordingly.
Quantum Key Distribution?
So, does QKD help with any of this?
• Cryptographic goals:
  • Confidentiality: makes existing encryption more secure.
  • Integrity: you know if someone is listening.
  • Authenticity: you do not know who is on the other end.
• Intrusion detection: reading the key changes it.
• Sidewaysing: good key entropy.
• Compromised keys: fast generation of new truly random keys.
Main Takeaways
• Encryption alone does not protect.
• It’s all about the keys.
• You must focus on prevention of sideways attacks.
• With proper key management and entropy, even AES-256 can be sufficient.
• Design assuming breach already exists.
• QKD is currently the only key system today that meets all needs.
Thank you
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.