IETF Logo Mail Archive

Re: [Qirg] QKD in OpenSSL

Bruno Rijsman <brunorijsman@gmail.com> Mon, 18 November 2019 07:08 UTC

Return-Path: <brunorijsman@gmail.com>
X-Original-To: qirg@ietfa.amsl.com
Delivered-To: qirg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B27941200B3 for <qirg@ietfa.amsl.com>; Sun, 17 Nov 2019 23:08:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BDovOg7JPyth for <qirg@ietfa.amsl.com>; Sun, 17 Nov 2019 23:08:46 -0800 (PST)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B5C8120088 for <qirg@irtf.org>; Sun, 17 Nov 2019 23:08:46 -0800 (PST)
Received: by mail-wr1-x42a.google.com with SMTP id l7so18044880wrp.6 for <qirg@irtf.org>; Sun, 17 Nov 2019 23:08:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=YRs9Pb0OG3sndn9x2uoVZSk91jMuBZHfh3bMdofJnos=; b=GTWSZQQf3N7HnobnaW2Lt0+s5H8DRm/iQ8+nHN83TRxD4RgMkKxFpqVAuTnUt70vpV VikGUS0l2xss+/5wQYh3VJKhq34WgULGgJ6Kf2xq2qSjLX87uIIqCLRpBr01mMrx6y47 pErrtVHR0yxcqo6Zx0QrZlbypk8fDnCDIcR9IqKWADe2L87SygRIBOpDbPXM3e5zeF3X a4RPI1XBsgwSZ40GNnXUae2L+0OAqCBMXwUj9Bq9kNoKQ4FwSGuDERMB3O6mfOaEkLa5 5jbpSAk8YWKBYozSIoGEosmtU2TTwn+59MUqCXwSX7Fqm8bbb77tcywx4gWK4UOF99ER 3fZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=YRs9Pb0OG3sndn9x2uoVZSk91jMuBZHfh3bMdofJnos=; b=AXA1XMqbXuR8MDArvvNGKAdOX61aaEcNVkC53qw+2YCAGL4SNpWC3XgSKDeEgvi5gn Wcmvza1xPTR6N+yBSuPUkIL2fIv2N1zp08ltEbkqsS8mVlXJVUgCsrAd82L5P8tk8S1j UZ2QSz3S/ViQMZs8Xi/1UjJsDjqPV97Z+q4jZyDa1kuCPzPJtYGyeOlEuu7/a7Fj4oon THbONe1Ue8mzH3iNfEmm3VuEJZ/gpHpEllcL2mknPlAwrenNQYPlHAYhF8AVWKIevORc FMBsGIjseOne8hVGVKk9fNifzsm78YNkbKmiPrfvR6csm5MhYJHyZ6yu8660cfkezutK H0cA==
X-Gm-Message-State: APjAAAVXUrl+DGip44DnuvDWGspyRmPQSXyjuOs/eIi7VxkpwaE2SrvJ KL2YaoZ/QdR8due9CA4e8nA=
X-Google-Smtp-Source: APXvYqycnvr7qdIjQUs83PC8MNYKt/2UZ+i7e5YBDtEVfKoidxsn4pDzjwUPKuy1JAnEC5L6rN1s2w==
X-Received: by 2002:a05:6000:49:: with SMTP id k9mr28423259wrx.43.1574060924754; Sun, 17 Nov 2019 23:08:44 -0800 (PST)
Received: from [192.168.1.116] (ip53-87-176-143.adsl2.static.versatel.nl. [143.176.87.53]) by smtp.gmail.com with ESMTPSA id 62sm24659655wre.38.2019.11.17.23.08.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 17 Nov 2019 23:08:44 -0800 (PST)
From: Bruno Rijsman <brunorijsman@gmail.com>
Message-Id: <A18993AF-F31A-4B4F-BEF6-E9CC474241D2@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D47671B3-5B9F-470D-B4D7-910490F3BAE6"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 18 Nov 2019 08:08:43 +0100
In-Reply-To: <9E1CC1FD-A06E-4996-A2A7-EEE618BBFB78@sfc.wide.ad.jp>
Cc: qirg@irtf.org
To: Rodney Van Meter <rdv@sfc.wide.ad.jp>
References: <331F2FAA-6B26-40E7-BE68-379943AECF8F@gmail.com> <9E1CC1FD-A06E-4996-A2A7-EEE618BBFB78@sfc.wide.ad.jp>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/qirg/Y8BRpqAolruG7o_PFm8kcuE0Q3w>
Subject: Re: [Qirg] QKD in OpenSSL
X-BeenThere: qirg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Quantum Internet \(proposed\) RG" <qirg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/qirg>, <mailto:qirg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/qirg/>
List-Post: <mailto:qirg@irtf.org>
List-Help: <mailto:qirg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/qirg>, <mailto:qirg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 07:08:49 -0000

Yes, this is something that has always bothered me about QKD.

In classical key exchange (e.g. Diffie-Hellman), if an eavesdropper Eve passively observes a key exchange (e.g. by passively tapping a fiber), then Alice and Bob neither need to know nor care that Eve is doing that. Alice and Bob can just use the key “knowing” that Eve (if she is present) cannot determine the shared key by just observing the key exchange (assuming Eve doesn’t have a quantum computer).

But in QKD, if Eve passively observes the key exchange, then Alice and Bob will detect that Eve has “observed" the key exchange and by doing so Eve has invalidated the key exchange. Hence, Alice and Bob cannot use the shared key and must start over or fall back to classical key exchange, just because Eve was there “observing" the key exchange.

Just as you say, just “passively observing” a fiber constitutes a Denial-of-Service attack.

Of course, the terminology “passively observing” is kind of meaningless in quantum mechanics, because observing = interfering. 

But still, this bothered me a lot, and made me feel that QKD is more “vulnerable” than classical key exchange to DoS attacks.

The standard defense that I always read in the QKD literature is that if Eve is in a position to passively monitor a link, then she is also in a position to initiate a DoS attack by simply cutting the fiber. So, the argument goes, QKD is no more vulnerable to a DoS attack than classical key exchange.  I am not sure if I agree with that — it does not feel quite right to me.

— Bruno

> On Nov 18, 2019, at 7:00 AM, Rodney Van Meter <rdv@sfc.wide.ad.jp> wrote:
> 
> Very cool.
> 
> You might check out some of the work we did five years ago that never made it to RFC.
> https://tools.ietf.org/html/draft-nagayama-ipsecme-ipsec-with-qkd-01 <https://tools.ietf.org/html/draft-nagayama-ipsecme-ipsec-with-qkd-01>
> 
> One interesting, and controversial, topic is what to do when an eavesdropper *does* interfere with a QKD connection.  It’s a great, and easy, DOS attack.  So, should the rekeying stop, and the connection depending on the rekeying be killed when the key lifetime expires?  Or should there be a fallback mechanism of potentially lower security?
> 
> This is more of an issue for IPsec, which has rekeying and explicit lifetimes, than for SSL.
> 
> Rodney Van Meter
> Professor, Faculty of Environment and Information Studies
> Keio University, Japan
> rdv@sfc.wide.ad.jp <mailto:rdv@sfc.wide.ad.jp>
> 
> 
> 
>> On Nov 13, 2019, at 21:47, Bruno Rijsman <brunorijsman@gmail.com <mailto:brunorijsman@gmail.com>> wrote:
>> 
>> For those interested, I just posted a report on how we added support for Quantum Key Distribution (QKD) to OpenSSL during the RIPE Pan-European Hackathon at QuTech last week. 
>> 
>> http://bit.ly/openssl-qkd <http://bit.ly/openssl-qkd>
>> 
>> — Bruno
>> _______________________________________________
>> Qirg mailing list
>> Qirg@irtf.org <mailto:Qirg@irtf.org>
>> https://www.irtf.org/mailman/listinfo/qirg
>

v2.23.0 | Report a Bug | By Email