ETSI GR QSC 004 V1.1.1 (2017-03)

Quantum-Safe Cryptography; Quantum-Safe threat assessment

Disclaimer

The present document has been produced and approved by the Quantum-Safe Cryptography (QSC) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this
ISG. It does not necessarily represent the views of the entire ETSI membership.

GROUP REPORT

Reference: DGR/QSC-004
Keywords: quantum cryptography, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means
, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2017. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
Modal verbs terminology
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Abbreviations
4 Overview of approach to threat assessment
5 Assessment of Quantum Computing timetable
5.1 Overview
5.2 QC requirements for Shor's algorithm
5.3 QC requirements for Grover's algorithm
6 Threat assessment against aspects of QC deployments
6.1 Algorithm vulnerabilities
6.1.1 Overview
6.1.2 Symmetric algorithms
6.1.3 Public key cryptography
6.1.4 Random number generation
6.2 Security Protocols
6.2.1 Introduction
6.2.2 Transport Layer Security (TLS)
6.2.3 Internet Protocol Security (IPSec)/Internet Key Exchange (IKE)
6.2.4 Secure/Multipurpose Internet Mail Exchange (S/MIME)
6.2.5 Public Key Infrastructure (PKI)
6.2.6 Application of security protocols
7 Industry specific issues
7.1 Banking and e-commerce
7.2 Intelligent Transport Systems
7.3 eHealth
7.4 Trusted Platform Modules
7.5 Digital Media and Content Protection
7.5.1 System overview
7.5.2 Digital Transmission Licensing Authority (DTLA)
7.5.3 Digital Living Network Alliance (DLNA)
7.5.4 Advanced Access Content System Licensing Authority (AACSLA)
8 Summary, conclusions and recommendations
Annex A: Authors

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Quantum-Safe Cryptography (QSC).

Modal verbs terminology

In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal
forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Introduction

Quantum Computers (QC) represent a paradigm shift in computing, and the result of having any quantum computer of reasonable size and availability is
that the existing hard problems upon which the asymmetric cryptography domain is built will no longer be considered hard. The simple result is that asymmetric cryptography based on elliptic curves or on integer factorization will be invalidated. Similarly, there will be an impact on the security level afforded by symmetric cryptographic schemes. Much of this is well known and documented in ETSI's White Paper [i.1] and in the ETSI Guide on the impact of quantum computing on business continuity [i.4], among many other places. The purpose of the present document is to expand a little on the previous
publications in this field, but with the general reflection that the concern regarding a quantum computing attack is not going to have the same impact across all users of quantum-vulnerable cryptography. The present document gives a very simplified consideration of the attack likelihood for when a viable QC exists and reflects that risk against each business sector's requirements, in order to know how to use cryptographic technology in the sector. This is intended to assist industry in determining how long they have to respond to the availability of QC while retaining trust and security in their operations.

1 Scope

The present document presents the results of a simplified threat assessment following the guidelines of ETSI TS 102 165-1 [i.3] for a number of use cases. The method and key results of the analysis are described in clause 4. The present document
makes a number of assumptions regarding the timescale for the deployment of viable quantum computers; however, the overriding assertion is that quantum computing will become viable in due course. This is examined in more detail in clause 5. The impact of quantum computing attacks on the cryptographic
deployments used in a number of existing industrial deployment scenarios is considered in clause 7.

2 References

2.1 Normative references

Normative references are not applicable in the present document.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of
publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI White Paper Quantum Safe Cryptography V1.0.0 (2014-10): "Quantum
Safe Cryptography and Security; An introduction, benefits, enablers and challenges"; ISBN 979-10-92620-03-0.

[i.2] Arjen K. Lenstra and Eric R. Verheul: "Selecting Cryptographic Key Sizes", Journal of Cryptology, vol. 14, pp. 255-293, 2001.

[i.3] ETSI TS 102 165-1: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis".

[i.4] ETSI EG 203 310 (V1.1.1): "CYBER; Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection".

[i.5] ISO/HL7 21731:2014: "Health informatics - HL7 version 3 - Reference information model - Release 4".

[i.6] Digital Living Network Alliance: "DLNA Guidelines".
NOTE: Available from http://www.dlna.org/guidelines/

[i.7] Advanced Access Content System (AACS): "Introduction and Common Cryptographic Elements".
NOTE: Available from http:/

[i.8] ETSI TS 102 940: "Intelligent Transport Systems (ITS); Security; ITS communications security architecture and security management".

3 Abbreviations

For the purposes of the present document, the following abbreviations apply:

AACS    Advanced Access Content System
AACSLA  Advanced Access Content System Licensing Authority
AEAD    Authenticated Encryption with Associated Data
AES     Advanced Encryption Standard
CA      Certificate Authority
CAM     Co-operative Awareness Message
CIA     Confidentiality, Integrity, Availability
DENM    Decentralized Environmental Notification Message
DH      Diffie-Hellman
DHCP    Dynamic Host Configuration Protocol
DLNA    Digital Living Network Alliance
DSA     Digital Signature Algorithm
DTCP    Digital Transmission Content Protection
DTLA    Digital Transmission Licensing Authority
DTLS    Datagram TLS
EAP     Extensible Authentication Protocol
EC      Elliptic Curve
ECC     Elliptic Curve Cryptography
ECDH    Elliptic Curve Diffie-Hellman
ECDSA   Elliptic Curve Digital Signature Algorithm
EV      Extended Validation (Certificate)
HRNG    Hardware Random Number Generator
ICT     Information & Communication Technology
IKE     Internet Key Exchange
IP      Internet Protocol
ITS     Intelligent Transport System
ITS-S   Intelligent Transport System Station
LAN     Local Area Network
MAC     Message Authentication Code
PKI     Public Key Infrastructure
QC      Quantum Computer or Quantum Computing
QSC     Quantum-Safe Cryptography
RSA     Rivest Shamir Adleman
TCP     Transmission Control Protocol
TLS     Transport Layer Security
TPM     Trusted Platform Module
UDP     User Datagram Protocol
VPN     Virtual Private Network
WPA     Wi-Fi Protected Access
XML     eXtensible Markup Language

4 Overview of approach to threat assessment

Threat assessment in most environments considers two metrics: the likelihood of an attack and the impact of the attack. Underlying these metrics is a further set of metrics addressing such issues as availability requirements (i.e. the time needed to access the vulnerability), equipment (i.e. the complexity or cost of the equipment needed to launch the attack) and so forth, which are described in some detail in ETSI TS 102 165-1 [i.3]. The calculation of risk is taken most often as the product of likelihood and impact and categorized as high, medium or low (different risk management systems may use more than three classifications, but ETSI's approach has only considered three, with a view to defining countermeasures against high and medium risk vulnerabilities). The consideration behind the security of most cryptographic systems is that the security strength of an algorithm is optimal when the only feasible attack is brute force evaluation of the key space.

ETSI EG 203 310 [i.4] states (with some editorial extensions):

"if the promise of quantum computing holds true then the following impacts will be immediate on the assumption that the existence of viable quantum computing resources will be used against cryptographic deployments:

- Symmetric cryptographic strength will be halved, e.g. AES with 128 bit keys giving 128 bit strength will be reduced to 64 bit strength (in other words, to retain 128 bit security will require 256 bit keys to be implemented).
- Elliptic curve cryptography will offer no security.
- RSA based public key cryptography will offer no security.
- The Diffie-Hellman-Merkle key agreement protocol will offer no security.

NOTE: The common practice is to refer to the key agreement protocol developed by Messrs Diffie, Hellman and Merkle as simply the Diffie-Hellman or DH protocol, as the formal recognition of Merkle's role was made after DH became the accepted term.
With the advent of realizable Quantum Computers, everything that has been transmitted or stored and that has been protected by one of the known to be vulnerable algorithms, or that will ever be stored or transmitted, will become unprotected and thus vulnerable to public disclosure."

The halving of symmetric strength in the quoted text is the theoretical Grover bound; the practical cost of a Grover search, dominated by the serial depth of the quantum circuit and the error-correction overhead, is considerably higher. The halved figure is nonetheless the conservative planning assumption.

The purpose of
threat assessment is, in part, to identify where protective measures should be applied for countering the threat. The quantification of risk assists this by identifying those parts of the system that are most vulnerable and recommending where countermeasures should be applied. For the specific case of the impact of quantum computing on the security of ICT systems as addressed by ETSI EG 203 310 [i.4], the broad assertion for business continuity is that systems have to be developed and deployed to be crypto-agile. The intent is to ensure that processes are in place that allow algorithms and keys to be changed across the business quickly enough to counter the viable introduction of quantum computers.

The factors to be considered in assessing the likelihood element, in determining the potential of an attack, are the following:

System knowledge: For the majority of crypto-systems under consideration, it should be assumed that the algorithms are public knowledge (e.g. RSA, ECC in its various modes).

Time: For those systems open to attack by quantum computing, it is assumed that no new vulnerability is exposed; rather, a quantum computer invalidates the core assertion that a solution to the underlying
problem is infeasible without access to the key itself. Thus the time factor for access to material to retrieve the private key of an asymmetric pair is treated as essentially null (in the formulation given in ETSI TS 102 165-1 [i.3], the term is "an attack can be identified or exploited in less than an hour").

Expertise: There is comparatively little expertise in the programming of quantum computers, even if some algorithms, like Shor's and Grover's, have been well described. However, the ability to take the data from a public key certificate, feed it into a well-defined instance of Shor's algorithm and retrieve the private key is likely to be trivial and to tend towards the layman end of the expertise scale.

Opportunity: Only access to the public key certificate is required, and this is public by default; hence there is no barrier to opportunity to obtain the input data to an attack.

Equipment: Assuming access to the input data, the barrier to breaking existing asymmetric cryptography is the existence of a viable quantum computer. For the cur
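The two parts of clause 4 above (the quoted impact statement, in which Shor's algorithm leaves RSA, ECC and DH with no security and Grover's algorithm halves symmetric strength, and the five likelihood factors scored for a quantum-computer attack on a public key) as one worked example in Python. This is an added illustration, not ETSI's code or the TS 102 165-1 proforma: the factor names follow the page, but the point values, the likelihood cut-offs and the 3x3 risk matrix are assumptions that only mirror the shape of the ETSI method, and the sample asset is constructed.

```python
"""Quantum-era threat scoring shaped like clause 4 of ETSI GR QSC 004.

Added illustration, not ETSI's code. Factor names follow clause 4 (system
knowledge, time, expertise, opportunity, equipment). The point values, the
likelihood cut-offs and the 3x3 risk matrix are ASSUMED: they mirror the
shape of the ETSI TS 102 165-1 attack-potential method, not its tables.
"""
from dataclasses import dataclass

# Impact statement quoted from EG 203 310: Shor's algorithm leaves RSA,
# (EC)DH and (EC)DSA with no security; Grover's algorithm halves the
# effective strength of a symmetric key (theoretical bound, used here as
# the planning figure exactly as the page does).
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
GROVER_HALVED = {"AES", "HMAC", "CHACHA20"}


def quantum_strength(algorithm: str, classical_strength_bits: int) -> int:
    """Effective security strength (bits) once a viable quantum computer exists."""
    name = algorithm.upper()
    if name in SHOR_BROKEN:
        return 0
    if name in GROVER_HALVED:
        return classical_strength_bits // 2
    raise ValueError(f"no quantum assessment rule for {algorithm!r}")


# Attack-potential points per likelihood factor (assumed values). The fewer
# points an attacker needs, the more likely the attack. "unavailable" models
# the page's equipment barrier: no viable quantum computer exists yet.
TIME = {"under_an_hour": 0, "under_a_week": 1, "under_a_month": 4, "over_a_month": 10}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6}
KNOWLEDGE = {"public": 0, "restricted": 3, "sensitive": 7}
OPPORTUNITY = {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "unavailable": 25}


def attack_potential(time: str, expertise: str, knowledge: str,
                     opportunity: str, equipment: str) -> int:
    return (TIME[time] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
            + OPPORTUNITY[opportunity] + EQUIPMENT[equipment])


def likelihood(potential: int) -> str:
    """Fold attack potential into three likelihood classes (assumed cut-offs)."""
    if potential < 10:
        return "likely"
    if potential < 20:
        return "possible"
    return "unlikely"


LIKELIHOOD_SCORE = {"unlikely": 1, "possible": 2, "likely": 3}
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}


def risk(likelihood_label: str, impact_label: str) -> str:
    """Risk = likelihood x impact, categorised high/medium/low as the page describes."""
    product = LIKELIHOOD_SCORE[likelihood_label] * IMPACT_SCORE[impact_label]
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


@dataclass
class Asset:
    name: str
    algorithm: str
    classical_strength_bits: int
    impact: str  # business impact of private-key recovery: low / medium / high


def assess_shor_attack(asset: Asset, viable_qc_exists: bool) -> dict:
    """Score private-key recovery from a public key with the clause 4 factor values:
    time under an hour, layman expertise, public algorithm, no opportunity barrier
    (the certificate is public) and a quantum computer as the only equipment."""
    if asset.algorithm.upper() not in SHOR_BROKEN:
        raise ValueError("Shor's algorithm applies to public-key algorithms only")
    potential = attack_potential(
        time="under_an_hour",
        expertise="layman",
        knowledge="public",
        opportunity="unnecessary",
        equipment="bespoke" if viable_qc_exists else "unavailable",
    )
    like = likelihood(potential)
    return {
        "asset": asset.name,
        "quantum_strength_bits": quantum_strength(asset.algorithm, asset.classical_strength_bits),
        "attack_potential": potential,
        "likelihood": like,
        "risk": risk(like, asset.impact),
    }


if __name__ == "__main__":
    # Constructed sample asset, not from the page: an RSA-2048 TLS certificate
    # (about 112 bits of classical strength) protecting high-impact data.
    cert = Asset("web server TLS certificate (RSA-2048)", "RSA", 112, "high")
    for qc in (False, True):
        print("viable QC exists:", qc, assess_shor_attack(cert, qc))
    print("AES-128 under Grover:", quantum_strength("AES", 128), "bit strength")
```

Run with these assumed weights, the only factor that keeps the attack out of the "likely" class today is equipment; once a viable quantum computer exists every other factor is already at its minimum, so a high-impact RSA or ECC key goes straight to high risk. Note that even before that point the same asset lands in medium risk, which under the three-class approach described above is still a level at which countermeasures are defined; that is the quantitative form of the quoted warning that material already transmitted or stored is exposed.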