Date: 2021-08-18



It is 2031, and the pandemic is a thing of the past. Dave is drinking his morning coffee and reading the news when a headline catches his attention. Finally, a large quantum computer is in operation! Suddenly, Dave’s heart is racing. A few seconds later, when his heartbeat slows, he looks up in the mirror and proudly says, “Yes, I’m ready.”

What you don’t know about Dave is that he has spent the last decade making sure that every aspect of broadband communications and access networks remains secure and protected. Besides looking for new quantum-resistant algorithms, Dave has focused on the practical aspects of deploying them and on addressing their impact on the broadband industry.

In 2021, the broadband industry needs to start down the same path that Dave will have walked by 2031. Obstacles need to be removed in advance so that the foundation can be laid for adopting new security tools such as post-quantum (PQ) cryptography.

NIST has not yet completed the PQ cryptography standardization process, but there are already interesting trends and practical long-term considerations for PQ deployment in the broadband industry that can be inferred.

Most of the algorithms still in the final round of the competition are based on a mathematical structure called a lattice, which is essentially a collection of evenly spaced points (vectors). The security of lattice-based cryptography rests on the difficulty of solving certain hard problems on lattices, such as the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP), for which no efficient algorithms are known (even on quantum computers). Algorithms like Falcon and Dilithium are lattice-based and produce the smallest authentication artifacts overall (signatures range from about 700 to 3,300 bytes).
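To make the CVP intuition concrete, here is a small added example (not code from the original post or from CableLabs) in the spirit of the classic good-basis/bad-basis trapdoor: the same two-dimensional lattice is described by a short, nearly orthogonal private basis and by a long, skewed public basis obtained through a unimodular transform. Babai's rounding recovers a lattice point hidden behind a small error with the private basis but fails with the public one. The basis values, the hidden coefficients and the error are constructed for the illustration and have nothing to do with the parameters of Falcon or Dilithium, which use much larger, structured lattices.

```python
from fractions import Fraction

# Constructed toy parameters: a "good" private basis (short, nearly orthogonal rows)
# and a unimodular matrix (determinant 1) used to derive a "bad" public basis
# that spans exactly the same lattice.
PRIVATE_BASIS = [(7, 1), (1, 9)]
UNIMODULAR = [(1, 3), (2, 7)]


def det2(basis):
    """Determinant of a 2x2 basis; its absolute value is the lattice volume."""
    (a, b), (c, d) = basis
    return a * d - b * c


def combine(basis, coeffs):
    """Combination k0*b1 + k1*b2 of the two basis rows."""
    (a, b), (c, d) = basis
    k0, k1 = coeffs
    return (k0 * a + k1 * c, k0 * b + k1 * d)


def public_basis(private, unimodular=UNIMODULAR):
    """Public (bad) basis U*B: each row is an integer combination of private rows."""
    return [combine(private, row) for row in unimodular]


def coordinates(basis, target):
    """Exact rational coordinates c with target == c[0]*b1 + c[1]*b2."""
    (a, b), (c, d) = basis
    x, y = target
    det = a * d - b * c
    # target times the inverse matrix (1/det) * [[d, -b], [-c, a]]
    return (Fraction(x * d - y * c, det), Fraction(-x * b + y * a, det))


def babai_round(basis, target):
    """Babai's rounding algorithm: write target in the basis, round each coordinate."""
    c0, c1 = coordinates(basis, target)
    return combine(basis, (round(c0), round(c1)))


def dist_sq(p, q):
    return (p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2


def cvp_demo(private=PRIVATE_BASIS, hidden_coeffs=(3, 2), error=(1, -1)):
    """Hide a lattice point behind a small error, then try to recover it with both bases."""
    public = public_basis(private)
    assert abs(det2(public)) == abs(det2(private))  # same lattice, different description
    point = combine(private, hidden_coeffs)
    target = (point[0] + error[0], point[1] + error[1])
    return {
        "point": point,
        "target": target,
        "private_guess": babai_round(private, target),  # close vector found
        "public_guess": babai_round(public, target),    # rounding goes far astray
    }


if __name__ == "__main__":
    r = cvp_demo()
    print("hidden lattice point:", r["point"], "noisy target:", r["target"])
    print("private basis guess :", r["private_guess"], "dist^2", dist_sq(r["private_guess"], r["target"]))
    print("public basis guess  :", r["public_guess"], "dist^2", dist_sq(r["public_guess"], r["target"]))
```

The public basis is a perfectly valid description of the lattice (same determinant), yet anyone holding only that basis gets a point far from the target, while the holder of the short basis recovers the hidden point exactly. Real schemes rely on the same asymmetry in hundreds of dimensions, where no known algorithm, classical or quantum, turns a bad basis into a good one efficiently.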

Another class of algorithms to monitor is isogeny-based. These algorithms use a structure different from lattices and have been proposed for key exchange. These new key exchange algorithms, Key Encapsulation Mechanisms (KEMs), leverage morphisms (isogenies) between elliptic curves to provide Diffie-Hellman-like key exchange properties and perfect forward secrecy. Isogeny-based cryptography uses the shortest keys in the PQ algorithm landscape, but it is very computationally expensive.

In addition to these two classes of algorithms, hash-based signature schemes should be kept in mind as a possible alternative. They offer well-understood security at the expense of very large signatures (their public keys are very small), which currently hampers their adoption. A well-known hash-based algorithm that will probably be included again in the NIST standardization process is SPHINCS+.
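The size trade-off of hash-based signatures is easy to see in a minimal construction. The following is an added example (my own illustration, not code from the original post, from CableLabs or from SPHINCS+): Lamport one-time signatures whose one-time public keys are compressed into a small Merkle tree, so the long-term public key is a single 32-byte root while every signature carries 256 preimages, the one-time public key and an authentication path. The message, tree height and class name are assumed for the illustration; SPHINCS+ uses far more elaborate few-time signatures and hypertrees, but the same small-key/large-signature shape.

```python
import hashlib
import os

N = 32              # SHA-256 output size in bytes
BITS = 8 * N        # digest bits covered by one Lamport one-time key


def H(data):
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=os.urandom):
    """One-time key: 256 pairs of random preimages; the public part is their hashes."""
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def bit(digest, i):
    return (int.from_bytes(digest, "big") >> (BITS - 1 - i)) & 1


def lamport_sign(sk, digest):
    """Reveal, for every digest bit, the preimage selected by that bit."""
    return [sk[i][bit(digest, i)] for i in range(BITS)]


def lamport_verify(pk, digest, sig):
    return all(H(sig[i]) == pk[i][bit(digest, i)] for i in range(BITS))


def leaf_hash(pk):
    return H(b"".join(a + b for a, b in pk))


def next_level(level):
    return [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = next_level(level)
    return level[0]


def auth_path(leaves, index):
    """Sibling hashes from the leaf up to the root."""
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[index ^ 1])
        level, index = next_level(level), index // 2
    return path


def root_from_path(leaf, index, path):
    node = leaf
    for sibling in path:
        node = H(node + sibling) if index % 2 == 0 else H(sibling + node)
        index //= 2
    return node


class MerkleLamport:
    """Few-time signer: 2**height one-time keys under one 32-byte public key (illustrative)."""

    def __init__(self, height=2):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.leaves = [leaf_hash(pk) for _, pk in self.keys]
        self.public_key = merkle_root(self.leaves)
        self.next_index = 0

    def sign(self, message):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; reuse would leak the key")
        i, self.next_index = self.next_index, self.next_index + 1
        sk, pk = self.keys[i]
        return (i, lamport_sign(sk, H(message)), pk, auth_path(self.leaves, i))


def verify(public_key, message, signature):
    i, ots_sig, pk, path = signature
    if not lamport_verify(pk, H(message), ots_sig):
        return False
    return root_from_path(leaf_hash(pk), i, path) == public_key


def signature_size(signature):
    """Serialized size: 4-byte index + 256 preimages + one-time public key + auth path."""
    _, ots_sig, pk, path = signature
    return 4 + len(ots_sig) * N + len(pk) * 2 * N + len(path) * N


if __name__ == "__main__":
    signer = MerkleLamport(height=2)
    msg = b"constructed cable modem authentication message"
    sig = signer.sign(msg)
    print("public key bytes:", len(signer.public_key), "signature bytes:", signature_size(sig))
    print("valid:", verify(signer.public_key, msg, sig))
```

With a height-2 tree the public key is 32 bytes and each signature is 24,644 bytes, roughly the ratio the paragraph describes: verification needs nothing but a hash function, and the signer must never reuse a leaf.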

Now that you understand the options available for next-generation crypto infrastructure, it’s time to look at how these new algorithms affect broadband environments. The DOCSIS protocol has used digital certificates and public key cryptography since its inception, but the broadband ecosystem relies solely on the RSA algorithm, which has very different characteristics from the PQ algorithms currently under consideration.

Fortunately, from a security point of view, replacing RSA in the latest version of the DOCSIS protocol (DOCSIS 4.0) requires only a minimal upgrade compared to previous versions. Specifically, DOCSIS 4.0 removes the reliance on RSA for key exchange and uses a standard signature format, Cryptographic Message Syntax (CMS), to deliver signatures. CMS will be upgraded to provide standard support for the PQ algorithms as soon as the standardization process is complete. Since DOCSIS 1.0 through 3.1 rely on RSA for key exchange, the required protocol changes there may be more extensive, for example using symmetric keys in addition to RSA keys to provide secure authentication.

The size of the new algorithms’ outputs is another important deployment aspect. Lattice-based and isogeny-based algorithms are very efficient in the size of their authentication (signature) or encryption (key exchange) data, but these are still an order of magnitude (or more) larger than those used to date.

Therefore, the first set of considerations the broadband industry needs to focus on surrounds the impact of the new cryptography on the size of authentication and authorization messages. The DOCSIS protocol uses Baseline Privacy Key Management (BPKM) messages at Layer 2 to transfer credentials between the cable modem and its termination system. Fortunately, BPKM messages already support payloads of any size through fragmentation, so I do not think we need to update or change the structure of the Layer 2 authentication messages to accommodate the new cryptographic sizes.
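The following added example (not code from the original post, from CableLabs or from the DOCSIS specification) shows the mechanism the paragraph relies on: a credential blob larger than a single Layer 2 frame is split into numbered fragments and reassembled on the far side, with the reassembler tolerating out-of-order arrival and rejecting malformed or conflicting fragments. The 5-byte header (message id, fragment index, fragment count), the 1,400-byte frame limit and the 3,300-byte placeholder signature are constructed for the illustration; the real BPKM fragment encoding differs.

```python
import struct

MAX_FRAME_PAYLOAD = 1400            # constructed per-frame limit, not a DOCSIS constant
HEADER = struct.Struct("!BHH")      # hypothetical header: message id, index, count

# Constructed stand-ins for an RSA-2048 signature and a PQ signature at the upper
# end of the 700..3,300-byte range mentioned above.
SAMPLE_RSA_SIGNATURE = bytes(range(256))
SAMPLE_PQ_SIGNATURE = (bytes(range(256)) * 13)[:3300]


def fragment(message_id, payload, max_payload=MAX_FRAME_PAYLOAD):
    """Split payload into frames of at most max_payload bytes, header included."""
    chunk = max_payload - HEADER.size
    if chunk <= 0:
        raise ValueError("frame too small to carry a header and data")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    if len(pieces) > 0xFFFF:
        raise ValueError("payload needs more fragments than the 16-bit count allows")
    return [HEADER.pack(message_id, idx, len(pieces)) + p for idx, p in enumerate(pieces)]


class Reassembler:
    """Collects fragments per message id; returns the payload once all have arrived."""

    def __init__(self):
        self.pending = {}   # message id -> {"count": int, "parts": {index: bytes}}

    def accept(self, frame):
        if len(frame) < HEADER.size:
            raise ValueError("frame shorter than header")
        mid, idx, count = HEADER.unpack_from(frame)
        data = frame[HEADER.size:]
        if count == 0 or idx >= count:
            raise ValueError("fragment index outside declared count")
        entry = self.pending.setdefault(mid, {"count": count, "parts": {}})
        if entry["count"] != count:
            raise ValueError("fragment count disagrees with earlier fragments")
        if idx in entry["parts"] and entry["parts"][idx] != data:
            raise ValueError("duplicate fragment with different content")
        entry["parts"][idx] = data          # harmless retransmissions are idempotent
        if len(entry["parts"]) < count:
            return None                     # still waiting for more fragments
        del self.pending[mid]
        return b"".join(entry["parts"][i] for i in range(count))


if __name__ == "__main__":
    for name, blob in (("RSA-sized", SAMPLE_RSA_SIGNATURE), ("PQ-sized", SAMPLE_PQ_SIGNATURE)):
        frames = fragment(7, blob)
        out = None
        r = Reassembler()
        for f in reversed(frames):          # deliver out of order on purpose
            out = r.accept(f)
        print(f"{name}: {len(blob)} bytes -> {len(frames)} frame(s), reassembled ok: {out == blob}")
```

An RSA-sized signature still fits in one frame; the PQ-sized one needs three, and the receiver only hands the credential up to the authentication logic when every declared fragment is present, which is the property that lets the Layer 2 message structure stay as it is.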

Somewhat related to the size of the new ciphers is algorithm performance. Unlike RSA and ECDSA, PQ algorithms are very computationally intensive and can pose additional engineering hurdles when designing the hardware to support them. For end-entity devices such as cable modems and optical network units, there are several options to consider. One option is to integrate a modern microcontroller (MCU) that can offload the computations and provide an isolated environment in which the algorithms execute safely. Another approach is to take advantage of the trusted execution environment already available on the central processing unit (CPU) of many edge devices, without changing today’s hardware architecture. Core devices may require additional resources because of the added CPU load compared to very fast RSA verification. This is an active research area.

The final set of considerations concerns algorithm deployment models and certificate chain validation. Specifically, the current implementations of the PQ algorithms required by NIST do not use the hash-and-sign paradigm (they sign the data directly without first hashing it), and this has some important consequences. This approach removes the security dependency on the hash algorithm, but it also has subtle yet significant performance implications. The data to be authenticated or signed (for example, when a device is trying to authenticate to the network) must be processed directly by the algorithm. This may require a wider data bus to transmit the data to the MCU or to move it into the CPU’s trusted execution environment. The performance bottlenecks caused by the adopted signing mechanism have already been observed and require further investigation to better understand their actual impact on deployments.

For example, with the hash-and-sign paradigm, the signing part of an operation on a 1 TB or a 1 KB document takes the same amount of time (because it always signs a short, fixed-size hash). By comparison, under the new paradigm (which is not possible with algorithms such as RSA), signing times can vary significantly with the size of the data to be signed. This issue becomes even more apparent when considering the cost of generating and signing hundreds of millions of certificates with this new approach. In other words, if the new paradigm is adopted, it can affect certificate providers and increase the costs associated with signing large numbers of certificates.

Now that we know where and what to look for, how can we learn more about these new algorithms and start experimenting with them ahead of real deployment?

One of the best places to get started is the Open Quantum Safe (OQS) project, which aims to support the development and prototyping of quantum-resistant cryptography. The OQS project provides two major repositories (open source and available on GitHub): the base liboqs library, which provides C implementations of quantum-resistant cryptographic algorithms, and a fork of the OpenSSL library, which provides a prototype integration of liboqs. CableLabs Composite Crypto technology.

The OQS project is a great tool to get started with these new algorithms, but its OpenSSL integration does not support the common (hash-and-sign) signing operations. This limitation can affect the ability to test the new algorithms across different use cases. To address these limitations and provide better Composite Crypto support together with hash-and-sign implementations of the PQ algorithms, CableLabs has started integrating the PQ-enabled OpenSSL code with the new PQ-enabled LibPKI repository (a fork of the original OpenCA LibPKI). It can be used to build and test these algorithms in all aspects of PKI lifecycle management, from full certificate chain validation to the generation of quantum-resistant revocation information (such as CRLs and OCSP responses).

