Re: [saag] Security considerations in draft-irtf-qirg-quantum-internet-use-cases-08

"Hemmert, Tobias" <tobias.hemmert@bsi.bund.de> Tue, 15 February 2022 15:26 UTC

From: "Hemmert, Tobias" <tobias.hemmert@bsi.bund.de>
To: Chonggang Wang <Chonggang.Wang@InterDigital.com>, "qirg@irtf.org" <qirg@irtf.org>
CC: "cfrg@ietf.org" <cfrg@ietf.org>, saag <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sxGYqWC93l6Reie6vQWVguK4ako>

Dear all,

for your information, adding to the references that have already been provided, I would like to point out two more quite recent publications on QKD security.

The German BSI has recently published an extensive document on the migration to quantum-safe cryptography [1] (unfortunately only available in German at the moment, an English version is in preparation). This also includes a chapter on QKD that points out some of the limitations and discusses security properties of QKD. Sections 4.5 and 4.6 on page 54 contain a concise summary of some of the main points and some recommendations.

Furthermore, the NLNCSA has also recently published recommendations on the quantum threat that also contain a short section on QKD [2].

Maybe these are of interest to you as well.

All best
Tobias

[1] BSI, Kryptografie quantensicher gestalten, December 2021. http://www.bsi.bund.de/PQ-Migration
[2] NLNCSA, Prepare for the threat of quantum computers, January 2022. https://english.aivd.nl/publications/publications/2022/01/18/prepare-for-the-threat-of-quantumcomputers


From: Qirg <qirg-bounces@irtf.org> On Behalf Of Chonggang Wang
Sent: Saturday, 12 February 2022 13:50
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>; qirg@irtf.org
Cc: cfrg@ietf.org; saag <saag@ietf.org>
Subject: Re: [Qirg] Security considerations in draft-irtf-qirg-quantum-internet-use-cases-08

Hi John,

Thanks for your feedback. We will incorporate your suggested texts to the next version of this document.

Best regards,
Chonggang

From: Qirg <qirg-bounces@irtf.org> On Behalf Of John Mattsson
Sent: Saturday, February 12, 2022 7:36 AM
To: qirg@irtf.org
Cc: cfrg@ietf.org; saag <saag@ietf.org>
Subject: [Qirg] Security considerations in draft-irtf-qirg-quantum-internet-use-cases-08


Hi,

I think this document is progressing nicely, but the security considerations are severely lacking. I don't think the document can be published without additions to the security considerations. The document mostly focuses on the fact that QKD is information-theoretically secure but misses a lot of practical security weaknesses. Only relying on QKD would catastrophically decrease the security of modern networks and augmenting modern networks with QKD does not make a significant difference.

I think the security consideration has to mention zero-trust as well as referring to the very good overviews given in [3][4][5].

Suggested text:

"
Modern networks are implemented with zero trust principles where classical cryptography is used for confidentiality, integrity protection, and authentication on many of the logical layers of the network stack, often all the way from device to software in the cloud [1]. The cryptographic solutions in use today are based on well-understood primitives, provably secure protocols and state-of-the-art implementations that are secure against a variety of side-channel attacks.

In contrast to conventional cryptography and PQC, the security of QKD is inherently tied to the physical layer, which makes the threat surfaces of QKD and conventional cryptography quite different. QKD implementations have already been subjected to publicized attacks [2] and the NSA notes that the risk profile of conventional cryptography is better understood [3]. The fact that conventional cryptography and PQC are implemented at a higher layer than the physical one means PQC can be used to securely send protected information through untrusted relays. This is in stark contrast with QKD, which relies on hop-by-hop security between intermediate trusted nodes. The PQC approach is better aligned with the modern technology environment, in which more applications are moving toward end-to-end security and zero-trust principles. It is also important to note that while PQC can be deployed as a software update, QKD requires new hardware.

Regarding QKD implementation details, the NSA states that communication needs and security requirements physically conflict in QKD and that the engineering required to balance them has extremely low tolerance for error. While conventional cryptography can be implemented in hardware in some cases for performance or other reasons, QKD is inherently tied to hardware. The NSA points out that this makes QKD less flexible with regard to upgrades or security patches. As QKD is fundamentally a point-to-point protocol, the NSA also notes that QKD networks often require the use of trusted relays, which increases the security risk from insider threats.

The UK's National Cyber Security Centre cautions against reliance on QKD, especially in critical national infrastructure sectors, and suggests that PQC as standardized by the NIST is a better solution [4]. Meanwhile, the National Cybersecurity Agency of France has decided that QKD could be considered as a defense-in-depth measure complementing conventional cryptography, as long as the cost incurred does not adversely affect the mitigation of current threats to IT systems [5].
"

[1] NIST, Zero Trust Architecture, August 2020
[2] Physical Review A 78, Experimental demonstration of time-shift attack against practical quantum key distribution systems, October 28, 2008, Zhao, Y.; Fung, C.; Qi, B.; Chen, C.; Lo, H.
[3] NSA, Post-Quantum Cybersecurity Resources
[4] National Cyber Security Centre, Quantum security technologies, March, 2020
[5] ANSSI, Should quantum key distribution be used for secure communications?, May 2020
