Physical-layer encryption on the public internet: A stochastic approach to the Kish-Sethuraman cipher



Similar documents
A Probabilistic Quantum Key Transfer Protocol

Application of Quantum Cryptography to an Eavesdropping Detectable Data Transmission

On the Effectiveness of Secret Key Extraction from Wireless Signal Strength in Real Environments

Privacy and Security in the Internet of Things: Theory and Practice. Bob Baxley; HitB; 28 May 2015

Introduction To Security and Privacy Einführung in die IT-Sicherheit I

The New Approach of Quantum Cryptography in Network Security

Key Agreement from Close Secrets over Unsecured Channels Winter 2010

24 th IEEE Annual Computer Communications Workshop (CCW)

SFWR 4C03: Computer Networks & Computer Security Jan 3-7, Lecturer: Kartik Krishnan Lecture 1-3

Thwarting Selective Insider Jamming Attacks in Wireless Network by Delaying Real Time Packet Classification

Encrypting Network Traffic

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

RARP: Reverse Address Resolution Protocol

4. Continuous Random Variables, the Pareto and Normal Distributions

Security in Near Field Communication (NFC)

Physical-Layer Security: Combining Error Control Coding and Cryptography

Public Key Cryptography and RSA. Review: Number Theory Basics

Applying Active Queue Management to Link Layer Buffers for Real-time Traffic over Third Generation Wireless Networks


Chapter 4. Probability and Probability Distributions

Chapter 6 CDMA/802.11i

First Semester Examinations 2011/12 INTERNET PRINCIPLES

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Quantum Key Distribution as a Next-Generation Cryptographic Protocol. Andrew Campbell

Chapter 10. Network Security

Traffic Analysis. Scott E. Coull RedJack, LLC. Silver Spring, MD USA. Side-channel attack, information theory, cryptanalysis, covert channel analysis

Performance of networks containing both MaxNet and SumNet links

arxiv:quant-ph/ v1 11 Jul 1996

Midterm Exam CMPSCI 453: Computer Networks Fall 2011 Prof. Jim Kurose

Modeling and verification of security protocols

Level 2 Routing: LAN Bridges and Switches

Note! The problem set consists of two parts: Part I: The problem specifications pages Part II: The answer pages

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Network Security Using Quantum Cryptography N.Kusuma#1, N.Sai Tejaswi#2, T.Anitha,#3, K.V.D Kiran*4

QoS issues in Voice over IP

Network Security. HIT Shimrit Tzur-David

Client Server Registration Protocol

Protocols and Architecture. Protocol Architecture.

Algorithms for Interference Sensing in Optical CDMA Networks

Computer Networks - CS132/EECS148 - Spring

Physical Layer Security in Wireless Communications

One Time Pad Encryption The unbreakable encryption method

EINDHOVEN UNIVERSITY OF TECHNOLOGY Department of Mathematics and Computer Science

1 Message Authentication

Wide Area Network Latencies for a DIS/HLA Exercise

Secure Physical-layer Key Generation Protocol and Key Encoding in Wireless Communications

IN THIS PAPER, we study the delay and capacity trade-offs

Properties of Secure Network Communication

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

TCP over Multi-hop Wireless Networks * Overview of Transmission Control Protocol / Internet Protocol (TCP/IP) Internet Protocol (IP)

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

LANs. Local Area Networks. via the Media Access Control (MAC) SubLayer. Networks: Local Area Networks

CRYPTOGRAPHY IN NETWORK SECURITY

SecureCom Mobile s mission is to help people keep their private communication private.

Lecture Objectives. Lecture 07 Mobile Networks: TCP in Wireless Networks. Agenda. TCP Flow Control. Flow Control Can Limit Throughput (1)

CS 758: Cryptography / Network Security

The application of prime numbers to RSA encryption

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Mobile IP Network Layer Lesson 01 OSI (open systems interconnection) Seven Layer Model and Internet Protocol Layers

Communications and Computer Networks

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

CSE/EE 461 Lecture 23

Chapter 8. Network Security

Quantum Cryptography: The Ultimate Solution to Secure Data Transmission?

Message Authentication Code

Performance Monitoring and Control in Contention- Based Wireless Sensor Networks

Transport Layer Protocols

Overview. SSL Cryptography Overview CHAPTER 1

Security in IEEE WLANs

Final for ECE374 05/06/13 Solution!!

The next generation of knowledge and expertise Wireless Security Basics

Voice over IP: RTP/RTCP The transport layer

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

A NEW APPROACH TO ENHANCE SECURITY IN MPLS NETWORK

Polynomial Degree and Lower Bounds in Quantum Complexity: Collision and Element Distinctness with Small Range

CPSC 467b: Cryptography and Computer Security

Performance Analysis of the IEEE Wireless LAN Standard 1

On the Traffic Capacity of Cellular Data Networks. 1 Introduction. T. Bonald 1,2, A. Proutière 1,2

Securing MANET Using Diffie Hellman Digital Signature Scheme

Quantum Network Coding

CHI-SQUARE: TESTING FOR GOODNESS OF FIT

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA)

CS Final Exam

Synchronization in. Distributed Systems. Cooperation and Coordination in. Distributed Systems. Kinds of Synchronization.

Chapter 1 Introduction

Topology-based network security

Improving the Performance of TCP Using Window Adjustment Procedure and Bandwidth Estimation

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Secret Key Generation from Reciprocal Spatially Correlated MIMO Channels,

Application Layer (1)

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Transcription:

Hot Topics in Physical Information (HoTPI-2013) International Journal of Modern Physics: Conference Series Vol. 33 (2014) 1460361 (7 pages) c The Authors DOI: 10.1142/S2010194514603615 Physical-layer encryption on the public internet: A stochastic approach to the Kish-Sethuraman cipher Lachlan J. Gunn, James M. Chappell, Andrew Allison and Derek Abbott School of Electrical and Electronic Engineering The University of Adelaide, SA 5005, Australia lachlan.gunn@adelaide.edu.au Published 17 September 2014 While information-theoretic security is often associated with the one-time pad and quantum key distribution, noisy transport media leave room for classical techniques and even covert operation. Transit times across the public internet exhibit a degree of randomness, and cannot be determined noiselessly by an eavesdropper. We demonstrate the use of these measurements for information-theoretically secure communication over the public internet. Keywords: KS-cipher; information security; key distribution. PACS numbers: 84.40.Ua, 89.20.Ff, 89.20.Hh, 89.70.Cf, 89.70.Kn 1. Introduction Throughout history claims have abounded of supposedly unbreakable codes and ciphers, however it was not until the 20 th century that the mathematical underpinnings of cryptology gave any of them a degree of credibility. The first truly unbreakable cipher was the one-time-pad 1, invented in the United States in 1918, but independently developed and first put into practice by the German Foreign Office in the early 1920s 2. This scheme, however, is hampered by the need to distribute a key to receiver of the message. This key must be of the same size as the message and delivered in perfect secrecy. This onerous key distribution arrangement ruled it out for all but the most critical applications. Wyner 3, and later Csizár and Körner 4 considered a channel with an eavesdropper who viewed its contents through a second, noisy, channel. It was demonstrated that there exists a rate C s > 0 at which data may be reliably sent in secrecy. However, this depends upon the often unrealistic assumption that the eavesdropper receives the data with more noise the recipient. This is an Open Access article published by World Scientific Publishing Company. It is distributed under the terms of the Creative Commons Attribution 3.0 (CC-BY) License. Further distribution of this work is permitted, provided the original work is properly cited. 1460361-1

L. J. Gunn, et al. Later, Maurer 5 considered a more general case, letting the sender ( Alice hereafter), recipient (Bob), and eavesdropper (Eve) each measure some common quantity. It was demonstrated that, with the aid of a feedback channel, secure information exchange could occur even when Eve experienced less noise than Alice and Bob. Quantum key distribution 6 has received great attention in recent years, promising unconditional security using the no-cloning theorem. The coding and measurement bases are chosen at random for each photon. After the measurement, the recipient reveals his measurement basis, discarding the measurement if chosen incorrectly. As an eavesdropper does not know in advance which basis was used, she cannot reliably copy the photon, and so will increase the bit-error rate (BER). This allows eavesdropping to be detected by the legitimate parties to the transmission. However, these systems are impractical for most users, and a classical alternative would be of great benefit. In 2004, Kish and Sethuraman proposed a classical protocol 7 using commutative one-way encryption operators. If the sender and recipient each apply a layer of encryption to a message, then commutativity allows the sender to reverse her own operation and so produce a ciphertext with key known only to the recipient. In order to overcome the information-theoretic limits given by Maurer 5 we have added a stochastic element to the protocol 7, using the random transit times of the internet in place of its encryption operations this imperfect channel allows secure communication without resort to the one-time pad. 2. Round-trip times as a source of randomness The essence of key distribution is to provide two endpoints with a shared secret that remains unknown to eavesdroppers. A subtle point is that the endpoints need not generate a secret and share it themselves, but could instead obtain it from elsewhere, provided an eavesdropper cannot do the same without error 5. One such source of random data is the transit time between two internetconnected terminals. If Alice and Bob rally information packets back and forth via the internet, the time of each transit is a quantity common to the measurements of both, but measurable only with the addition of noise from the return trip (see Figure 1). An eavesdropper will suffer the same problem, however her noise will differ from that of Alice and Bob. This difference prevents her from taking advantage of the error correction performed by Alice and Bob during the information reconciliation 8 (IR) phase of processing, which discards bits likely to be incorrect, much like in the quantum protocol. We propose to extract random bits from the round-trip times by finding their median and declaring those times greater than the median to be a one, and those less to be a zero. With only one bit per round-trip, we avoid the problem that errors are more likely to fall into a adjacent quantisation bins and so create correlations between bits. While the distribution of round-trip times is actually quite skewed 9, we attempt 1460361-2

Physical-layer encryption on the public internet Alice Eve Bob T A T X T Y T B Fig. 1. Consecutive round-trip measurements, where Bob s response to Alice forms a request for another measurement. Grey circles represent timestamping events. Alice measures the duration T A of the blue round-trip, while Bob measures the duration T B of the red round-trip. The transit time of the intermediate transmission contributes to the round-trip-time measurements of both Alice and Bob, providing a source of mutual information. An eavesdropper (Eve) measures the partial round-trip times T X and T Y. to illustrate the technique theoretically by assuming transit times to be normally distributed and computing an upper limit on the key rate. 2.1. The mutual information rate between endpoints Let us denote the three packet transit times from Figure 1 as T 1, T 2, and T 3 respectively. Then, T A = T 1 + T 2, T B = T 2 + T 3. Suppose T i N (0, 1) for i = 1 to 3. Then, as the distribution (and so the channel) is symmetric, we may calculate the bit error rate as 1 P [T B < 0 T A < 0] = 1 P [T 2 + T 3 < 0 T 1 + T 2 < 0] (1) = 1 = 1 = 1 + + 1 0 2φ(t 2 )P [T 3 < t 2 T 1 < t 2 ] dt 2 (2) 2φ(t 2 )Φ 2 ( t 2 ) dt 2 (3) 2u 2 du (4) = 1 3, (5) where φ(t) and Φ(t) are the probability density and cumulative probability functions respectively of the normal distribution function. It should be noted that the derivation above holds for any zero-median symmetric distribution rather than just for the normal distribution. This BER of 1/3 corresponds to a channel capacity of 0.08 bits/measurement, suggesting that the achievable key rate with this technique may be too low for direct 1460361-3

L. J. Gunn, et al. use as a one-time pad. 2.2. Limitations Despite the allure of an information-theoretically secure key agreement method without specialised hardware, this method is not unconditionally secure and is necessarily dependent on the eavesdropper s inability to timestamp packets with perfect accuracy. This limits its use where an eavesdropper can timestamp packets on the link directly. To illustrate this point, we make use of Maurer s upper bound 5 on the secrecy rate, the maximum rate at which information can be transmitted securely, S(X; Y Z) I(X; Y ). This states that the rate of secure communication is limited to the mutual information rate of the two endpoints. The effect is that no protocol, no matter how clever, can provide secrecy using only independent random number generators at each end. In order to demonstrate the relevance of this inequality, imagine that Eve can timestamp Alice s and Bob s transmissions without error. Then, Eve has the same information as both legitimate parties, making secrecy impossible. Now imagine that we have placed a router between Eve and the two endpoints. This introduces some randomness, but the two parties could achieve the same effect by simply adding a random delay to their transmissions; that is to say, it is as though they used random and independent keys. As discussed, this cannot form the basis for a secure system. Therefore, if Eve can measure without noise, information-theoretic security is not possible. However, there are many cases in which this is not true. If an eavesdropper merely has copies of all traffic forwarded to them (such as by port mirroring), then routing delays and packet reordering provide the necessary source of noise 10. If the eavesdropper uses only a standard PC, uncertainty in the timing routines of its operating system provide an additional source of noise. These factors allow the system to provide security, especially against unsophisticated eavesdroppers using only commodity network hardware without hardware timestamping facilities. 3. Experimental Round-Trip Measurements In order to demonstrate this technique, we have constructed a test system to determine the performance of the method in the presence of an eavesdropper. The test system rallied UDP packets back and forth along a chain of hosts (see Figure 2), with the time of each arrival being timestamped. While the timescales were not synchronised, this information is sufficient to determine the various round-trip times. The effect of information reconciliation (IR) is shown in Figure 3. While the BER of the eavesdropper falls at first, it soon reaches a minimum value of around 2%. This demonstrates that a nonzero secrecy rate is achievable. 1460361-4

Physical-layer encryption on the public internet Bob Alice Eve (via LAN) Fig. 2. The constructed communications link. Alice is located in Adelaide, Australia, in the same room as Eve, to whom she is connected via the local network. The packet is then forwarded to through a relay in Los Angeles, and finally to Bob in Frankfurt. Alice sends a packet to Eve, who forwards it to Los Angeles, and finally to Bob in Frankfurt. The packet is then returned. At each step the arrival of the packet is timestamped, and the packet finally returned to Alice contains a time of arrival for Bob, and two for each intermediate note. The head of the chain in Adelaide, representing Alice, sends a packet which is timestamped at each of the three other hosts. The demonstration system described later does not transmit timestamps over the network, allowing each node to determine only its own round-trip time. Bit Error Rate [%] 15 10 5 0 0 1 2 3 4 5 6 Information reconciliation iterations Eve Bob Fig. 3. The effect of the bit-pair iteration protocol for information reconciliation (IR) upon the BER between Alice/Bob and Alice/Eve. This measurement used approximately 30,000 round-trips AU-US-EU, with the eavesdropper chosen to be the node in the same room as the sender. While the BER of the eavesdropper is improved slightly, it is not reduced to zero, which is evidence that there is sufficient measurement noise to allow secure communication. Error bars are shown for a 2σ confidence level. 4. Demonstration System We have implemented the described protocol, which has been successfully operated over the internet. Round-trip times are measured using UDP packets, whose times of transmission and receipt are determined using operating system routines. If a timeout occurs, due to a dropped packet for instance, the trip is marked as such and 1460361-5

L. J. Gunn, et al. dropped during the reconciliation process. Information reconciliation is performed using the bit-pair iteration 5 protocol. Parameters for the information reconciliation and privacy amplification are determined automatically. A lower bound on eavesdropper BER is given as a parameter, and so their channel capacity is computed and thus the amount of information that they hold. From this, a hashing function is chosen the sum of some number of bits modulo two that will discard sufficient information to eliminate the eavesdropper s knowledge of the secret key. As this process will increase the BER of the legitimate parties also, the target BER for the information reconciliation is reduced to compensate. The BER of the channel is estimated using the error rate of the parity bits. A 2σ Agresti-Coull 11 confidence interval is constructed and back-propagated through the binomial probability mass function 12, yielding a confidence interval for the BER of the underlying channel. Then, the BER of the parity-checked output of each iteration can be predicted recursively in order to determine an interval containing the required number of IR iterations. We succeed in generating keys at a rate of 13 bits/minute over the link shown in Figure 2, the lower bound on the eavesdropper BER set at 10 2, based on the results shown in Figure 3. The 400 ms round-trip time makes the test relatively pessimistic by terrestrial standards, and greater key rates are potentially achievable across shorter distances. 5. Conclusion We have considered the use of packet timing over the internet for informationtheoretically secure key agreement, and demonstrated the feasibility of the technique experimentally. We have developed a practical implementation of the method that is capable of generating shared keys in real-time despite the assumption of an eavesdropper BER equivalent to a man-in-the-middle on the local network. References 1. G. S. Vernam, Cipher printing telegraph systems for secret wire and radio telegraphic communications, Transactions of the American Institute of Electrical Engineers, pp. 295 301, 1926. 2. D. Kahn, The Codebreakers, Weidenfeld and Nicolson, London, 1966. 3. A. D. Wyner, The wire-tap channel, The Bell System Technical Journal, 54, 8, pp. 1355 1387, 1975. 4. I. Csiszár, J. Körner, Broadcast channels with confidential messages, IEEE Transactions on Information Theory, 24, 3, pp. 339 348, 1978. 5. U. Maurer, Secret key agreement by public discussion from common information, IEEE Trans. Inf. Theory, 39, 3, pp. 733 742, 1993. 6. C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, 1984. 1460361-6

Physical-layer encryption on the public internet 7. L. B. Kish, S. Sethuraman, Non-breakable data encryption with classical information, Fluctuation and Noise Letters, 4, 2, pp. C1 C5, 2004. 8. S. Liu, H. C. A. van Tilborg, M. van Dijk, A practical protocol for advantage distillation and information reconciliation, Designs, Codes and Cryptography, 30, 39 62, 2003. 9. J. Bolot, End-to-end packet delay and loss behavior in the internet, in Proceedings on Communications Architectures, Protocols and Applications, SIGCOMM 93, pp. 289 298, (San Fransisco, 1993). 10. J. Ziang, A. Moore, Traffic trace artifacts due to monitoring via port mirroring, in Proceedings of the Fifth IEEE/IFIP, E2EMON, pp. 1 8, 2007. 11. A. Agresti and B. Coull, Approximate is better than exact for interval estimation of binomial proportions, The American Statistician, 52, 2, pp. 119 126, 1998. 12. R. J. Larsen, M. L. Marx, An Introduction to Mathematical Statistics and Its Applications, Prentice Hall, p. 104, 1966. 1460361-7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information