The cryptographic community has been watching the development of quantum computing for many years. The looming spectre of computational power able to break our current asymmetric algorithms, such as RSA and ECC, is of great concern. In this article we identify solutions for effective user authentication and message security in light of the risks posed by quantum computing.
The search for replacement asymmetric algorithms has begun. We have been exposed to new algorithms such as lattice, multivariate, hash-based and supersingular elliptic curve whose stated goal is that of quantum resistance. The only certainty is that it will take many years for this effort to fully mature.
Any current solution that makes use of RSA or ECC may be attackable in the future simply by recording messages now for a delayed attack once quantum computing comes of age. Forward-secret solutions prevent the decryption or modification of earlier messages when long-term static asymmetric private keys are compromised. Ephemeral Elliptic Curve Diffie-Hellman (ECDH) combined with static asymmetric signature schemes offers some comfort, as the attacker has to re-attack each session, which significantly drives up the cost of the attack, but it does not offer a truly quantum-resistant solution.
To properly protect data in transit, we need both message secrecy and message authenticity. It is helpful to note that there are several existing and popular symmetric algorithms that are believed to be quantum resistant. For message encryption AES is acceptable if we use 256-bit keys. For message authentication we can make use of Hash-based Message Authentication Code (HMAC) based on either SHA2 or SHA3 as long as we make use of either the 384 or 512-bit versions (NSA suggests use of SHA2-384).
Assuming we can establish session keys, there are three schools of thought to draw from:
- Encrypt-then-authenticate. We can use AES in the more secure counter or cipher block chaining modes (CTR or CBC), followed by HMAC or AES-CMAC (Cipher-based Message Authentication Code) for authentication.
- Authenticate-then-encrypt. Typically, this is HMAC followed by AES encryption in CBC mode as currently used by TLS 1.2. Other variations use AES in CTR or CTS (Ciphertext Stealing) modes.
- AEAD. Both AES-GCM and AES-CCM are suitable single-key solutions.
Well and good, but the real question that we need to answer is that of session key establishment. In essence: Are we able to identify solutions that make exclusive use of symmetric cryptography in order to avoid vulnerability to quantum computing?
Experience has taught us that cryptography and cryptographic protocol design is hard, even when done by very clever people. Recent history has many examples of failed or broken solutions. However, there are several successful “pre-shared key” systems on which we can build symmetric solutions:
- Kerberos is a good practical implementation of the academic Needham-Schroeder protocols with the addition of time stamps to grant time sensitive access control to networks and data. (Time stamps also help solve some replay problems).
We would suggest that Kerberos is suitable for corporate entities to use for their internal networking security given the small scale of the key sharing problem.
- TLS PSK is an example of a pre-shared key scheme in which HMAC is used as a Key Derivation Function (KDF): challenge-response nonces are combined with the pre-shared HMAC key to derive diversified session keys. Such solutions seem best suited for IoT and other settings where machines are interacting with each other.
If these protocols turn out to be quantum computing resistant as expected, then even if an attacker records them the attacker will not gain any significant advantage (assuming we have used algorithms of the correct key size or output length). To attack these types of solutions the attacker must determine the symmetric key. The easiest point of attack at that point is to try and extract the key itself from the device.
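The nonce-based derivation described for TLS PSK above, and the point that a recorded transcript gives the attacker nothing without the symmetric key, as an added example that is not code from the original article or from any Irdeto product. It assumes HMAC-SHA384 in the HKDF extract/expand construction (the article names HMAC as the KDF without fixing a construction) and a constructed demo PSK.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha384  # 384-bit digest, as the article recommends for HMAC


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM); salt = both nonces here
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(psk: bytes, client_nonce: bytes, server_nonce: bytes):
    """Diversify the long-term PSK into per-session keys using both nonces.

    Returns (enc_key, mac_key): a 256-bit AES key and a 384-bit HMAC key.
    Without the PSK, a recorded transcript (nonces and tags) gives no way back
    to either key; with fresh nonces, every session gets different keys.
    """
    prk = hkdf_extract(client_nonce + server_nonce, psk)
    return hkdf_expand(prk, b"enc key", 32), hkdf_expand(prk, b"mac key", 48)


def key_confirmation(mac_key: bytes, transcript: bytes) -> bytes:
    # Proves possession of the derived MAC key over the handshake transcript.
    return hmac.new(mac_key, transcript, HASH).digest()


def run_handshake(client_psk: bytes, server_psk: bytes,
                  client_nonce: bytes, server_nonce: bytes) -> bool:
    # Each side derives keys from its own copy of the PSK; the client checks
    # the server's confirmation tag in constant time. A mismatched PSK fails.
    transcript = b"client:" + client_nonce + b"|server:" + server_nonce
    _, mac_c = derive_session_keys(client_psk, client_nonce, server_nonce)
    _, mac_s = derive_session_keys(server_psk, client_nonce, server_nonce)
    tag = key_confirmation(mac_s, transcript)  # sent server -> client
    return hmac.compare_digest(tag, key_confirmation(mac_c, transcript))


if __name__ == "__main__":
    PSK = bytes(range(32))  # constructed demo key; a real PSK is provisioned
    print(run_handshake(PSK, PSK, os.urandom(32), os.urandom(32)))
```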
White-Box Cryptography is well positioned to secure the pre-shared symmetric key from attack on the device.
The pre-shared symmetric key is relatively small and is used only to derive session keys, so the white-box implementation that protects it can afford to be computationally heavy. This gives the designers of such algorithms considerable freedom to implement rigorous defences against modern and very powerful attacks such as Differential Computational Analysis (DCA) and Differential Fault Analysis (DFA). The same applies to the key derivation functions, as only small amounts of data are processed to diversify the pre-shared symmetric key.
The resultant session keys also need protection. Clearly a session key is worth less to an attacker, given its transient nature, so somewhat lighter-weight protection schemes can be used to allow for better performance.
The use of cryptographically sound key derivation functions, that have been well-designed and audited over many years, gives the user of this type of technology the confidence that the pre-shared symmetric key cannot be discovered even if the resultant session keys are compromised.
As long as we use control mechanisms to ensure that the derived session key(s) time out, we have a fit for purpose solution that will allow early adopters sound sleep and enjoyable vacations in the future!
One of the features built into Irdeto’s Cloakware Transcoding technology is the ability to create diverse build instances thereby increasing the time it takes for an attacker to reverse engineer our solutions. This allows users of our technology improved defenses in our turbulent world of constant upgrades and adaptation to ongoing security threats. The coupling of White-Box Cryptography, Obfuscation and build diversity by Cloakware is a powerful ally in Cybersecurity.
Note: Irdeto provides a range of software security products and services based on our Cloakware Software Protection suite of tools and technologies. All of the solutions, including Cloakware’s Secure Environment, adopt a multi-layered, self-protecting approach to software security.