New threat models on authentication

Revision as of 16:14, 21 December 2020 by Marc



Introduction

Authentication is, along with encryption, one of the most important tasks in securing a network. Without authentication, any participant in a network could impersonate any other, and no security would be possible in such a context. The impersonation attack, called man-in-the-middle, is very general and can even be used to break quantum key distribution protocols.

Authenticating network nodes and their communication is crucial for many network applications: online banking, software updating and e-commerce are common operations that use authentication to establish trusted communication channels. Because of this importance, various mature solutions for authentication exist. The most common ones use Public Key Infrastructures (PKI), in which trusted authorities issue certificates that users can present to prove their identity. This solution is based on centralized certificates and leads to heavyweight processes to issue, update or revoke identity credentials. It can be scaled with intermediate authorities, but this inherent centralization limits its range of application.

Authentication in the age of IoT

Recent evolutions in network topologies are pushing us to reconsider the authentication problem. With the growth of the Internet of Things (IoT), more and more devices are being connected to networks. Besides the visible development of consumer devices, IoT is spreading in many industries such as transport, maritime, oil and gas, mining and agriculture. These devices may contain critical information, and their security needs to be carefully assessed.

One solution for managing the identity of such devices is to hardcode a master key in them. This key can be used directly or to derive session keys, but in either case the security of the device reduces to securing the key stored in the device. While this may be considered a good solution given the limited computational power of such devices, it does not cope well with the new threats arising in the world of IoT. Such devices are assumed to be lightweight, and their security should consider situations where their identity credentials get stolen or copied. Handling security in such networks in a manner that takes this threat model into account is considered a challenge by security experts.
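The following added example, which is not part of the original page, models the hardcoded-master-key scheme described above and shows why a copied key cannot be told apart from the genuine device. The names `Device`, `Verifier`, `derive_session_key` and `sensor-01`, and the choice of HKDF-SHA256 with an HMAC challenge-response, are assumptions made for illustration; the page names no specific scheme.

```python
import hashlib
import hmac
import secrets


def derive_session_key(master_key: bytes, device_id: bytes, nonce: bytes) -> bytes:
    """HKDF (RFC 5869) with SHA-256, one 32-byte output block."""
    prk = hmac.new(nonce, master_key, hashlib.sha256).digest()  # extract, salt = nonce
    info = b"session|" + device_id
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()  # expand, T(1)


class Device:
    """Holds the hardcoded master key. A clone is a Device built from copied bytes."""
    def __init__(self, device_id: bytes, master_key: bytes):
        self.device_id, self._master_key = device_id, master_key

    def respond(self, nonce: bytes) -> bytes:
        key = derive_session_key(self._master_key, self.device_id, nonce)
        return hmac.new(key, b"auth|" + nonce, hashlib.sha256).digest()


class Verifier:
    def __init__(self):
        self._keys = {}  # device_id -> master key provisioned at manufacture

    def enroll(self, device_id: bytes, master_key: bytes) -> None:
        self._keys[device_id] = master_key

    def revoke(self, device_id: bytes) -> None:
        self._keys.pop(device_id, None)  # revokes the key, not one physical holder

    def authenticate(self, device: Device) -> bool:
        master_key = self._keys.get(device.device_id)
        if master_key is None:
            return False
        nonce = secrets.token_bytes(16)  # fresh challenge, so old responses cannot be replayed
        key = derive_session_key(master_key, device.device_id, nonce)
        expected = hmac.new(key, b"auth|" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, device.respond(nonce))


def demo():
    master = secrets.token_bytes(32)  # constructed sample key
    verifier = Verifier()
    verifier.enroll(b"sensor-01", master)
    genuine = Device(b"sensor-01", master)
    clone = Device(b"sensor-01", master)  # models a stolen or copied credential
    wrong = Device(b"sensor-01", secrets.token_bytes(32))
    before = tuple(verifier.authenticate(d) for d in (genuine, clone, wrong))
    verifier.revoke(b"sensor-01")
    after = tuple(verifier.authenticate(d) for d in (genuine, clone))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The verifier only ever checks possession of the key bytes, so the genuine device and the copy are indistinguishable, and revoking the key locks out both until the genuine device is re-provisioned.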

Using quantum networks to address new threat models

This situation could benefit from the power of quantum networks. The challenge is to create a system for managing identity credentials that cannot be cloned or forged and that can be revoked instantaneously by a central authority. Quantum money protocols seem to offer the desired properties. The various proposals for quantum money protocols are all based on the idea of producing unforgeable tokens. The security of these constructions is derived from the unclonability of quantum states, a physical property that ensures the security of many quantum tasks. Moreover, quantum tokens are, like standard money, issued by a central authority that can revoke them easily. One difference, however, is that once quantum tokens are consumed they are no longer available, whereas authentication may be performed several times.

Mobile devices are also used for a lot of transactions that require authentication, such as payment. The main issue here is that the devices are not trusted and the mobile manufacturer may not be willing to collaborate with security companies.

Quantum protocols may also offer solutions to these problems. In particular, Quantum Digital Signatures could be helpful for obtaining long-term security. More advanced concepts, such as Quantum Physically Unclonable Functions, are also being investigated as potential solutions to identification problems.

Quantum networks will offer new solutions to various challenges related to authentication. Known protocols can be used to develop more secure solutions thanks to the unclonability and unforgeability of quantum tokens, as well as the long-term security that naturally follows from the use of quantum resources.