Graham Bartlett, Snr Technical Leader
Secure South West, 22nd March
A layperson's guide to the impact of quantum computers on secure communication today
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• Quantum Computer (QC)
• Quantum Resistant (QR) / Post Quantum Cryptography (PQC)
• All the hype & where we are
• Challenges of moving to a QR world
"Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," Arvind Krishna, director of IBM Research
"1-in-7 chance that quantum breakthroughs will defeat RSA-2048, a common encryption standard, by 2026," Michele Mosca, Institute for Quantum Computing in Waterloo
"RSA-2048 broken between 2030 and 2040 by a cryptographically relevant quantum computer," Dr Brian LaMacchia, Microsoft Research
When do we need post-quantum security?
• People are storing transcripts of encrypted traffic
• At some point, they may develop a Quantum Computer
[Timeline figure: "Now" → "QC Exists"; bar "Time Data Needs to be Secure"; marker "We need QR Protocols here"]
Data security timeline & Verticals
• IoT / Automotive: equipment lifetime
• Financial: regulations
• HealthCare: lifetime of patient records
• Government: sensitive data & aggregation
Commonly used crypto primitives
AES-128-CBC, DH-1024, SHA-1, RSA-1024, DH-2048, RSA-2048, SHA2-256
NGE/Suite-B (higher security levels)
AES-256-GCM, ECDH-P521, SHA-512, ECDSA-P521
Quantum Bit Strength

Algorithm      Key Length   Classical Bit Strength   Quantum Bit Strength   Quantum Algorithm
RSA/DH 1024    1024 bits    80 bits                  0 bits                 Shor
RSA/DH 2048    2048 bits    112 bits                 0 bits                 Shor
ECC/ECDH 256   256 bits     128 bits                 0 bits                 Shor
ECC/ECDH 521   521 bits     256 bits                 0 bits                 Shor
AES 128        128 bits     128 bits                 64 bits                Grover
AES 256        256 bits     256 bits                 128 bits               Grover
Worked IKEv2 exchange (g=2, prime=13)

Initiator (R1.cisco.com)                                 Responder (GW.cisco.com)
private key y = 9                                        private key x = 11
g^y mod p = 2^9 mod 13 = 5                               g^x mod p = 2^11 mod 13 = 7
SA_INIT SA(AES-128, SHA-256, DH19) KEi (5) Ni  -->
                                  <--  SA_INIT SA(AES-128, SHA-256, DH19) KEr (7) Nr
7^9 mod p = 8                                            5^11 mod p = 8
IKE_AUTH {IDi=R1.cisco.com Cert Auth TSi TSr}  -->
                                  <--  IKE_AUTH {IDr=GW.cisco.com Cert Auth TSi TSr}
IPsec KEYMAT = prf+(SK_d …)
Quantum attacker (Shor): secret keys 11, 9 extracted from the public values 7 and 5
NIST PQ Public Key Algorithm "competition" / call for submissions
Feb 24-26, 2016
• NIST presentation at PQCrypto 2016: Announcement and outline of NIST's Call for Submissions (Fall 2016), Dustin Moody
Professor of Physics, University of Waterloo, Institute for Quantum Computing (IQC)
NIST PQ Public Key Algorithm "competition"
• Security Analysis & Cost (mem/CPU)
• Algorithm Implementation Characteristics (Ease of use/implementation)
Timeline:
• Dec 2016: Request crypto algorithms
• Dec 2017: Round 1 algorithms (69)
• Jan 2019: Round 2 algorithms (26)
• 2020/2021: Round 3 begins or select algorithms
• 2022/2024: Draft Standards Available
What do we need to deploy post-quantum security?
[Timeline figure: "Now" (2019) → "QC Exists" (2030); bar "Time Data Needs to be Secure"; "NIST Algorithms" at 2022/2024]
Steps along the way:
• Vendor interop
• Audit current crypto
• PQC Open Standard Exchanges
• New HW/SW
• Deploy QCR solution
IKE / IPsec history
• Industry / Academia / NIST
Timeline:
• 1998: IPsec roadmap (ISAKMP, OAKLEY, SKEME, IPsec, ...)
• 2004: NAT, DPD, ESN
• 2005: IKEv2 v1
• 2010: IKEv2 v2
• 2011: Cisco, Microsoft
• 2014: IKEv2 v3
• 2015: Apple client
• 2019: AWS S2S
Moving to using QR algorithms can't be *that* hard?
Hybrid exchange: DH plus two QR key exchanges (QRKE1, QRKE2) carried in SA_INIT

Initiator (R1.cisco.com)                                 Responder (GW.cisco.com)
SA_INIT SA KEi (DH) (QRKE1) (QRKE2) Ni  -->
                                  <--  SA_INIT SA KEr (DH) (QRKE1) (QRKE2) Nr
7^9 mod p = 8                                            5^11 mod p = 8
SS = QRSS1 | QRSS2 | 8                                   SS = QRSS1 | QRSS2 | 8
IKE_AUTH {IDi=R1.cisco.com Cert Auth TSi TSr}  -->
                                  <--  IKE_AUTH {IDr=GW.cisco.com Cert Auth TSi TSr}
IPsec KEYMAT = prf+(SK_d …)
Quantum attacker: X (recovering the DH exponents yields the 8, but no longer the whole SS)
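Added example (not from the slides): the toy DH exchange with g=2, p=13 from the earlier slide, the private-exponent extraction a quantum attacker would perform (here a brute-force search stands in for Shor's algorithm on the toy group), and the hybrid SS = QRSS1 | QRSS2 | DH_SS. The QR shared secrets are constructed placeholders, prf+ is simplified to HMAC-SHA256 iteration, and the nonce string is made up.

```python
import hashlib
import hmac
import os

G, P = 2, 13  # toy group from the slide; real IKEv2 group 19 is a 256-bit ECP group

def dh_public(private):
    return pow(G, private, P)

def dh_shared(peer_public, private):
    return pow(peer_public, private, P)

def discrete_log(public):
    """Recover the private exponent from a public value. On p=13 brute force
    suffices; on real-size groups only Shor's algorithm on a QC makes this feasible."""
    for x in range(1, P):
        if pow(G, x, P) == public:
            return x
    raise ValueError("no exponent found")

def prf_plus(key, info, length=32):
    """Simplified prf+ (RFC 7296 section 2.13) with HMAC-SHA256 as the prf."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + info + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]

def keymat(dh_ss, qr_secrets, nonces):
    """SS = QRSS1 | QRSS2 | DH_SS; plain DH is the case qr_secrets == []."""
    ss = b"".join(qr_secrets) + bytes([dh_ss])
    return prf_plus(ss, nonces)

def demo():
    x_resp, y_init = 11, 9                                # private keys on the slide
    ke_r, ke_i = dh_public(x_resp), dh_public(y_init)     # KEr = 7, KEi = 5
    ss = (dh_shared(ke_r, y_init), dh_shared(ke_i, x_resp))   # 7^9 and 5^11 mod 13
    stolen = (discrete_log(ke_r), discrete_log(ke_i))     # QC attacker: 11, 9 extracted
    nonces = b"Ni|Nr"                                     # constructed nonce material
    qr = [os.urandom(16), os.urandom(16)]                 # QRSS1, QRSS2 placeholders
    attacker_dh = dh_shared(ke_i, stolen[0])              # attacker rebuilds the DH secret
    # Plain DH: the rebuilt DH secret reproduces KEYMAT. Hybrid: without the QR
    # secrets the attacker's best attempt (zero-filled QRSS) does not.
    plain_dh_broken = keymat(attacker_dh, [], nonces) == keymat(ss[0], [], nonces)
    hybrid_broken = keymat(attacker_dh, [b"\0" * 16] * 2, nonces) == keymat(ss[0], qr, nonces)
    return {"ke": (ke_i, ke_r), "ss": ss, "stolen": stolen,
            "plain_dh_broken": plain_dh_broken, "hybrid_broken": hybrid_broken}
```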
Backwards Compatibility
SA_INIT SA KEi (DH) (QRKE1) (QRKE2) Ni  -->  a peer that does not understand the QRKE payloads

Network Fragmentation
The QR public keys make SA_INIT too large for one packet, and it is split across IP fragments:
SA_INIT SA KEi (DH) (Q | RKE1) (QR | KE2) Ni
      [first packet]    [Frag1]    [Frag2]
(IKEv2 fragmentation, RFC 7383, only covers the encrypted exchanges, so it cannot protect SA_INIT)
Negotiating QR key exchanges with SUPPORT_QSKE and IKE_INTERMEDIATE

Initiator (R1.cisco.com)                                         Responder (GW.cisco.com)
SA_INIT SA KEi (DH) (SUPPORT_QSKE (Frodo, SIDH, New Hope)) Ni  -->
                                   <--  SA_INIT SA KEr (DH) (SUPPORT_QSKE (Frodo, New Hope)) Nr
7^9 mod p = 8                                                    5^11 mod p = 8
IKE_INTER {QSKE1 (Frodo)}  -->
                                   <--  IKE_INTER {QSKE1 (Frodo)}
IKE_INTER {QSKE2 (New Hope)}  -->
                                   <--  IKE_INTER {QSKE2 (New Hope)}
SS = Frodo | New Hope | 8                                        SS = Frodo | New Hope | 8
IKE_AUTH {IDi=R1.cisco.com Cert Auth TSi TSr}  -->
                                   <--  IKE_AUTH {IDr=GW.cisco.com Cert Auth TSi TSr}
IPsec KEYMAT = prf+(SK_d …)
Quantum attacker: X
(SA_INIT now carries only the small DH value plus a notify listing the supported QR methods; each agreed method runs in its own IKE_INTERMEDIATE exchange, which is encrypted and can use IKEv2 fragmentation. This is the approach later standardised as RFC 9242 and RFC 9370.)
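Added example (not from the slides, and not an implementation of any IETF draft): a model of the negotiation above. The initiator advertises SUPPORT_QSKE, the responder answers with the subset it supports, each agreed method runs in its own IKE_INTERMEDIATE round, and a legacy responder that ignores the notify falls back to plain DH. The per-method shared secrets are constructed hashes standing in for real KEM output, and `negotiate`, `sa_init` and `ike_intermediate` are names chosen here.

```python
import hashlib

def sa_init(initiator_qske, responder_qske):
    """Ordered list of QR methods both sides support, in the initiator's preference order.
    responder_qske=None models a legacy peer that does not understand SUPPORT_QSKE."""
    if responder_qske is None:
        return []
    return [m for m in initiator_qske if m in responder_qske]

def ike_intermediate(method, ni, nr):
    """One IKE_INTERMEDIATE round; a constructed hash stands in for the KEM shared secret."""
    return hashlib.sha256(f"{method}|{ni}|{nr}".encode()).digest()[:8]

def build_ss(dh_ss, agreed, ni, nr):
    """SS = QRSS1 | QRSS2 | ... | DH_SS, concatenated in the order the rounds ran."""
    parts = [ike_intermediate(m, ni, nr) for m in agreed]
    return b"".join(parts) + dh_ss.to_bytes(1, "big")

def negotiate(initiator_qske, responder_qske, dh_ss=8, ni="Ni", nr="Nr"):
    """Return (agreed methods, SS, message transcript) for one IKEv2 SA setup."""
    agreed = sa_init(initiator_qske, responder_qske)
    transcript = ["SA_INIT SA KEi (DH) (SUPPORT_QSKE (%s)) Ni" % ", ".join(initiator_qske)]
    if responder_qske is None:
        transcript.append("SA_INIT SA KEr (DH) Nr")   # notify not echoed: DH only
    else:
        transcript.append("SA_INIT SA KEr (DH) (SUPPORT_QSKE (%s)) Nr" % ", ".join(agreed))
    for n, m in enumerate(agreed, 1):               # one encrypted round per method
        transcript.append(f"IKE_INTER {{QSKE{n} ({m})}}")
        transcript.append(f"IKE_INTER {{QSKE{n} ({m})}}")
    transcript.append("IKE_AUTH {IDi=R1.cisco.com Cert Auth TSi TSr}")
    transcript.append("IKE_AUTH {IDr=GW.cisco.com Cert Auth TSi TSr}")
    return agreed, build_ss(dh_ss, agreed, ni, nr), transcript
```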
Summary
• Networks are being compromised today & data exfiltrated
• A QC could be built in the future
• Commodity QC will be a game changer
• The NIST call for submissions needs to complete before we implement PQC algorithms
• Moving to a QCR solution depends on vendors
• It's not going to be a quick or easy process…