Documente Academic
Documente Profesional
Documente Cultură
Sufyan T. Faraj
M IEEE, Associate Prof., College of Computers, University of Anbar, Iraq
Email: sufyantaih@yahoo.com
ABSTRACT
It is well believed now that there are many advantages of integrating quantum
cryptography (QC) with the already-existing Internet security infrastructure.
SSL/TLS is the protocol that is used for the vast majority of secure transactions over
the Internet. However, this protocol needs to be extended in order to create a
promising platform for the integration of QC into the Internet infrastructure. In order
to facilitate such type of integration, this paper presents a novel extension of
SSL/TLS, which called QSSL (Quantum SSL). During the development of QSSL, a
concentration has been made on the creation of a simple, efficient, general, and
flexible architecture that enables the deployment of practical quantum cryptographic-
based security applications. Indeed, QSSL efficiently supports unconditionally
secure encryption (one-time pad) and/or unconditionally secure authentication (based
on universal hashing). A simplified version of QSSL based on BB84 (Bennett-
Brassard 84) quantum key distribution (QKD) protocol has been implemented and
experimentally tested. This has enabled us to experimentally assess our protocol
design based on software simulation of the quantum channel events used for QKD.
future requirements, if it can reach a stage of a In [9], a performance analysis for a proposal
sufficient maturity. Hence, in order to facilitate the that integrates QKD into IPSec was presented.
evolution of QC towards a practical "quantum Also, a scheme integrating QC in 802.11i security
information security era" in which QC becomes mechanisms for the distribution of encryption keys
more closely integrated with conventional was outlined in [10]. Some issues of authentication
information security systems and communication and routing in simple QKD networks were
networks infrastructures, a more collaborated addressed in [11], [12].
scientific research among specialists from several Despite that the use of SSL/TLS as the
fields is required. In particular, this research consumer of random secret bits obtained from QKD
activity has to bring together theoretical and has been already suggested in [4] and [13], the
experimental physicists, computer scientists and author is not aware of any specific proposal or
electrical engineers, and communications and design explicitly dealing with the extension of
information security specialists. SSL/TLS for QKD integration. To the best of
Throughout this paper, a focus is maintained on author knowledge, this work represents the first
the subfield of QKD. QKD basically enables two explicitly proposed design and implementation of
parties (traditionally referred to as Alice and Bob) SSL/TLS extensions for use in various QKD
to produce the shared secret keys required for networks.
secure communications, through a combination of
quantum and conventional communication steps. 2 QKD NETWORKS
Today QKD systems can be operated over metro-
area distances on optical fibers, and across multi- In securing a PTP link, QKD can be used to
kilometer line-of-sight "free-space" paths. Thus, in achieve unconditional security over that link. In this
addition to stand-alone point-to-point (PTP) case, keys established by QKD are used for one-
systems, QKD can be integrated within optical time pad (OTP) encryption and for information-
communication networks at the physical layer, and theoretically secure authentication (based on
with key-management infrastructures. However, universal hashing). This unconditional security over
there are several issues to be explored by research the PTP link can be proven because of the fact that
in this direction. Among these issues are [2]: the security of QKD can be expressed in the
1- Investigation of network support concerns framework of universal composability [7], [14].
beyond PTP connectivity. This definitely is one of the most important
2- Integration of QKD with conventional applications of QKD.
cryptographic and secure communications Alternatively, it is possible to compose
infrastructures. keys obtained from QKD with a classical
3- Exploration of system-level security computationally secure encryption scheme (such as
attributes of QKD. AES). In this case, it would be possible to encrypt
large rates of classical data over the PTP link.
The work presented in this paper addresses all However, the final security of the data exchanged
of the above issues. It proposes a novel extension of over such a link cannot be stronger than the security
SSL/TLS (Secure Socket Layer/Transport Layer of the encryption scheme. Nevertheless, it is still
Security) that we call QSSL (Quantum SSL). QSSL possible to show that QKD has important
allows the integration of QKD capabilities within advantages over other key distribution techniques in
the Internet (or intranet) security architecture. This terms of key security and key renewal rate [2], [7].
significantly facilitates applications in the In spite of these advantages obtained from
environments of "QKD networks". applying QKD over PTP links, such an application
Some aspects of QKD networks have been also has important weaknesses. These include
recently addressed in the literature. The "world's vulnerability to denial of service attacks,
first" QKD network that is composed of trusted vulnerability to traffic analysis, distance- and
relays and/or untrusted photonic switches had been location-dependence, and the insufficient key
continuously running since June 2004 under the delivery in certain situations [3]. The recent work in
sponsorship of the US DARPA [3], [4], [5], [6]. building practical QKD networks is aiming to
This network uses a modification of IPSec to strengthen the performance of QKD in these
integrate it with QKD. weaker areas. Also, its goal is to overcome all
In Europe, the SECOQC project has recently limitations inherited by PTP links and to obtain the
demonstrated information-theoretically secure full advantages of networking environments.
QKD over a fiber-based MAN in 2008. In this It is possible to define a QKD network as
project, a dedicated key distribution network an infrastructure composed of quantum links
infrastructure has been adopted. It is the so-called connecting multiple distant nodes that have the
"network of secrets" [7], [8]. capability of performing QKD. Regarding the
hardware of QKD networks, it is convenient to
characterize different QKD network models by the network software on the pre-existing conventional
functionality that is implemented within the nodes. network security infrastructure. We shall name
Thus, beyond stand-alone QKD PTP links, it is these two strategies as: tightly-coupled protocol
possible from this perspective to differentiate three stack strategy and loosely-coupled protocol stack
main categories of QKD networks [3], [7]: strategy. They are explained as follows:
a) Optically switched QKD networks: In this A. Tightly-coupled protocol stack strategy: In this
category, some classical optical functions like beam strategy, secret random bits obtained from QKD
splitting, switching, multiplexing, etc., can be (which is mainly a physical layer technology) are
applied at the network nodes on the quantum merged directly somehow into a conventional
signals sent over quantum channels. These optical higher-layer security protocol suite. Thus, the
functions can be used to achieve multi-user QKD. consumer security protocol has to be modified to
One-to-many connectivity between QKD devices enable the integration of QKD within it. The work
has already been demonstrated at gigahertz clock- of DARPA QKD network is a good representative
rate over passive optical access networks [15]. of such an approach where IPSec is used as the
Active optical switching can also be used to enable consumer protocol. Indeed, the work presented in
selective connection of any QKD nodes, as in this paper can also be considered under this
DARPA network [6]. One important advantage of category with SSL/TLS being used as the consumer
this category is that the corresponding nodes (which higher-layer protocol. The advantage of this
perform classical optical functions) need not to be strategy is that it greatly facilitates direct
trusted. However, due to the extra mount of optical implementation of QKD on private intranets (with
losses introduced, this network model cannot be an open possibility of a practical Internet
used to increase the distance of QKD. implementation at some later mid-term stage). This
is mainly because that we make use of already
b) Trusted relays QKD networks: In this category, existing capabilities of networking and security
local keys are generated over QKD links and then protocols with some modifications.
stored in nodes that are placed on both ends of each
link. Global key distribution is performed over a B. Loosely-coupled protocol stack strategy: The
QKD path, i.e. a one-dimensional chain of trusted focus here is to develop original multi-layer
relays connected by QKD links, establishing a protocol infrastructures that are dedicated to QKD
connection between two end nodes. Hence, secret networks. In such a case, the QKD network
keys are forwarded in a hop-by-hop fashion along infrastructure can be viewed as a "new
the QKD path. This concept of classical trusted cryptographic primitive" that is completely
relays can be used to significantly increase the independent of the way by which random secret bits
distance of QKD, provided that the intermediate obtained from QKD would be used. This is the
nodes can be trusted. Thus, this network model has approach adopted by the SECOQC project. Of
been exploited by the DARPA QKD network and course, this approach may get the more of network
also adopted by the SECOQC network. environments by developing original routing and
network management techniques. Hence, this
c) "Full" quantum networks: These are networks strategy can be considered as a rather longer-term
that aim to extend the distance of QKD by using version of QKD networks.
"quantum repeaters", which can be used to an
effective perfect quantum channel by overcoming 3 SSL/TLS OVERVIEW
propagation losses. In this scheme, it is not
necessary to trust the intermediate network nodes. SSL was originally developed by Netscape.
However, quantum repeaters cannot be realized SSLv3 was designed with public review and input
with current technologies. In addition, it was shown from industry [17]. Then, the TLS working group
in [16] that another form of quantum nodes called was formed within IETF (Internet Engineering Task
"quantum relays" can be used to extend the distance Force) and published TLSv1.0 [18] that is very
of QKD. Quantum relays are simpler to implement close to SSLv3 and can be viewed as SSLv3.1.
than quantum repeaters; however, they remain Later, TLSv1.1 [19], which is a minor modification
technologically difficult to build. of TLSv1.0, had been proposed.
The "socket layer" lives between the application
As far as the QKD network software is layer and the transport layer in the TCP/IP protocol
concerned, we can notice that there are two main stack. SSL/TLS (or just simply SSL) contains two
strategies that are globally considered in building layers of protocols. The SSL Record Protocol
practical QKD networks. It is possible to provides basic security services to various higher-
differentiate between them on the basis of the layer protocols and defines the format used to
degree of dependence of the developed QKD transmit data. Also, SSL defines three higher-layer
protocols that use the SSL Record Protocol. These method, and the cipher suite. They also exchange
three protocols are used in the management of SSL random structures to serve as nonces. A cipher suite
exchanges. The first is the Change Cipher Spec defines a key exchange algorithm and a
Protocol, which updates the cipher suite (list of a CipherSpec, which includes encryption algorithm,
combination of cryptographic algorithms) to be MAC algorithm, and some other related
used on SSL connection. The second is the Alert information. The exchange methods supported by
Protocol that is used to convey SSL-related alerts to SSL/TLS are: RSA, fixed DH (Diffie-Hellman),
the peer entity. The third is the Handshake Protocol, ephemeral (temporary) DH, and anonymous DH.
which is the most complex part of SSL and it is
briefly described later in this section. Phase 2- Server authentication and key exchange:
An SSL connection is a transport (in the OSI In the beginning of this phase, the server sends
layering model definition) that provides a peer-to- its certificate (if it needs to be authenticated). This
peer type of service. SSL connections are transient certificate message is required for any agreed-on
and each connection is associated with one SSL key exchange except anonymous DH. Next, a
session. An SSL session is an association that is server-key-exchange message can be sent (if
created by the Handshake Protocol. The session required). This message is not needed if an RSA
defines a set of cryptographic security parameters key exchange is used or if the server has sent a
that can be shared among multiple connections. certificate with fixed DH parameters. Then, a
Thus, it is possible to avoid the expensive nonanonymous server can request a certificate from
negotiation of new security parameters. Once a the client by sending the certificate-request
session is established, there is a "current" operating message. Finally, this phase ends with a server-
state for both read and write (i.e. receive and send). done message.
"Pending" read and write states are created during
the handshaking. Then, upon a successfully Phase 3- Client authentication and key exchange:
completed handshaking, pending states become the The client begins this phase by sending a
current states. certificate message (if the server has requested it).
The SSL Record Protocol provides the services Next, it sends the client-key-exchange message
of confidentiality and data integrity for SSL whose purpose is to enable the client and the server
connections. On transmission, the SSL Record to create a pre-master-secret. The content of this
Protocol takes an application message, fragments it message depends on the key exchange method. The
into manageable blocks, optionally compresses the exchanged pre-master-secret is to be used later by
data, applies a MAC (message authentication code), both parties to calculate the shared master-secret,
encrypts, adds a header, and finally transmits the which is a 384-bit value that is generated for each
resulting unit in TCP segments. On reception, session. Then, CipherSpec parameters are generated
received data are decrypted, verified, from the master-secret using a certain hashing
decompressed, reassembled, and then delivered to technique. These parameters are a client write MAC
higher-level users. secret, a server write MAC secret, a client write
Four content types are defined by the Record key, a server write key, a client write IV
Protocol. These are the three SSL-specific protocols (initialization vector), and a server write IV.
(change-cipher-spec, alert, and handshake) and Finally, the client may send a certificate-verify
application-data, which corresponds to any message to provide explicit verification of its
application that might use SSL. certificate.
The Handshake Protocol allows the two
communicating parties (client and server) to Phase 4- Finish:
authenticate each other. It also enables them to The client sends a change-cipher-spec message
negotiate an encryption algorithm, a MAC, and and copies the pending (CipherSpec) states into the
cryptographic keys required to protect data sent in current states (Note that this message is sent using
SSL. The Handshake Protocol consists of a series the Change Cipher Spec Protocol). Then, it sends
of messages exchanged by client and server, as the finished message under the new algorithms,
shown in Fig. 1. This exchange can be viewed as keys, and secrets. Finally, the server sends its
having four phases [17]: change-cipher-spec, transfers the pending to the
current CipherSpec, and sends its finished message.
Phase 1- Establish security capabilities:
This phase is used to initiate a logical
connection and to establish the associated security
capabilities. It starts by a client-hello message and
ends with a server- hello message. During this
phase, the client and server negotiate the SSL
version to be used, session ID, compression
secure authentication codes for protecting Cryptography Protocol is shown in Fig. 2. Each
public channel discussions of QKD. message of the Quantum Cryptography Protocol
6- Network initialization: To achieve has the following fields:
unconditional security (which is the main
reason for the deployment of QKD networks),
QKD networks need initially pre-distributed
secret keys. These keys are required to perform
the first rounds of unconditionally-secure
authentication for the QKD public channel.
However, there is another possibility of using
public-key cryptography for the initialization
of the network by authenticating only the first
rounds of QKD. Then, unconditionally-secure
authentication can be used for subsequent
QKD sessions. Despite the fact that such kind
of hybrid authentication and network
initialization technique does not offer Figure 2: Message Format of the QSSL
unconditional security in a strict sense, they Quantum Cryptography Protocol.
still present a security advantage over any other
conventional key distribution technique, as
argued in [7]. Thus, both of these QKD • Type (2 bytes): Indicates one of the messages
network initialization modes are supported by used in the public exchange phase of the QC
QSSL. protocol. Some of the messages defined for
7- Applicability: In a contrast with classical open QKD are listed in Table 1.
networks (such as the Internet), QKD networks • Protocol (1 byte): The QC protocol used (e.g.
can be considered as "closed" networks, the BB84 QKD protocol due to Bennett and
especially at this early development stage. This Brassard [23]).
is mainly due to the physical limitations they • Version (1 byte): Enables the use of more than
have. Thus, QSSL is more suitable (at least for one version of a certain QC protocol. Thus,
the time being) for application in private components of different characteristics can be
intranets rather than the public Internet. used to implement any phase of that protocol.
However, as such private networks are already For example, different techniques for sifting,
used by many organizations; the deployment of reconciliation, estimating eavesdropper's (Eve)
QSSL would bring a considerable security information, and/or privacy amplification may
advantage for these intranets. be used for implementing the BB84 protocol.
• Length (4bytes): The length of the message in
Various aspects of QSSL are described in the bytes.
following subsections. Note that for a reason of • Job no. (2 bytes): Enables the operation of
clarity, QSSL handshake is described as two multiple QC protocol jobs (or instances), all
modes. Mode-1 is based on the traditional public- belonging to a one QSSL session.
key initialization of SSL/TLS. Mode-2 is based on • Authentication (1 byte): Indicates whether this
PSK cipher suites. Otherwise, it is straight forward message is authenticated. It may also contain
to only describe a single QSSL handshake mode by some additional information about this
just labeling some messages as situation dependent authentication (if any).
and specifying the use of suitable cipher suites. The • Encoding (1 byte): Indicates if a certain
protocol version to be initially used for QSSL is 3.5 encoding technique is used for the content field
(remember that SSLv3 uses 3.0, TLSv1.0 uses 3.1, of the message. It may also contain some
and TLSv1.1 uses 3.2). additional information about this encoding (if
any). For example, a form of run-length
4.1 Introducing a new SSL/TLS content type encoding is used for the (sparse) messages of
A fifth content type is introduced for the SSL the QKD sifting phase.
Record Protocol. This new type is to be called • Content ( ≥ 0 bytes): The parameters and data
quantum-cryptography and it is related to any QC associated with this message. Table 1 contains
protocol to be integrated within SSL/TLS. By some representative contents of QKD
defining this content type, the QC protocol (e.g. messages.
QKD) is to be considered as an additional higher- • Tag: If the message is authenticated, this field
layer SSL/TLS protocol just like the Handshake, would contain the corresponding authentication
the Change Cipher Spec, and the Alert protocols. tag. Its size depends on the used authentication
The message format of the QSSL Quantum code.