Secure Message Relay over Networks with QKD-Links

Stefan Rass and Mohammed Ali Sfaxi+ and Solange Ghernaouti-Hélie and Kyandoghere Kyamakya

Institute for Smart-System Technologies, Klagenfurt University, Austria
+ ADHOC PES AG, 4123 Allschwil, Switzerland
ISI - University of Lausanne, 1015 Switzerland

{stefan.rass, kyandoghere.kyamakya}@uni-klu.ac.at, mohamed-ali.sfaxi@adhoc.ag, sgh@unil.ch

Abstract—This paper presents extensions to the classical point-to-point protocol PPP [RFC1661] and IPSEC [RFC 2401] in order to build networks that can do unconditionally secure message relay. Our work addresses the problem of how to integrate quantum key distribution (QKD) in networks such that little effort needs to be put into protocol engine adaptation and network topology design. This article demonstrates how to ensure correct routing and secure authentication between adjacent QKD-capable nodes; in particular, it is demonstrated how a person-in-the-middle attack can be countered using universal hash functions.

I. INTRODUCTION

The last two decades have witnessed the rise of a new technology of secure message transmission, which is called quantum cryptography or quantum cryptographic key distribution (QKD). The first such protocol, BB84, given in 1984 by Charles Bennett and Gilles Brassard, can be proven to be unconditionally secure (see, for instance, [Shor and Preskill, 2000]); however, by definition, this approach can only realize key establishment between directly connected nodes. For physical reasons, the distance over which photons can be transmitted successfully is far too limited for the approach to be applicable between cities or across the ocean. Defining networks that perform packet forwarding over QKD-secured links poses no technical problem; however, the plaintext necessarily shows up at each intermediate node along the message path. Another problem relates to authentication, since QKD itself cannot ensure the identity of the other party.
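
The hop-by-hop forwarding described above, as an added example that is not code from the paper: each link encrypts with its own one-time pad, so every intermediate node decrypts before re-encrypting and therefore holds the plaintext. QkdLink, relay and demo are hypothetical names; QKD is assumed to be a black box that has already filled each link's shared key pool, and the one-time pad is an assumed link cipher.

```python
import secrets

class QkdLink:
    """One QKD-secured link: a pool of key bytes shared by its two endpoints."""
    def __init__(self, key_bytes):
        # Assumption: QKD (a black box here) has already delivered key_bytes
        # of secret key; random bytes stand in for that key material.
        self.pool = bytearray(secrets.token_bytes(key_bytes))

    def take_key(self, n):
        # One-time pad discipline: key bytes are consumed and never reused.
        if n > len(self.pool):
            raise RuntimeError("link key pool exhausted")
        key = bytes(self.pool[:n])
        del self.pool[:n]
        return key

def xor(data, key):
    return bytes(d ^ k for d, k in zip(data, key))

def relay(message, links):
    """Forward message over consecutive links.

    Returns (delivered, wire, seen): the message at the destination, the
    ciphertext on each link, and what each intermediate node held in clear.
    """
    wire, seen = [], []
    current = message
    for hop, link in enumerate(links):
        key = link.take_key(len(current))  # both endpoints hold this pad
        ciphertext = xor(current, key)     # sending endpoint encrypts
        wire.append(ciphertext)
        current = xor(ciphertext, key)     # receiving endpoint decrypts
        if hop < len(links) - 1:
            seen.append(current)           # relay node now holds the plaintext
    return current, wire, seen

def demo():
    # Constructed path A - R1 - R2 - B with 64 key bytes per link.
    links = [QkdLink(64) for _ in range(3)]
    message = b"constructed sample payload"
    delivered, wire, seen = relay(message, links)
    return delivered, wire, seen, [len(link.pool) for link in links]

if __name__ == "__main__":
    delivered, wire, seen, left = demo()
    print("delivered:", delivered)
    print("plaintext held by relays:", seen)
    print("key bytes left per link:", left)
```

Every hop consumes as many key bytes as the message is long, and the payload is readable at each of the two relay nodes even though no link ever carries it in clear.
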

This paper aims at addressing the following problems, while proposing solutions that can be implemented with the technological means available today. Moreover, we explicitly neither consider nor confine ourselves to any specific form of QKD (several of which exist). We treat QKD as a primitive that lets us secure links in an information-theoretically secure manner, and we demonstrate how to create networks inheriting the capability of unconditionally secure message relay from their links. In detail, we shall give ideas on how to solve the following issues that naturally arise when building a practical QKD-based network:

1) How to perform key distribution over multi-hop connections?
2) How to secure the corresponding routing process?
3) How to authenticate adjacent nodes in an unconditionally secure manner?

The advantage of our approach is twofold: First, it relies on QKD-extended versions of existing protocols. It has been demonstrated how to create advanced point-to-point protocols using QKD and how to extend the capabilities of IPSEC in order to benefit from the new technology. The wide acceptance and implementation of these protocols make them natural candidates for augmentation with QKD, and thus for being building blocks of future unconditionally secure networks. Second, we explicitly aim at using the simplest possible form of QKD to achieve maximum security. We consider QKD itself as a black box without relying on specific features of a certain QKD method. Our protocols thus work equally well with BB84 as with more complicated (and thus more expensive) forms of QKD, which may still be in the experimental stage.

This paper is organized as follows: Section II motivates the need for securing transmission within the link layer (layer 2) of the Open Systems Interconnection (OSI) reference model¹, and Sections II-A and II-B summarize the extensions to PPP and IPSec based on QKD.
Section III contains our results concerning the construction of suitable networks and the protocols for multi-hop secret distribution. Secure routing algorithms and authentication schemes are sketched in that context. The paper closes with a discussion of related work.

II. INTEGRATING QKD IN OSI LAYER 2 PROTOCOLS

Securing layer 2 transmission is fundamental because this service is common and necessary to all kinds of node connections. The security processing is done transparently to the users and to the other protocols. Securing the link layer is more efficient than securing the upper OSI layers, since neither additional encapsulation nor an additional header is required at layer 2.

The Point to Point Protocol [RFC1661] is a link layer protocol, widely used to connect adjacent nodes. Data confidentiality during transmission is not offered by the original protocol; it was introduced later through support for the Encryption Control Protocol [RFC1968]. This protocol uses classical cryptography (algorithms such as

¹ ISO International standard IS 7498 and X.200 ITU Recommendation

Second International Conference on Quantum, Nano and Micro Technologies 0-7695-3085-0/08 $25.00 © 2008 IEEE DOI 10.1109/ICQNM.2008.14 10