Abstract
Despite considerable progress in theoretical post-quantum cryptography we have yet to see significant advances in its practical adoption. The necessary protocol modifications need to be identified, implemented and tested; good solutions need to be standardized and finally adopted in the real world.
This work executes the first steps needed to standardize quantum-proof Virtual Private Networks (VPNs) on Layers 2 and 3 of the OSI model employing the MACsec/MKA and IPsec/IKEv2 protocols, respectively. We identify requirements and assemble a list of ideal features, discuss difficulties and possible solutions, point out our standardization efforts, and provide the results of some sample implementations for both layers.
Notes
- 1. We use quantum“-proof”/“-safe”/“-resistant” (and, where this is not ungrammatical, “post-quantum”) interchangeably.
Acknowledgements
This research was co-funded by the Federal Ministry of Education and Research of Germany under the QuaSiModO project (Grant agreement No 16KIS1051). We thank Robin Lösch for his support and the anonymous reviewers for their valuable comments.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Gazdag, SL. et al. (2023). Quantum-Resistant MACsec and IPsec for Virtual Private Networks. In: Günther, F., Hesse, J. (eds) Security Standardisation Research. SSR 2023. Lecture Notes in Computer Science, vol 13895. Springer, Cham. https://doi.org/10.1007/978-3-031-30731-7_1
DOI: https://doi.org/10.1007/978-3-031-30731-7_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30730-0
Online ISBN: 978-3-031-30731-7
eBook Packages: Computer Science (R0)