Jim Theodoras March 2014 Network Security Where are the holes, and does QKD help?

Dec 05, 2014


Check out Jim Theodoras' slides from a panel he participated in at OFC 2014 this week, as he digs into network security and looks at what opportunities there might be for quantum technologies in the future
Transcript
Page 1: Network Security

Jim Theodoras

March 2014

Network Security

Where are the holes, and does QKD help?

Page 2: Network Security

© 2014 ADVA Optical Networking. All rights reserved.

Cryptographic Goals

• Confidentiality
  • Nobody can read content of message.
  • Encryption only guarantees confidentiality.

• Integrity
  • Modification of message will be detected.
  • Encryption does not protect against this.
  • Example of breach: Flipping the null bit in IPsec.

• Authenticity
  • Verify that I am really connected to whom I expected.
  • Encryption does not protect against this.
  • Example of breach: Spoofing a receiver to obtain keys.
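The slide's distinction between confidentiality and integrity can be shown concretely. The following is an added example, not code from the ADVA deck: a toy counter-mode stream cipher built from HMAC-SHA256 (so it runs on the Python standard library alone) stands in for any confidentiality-only mode. An on-path change to one ciphertext byte decrypts "cleanly" to a different amount, while the same message protected with an encrypt-then-MAC tag is rejected before decryption. Keys, nonce and the message are constructed sample values; function names are this example's own.

```python
# Added example (not from the ADVA slides): encryption alone gives confidentiality,
# not integrity. The stream cipher below is a toy HMAC-SHA256 counter-mode construction
# chosen only so the example runs with the standard library; do not use it in production.
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes by running HMAC-SHA256 in counter mode (toy)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. A bit flipped in the ciphertext
    flips the same bit of the recovered plaintext, and nothing detects it."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt_only = encrypt_only  # XOR with the same keystream is its own inverse


def modify_ciphertext_byte(ciphertext: bytes, index: int, delta: int) -> bytes:
    """Model an on-path modification of one ciphertext byte; no key is involved."""
    ct = bytearray(ciphertext)
    ct[index] ^= delta
    return bytes(ct)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity: ciphertext followed by an HMAC over nonce||ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Check the tag first; on mismatch return None and never release plaintext."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # integrity failure detected
    return decrypt_only(enc_key, nonce, ct)


def demo():
    """Same modification against both constructions; returns (unprotected, protected)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"PAY 0100 USD TO ALICE"  # constructed sample message; byte 4 is the leading '0'
    delta = ord("0") ^ ord("9")     # XOR difference that turns '0' into '9'

    # Encryption-only: the altered ciphertext decrypts to a different, valid-looking message.
    ct = encrypt_only(enc_key, nonce, msg)
    unprotected = decrypt_only(enc_key, nonce, modify_ciphertext_byte(ct, 4, delta))

    # Encrypt-then-MAC: the identical alteration fails verification and is rejected.
    blob = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    protected = verify_then_decrypt(enc_key, mac_key, nonce, modify_ciphertext_byte(blob, 4, delta))
    return unprotected, protected


if __name__ == "__main__":
    altered, rejected = demo()
    print("encryption only  :", altered)   # PAY 9100 USD TO ALICE, accepted silently
    print("encrypt-then-MAC :", rejected)  # None, modification detected
```

The detection relies on the tag key being separate from the encryption key and on verifying before decrypting; in practice an AEAD mode such as AES-GCM packages both properties, which is the fix the slide's IPsec example points at.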

Page 3: Network Security

Sideways Attacks

Networks are breached with sideways attacks, not direct or brute force attacks.

• Example: Masterlock
  • 64,000 possible combinations
  • A “sideways attack” reduces that to 100 combinations.
  • A “backdoor” renders the lock useless (beer can shim)

• Example: Copying Encryption Keys
  • If stored in DRAM, keys are vulnerable
  • Freeze spray slows down decay in DRAM

• Example:
  • A supercomputer that could check 10^18 keys/sec would require 10^51 years to exhaust 256 bit key space.
  • A typical mining rig can brute force 30 billion passwords/sec, cracking all eight-character passwords in just a few hours.
  • Relational data reduces this to mere minutes.

F2o<fa!7S7052C5JavW%G.@uQc/0JymD>CA:lsLZ"P+fU3Js6l@]ie9<A{$L3Nh

Page 4: Network Security

It’s All About the Key, Not the Encryption

• Audi RS4 thefts
  • At the time, the hottest car on the black market.
  • The car security system was unhackable.
  • So, the thieves broke into the owners’ homes and stole the keys.

• Similarly, a major content provider recently disclosed to me:
  • After revelations, taps were found everywhere in their network.
  • However, after further investigation, no important data was lost through taps or taps alone.
  • The important breaches of data were due to compromised keys.
  • Keys were compromised in a variety of ways.

Page 5: Network Security

Major Paradigm Shift

Before:

We have to keep data thieves out.

Today:

Assume we are breached and design accordingly.

Page 6: Network Security

Quantum Key Distribution?

So, does QKD help with any of this?

• Cryptographic goals:
  • Confidentiality: Makes existing encryption more secure.
  • Integrity: You know if someone is listening.
  • Authenticity: You do not know who is on the other end.

• Intrusion detection: Reading the key changes it.

• Sidewaysing: Good key entropy

• Compromised keys: Fast generation of new truly random keys.
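"Reading the key changes it" is the property the slide credits QKD with for intrusion detection. The following added example (not from the ADVA deck, and not a real quantum channel) is a classical simulation of the BB84 protocol: qubits are modelled as (preparation basis, bit) pairs, an intercept-resend listener who measures in a guessed basis and forwards what it saw disturbs about a quarter of the sifted bits, and the legitimate parties detect that by comparing a sample and checking the quantum bit error rate (QBER) against a threshold. The 11% threshold, the seeded randomness and the function names are this example's assumptions.

```python
# Added example (not from the ADVA slides): classical simulation of BB84 showing how
# measurement by a third party raises the error rate that Alice and Bob observe.
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two conjugate bases used in BB84


def measure(qubit, basis, rng):
    """Measure a (prep_basis, bit) qubit in `basis`.
    Same basis: the encoded bit is read correctly.
    Conjugate basis: the outcome is uniformly random, and the original bit is lost."""
    prep_basis, bit = qubit
    if prep_basis == basis:
        return bit
    return rng.randrange(2)


def bb84(n_qubits, eavesdrop, seed=0, qber_threshold=0.11):
    """Run one BB84 exchange; return sifted length, estimated QBER and whether a key is accepted.
    `eavesdrop=True` inserts an intercept-resend listener on the channel."""
    rng = random.Random(seed)  # seeded so the run is reproducible (assumption of this example)

    # Alice prepares each qubit with a random bit in a random basis.
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_qubits)]
    channel = list(zip(alice_bases, alice_bits))

    if eavesdrop:
        # The listener cannot copy an unknown qubit: it must measure in a guessed basis and
        # re-prepare a fresh qubit in that basis carrying its outcome. Half the guesses are
        # wrong, and each wrong guess randomises the bit Bob will later read.
        eve_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_qubits)]
        channel = [(b, measure(q, b, rng)) for q, b in zip(channel, eve_bases)]

    # Bob measures in his own random bases.
    bob_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_qubits)]
    bob_bits = [measure(q, b, rng) for q, b in zip(channel, bob_bases)]

    # Sifting: bases are announced publicly; only positions where they agree are kept.
    keep = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    alice_sifted = [alice_bits[i] for i in keep]
    bob_sifted = [bob_bits[i] for i in keep]

    # Error estimation: sacrifice half of the sifted bits (revealed publicly) to estimate QBER.
    half = len(alice_sifted) // 2
    errors = sum(a != b for a, b in zip(alice_sifted[:half], bob_sifted[:half]))
    qber = errors / half if half else 1.0
    accepted = qber <= qber_threshold  # above threshold: assume a listener, discard the run

    return {
        "sifted": len(keep),
        "qber": qber,
        "accepted": accepted,
        "alice_key": alice_sifted[half:] if accepted else [],
        "bob_key": bob_sifted[half:] if accepted else [],
    }


if __name__ == "__main__":
    for listener in (False, True):
        r = bb84(2000, eavesdrop=listener, seed=3)
        print(f"listener={listener}: sifted={r['sifted']} qber={r['qber']:.3f} accepted={r['accepted']}")
```

Without a listener the sample shows zero errors and the remaining sifted bits agree on both sides; with one, the QBER sits near 25%, well above any realistic channel noise, so the run is discarded before any key material is used. This is the detection property the slide refers to; note that, as the slide's authenticity bullet says, the simulation gives no assurance about who the other party is, which a separate authenticated classical channel must provide.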

Page 7: Network Security

Main Takeaways

• Encryption alone does not protect.

• It’s all about the keys.

• You must focus on prevention of sideways attacks.

• With proper key management and entropy, even AES-256 can be sufficient.

• Design assuming breach already exists.

• QKD is currently the only key system today that meets all needs.

Page 8: Network Security

[email protected]

Thank you

IMPORTANT NOTICE

The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.