IETF Logo Mail Archive

Re: [Qirg] QKD in OpenSSL

Bruno Rijsman <brunorijsman@gmail.com> Tue, 19 November 2019 11:06 UTC

Return-Path: <brunorijsman@gmail.com>
X-Original-To: qirg@ietfa.amsl.com
Delivered-To: qirg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFC8A12080A for <qirg@ietfa.amsl.com>; Tue, 19 Nov 2019 03:06:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmYG5nWoh-pL for <qirg@ietfa.amsl.com>; Tue, 19 Nov 2019 03:06:25 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BF8112094C for <qirg@irtf.org>; Tue, 19 Nov 2019 03:06:24 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id r10so23296824wrx.3 for <qirg@irtf.org>; Tue, 19 Nov 2019 03:06:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=5gK5WU9WtWxOlh1vUQbd1o4AO/3jLKZ0husdMXegv+8=; b=m21K0u9YOcX6Y5yXm0YKGlF5xnQsb6oXFM/2D9QF98fNRJSsCmM7NwLGPvZKqlt4f6 iYQekULs0et1TvThunQtQ6kRMU/o0T1fUjMaggYi93dLt709CwKdLEqNE2CW47EILeCx 4rOvzShw24itMA6nN+lTsByvDYGKAC8HjMYqzzR8WBlCQKiK763AbNMk0GHfp5ACE5gI BhBOLPUWi7R3mLlwXtPrTYhcPZu/R9tdSbvzs5xPdmmSqOyP5ZYZGrqSIHx4OP4oojai ednaQ695xavloalw+peVpwlePL7QlCOOjc764sl/j/pv1Twpxtdjy09UL+DQThDn0WSl 3AhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=5gK5WU9WtWxOlh1vUQbd1o4AO/3jLKZ0husdMXegv+8=; b=fmUonUL7vABVWj4CS2xKa94VqX+M+shU0MjoKlGSELlQ/RumC0xXbqHIunDl3GJFOX YX6/+Ck+VqMAlQ7Jz/DxMnDCZrdD6LqPJkIDcTk1p54q87mVVVP7tYwb+JhQgePngfY+ ZuoFGs2pevKR9hT5397+1ywpjc40csIym83X4fvQ1LHWuz8y9NQlt1qb8MfTkTC7o56X NaiWTpPjAenodvLpCA2NNJM3D7LRtQYCPcd4CihjuvAHyNO7B0w8wkut+2eeSBPFIYl+ gR/9SPVTuGrJYh5TSKOwnnpxWAMrmCpTciHzxUaOk/16mEBgrrnrKuHFxFelUWG8Fqp5 qFEg==
X-Gm-Message-State: APjAAAXMIYUzukoQ8L0h3U22WPz66FNrWoFPk5ubGMfMQtH8w4eNL20h fve16ArCgwDevM08+l2zJ6k=
X-Google-Smtp-Source: APXvYqwaKOCZpAuwk9ZUQ15BXTQlp7Gg8b1azYe3pLFZIH2c1qPNQl2X+37rUO8YqzpP1b8LsxgiOQ==
X-Received: by 2002:a05:6000:12d1:: with SMTP id l17mr35512483wrx.261.1574161582339; Tue, 19 Nov 2019 03:06:22 -0800 (PST)
Received: from brunos-macbook.ws.tudelft.net (x032197.tudelft.net. [131.180.32.197]) by smtp.gmail.com with ESMTPSA id d202sm2482931wmd.47.2019.11.19.03.06.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 Nov 2019 03:06:21 -0800 (PST)
From: Bruno Rijsman <brunorijsman@gmail.com>
Message-Id: <B8AD7020-3156-48F9-9B7B-6F382984D61D@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7A279AFF-B946-49D1-8F3C-84043B72F119"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 19 Nov 2019 12:06:18 +0100
In-Reply-To: <B4D330A6-0DF8-4846-B16D-518BFC51E0B6@telefonica.com>
Cc: Rodney Van Meter <rdv@sfc.wide.ad.jp>, "qirg@irtf.org" <qirg@irtf.org>
To: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
References: <331F2FAA-6B26-40E7-BE68-379943AECF8F@gmail.com> <9E1CC1FD-A06E-4996-A2A7-EEE618BBFB78@sfc.wide.ad.jp> <A18993AF-F31A-4B4F-BEF6-E9CC474241D2@gmail.com> <B4D330A6-0DF8-4846-B16D-518BFC51E0B6@telefonica.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/qirg/As6MFUvgO61uJrq55_gYF9XQ7l4>
Subject: Re: [Qirg] QKD in OpenSSL
X-BeenThere: qirg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Quantum Internet \(proposed\) RG" <qirg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/qirg>, <mailto:qirg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/qirg/>
List-Post: <mailto:qirg@irtf.org>
List-Help: <mailto:qirg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/qirg>, <mailto:qirg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 11:06:28 -0000

Hi Diego,

Having heard your comments at the mike at the QIRG session in Singapore, I think I have a better appreciation of the point you are making.

Yes, we need to be very careful that we don't assume that the experiences and instincts (gut feelings) that we have as classical network engineers necessarily translate well to quantum networks.

In this specific case, we as classical network engineers have gotten used to the fact of life that we must assume that all traffic is being monitored, copied, and possibly even stored as the traffic transits the network.

Service and content providers are analyzing traffic for advertising purposes. And governments are analyzing traffic for law enforcement purposes.

Thus, we build our protocols (e.g. Diffie-Hellman) in such a manner that it is okay if the traffic is being monitored. The party that does the monitoring will not be able to learn anything from the monitoring (unless they have access to a quantum computer).

Furthermore, we (correctly) assume that it is *physically possible* to tap and monitor a classical link without the communicating parties being aware or affected.

Because of this "baggage of classical intuition" we classical network engineers feel very nervous about the fact that merely tapping and monitoring a quantum link in itself and by itself is already a DOS attack because it causes the tapped communication to be invalidated (e.g. the key exchange to be aborted).

Rather than thinking of this as a defect of quantum networks, it may be an example of our classical intuition not serving us well.

In fact, we should think of it as a benefit of quantum networks. The point is that tapping and monitoring a quantum link is physically impossible, due to the very fundamental laws of quantum physics. So, with quantum networks we will never end up in the situation that service providers and governments will be pervasively observing all traffic on the network. Our "classical paranoia" for this situation will no longer be needed.

And, yes, it is still true the very fact of attempting to monitor a quantum link is in itself any by itself already a DOS attack. But you are very correct to point out that this requires physical access to the link, in which case cutting the link is a much cheaper attack.

In classical networks, the eavesdropper chooses to monitor rather than to cut the link because (a) monitoring is physically possible and relatively inexpensive and (b) the eavesdropper is more interesting in learning some information rather than initiating a DOS attack. In quantum networks neither (a) nor (b) are possible.

-- Bruno


> On Nov 18, 2019, at 10:34 AM, Diego R. Lopez <diego.r.lopez@telefonica.com> wrote:
> 
> Hi Bruno,
>  
> It looks I’m becoming the “physical argument” guy in the group, but the fact is that QKD (and I guess quantum communication at large) has to do with physical effects, and we have not achieved (not sure if we eve would) the levels of abstraction and virtualization we see in classical digital environments. So observation in QKD implies physical access, and therefore the capacity of direct physical interference. And, FWIW,  cutting a fiber is always cheaper than any quantum-level observations…
>  
> Be goode,
>  
> --
> "Esta vez no fallaremos, Doctor Infierno"
>  
> Dr Diego R. Lopez
> Telefonica I+D
> https://www.linkedin.com/in/dr2lopez/ <https://www.linkedin.com/in/dr2lopez/> 
>  
> e-mail: diego.r.lopez@telefonica.com <mailto:diego.r.lopez@telefonica.com>
> Tel:         +34 913 129 041
> Mobile:  +34 682 051 091
> ----------------------------------
>  
> On 18/11/2019, 15:08, "Qirg on behalf of Bruno Rijsman" <qirg-bounces@irtf.org <mailto:qirg-bounces@irtf.org> on behalf of brunorijsman@gmail.com <mailto:brunorijsman@gmail.com>> wrote:
>  
> Yes, this is something that has always bothered me about QKD.
>  
> In classical key exchange (e.g. Diffie-Hellman), if an eavesdropper Eve passively observes a key exchange (e.g. by passively tapping a fiber), then Alice and Bob neither need to know nor care that Eve is doing that. Alice and Bob can just use the key “knowing” that Eve (if she is present) cannot determine the shared key by just observing the key exchange (assuming Eve doesn’t have a quantum computer).
>  
> But in QKD, if Eve passively observes the key exchange, then Alice and Bob will detect that Eve has “observed" the key exchange and by doing so Eve has invalidated the key exchange. Hence, Alice and Bob cannot use the shared key and must start over or fall back to classical key exchange, just because Eve was there “observing" the key exchange.
>  
> Just as you say, just “passively observing” a fiber constitutes a Denial-of-Service attack.
>  
> Of course, the terminology “passively observing” is kind of meaningless in quantum mechanics, because observing = interfering. 
>  
> But still, this bothered me a lot, and made me feel that QKD is more “vulnerable” than classical key exchange to DoS attacks.
>  
> The standard defense that I always read in the QKD literature is that if Eve is in a position to passively monitor a link, then she is also in a position to initiate a DoS attack by simply cutting the fiber. So, the argument goes, QKD is no more vulnerable to a DoS attack than classical key exchange.  I am not sure if I agree with that — it does not feel quite right to me.
>  
> — Bruno
> 
> 
>> On Nov 18, 2019, at 7:00 AM, Rodney Van Meter <rdv@sfc.wide.ad.jp <mailto:rdv@sfc.wide.ad.jp>> wrote:
>>  
>> Very cool. 
>>  
>> You might check out some of the work we did five years ago that never made it to RFC.
>> https://tools.ietf.org/html/draft-nagayama-ipsecme-ipsec-with-qkd-01 <https://tools.ietf.org/html/draft-nagayama-ipsecme-ipsec-with-qkd-01>
>>  
>> One interesting, and controversial, topic is what to do when an eavesdropper *does* interfere with a QKD connection.  It’s a great, and easy, DOS attack.  So, should the rekeying stop, and the connection depending on the rekeying be killed when the key lifetime expires?  Or should there be a fallback mechanism of potentially lower security?
>>  
>> This is more of an issue for IPsec, which has rekeying and explicit lifetimes, than for SSL.
>>  
>> Rodney Van Meter
>> Professor, Faculty of Environment and Information Studies
>> Keio University, Japan
>> rdv@sfc.wide.ad.jp <mailto:rdv@sfc.wide.ad.jp>
>>  
>>  
>> 
>> 
>>> On Nov 13, 2019, at 21:47, Bruno Rijsman <brunorijsman@gmail.com <mailto:brunorijsman@gmail.com>> wrote:
>>>  
>>> For those interested, I just posted a report on how we added support for Quantum Key Distribution (QKD) to OpenSSL during the RIPE Pan-European Hackathon at QuTech last week. 
>>>  
>>> http://bit.ly/openssl-qkd <http://bit.ly/openssl-qkd>
>>>  
>>> — Bruno
>>> _______________________________________________
>>> Qirg mailing list
>>> Qirg@irtf.org <mailto:Qirg@irtf.org>
>>> https://www.irtf.org/mailman/listinfo/qirg <https://www.irtf.org/mailman/listinfo/qirg>
>>  
> 
>  
> 
> 
> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
> 
> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
> 
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

v2.23.0 | Report a Bug | By Email