Quantum-Resistant MACsec and IPsec for Virtual Private Networks

  • Conference paper
Security Standardisation Research (SSR 2023)

Abstract

Despite considerable progress in theoretical post-quantum cryptography we have yet to see significant advances in its practical adoption. The necessary protocol modifications need to be identified, implemented and tested; good solutions need to be standardized and finally adopted in the real world.

This work executes the first steps needed to standardize quantum-proof Virtual Private Networks (VPNs) on Layers 2 and 3 of the OSI model employing the MACsec/MKA and IPsec/IKEv2 protocols, respectively. We identify requirements and assemble a list of ideal features, discuss difficulties and possible solutions, point out our standardization efforts, and provide the results of some sample implementations for both layers.

Notes

  1. We use quantum“-proof”/“-safe”/“-resistant” (and, where this is not ungrammatical, “post-quantum”) interchangeably.

  2. https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

  3. https://blog.cloudflare.com/the-tls-post-quantum-experiment/

  4. https://aws.amazon.com/blogs/security/post-quantum-tls-now-supported-in-aws-kms/

  5. https://tinyssh.org/

  6. https://www.openssh.com/

  7. https://csrc.nist.gov/News/2016/Public-Key-Post-Quantum-Cryptographic-Algorithms

  8. https://www.openbsd.org/openiked/

Acknowledgements

This research was co-funded by the Federal Ministry of Education and Research of Germany under the QuaSiModO project (Grant agreement No 16KIS1051). We thank Robin Lösch for his support and the anonymous reviewers for their valuable comments.

Corresponding authors

Correspondence to Stefan-Lukas Gazdag, Sophia Grundner-Culemann, Felix Schärtl or Daniel Loebenberger.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Gazdag, SL. et al. (2023). Quantum-Resistant MACsec and IPsec for Virtual Private Networks. In: Günther, F., Hesse, J. (eds) Security Standardisation Research. SSR 2023. Lecture Notes in Computer Science, vol 13895. Springer, Cham. https://doi.org/10.1007/978-3-031-30731-7_1

  • DOI: https://doi.org/10.1007/978-3-031-30731-7_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30730-0

  • Online ISBN: 978-3-031-30731-7

  • eBook Packages: Computer Science (R0)
