Practical Authentication and Access Control for Software-Defined ...conferences.sigcomm.org/sigcomm/2018/files/slides/secson/paper_… · Practical Authentication and Access Control

Practical Authentication and Access Control for Software-Defined Networking over Optical Networks

Joo Yeon Cho and Thomas Szyrkowiec

24 August 2018

SecSoN 2018

© 2018 ADVA Optical Networking. All rights reserved. Confidential.22

Security in Optical Transmission


Tapping of Optical Fiber is Reality

“The Guardian” Report:

… GCHQ was … tapping in to 200

fiber-optic cables to give it the ability

to monitor up to 600 million

communications every day …

… the GCHQ operation codenamed

“Tempora” has been running for 18

months …

… information from Internet and

phone use was stored for up to 30

days to be shifted and

analyzed …UK Government Communications Headquarter

– GCHQ –


Fiber Optic NetworksOptical Tapping Method

Cladding: 125 µm

Core: 9 µm

Lost Light

“For both public and private networks, optical

taps and analytic devices are required and

inexpensive maintenance equipment in

common use worldwide today. Various types

of optical taps […] are also used for

corporate espionage…”

„Clearly, physical protection of optical

transmission media and junction boxes is

essential; in addition, data encryption plays a

role in protecting sensitive data.” [5]

[5] Security Strategies Alert, M.E. Kabay, already in March 2003


OTN (Layer 1) Security


Encryption PerformanceComparison of Maximum Throughput

Framesize / Bytes

Thro

ugh

pu

t

And why on Layer 1?

• Protocol and data rate agnostic

• Lowest Latency

• 100% Throughput

• Operational Simplicity


SDN over Optical Network


Software-Defined Networking over Optical Networks

ROADM

SDN Controller

Log

(A)

Optical Controller / NMS

Application / orchestrator

(C)

Switch

(B)


System Architecture: Example

Key Exchange/

Generation

AES

Encryption/

Decryption

Power

Session key

Random

Number

Generator

Secure

Storage

Tamper

Detection

Store/Erase

keyRandom

number CPU

Security HW

Auth

password

PHY

Traffic

Forwarding

Engine

FPGA

Key exchange

data

Secure

Management

Plaintext data Encrypted data

Battery

Erase


Example: HW block diagram

QSFPClient

Port

Gear

box Transport FPGA CFPNetwork

Port

Micro

controller

ETH

TRNG

Chip

Secure

memory


Security Requirements for SDN

- Encryption: AES-256

- Authentication: password-based, certificate-based

- Integrity: GCM

- Key exchange: Diffie-Hellman, PKI

- Access control

- Accountability

- Etc.


Lightweight AAA solution

- SSL/TLS is a bit heavy.

=> it should be cross-compiled and installed, depending on CPU and OS.

- Traditional signature scheme: vulnerable to the quantum attacks?

=> A lightweight/quantum-secure AAA solution is preferred for optical devices.


Hash-based Signature


Hash-function properties

Collision-Resistance

2nd-Preimage-Resistance

One-way Pseudorandom

Ass

um

pti

on

/ A

ttack

s

stronger /

easier to

break

weaker /

harder to

break


Attacks on Hash Functions

2004 2005 2008

MD5Collisions

(theo.)

SHA1Collisions

(theo.)

MD5 Collisions

(practical!)

2017

MD5 & SHA-1No (Second-) Preimage

Attacks!

SHA1 Collisions

(practical!)


Lamport-Diffie OTS (one time signature) [Lam79]

Message M = b1,…,bm

SK

PK

Sig

sk1,0 sk1,1 skm,0 skm,1

pk1,0 pk1,1 pkm,0 pkm,1

H H H H H H

sk1,b1 skm,bm

*

Muxb1 Muxb2 Muxbm

= n bit

H: one-way function


Security

Theorem:

If H is one-way then LD-OTS is one-time eu-cma-secure.


a10

a00

a11

a20 a21 a22 a23

a30 a31 a32 a33a34 a35 a36 a37

(pk4, sk4)

OTS

PK

σdd

h: hash func.

OTS: one time signature

a34=h(pk4)

e.g.

a11= h(a22||a23)

Merkle’s Hash-based Signature [MSS 1970s]


Security

Theorem:

MSS is eu-cma-secure if OTS is a one-time eu-cma secure signature scheme and H is a random element from a family of collision resistant hash functions.


XMSS: eXtended Merkle Signature Scheme (2018)

• Internet draft: RFC 8391

• Several tricks are applied.

• signature size halved

• OTS: WOTS+

• function families based on SHA2 / SHA3

• Small public key (2n bit)


C Implementation, using OpenSSL

Sign

(ms)

Signature

(kB)

Public Key

(kB)

Secret Key

(kB)

Bit

Security

classical/

quantum

Comment

XMSS 3.24 2.8 1.3 2.2 236 /

118

h = 20,

d = 1,

XMSS 3.59 8.3 1.3 14.6 196 /

98

h = 60,

d = 3

Intel(R) Core(TM) i7 CPU @ 3.50GHz

[HRS16] Huelsing, A., Rijneveld, J., and

F. Song, "Mitigating Multi-Target Attacks

in Hash-based Signatures", Public-Key

Cryptography - PKC, 2016.

XMSS Implementation [HRS16]


id7,b7

MK

id3,b3 id5,b5id6,b6

id0,b0

id2,b2

id8,b8 id9,b9 id11,b11id12,b12 id13,b13

katt1 = h(b4, b11)

katt2 = h(b7)

Encrypt C

K

M

id14,b14id10,b10

id1,b1

id4,b4

EncryptE(katt1,K)

E(katt2,K)

katt1, katt2

K

Attribute-based Access Control

bj = h(bi,idj)


Use case: Auditing log data

(1) “Submit the log data from 2017H2-2018.”

(2) “Here is b7 and b12.“

id6,b6

id11,b11 id13,b13 id14,b14

id7,b7

2017 2018

id12,b12

2017H1 2017H2 2018H1 2018H2

A system admin does not need to search/encrypt/submit the specific log data.


Quantum-safe Security


* Let's Get Ready to Rumble - The NIST PQC "Competition“

- Dustin Moody, NIST, 2018


NIST Post-quantum crypto project


* Let's Get Ready to Rumble - The NIST PQC "Competition“

- Dustin Moody, NIST, 2018


Summary and on-going work

• A lightweight / quantum-secure hash-based authentication and an access control mechanism for optical SDN are presented.

• Proposed schemes are flexible and easily-deployable.

• Suitable for relatively small scale of network.

• The proposed mechanisms are based on Merkle hash tree and the security relies only on hash functions.

• We are working on the integration with open source SDN controller such as ONOS or Ryu.

• A python-based mutual authentication will be performed between a SDN controller and network devices.


Acknowledgements

This work has been performed in the framework of the CELTIC EUREKA project

SENDATE-Secure-DCI (Project ID C2015/3-4), and it is partly funded by the

German BMBF (Project ID 16KIS0477K).

Thank you

IMPORTANT NOTICE

The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.

[email protected]

http://www.facebook.com/pages/ADVA-Optical-Networking/37630238931?ref=ts#!/pages/ADVA-Optical-Networking/37630238931?v=wall

http://www.linkedin.com/company/adva-optical-networking

http://www.youtube.com/user/ADVAOptical

http://advaopticalnews.tumblr.com/

http://twitter.com/ADVAOpticalNews

https://www.advaoptical.com/en/press-feed

Documents

Practical Authentication and Access Control for Software-Defined ...conferences.sigcomm.org/sigcomm/2018/files/slides/secson/paper_… · Practical Authentication and Access Control