JOURNAL OF TELECOMMUNICATIONS, VOLUME 3, ISSUE 1, JUNE 2010 84

Implementation of an Extension of the CHAP Protocol based on Quantum Key Distribution Mohamed Elboukhari, Mostafa Azizi, and Abdelmalek Azizi Abstract— Quantum key distribution (QKD) is a technique that permits the secure distribution of a bit string, used as key in cryptographic protocols. Extensive studies have been undertaken on QKD since it was noted that quantum computers could break public key cryptosystems based on number theory. QKD offers unconditionally secure communication based on quantum mechanics. Now there is a strong need of research to exploit this technology in the existing communication networks. In this paper, we explore the possibility of using QKD for authentication for Local Area Networks (LANs). Precisely, we have elaborated a scheme to integrate the new technique of QKD in the CHAP protocol (Challenge Handshake Authentication Protocol) to enhance the security of the authentication service. Also, we describe in detail an example demonstrating the practical use of our scheme’s implementation. Index Terms — cryptography, quantum cryptography, quantum key distribution, security.

——————————
——————————

1 INTRODUCTION

O

ne time pad (OTP) cryptosystems have been in use since the 1910s. The OTP crypto-key length is the same as the length of the plain text. If the key is truly random, never reused, and kept secret, the OTP can be proven to be unbreakable. However, the difficulty of securing the key sharing has prevented it from becoming practical. Quantum Cryptography or Quantum key distribution (QKD) [1] is an innovative new technology that allows a more practical implementation of the classic one-time pad. This is because QKD enables two distant parties (say Alice and Bob) to generate a secret key that has guaranteed privacy due to the use of quantum physics. The secret key thus provides perfect security when it is used in a OTP cryptosystem. Unlike conventional cryptographies that rely on the conjectured difficulty of computing certain functions, the security of QKD is guaranteed by the postulate of quantum mechanics. In the B92 protocol, the participants (Alice and Bob) agree on a secret key about which any eavesdropper (say Eve) can obtain little information. The security proof of this protocol against arbitrary eavesdropping strategies was proved by Tamaki [2]-[3]. What was initially a theoretical novelty quickly generated more interest after the first practical demonstration over 30 cm of free space employing polarisation coding [4]. QKD is attracting a lot of attention these days as a promising candidate that could guarantee the confidentiality of messages by quantum physics. Many groups have been striving to make this technique practicable. Actually several QKD protocols ————————————————

• M.Elboukhari is with the dept. of Mathematics & Computer Science, University Mohamed First, Oujda, Morocco. • M.Azizi is with the dept. Applied Engineering, ESTO, University Mohamed First, Oujda, Morocco. • A.Azizi with the Academy Hassan II of Sciences & Technology, Rabat, Morocco.

have been developed, and some that transmit keys through tens of kilometers in both fiber and free space have been experimentally demonstrated [5]-[6]. A hot issue of research is to exploit the QKD technology in the existing networks to achieve highest degree of security. The purpose of practically realizing the QKD is to find ways to establish a QKD network. The Local Area Networks (LANs) present many interests relating to the use of quantum cryptography. First, the limited coverage of LANs is suitable to implement QKD because quantum cryptography is actually experimented over tens of kilometers. Second, Wireless LANs are usually used to provide Internet access; this kind of application is critical from a network security point of view because users can realize e-commerce or banking transactions via the Internet. These applications need a very strong security that Quantum Cryptography can offer. In this paper, we treat the task of integrating QKD in LANs; we have proposed a technique of integrating QKD in the CHAP protocol. Using B92 protocol, we defined an extended CHAP protocol which enhances the security of CHAP protocol as it has described in [7]. The organization of the remainder of the paper is as follows. In section 2, we describe in detail the CHAP protocol. The B92 protocol, which we use in the integration, will be presented in section 3. In section 4, we introduce our novel extension of CHAP protocol integrating the mechanism of QKD. Finally, we conclude the paper in section 5 by giving the main results.

2 CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL (CHAP) CHAP protocol is a protocol of authentication. It has been standardized by IETF [8] in August 1996 as RFC 1994 and used by several others protocols as iSCSI [9]. For its operation, CHAP supposes that the Peer and the

© 2010 JOT http://sites.google.com/site/journaloftelecommunications/

JOURNAL OF TELECOMMUNICATIONS, VOLUME 3, ISSUE 1, JUNE 2010 85

Authenticator share the possession of the same shared secret S (the divided secret key). CHAP protocol, described in Fig. 1, is based on the resolution of a challenge which stages are the following ones: 1) After the completion of the link establishment phase, the Authenticator sends a "challenge" H message to the Peer. 2) The Peer responds with a value calculated using a oneway hash function HASH . 3) The Authenticator checks the response against its own calculation of the expected hash value. If the values match, the Authenticator acknowledges the authentication; otherwise it should terminate the connection. At random intervals, the Authenticator sends a new challenge to the Peer and repeats steps 1 through 3. CHAP provides protection against playback attack by the Peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the Peer and Authenticator know the plaintext of the secret, although it is never sent over the network. Microsoft has implemented a variant of the Challenge-handshake authentication protocol, called MSCHAP, which does not require either Peer to know the plaintext.

Authenticator

Peer

The Peer computes HA SH ( H , S )

H

HASH ( H , S )

Quantum Cryptography to assure security relies on the foundations of quantum mechanics, in contrast to traditional public key cryptography which relies on the computational difficulty of certain mathematical functions. Traditional public key cryptography cannot provide any indication of eavesdropping or guarantee of key security. QKD has an important and unique properly; it is the ability of the two communicating users (Alice and Bob) to detect the presence of any third party (Eve) trying to gain knowledge of the key. Eve trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies. By using quantum superpositions or quantum entanglement and transmitting information in quantum states over a quantum channel (such as an optical fiber or free air), a communication system can be implemented which detects eavesdropping. The B92 protocol is based on the on Heisenberg’s Uncertainty Principle. It is surely a famous and realized Quantum Cryptography protocol. This scheme uses polarised photons as information carriers. The polarizations of the photons are two states, and are grouped together in two different non orthogonal basis

⊕ and ⊗ of a two-dimensional Hilbert space H 2 . We suppose that the polarization of a photon can be modelled by a state of this space. The two basis ⊕ and ⊗ are defined as follows: -The basis ⊕ is formed by the horizontal (0°) and the vertical polarization (+90°). We represent the base states with the intuitive notation:

The Authenticator computes his own value of HASH and compares it with HA SH ( H , S )

0

and

⊕ ={ 0 , 1 }. -The basis ⊗ is constructed by the diagonal polarizations (+45°) and (+135°). The two different base states are + and −

1

with

+ =

( 0 + 1 ) and

1 − =

2

Fig. 1. Message flow for a full CHAP protocol.

3 THE PROTOCOL OF QUANTUM KEY DISTRIBUTION: B92 PROTOCOL Algorithms of classical cryptography are based on mathematical functions. The robustness of a given cryptosystem is based essentially on the secrecy of its private key and the difficulty with which the inverse of its one-way function(s) can be calculated. Unfortunately, there is no mathematical proof that will establish whether it is not possible to find the inverse of a given one-way function. On the contrary, Quantum Cryptography is a method for sharing secret keys, whose security can be formally demonstrated. So, Quantum Cryptography is N only used to produce and distribute a key K = {0,1} , not to transmit any message data. This key can then be used with any chosen encryption algorithm to encrypt (and decrypt) a message, which can then be transmitted over a standard communication channel (classical channel).

1 . We have

We have

( 0 − 1 ).

2

⊗ = { + , − }.

In this protocol, the association between the information bit (taken from a random number generator) and the basis are described in Table 1. TABLE 1 CODING SCHEME FOR THE B92 PROTOCOL

Bit 0

⊕

⊗

0

+

1

1

−

B92 protocol supposes that the two legitimate users, Alice and Bob, communicate through two specific channels, which the enemy (Eve) has also access to: -A classical channel, which can be public; Eve can listen passively (without being detected); -A quantum channel that (by its nature) Eve cannot listen passively. The first phase of B92 involves transmissions over the

JOURNAL OF TELECOMMUNICATIONS, VOLUME 3, ISSUE 1, JUNE 2010 86

quantum channel, while the second phase takes place over the classical channel. The B92 protocol can be described as follows [10]-[11][12]: 1) First phase (Quantum Transmissions) a) Alice chooses a random vector of n

bits A ∈ {0,1} , n > N . If

0

A i = 0 Alice sends to Bob

over the quantum channel and if A i = 1 , she

transmits to him + , for all i ∈ {0,1, … , n} . b) Bob randomly generates in its turn a vector of bits B ∈ {0,1}n , n > N . If Bi = 0, Bob chooses the basis ⊕ and if Bi = 1 Bob chooses the basis ⊗ , for all

i ∈ {0 ,1, … , n } . c) Bob measures each quantum state sent by Alice ( 0 or + ) in the selected basis ( ⊕ or ⊗ ). d) Bob elaborates the vector test T ∈ {0 ,1} n , n > N by complying the following rule: if the measurement of Bob produces 0

or

+

then, Ti = 0 and if it

produces 1 or − ), Ti = 1 , for all i ∈ {0,1, … , n} . 2) Second phase (Public Discussion) a) Bob transmits the vector T to Alice over the classical channel. b) Alice and Bob keep only the bits of the vectors A and B for which Ti = 1 . In such case and in absence of the enemy Eve, we have:

A i = 1 − B i and the

shared raw key is formed by A i (or 1 − B i ). c) Alice randomly chooses a sample of the bits of the raw key and reveals them to Bob over the classical channel. If it exists i such as A i ≠ 1 − B i , then Eve is detected and the communication is aborted. d) The common shared secret key K ∈ {0,1} N is formed by the raw key after elimination of the samples of the step 2c). To understand B92 protocol it very important to describe how we measure a qubit in the field of quantum physics; if we have a qubit as q u b it = e c + f g so the measure of this state in the basis { c , g } produces the state c

g

2

with the probability of | e | and the state of

with the probability of

|f |

2

and of course

2

| e | 2 + | f | 2 = 1 ( | e | is the absolute square of the amplitude of e). So, measuring with the incorrect basis yields a random result, as predicted by quantum theory. Thus, if Bob chooses the ⊗ basis to measure a photon in state 0 , the classical outcome will be either the bit 0 or 1 with equal probability because 0 = 1 ( + + − ) ; if the 2

⊕ basis was chosen instead, the classical outcome would be 0 with certainty because 0 = 1 0 + 0 1 . Also, there are three points to understand the protocol B92 perfectly. Firstly, if the test of Bob is equal to 0 for a measure, then Bob does not know what Alice sent to him. Thus if Bob chooses the basis ⊕ (resp. ⊗ ), he can obtain as result of his measure 0 (resp. + state sent by Alice ( 0

) for any quantum

or + ). Secondly, if the test of

Bob is equal to 1 then Bob knows with exactitude what Alice sent to him, for example if Bob chooses the basis ⊗ (resp. ⊕ ), he will obtain after measure the state − (resp.

1 ) and Alice surely sent to him 0 (resp. + ). Thirdly, in the step 2b), Alice and Bob test the presence of Eve; the idea is that if it exists i such as T i = 1 then A i = 1 − B i , if not an external disturbance is produced or there is noise in the quantum channel, we suppose all noise is caused by Eve.

4 INTEGRATION OF QUANTUM KEY DISTRIBUTION IN CHAP PROTOCOL 4.1 Why using QKD in the CHAP protocol? One of the weakness of the CHAP protocol is the sharing of the same secret ( S ) between the Peer and the Authenticator for a long time. In such case, the attacker (Eve) who knows the function HASH , the number H and the value of HASH ( H, S ) can by the brute attack deduct the value of the secret s by using different value of its test S eve in the equation HASH ( H, S ) = HASH ( H, S eve ) until he finds S = S eve . Here, we suppose the attacker has a powerful technology to do so, as having a quantum computer which is much faster than any of our current classical computers. To overcome this type of attack, the Peer and the Authenticator can use the same secret s for a short time only and thus they exchange different values of the secret s . But this solution demands to exchange each time the secret with a guaranted security which is impracticable. To generate such secrets, we use some protocols of key distribution as Diffie-Hellman protocol but the security of such protocols is computational, which means it depends on mathematical assumptions and then it is not an unconditional security. In our proposed solution, we don’t need to exchange the secret s several times between the Peer and the Authenticator but the secret is shared only one time. Instead, in the value of HASH ( H, S ) implicated in CHAP protocol, we replace the secret s by the key generated by the mechanism of QKD noted QS (Quantum Secret) which is exchanged with an unconditional security due to the application of the law of quantum physics. Also, to render the task of the attacker more complicated, the value of the secret QS is modified at every session of the CHAP protocol. Finally, our extension of CHAP protocol provides a mutual authentication.

JOURNAL OF TELECOMMUNICATIONS, VOLUME 3, ISSUE 1, JUNE 2010 87

4.2 Description of the novel extension of CHAP protocol Our main objective is to present a novel extension of CHAP protocol that significantly facilitates the integration of quantum key distribution (QKD) with the already-existing Internet security infrastructure. The development of this extended version of CHAP protocol makes flexible architecture that enables the deployment of practical quantum cryptographic-based security applications. Indeed, the extend version of CHAP protocol efficiently supports unconditionally secure authentication (based on universal hashing). Fig. 2 summarizes how different messages are performed between the Peer and the Authenticator during our extended version of CHAP protocol: 1) After having received the number H the Peer which plays the role of Alice begins the first phase of B92 protocol by sending photons one by one to the Authenticator (Bob) over the quantum channel. 2) After the emission of the photons, the Peer (Alice) and the Authenticator begin the second phase of B92 protocol. As in this phase all the messages are public and as B92 protocol is vulnerable to the attack “man in the middle” [13], we have to face such risk. For that we propose that all the messages exchanged during this phase are protected by the hash function HASH as MD5 [14] and with the initial secret S to ensure the integrity and the authenticity of the messages. For example if Alice sends to Bob the information INFO, she sends to him the couple (INFO, HASH (INFO, S)). Receiving this couple, Bob computes its own value of HASH (INFO, S) using the information received INFO and the shared secret S (HASH is a public data) and then he verifies the authenticity (and the integrity) of the information INFO. We note here even the mutual authentication is completed our scheme will improve the security by modifying continuously the secret S used in the function HASH at each new session of CHAP protocol. Once this phase is finished, Alice and Bob share the possession of a secret key K = {0,1}

N

if

there is no attack on quantum channel, we give it the name of quantum secret: K = QS . 3) Then Alice calculates HASH(H, QS) and sends it to Bob, receiving this value, Bob calculates its own value HASH(H, QS) and compares the two values and then decides in the end if the authentication succeeds or not. In the next regular interval, Alice and Bob use the common secret QS like a new secret instead of the secret S and repeat the stages 1), 2) and 3). By doing this QS is used to assure the authenticity and integrity of the public messages of B92 protocol and another secret key QS2 generated by the current execution of the B92 protocol is

employed in the value of HASH(H 2 , QS2 ) sent by Alice, here H 2 is the value emitted by Bob during this next session of CHAP protocol. This scenario modifies the secret S implicated in the value of the hash function HASH at each session of CHAP protocol.

Authenticator (Bob)

Peer (Alice)

H

Alice computes HA SH ( H , QS )

B92 Protocol

HASH ( H , QS )

Bob computes his own value of HASH and compares it with HA SH ( H , QS )

Fig. 2. Message flow for a full extended CHAP protocol.

4.3 An example demonstrating the practical use of the extended CHAP protocol To implement our extension of CHAP protocol in practice we need some requirement to be satisfied [15]. a) Protocol of QKD: in order to achieve unconditional security, we use a protocol of QKD which is very easy to implement. We choose B92 protocol because it has been proven to be secure and it is mostly used in practice. b) Quantum channel: B92 protocol uses a quantum channel to carry photons. There are now two medium to transport photons: the optical fiber and the free space [16]. In our solution we use the optical fiber because it transports photons for a long distance than the free space. c) Optical modem: the optical modem has to polarize, send and detect photons. It includes a photon detector and a laser with a single photon emitter and photon polarizer. This types of modems are used to exchange the quantum key but they are used also to exchange data depending on how encoding the information. Such modems are now commercialized and many techniques are exploited. The B92 protocol is implemented between two optical modems and the key generated once its execution finished is stored in a flash memory. In our implementation of the novel extension of CHAP protocol, we consider two LAN networks C and D connected via two optical modems linked by an optical fiber and we focused on the specific points A (Peer) and B (Authenticator) as illustrated in Fig. 3. We suppose A and B share a secret S . There are four phases to be executed to render our solution operational. Phase 1: When A receives the number H , the execution of the B92 protocol started and during the second

JOURNAL OF TELECOMMUNICATIONS, VOLUME 3, ISSUE 1, JUNE 2010 88

phase, all messages are protected (and authenticated) with the secret S and the hash function HASH . Phase 2: The B92 protocol is executed between the two optical modems over the optical fiber (quantum channel). The quantum key generated is stored in a flash memory in both sides of A and B. Using the key QSA stored in A’s flash memory, A calculates HASH ( H, QSA ) and sends it to the point B over the optical fiber. Phase 3: B uses the key QSB from its own flash memory and calculates the value HASH ( H, QS B ) and compares it with the value received from the Peer: if QSA = QS B than HASH ( H, QS A ) = HASH ( H, QSB ) and A in the end is authenticated. If HASH ( H, QS A ) ≠ HASH ( H, QS B ) this implies that QSA ≠ QSB and we deduct that an attacker is trying to gain some knowledge about the quantum key or there is a noise on quantum channel (optical fiber). In this case, B terminates the connection. Phase 4: in case QSA = QS B , both A and B uses the QSA as the secret S and during the next session of CHAP protocol, they use it to protect (and to authenticate) the public messages of B92 protocol and the next quantum key generated by B92 protocol is used in the hash function HASH to authenticate finally A. Network C

to the use of Quantum Cryptography which uses the principles of quantum physics to achieve the unconditional security.

REFERENCES [1] [2]

[3]

Tamaki.K, Lütkenhaus.N, Koashi.M, and Batuwantudawe.J, “Unconditional security of the Bennett 1992 quantum keydistribution scheme with strong reference pulse , “ Quantum Physics Archive: arXiv:quant-ph/0607082v1, 2006.

[4]

Bennett, C.H., et al.: ‘Experimental quantum cryptography’, J. Cryptol., 1992, 5, pp. 3–28 C.Z. Peng et al., “Experimental free-space distribution of entangled photon pairs over 13 km: Towards satellite-based global quantum communication,” Phys. Rev. Lett., vol. 94, no. 15, pp. 150501-1– 150501-4, Apr. 2005. D. Stucki, N. Gisin, O. Guinnard, G. Ribordy, and H. Zbinden, “Quantum key distribution over 67 km with a plug & play system,” New J. Phys., vol. 4, pp. 41.1–41.8, Mar. 2002. W. Simpson, “PPP Challenge Handshake Authentication Protocol (CHAP)“ , RFC 1994, August 1996. [8] http://www.ietf.org/ Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M., and E. Zeidner, "Internet Small Computer Systems Interface (iSCSI)", RFC 3720, April 2004. M. Elboukhari, M. Azizi, A. Azizi.(2008) “Security Oriented Analysis of B92 by Model Checking”, in Proc. IEEE Int. Conf. new technology, mobility and security (NTMS), page 454-458, 2008 M. Elboukhari, M. Azizi, A. Azizi, “Analysis of Quantum Cryptography Protocols by Model Checking”, IJUCS, Vol 1, pp. http://www.hypersciences.org/IJUCS/Iss.134-40, 2010. 2010/IJUCS- 4-1-2010.pdf M. Elboukhari, M. Azizi, A. Azizi, “Quantum Key Distribution Protocols: A Survey”, IJUCS, Vol 1, pp. 59-67, 2010. http://www.hypersciences.org/IJUCS/Iss.2-2010/IJUCS-2-22010.pdf C. H. Bennett, Phys. Rev. Lett, 68, 3121 (1992). R.Rivest, “The MD5 message-Digest Algorithm”, RFC 1321, April 1992. M. Elboukhari, M. Azizi, A. Azizi “Integration of Quantum Key Distribution in the TLS Protocol”, IJCSNS, Vol. 9 No. 12 pp. 2128, 2009. R.Hughes,J.Nordholt,D.Derkacs,C.Peterson, (2002). ”Practical free-space quantum key distribution over 10km in daylight and at night”. New journal of physics 4 (2002)43.1-43.14.URL: http://www.iop.org/EJ/abstract/1367-2630/4/1/343/ Idquantique : www.idquantique.com magiQ : www.magiqtech.com

[5]

[6]

[7] [8] [9]

Optical fiber Network D

[10]

A B Optical modem Fig. 3. An implementation of the extension of CHAP protocol using Quantum Cryptography.

[11]

[12]

5 CONCLUSION In our article we have presented a scheme which integrates Quantum cryptography to enhance the security of the authentication process. Precisely, we have integrated the B92 protocol in the standardized solution of CHAP protocol. Our novel extension of CHAP provides several advantages: 1. The secret S shared between the Peer and the Authenticator is exchanged only one time. 2. The secret S is modified in each new session of CHAP protocol, this complicate the task of an attacker. 3. The security of the secret used in the hash function is unconditional due to the quantum physics. 4. Our extension provides a mutual authentication during the exchanging of the public messages of B92 protocol. 5. Our schema is practicable because the devices used our example are now commercialized (optical modem and optical fiber). So, the service of the authentication of CHAP protocol is more secure when we add the technique of QKD. This is due

Gisin, N., et al.: ‘Quantum cryptography’, Rev. Mod. Phys., 2002, 74, pp. 145–195 Tamaki.K , Lütkenhaus.N, “Unconditional Security of the Bennett 1992 quantum key-distribution over lossy and noisy channel,“ Quantum Physics Archive: arXiv:quantph/0308048v2, 2003.

[13] [14] [15]

[16]

[17] [18]

Mohamed elboukhari received the DESA (diploma of high study) degree in numerical analysis, computer science and treatment of signal 2005 from the University of Science, Oujda, Morocco. He is currently a PhD student in the University of Oujda in the field of computer science. His research interests include cryptography, quantum cryptography and wireless network security.

Mostafa azizi received the diploma of engineer in automatic and

JOURNAL OF TELECOMMUNICATIONS, VOLUME 3, ISSUE 1, JUNE 2010 89

computer industry in 1993 from school Mohammadia of engineers, Rabat, Morocco. He received the Ph. D in computer science in 2001 from the university Montreal, Canada. He is currently professor at university of Mohamed first, Oujda, Morocco. His main interests include aspect of real time, embedded system, security and communication and management of the computer systems in relation with process industry Abdelmalek azizi received the Ph. D in theory of numbers in 1993 from university Laval, Canada. He is professor at department of mathematics in university Mohamed first, Oujda, Morocco. He is interested in history of mathematics in Morocco and in the application of the theory of number in cryptography.