ETSI EG 203 310 V1.1.1 (2016-06)

CYBER; Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection

ETSI GUIDE

Reference: DEG/CYBER-0008
Keywords: algorithm, quantum cryptography, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights  4
Foreword  4
Modal verbs terminology  4
1 Scope  5
2 References  5
2.1 Normative references  5
2.2 Informative references  5
3 Definitions and abbreviations  6
3.1 Definitions  6
3.2 Abbreviations  6
4 Outlining the problem  6
5 Business continuity considerations  7
5.1 Overview  7
5.2 Existing standards (ISO 22301)  8
5.3 Algorithm change  9
5.4 Redistribution of symmetric keys  10
5.5 Redistribution of asymmetric public keys and certificates  10
5.6 Impact on EU Qualified Certificates in regulation 910/2014/EU  10
Annex A: Overview of Quantum Computing  11
Annex B: Shor's algorithm  12
Annex C: Grover's algorithm  13
History  14

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This ETSI Guide (EG) has been produced by ETSI Technical Committee Cyber Security (CYBER).

Modal verbs terminology

In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

1 Scope

The present document addresses business continuity arising from the concern that Quantum Computing (QC) is likely to invalidate the hard problems that lie at the heart of both RSA and ECC asymmetric cryptography. The present document considers the transition to the post-quantum era: how to re-assert CAs in a PKI, the distribution of new algorithms, and the distribution of new keys, and advises that business continuity planning addresses the impact of QC on ICT.

The current assumptions that underpin the security strength of RSA and ECC are that solving the prime factoring and discrete logarithm problems is infeasible without prior knowledge. It has been widely suggested that the application of quantum computing to these problems removes the assertion of infeasibility. Whilst it is not known when quantum computing will arrive, or how long it will be until the factorisation and discrete logarithm problems are themselves solved, the present document reviews the nature of the algorithms when subjected to QC attack and why they become vulnerable.

The present document applies to ETSI TBs undertaking work in the selection and definition of cryptographic algorithms, and to non-ETSI members who have deployed cryptographic algorithms and need to be aware of the impact of QC on ICT.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not
necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ISO 22301: "Societal security - Business continuity management systems - Requirements".
[i.2] ETSI White Paper Quantum Safe Cryptography V1.0.0 (2014-10): "Quantum Safe Cryptography and Security; An introduction, benefits, enablers and challenges"; ISBN 979-10-92620-03-0.
[i.3] ETSI ISG QSC work programme.
NOTE: Available at https://portal.etsi.org/tb.aspx?tbid=836

in some cases, there is time for a well-ordered transition. However, the window of opportunity for orderly transition is shrinking and, with the growing maturity of QC research, for data that needs to be kept secret for decades into the future the window for transitioning may already be closed.

5 Business continuity considerations

5.1 Overview

A very simple equation outlines the extent of the problem of evolution to a QC safe deployment of cryptography:

X = the number of years the public-key cryptography needs to remain unbroken.
Y = the number of years it will take to replace the current system with one that is quantum-safe.
Z = the number of years it will take to break the current tools, using quantum computers or other means.

If X + Y > Z, any data protected by that public key cryptographic system is at risk and immediate action needs to be taken. Thus if Z is estimated as 15 years then both X and Y have to be significantly less than 15 years, and the sum of X and Y also has to be less than 15 years, to be safe.

Whilst the advent of quantum computing will represent a step change in the ability of attackers to directly attack encrypted data, or to determine a collision for existing hash functions, the normal development of computing power and cryptanalysis suggests that there is no status quo and that reasonable steps have to be taken in the normal course of events to counter this continual development. The threat of quantum computing is significant only insofar as existing algorithms for e-commerce, digital signature and authentication will be immediately weakened or invalidated, whereas with non-quantum computing development an organisation can make longer term maintenance level plans to re-key and re-secure their assets. The conventional case may be considered by evolving from a DES-like solution through 3DES and AES-128 to AES-256 on a long term cycle.

The level of threat posed by quantum computing varies, as purely algorithmic measures are not the only security layer deployed. A physically isolated and cryptographically protected database is probably at less risk of compromise than an open data store on a cloud service provider. However, any user of asymmetric cryptography cannot afford to be complacent and has to acknowledge as a first step that cryptographic protection cannot be applied once and forgotten. Data that has been encrypted once with a non-quantum-safe algorithm would need to be re-encrypted with a new quantum-safe algorithm and key. Identification of candidate data in this case is non-trivial and, as shown in clause 5.3, there is no consensus to date on suitable algorithms.

The immediate concern here is that industry has to develop trust in quantum-safe algorithms before quantum computers are available, and deploy them in advance of the threat vector being realisable. It takes a number of years to validate an algorithm and to build trust through reliable cryptanalysis in its capability. This has to be factored into the deployment and business continuity model. In the simplified equation given at the start of this clause an additional variable has to be added:

T = the number of years it will take to develop trust in quantum-safe algorithms.

This modifies the equation that determines safety to X + Y + T > Z. The obvious view is that Y is a function of T. It is suggested
in clause 4 that security should not be dependent only on the algorithm, and as Kerckhoffs [i.6] has stated "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge", but this pre-supposes that the first clause of his statement is true, and quantum computing defeats this pre-condition. Where quantum computing works is that whilst in conventional systems there is no way to get the private key from knowledge of the public key and some crypto-text, this is not true for a quantum computing attack. Thus knowledge of the public key and some crypto-text will allow an adversary to recover the private key, hence all the security of the system is broken.

For conventional symmetric cryptography, where Grover's algorithm comes into play, the security of the system still lies in the key, although the strength of the cryptosystem is reduced, with recovery to the same cryptographic strength requiring a doubling of key size (e.g. from 128 bits to 256 bits). Grover's algorithm is also claimed to significantly impact the strength and trust of hashing algorithms.

Key generation schemes and the provision of entropy in the system may also be impacted by quantum computing based attacks. There is still debate and research in this field, but generally for the creation of randomness the Shannon-based measure is that if, with knowledge of what has happened in the past, I cannot predict the next value with greater than 50 % reliability (in a two-state system) then the output is random. Pending further study the general rules for random number generation should be followed, and the rule of thumb that the source of entropy should be random over a similar range to the expected output is critical (i.e. do not rely on achieving 128-bit security when the source of randomness
for the system is only within (say) a 4-bit range). In short, good randomness that leads to high entropy, or sources of entropy that lead to true randomness, cannot be ignored. If the underlying source of randomness is weak (i.e. not really random, or random over a very small range) then any dependent security function is going to be weakened. The attacker is not going to try to break the crypto engine and the protocols if he can use weak randomness as an attack vector.

5.2 Existing standards (ISO 22301)

Business Continuity Management (BCM) in the face of an attack on the cryptographically protected assets of the organisation has to be considered as part of the planning and risk analysis aspects of ISO 22301 [i.1]. The extension to be highlighted is that whilst BCM and Security Management frameworks such as those from ISO 27001 [i.5] apply, it is essential that where cryptographic technologies are applied in the business, appropriate review of the continuing validity of such technologies should be built into the risk analysis and planning, and that process should review such issues as key transition, algorithm transition and trust management.

The worst case scenario in BCM from the evolution of QC is that variable Z is met before the organisation has managed to satisfy variable Y. In such a case the business and its partners can no longer trust the cryptographically protected assets of the business.

5.3 Algorithm change

There are many candidates for quantum-safe algorithms in the asymmetric crypto domain but there is no consensus on their suitability. Irrespective of what is ultimately determined to be the QSC algorithms of choice, the systems that require cryptographic protection need to be crypto-agile. The purpose of crypto-agility is that the entire set of business processes that rely on cryptographic security are able to do the necessary management to change keys and algorithms.

NOTE: If symmetric algorithms are used, the ability of the algorithm to work in a new mode with longer keys is not guaranteed, and if longer keys are not supported (e.g. moving from 80 to 160 bits, or 128 to 256 bits) a new algorithm suited to the new key size should be selected.

Support of QSC algorithms has a significant impact on processing and memory resource for the authentication, signature and
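The rule of thumb in clause 5.1 that the entropy source must be random over a range comparable to the expected output, as an added worked example in Go (not code from the present document or from ETSI): a frequency-count estimate of per-symbol Shannon and min-entropy over constructed sample output, a check that refuses to derive a key when the seed cannot carry the requested strength, and a SHA-256 expansion showing why a full-width key derived from a 4-bit seed is no stronger than the seed. The function names, the frequency-count estimator and the two sample sources are assumptions of this example; the estimator cannot see sequential structure, so it is a floor-level sanity check, not a certification of the source.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// SymbolEntropy holds two per-symbol estimates for a sampled entropy source.
type SymbolEntropy struct {
	Shannon float64 // average unpredictability in bits per symbol
	Min     float64 // worst case: -log2(probability of the most common symbol)
}

// EstimateSymbolEntropy is a plain frequency-count estimate over observed
// output (an assumption of this example, not a method the guide prescribes).
// It is only a sanity check: it cannot see sequential structure such as a
// counter, so a source that is spread out but predictable is overestimated.
func EstimateSymbolEntropy(samples []byte) SymbolEntropy {
	if len(samples) == 0 {
		return SymbolEntropy{}
	}
	counts := make(map[byte]int)
	for _, s := range samples {
		counts[s]++
	}
	n := float64(len(samples))
	var shannon, maxP float64
	for _, c := range counts {
		p := float64(c) / n
		shannon -= p * math.Log2(p)
		if p > maxP {
			maxP = p
		}
	}
	return SymbolEntropy{Shannon: shannon, Min: -math.Log2(maxP)}
}

// SeedEntropyBits is the conservative (min-entropy) estimate for a seed of
// seedLen symbols, assuming the symbols are independent of each other.
func SeedEntropyBits(perSymbol SymbolEntropy, seedLen int) float64 {
	return perSymbol.Min * float64(seedLen)
}

// CheckSeed refuses to go ahead when the seed cannot carry keyBits of
// min-entropy: the guide's rule that the source must be random over a
// range comparable to the expected output.
func CheckSeed(perSymbol SymbolEntropy, seedLen, keyBits int) error {
	have := SeedEntropyBits(perSymbol, seedLen)
	if have < float64(keyBits) {
		return fmt.Errorf("seed carries about %.1f bits of min-entropy, key needs %d", have, keyBits)
	}
	return nil
}

// DeriveKey expands a seed to keyBits with SHA-256. The result always looks
// like a full-width key; hashing spreads entropy but never adds any, so a
// 4-bit seed still yields a key with only 16 possible values.
func DeriveKey(seed []byte, keyBits int) []byte {
	sum := sha256.Sum256(seed)
	return sum[:keyBits/8]
}

// FourBitSource is constructed sample output from a source whose values
// only ever fall in a 4-bit range: 160 symbols cycling through 0..15.
func FourBitSource() []byte {
	out := make([]byte, 160)
	for i := range out {
		out[i] = byte(i % 16)
	}
	return out
}

// ByteWideSource is constructed output from a source covering all 256
// byte values evenly, which the estimator scores at 8 bits per symbol.
func ByteWideSource() []byte {
	out := make([]byte, 512)
	for i := range out {
		out[i] = byte(i % 256)
	}
	return out
}

func main() {
	weak := EstimateSymbolEntropy(FourBitSource())
	fmt.Printf("4-bit source: %.1f bits Shannon, %.1f bits min-entropy per symbol\n", weak.Shannon, weak.Min)
	// One symbol seeding a 128-bit key is rejected: only about 4 bits stand behind the key.
	if err := CheckSeed(weak, 1, 128); err != nil {
		fmt.Println("rejected:", err)
	}
	fmt.Println("derived key still looks full width:", hex.EncodeToString(DeriveKey([]byte{9}, 128)))
	// 32 independent symbols of the 4-bit source reach 128 bits; a byte-wide source needs only 16.
	fmt.Println("32 symbols of the 4-bit source:", CheckSeed(weak, 32, 128))
	strong := EstimateSymbolEntropy(ByteWideSource())
	fmt.Println("16 symbols of the byte-wide source:", CheckSeed(strong, 16, 128))
}
```

The check uses min-entropy rather than Shannon entropy because a key is broken by the attacker's best guess, not by the average guess; for the constructed sources the two coincide, but for a skewed source min-entropy is the smaller and the right one to budget against.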
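The crypto-agility requirement of clause 5.3, together with the observation in clause 5.1 that data encrypted under a non-quantum-safe algorithm will need re-encrypting under a new algorithm and key, as an added example in Go (not code from the present document or from ETSI): an envelope that names its algorithm and key identifier beside the ciphertext, a registry of supported algorithms and their key sizes, and a migration routine that moves stored data from AES-128-GCM to AES-256-GCM, the key-size doubling clause 5.1 associates with Grover's algorithm. The envelope layout, the registry, the in-memory key store and the constructed keys are assumptions of this example; the two AES modes stand in for whatever QSC algorithms are eventually selected, which is the point of keeping the algorithm choice out of the callers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope carries the algorithm and key identifiers next to the ciphertext,
// so a reader never has to guess which algorithm or key protects the data.
type Envelope struct {
	Alg   string // algorithm identifier, e.g. "AES-128-GCM"
	KeyID string // identifies the key in the key store
	Nonce []byte
	CT    []byte // ciphertext followed by the GCM tag
}

// algorithms is the registry that makes the system agile: adding or
// retiring an algorithm means editing this table, not every caller.
// Values are key sizes in bytes (assumed registry, constructed here).
var algorithms = map[string]int{
	"AES-128-GCM": 16,
	"AES-256-GCM": 32, // doubled key size, the Grover-era strength recovery
}

// KeyStore maps key identifiers to key material: an in-memory stand-in
// for an HSM or key-management service.
type KeyStore map[string][]byte

// newAEAD checks the algorithm is registered and the key has the size the
// registry demands before building the cipher.
func newAEAD(alg string, key []byte) (cipher.AEAD, error) {
	size, ok := algorithms[alg]
	if !ok {
		return nil, fmt.Errorf("unknown algorithm %q", alg)
	}
	if len(key) != size {
		return nil, fmt.Errorf("%s needs a %d-byte key, got %d", alg, size, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the named algorithm and key. The envelope
// labels are bound as associated data so they cannot be swapped afterwards.
func Seal(ks KeyStore, alg, keyID string, plaintext []byte) (*Envelope, error) {
	key, ok := ks[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	aead, err := newAEAD(alg, key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := []byte(alg + "|" + keyID)
	return &Envelope{Alg: alg, KeyID: keyID, Nonce: nonce, CT: aead.Seal(nil, nonce, plaintext, ad)}, nil
}

// Open decrypts an envelope using the algorithm and key it names.
func Open(ks KeyStore, e *Envelope) ([]byte, error) {
	key, ok := ks[e.KeyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", e.KeyID)
	}
	aead, err := newAEAD(e.Alg, key)
	if err != nil {
		return nil, err
	}
	ad := []byte(e.Alg + "|" + e.KeyID)
	return aead.Open(nil, e.Nonce, e.CT, ad)
}

// Migrate re-protects stored data under a new algorithm and key: decrypt
// with what the envelope names, re-encrypt with the target. It refuses a
// no-op so a migration run cannot silently leave data on the old scheme.
func Migrate(ks KeyStore, e *Envelope, newAlg, newKeyID string) (*Envelope, error) {
	if e.Alg == newAlg && e.KeyID == newKeyID {
		return nil, errors.New("migration target equals current protection")
	}
	pt, err := Open(ks, e)
	if err != nil {
		return nil, err
	}
	return Seal(ks, newAlg, newKeyID, pt)
}

func main() {
	// Constructed keys for the demonstration; a real deployment pulls these from an HSM or KMS.
	ks := KeyStore{
		"k-2016": bytes.Repeat([]byte{0x11}, 16), // legacy 128-bit key
		"k-2026": bytes.Repeat([]byte{0x22}, 32), // replacement 256-bit key
	}
	record := []byte("customer record that must stay confidential for decades")
	old, err := Seal(ks, "AES-128-GCM", "k-2016", record)
	if err != nil {
		panic(err)
	}
	migrated, err := Migrate(ks, old, "AES-256-GCM", "k-2026")
	if err != nil {
		panic(err)
	}
	pt, err := Open(ks, migrated)
	fmt.Printf("migrated to %s under %s, round trip ok: %v\n", migrated.Alg, migrated.KeyID, err == nil && bytes.Equal(pt, record))
}
```

Because the algorithm and key identifiers are bound as associated data, an envelope cannot be re-labelled to point at a different key, and because the registry is the only place that knows key sizes, the situation in the clause 5.3 NOTE (an algorithm that cannot take a longer key) becomes a new registry entry rather than a change in every caller. Once every envelope has been migrated, retiring the old key from the store is what finally removes the old algorithm from the system.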