Paper-Conference

A Lot of Data and Added Complexity. How Does PQC Affect the Performance of My TLS Connection?

Abstract

In a previous study, Henrich et al. (ISC '23) demonstrate how TLS handshake performance is affected not only by different Post-Quantum Cryptography (PQC) Key Encapsulation Mechanisms (KEMs) and security levels, but also by varying physical network conditions. In particular, they show that before selecting a PQC replacement scheme for TLS, the anticipated network conditions should be analyzed for applications that require a high level of responsiveness. In this paper, we build upon the aforementioned work and extend the previous experiments to digital signature PQC schemes and hybrid variants, as well as various compositions of certificate chains. Moreover, we analyze the effects of deploying real physical servers and of varying the underlying network stack configuration. Our results show that incorporating PQC signature schemes does not increase the overall transmission time as substantially as poor network conditions do. However, operating at high security levels frequently results in delays when using PQC schemes. These findings hold for hybrid schemes as well. We conclude that migrating TLS to PQ-only or hybrid usage can generally be undertaken with a high degree of confidence. However, under suboptimal network conditions or at higher security levels, a cautious transition is recommended. In such cases, adjusting the composition of certificate chains or increasing the TCP initial congestion window may prove beneficial.

Simulation-based Software Leakage Evaluation for the RISC-V Platform

Abstract

Side-channel attacks are critical because, despite the mathematical security of the algorithm, they break the assumption that private data stays hidden from the adversary. Developing secure hardware can be expensive, as multiple prototyping iterations may be required to achieve a satisfactory level of security against side-channel attacks. Currently, the fairly new and open-source CPU platform RISC-V is gaining traction by entering the IoT and consumer markets, and it is also attracting interest in security-oriented projects such as OpenTitan. In security-critical applications, especially when the hardware is exposed to third parties, the implementations of cryptographic algorithms must be secure against side-channel attacks. For the RISC-V platform, only a small number of tools currently exist to assess probing security. Further, we identified a lack of simulation-based tooling for this purpose that is able to analyze larger implementations such as full ciphers. To address this demand, we use PROLEAD_SW as a starting point and extend it to support the RISC-V platform. By analyzing micro-architectural leakage effects on the RISC-V platform, we show that the CPU-independent leakage model used by PROLEAD_SW for the ARM architecture is also suitable for RISC-V. To verify the correctness of the new tooling, test vectors are executed with it. In a final step, the performance of the new tooling is compared to that of the original PROLEAD_SW by analyzing two masked AES C implementations with both tools.

Ways for confidential and authenticated hop-by-hop key establishment in QKDN

Abstract

Asymmetric cryptography, specifically key exchange and digital signatures, enables secure digital communication. However, sufficiently powerful Quantum Computers, which could be available within a few years, would be able to break classical primitives like Elliptic-Curve Diffie–Hellman (ECDH) and RSA in polynomial time. Moreover, the "harvest-then-decrypt" attack poses the danger that stored encrypted data can be decrypted later. Thus, alternative approaches are urgently needed. Besides Post-Quantum Cryptography (PQC), which is based on mathematical problems, Quantum Key Distribution (QKD) uses quantum effects to establish keys in an information-theoretically secure way. Nevertheless, there are no reliable QKD modules that bridge distances of more than 150 km. Therefore, a QKD Network (QKDN) uses a concatenation of QKD links. End users are connected to each other via a series of QKD nodes performing hop-by-hop key forwarding. All nodes involved have access to the final shared secret. If a node cannot be trusted, the security of the system is no longer guaranteed. Physical protection or key hybridization can mitigate this risk, where hybridization refers to the combination of QKD and PQC. By using both schemes appropriately, the security objectives are met as long as at least one of the schemes used has not been compromised. Nonetheless, there is a lack of concrete concepts and analyses to enable a secure and efficient key forwarding process. In the following, 'secure' implies the security objectives of confidentiality and authenticity. 'Efficient' refers to the time taken to complete the process, the amount of data transferred and the amount of computation required. The available analyses often only consider specific sub-processes, e.g., forwarding between two directly adjacent nodes. The integration into the entire system and its resulting effects are disregarded. A systematic comparison of different options is missing.
When implementing a QKDN, it is unclear which variant is suitable for one's own purposes. This PhD project aims to address the problem by defining the key establishment process, analyzing security requirements, designing and implementing corresponding schemes, and evaluating these approaches.
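The hop-by-hop forwarding and the hybridization described in this abstract, as an added example that is not part of the PhD project or its implementation. QKD link keys are stand-ins generated locally (a real node would obtain them from its QKD modules), the end-to-end PQC shared secret is likewise a random stand-in for what a PQC KEM would produce, and the per-hop wrapping (one-time pad plus HMAC under keys derived from the link key with HKDF-SHA256) is one possible construction, not the project's scheme. The example shows that every node on the path ends up holding the forwarded key, that a modified ciphertext is rejected at the next hop, and that combining the forwarded key with the PQC secret yields a session key an intermediate node cannot compute.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class Node:
    """A QKDN node holding one fresh QKD key per neighbouring link.
    (A deployment would delete each link key after a single use.)"""

    def __init__(self, name: str):
        self.name = name
        self.link_keys: dict[str, bytes] = {}
        self.e2e_key: bytes | None = None


def establish_qkd_link(a: Node, b: Node, key: bytes | None = None) -> None:
    """Stand-in for a QKD link that delivers the same key to both ends (constructed here,
    not real QKD)."""
    key = key or secrets.token_bytes(KEY_LEN)
    a.link_keys[b.name] = key
    b.link_keys[a.name] = key


def wrap_hop(link_key: bytes, key: bytes, hop: bytes) -> tuple[bytes, bytes]:
    """Protect `key` for one hop: one-time-pad it under an encryption key and
    authenticate the ciphertext under a MAC key, both derived from the link key."""
    k_enc = hkdf_sha256(link_key, salt=hop, info=b"enc")
    k_mac = hkdf_sha256(link_key, salt=hop, info=b"mac")
    ct = xor_bytes(key, k_enc)
    tag = hmac.new(k_mac, hop + ct, hashlib.sha256).digest()
    return ct, tag


def unwrap_hop(link_key: bytes, ct: bytes, tag: bytes, hop: bytes) -> bytes:
    """Verify the tag before decrypting; a bad tag aborts the forwarding."""
    k_enc = hkdf_sha256(link_key, salt=hop, info=b"enc")
    k_mac = hkdf_sha256(link_key, salt=hop, info=b"mac")
    expected = hmac.new(k_mac, hop + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hop authentication failed")
    return xor_bytes(ct, k_enc)


def forward_key(path: list[Node], key: bytes, tamper_at: int | None = None) -> list[str]:
    """Hop-by-hop forwarding of `key` along `path`. Returns the names of the nodes that
    hold the end-to-end key afterwards: all of them, which is exactly the trust problem."""
    path[0].e2e_key = key
    for i, (cur, nxt) in enumerate(zip(path, path[1:])):
        hop = f"{cur.name}->{nxt.name}".encode()
        ct, tag = wrap_hop(cur.link_keys[nxt.name], cur.e2e_key, hop)
        if tamper_at == i:  # simulate a bit flipped in transit on hop i
            ct = xor_bytes(ct, b"\x01" + b"\x00" * (KEY_LEN - 1))
        nxt.e2e_key = unwrap_hop(nxt.link_keys[cur.name], ct, tag, hop)
    return [n.name for n in path if n.e2e_key == key]


def hybrid_key(qkd_key: bytes, pqc_secret: bytes, transcript: bytes) -> bytes:
    """Combine the forwarded QKD key with an end-to-end PQC shared secret. A relay that
    knows qkd_key but not pqc_secret cannot compute the result."""
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(qkd_key + pqc_secret, salt=salt, info=b"qkdn-hybrid")


def demo() -> tuple[list[str], bytes]:
    alice, relay, bob = Node("alice"), Node("relay"), Node("bob")
    establish_qkd_link(alice, relay)
    establish_qkd_link(relay, bob)
    k = secrets.token_bytes(KEY_LEN)
    holders = forward_key([alice, relay, bob], k)  # ['alice', 'relay', 'bob']
    pqc_secret = secrets.token_bytes(KEY_LEN)      # stand-in for a PQC KEM secret (assumed)
    return holders, hybrid_key(k, pqc_secret, b"alice|bob|session-1")


if __name__ == "__main__":
    holders, session = demo()
    print("nodes holding the forwarded key:", holders)
    print("hybrid session key:", session.hex())
```

The relay in this model holds the forwarded QKD key and is therefore a single point of compromise for the pure-QKD variant; the hybrid derivation only helps if the PQC secret is established end-to-end and never passes through the relay in the clear.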

On Criteria and Tooling for Cryptographic Inventories

Abstract

When cryptography becomes insecure, a migration to new schemes is required. The migration process is often very complicated, while the time available is very limited. Only if the cryptographic algorithms, protocols and configurations in use are known can a system be efficiently and fully adapted to a changed security situation. This creates the need for a crypto-inventory that gathers this knowledge. Consequently, the question arises which criteria a crypto-inventory must fulfill to support this adaptation. It also highlights the need for tools that assist in compiling it. We therefore conducted a literature survey and extracted key requirements. Missing content was supplemented by expanding existing requirements or adding new ones. Furthermore, appropriate metrics were assigned to assess how well a given crypto-inventory implementation fulfills the requirements. Regarding the tooling, we identified five major areas of interest (installed software, connected hardware, communication, stored data and source code scanning) and provide prototypes for the semi-automatic creation of crypto-inventories for three of them. This gives organizations a starting point for understanding their cryptographic landscape as a prerequisite for crypto-agility and crypto-migration. However, neither the theoretical design nor the prototypes have been evaluated yet. This will be done as a follow-up to this work. All types of organizations are invited to participate.

Performance Impact of PQC KEMs on TLS 1.3 Under Varying Network Characteristics

Abstract

Widely used asymmetric primitives such as RSA or Elliptic-Curve Diffie–Hellman (ECDH), which enable authentication and key exchange, could be broken by Quantum Computers (QCs) in the coming years. Quantum-safe alternatives are urgently needed. However, a thorough investigation of these schemes is crucial to achieve sufficient levels of security, performance, and integrability in different application contexts. The integration into Transport Layer Security (TLS) plays an important role, as this security protocol is used in about 90% of today's Internet connections and relies heavily on asymmetric cryptography. In this work, we evaluate different Post-Quantum Cryptography (PQC) key establishment schemes in TLS 1.3 by extending the framework of Paquin et al. We analyze the TLS handshake performance under variation of network parameters such as packet loss. This allows us to investigate the suitability of PQC Key Encapsulation Mechanisms (KEMs) in specific application contexts. We observe that Kyber and other structured lattice-based algorithms achieve very good overall performance and in some cases outperform classical schemes. Other approaches such as FrodoKEM, HQC and BIKE show individual disadvantages. For these algorithms, there is a clear performance decrease when increasing the security level or using a hybrid implementation, e.g., a combination with ECDH. This is especially true for FrodoKEM, which, however, meets high security requirements in general. It becomes clear that performance is strongly influenced by the underlying network processes, which must be taken into account when selecting PQC algorithms.
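The mechanism behind both TLS abstracts on this page (the KEM study above and the signature and certificate-chain follow-up earlier on the page) is that PQC objects inflate the server's first flight, and a flight larger than the TCP initial congestion window costs extra round trips during slow start. The following is an added model of that effect; it is not code from either paper and does not reproduce their measurements. The public-key, signature and key-share sizes are approximate values for the NIST round-3 parameter sets, the per-certificate X.509 overhead, the size of the remaining handshake messages, the MSS and the slow-start behaviour (doubling per round, no loss, no delayed ACKs) are all assumptions made here for illustration. It shows how chain composition and the initial congestion window (initcwnd) change the round-trip count.

```python
MSS = 1460  # TCP payload per segment for a 1500-byte MTU over IPv4 (assumed)

# Approximate public-key and signature sizes in bytes (NIST round-3 parameter
# sets). Assumed for illustration; the page does not list them.
SIG_SIZES = {
    "ecdsa-p256":   {"pk": 64,   "sig": 64},
    "rsa-2048":     {"pk": 256,  "sig": 256},
    "falcon-512":   {"pk": 897,  "sig": 666},
    "dilithium2":   {"pk": 1312, "sig": 2420},
    "dilithium3":   {"pk": 1952, "sig": 3293},
    "sphincs-128s": {"pk": 32,   "sig": 7856},
}
# Bytes the server sends as its key share (KEM ciphertext, or ECDH point).
KEM_SHARE = {"x25519": 32, "kyber512": 768, "kyber768": 1088, "kyber1024": 1568}
KEM_SHARE["x25519+kyber768"] = KEM_SHARE["x25519"] + KEM_SHARE["kyber768"]  # hybrid: both

X509_OVERHEAD = 500  # assumed per-certificate ASN.1, names and extensions
BASE_FLIGHT = 200    # assumed ServerHello + EncryptedExtensions + Finished, key share excluded


def server_flight_bytes(chain, kem):
    """Size of the TLS 1.3 server flight for a chain given leaf-first up to and
    including the root. The root is not sent; every sent certificate carries its
    subject's public key and a signature by the next scheme up the chain, and
    CertificateVerify carries one signature under the leaf scheme."""
    certs = sum(
        X509_OVERHEAD + SIG_SIZES[subject]["pk"] + SIG_SIZES[issuer]["sig"]
        for subject, issuer in zip(chain, chain[1:])
    )
    return BASE_FLIGHT + KEM_SHARE[kem] + certs + SIG_SIZES[chain[0]]["sig"]


def slow_start_rounds(nbytes, initcwnd=10, mss=MSS):
    """Rounds (RTTs) a fresh TCP connection needs to deliver nbytes under classic
    slow start: cwnd segments per round, doubling each round, no loss."""
    rounds, sent, cwnd = 0, 0, initcwnd
    while sent < nbytes:
        sent += cwnd * mss
        cwnd *= 2
        rounds += 1
    return rounds


def handshake_rtts(chain, kem, initcwnd=10):
    """Round trips until the client holds the server's Finished: one for the TCP
    handshake plus one per slow-start round of the server flight (ClientHello and
    the first round of the flight share a round trip)."""
    return 1 + slow_start_rounds(server_flight_bytes(chain, kem), initcwnd)


if __name__ == "__main__":
    configs = [
        (["ecdsa-p256"] * 3, "x25519"),
        (["dilithium3"] * 3, "kyber768"),
        (["dilithium3"] * 3, "x25519+kyber768"),
        (["falcon-512", "dilithium3", "dilithium3"], "kyber768"),  # small leaf, PQC CA
    ]
    for chain, kem in configs:
        size = server_flight_bytes(chain, kem)
        print(f"{'/'.join(chain):38s} {kem:16s} {size:6d} B  "
              f"RTTs icw=10: {handshake_rtts(chain, kem)}  "
              f"icw=30: {handshake_rtts(chain, kem, 30)}")
```

With these assumptions a pure Dilithium3 chain pushes the flight past the ten-segment initial window and costs a third round trip, while a Falcon-512 leaf under Dilithium3 intermediates, or raising initcwnd to 30 segments, keeps it at two. Extending the model to the packet-loss dimension of the study means replacing the loss-free slow start with a retransmission timer, which is where the large flights hurt most.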