Skip to main content

The Distributed Symmetric Key Establishment (DSKE) Protocol
draft-mwag-dske-00

Document Type Active Internet-Draft (individual)
Authors Mattia Montagna , Manfred von Willich , Melchior Aelmans , Gert Grammel
Last updated 2024-05-17
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-mwag-dske-00
Network Working Group                                        M. Montagna
Internet-Draft                                            M. von Willich
Intended status: Standards Track        Quantum Bridge Technologies Inc.
Expires: 18 November 2024                                 M.D.F. Aelmans
                                                              G. Grammel
                                                        Juniper Networks
                                                             17 May 2024

      The Distributed Symmetric Key Establishment (DSKE) Protocol
                           draft-mwag-dske-00

Abstract

   The Distributed Symmetric Key Establishment (DSKE) protocol
   introduces an approach to symmetric key distribution that enables
   robust, scalable, and future-proofed security without reliance on
   asymmetric encryption.  This document delineates the protocol's
   specifications, security model, and architectural integration.

Note

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 November 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Montagna, et al.        Expires 18 November 2024                [Page 1]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Abstract  . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Status of this Memo . . . . . . . . . . . . . . . . . . . . .   3
   3.  Copyright Notice  . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Introduction and background . . . . . . . . . . . . . . . . .   3
   5.  Requirements Language . . . . . . . . . . . . . . . . . . . .   5
   6.  DSKE System Overview  . . . . . . . . . . . . . . . . . . . .   6
   7.  Security Hub  . . . . . . . . . . . . . . . . . . . . . . . .   7
   8.  DSKE Client . . . . . . . . . . . . . . . . . . . . . . . . .   8
   9.  Secure Application Entity (SAE) . . . . . . . . . . . . . . .   9
   10. PSRD Generation, Delivery and Storage . . . . . . . . . . . .  10
     10.1.  PSRD Delivery from Local Distributor to Security
            Server . . . . . . . . . . . . . . . . . . . . . . . . .  10
     10.2.  PSRD Delivery from Local Distributor to DSKE Clients . .  11
     10.3.  PSRD Storage . . . . . . . . . . . . . . . . . . . . . .  12
   11. DSKE Protocol Specification . . . . . . . . . . . . . . . . .  13
     11.1.  Client Registration  . . . . . . . . . . . . . . . . . .  13
     11.2.  PSRD Generation and Distribution . . . . . . . . . . . .  14
     11.3.  Peer Identity Establishment  . . . . . . . . . . . . . .  15
     11.4.  Key Establishment  . . . . . . . . . . . . . . . . . . .  15
     11.5.  Key Validation . . . . . . . . . . . . . . . . . . . . .  17
     11.6.  Error Handling and Security Considerations . . . . . . .  18
   12. Security Model  . . . . . . . . . . . . . . . . . . . . . . .  19
   13. Implementation and Integration  . . . . . . . . . . . . . . .  19
     13.1.  Case Studies . . . . . . . . . . . . . . . . . . . . . .  19
   14. Conclusion  . . . . . . . . . . . . . . . . . . . . . . . . .  20
   15. References  . . . . . . . . . . . . . . . . . . . . . . . . .  20
   Appendix A.  Appendix . . . . . . . . . . . . . . . . . . . . . .  21
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  23

1.  Abstract

   The Distributed Symmetric Key Establishment (DSKE) protocol
   introduces an approach to symmetric key distribution that enables
   robust, scalable, and future-proofed security without reliance on
   asymmetric encryption.  This document delineates the protocol's
   specifications, security model, and architectural integration.

Montagna, et al.        Expires 18 November 2024                [Page 2]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

2.  Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".

   This Internet-Draft will expire on 22 April 2024.

3.  Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

4.  Introduction and background

   Symmetric and asymmetric cryptographic schemes employed for digital
   communication often assume that a hypothetical adversary is
   computationally constrained.  A classic example is the widely used
   RSA asymmetric scheme, which assumes that factoring a large integer
   into its two prime factors is computationally infeasible.  For an
   adversary in possession of the factors, the communication between the
   parties involved would be completely insecure.  In particular,
   asymmetric cryptographic schemes cannot achieve so-called
   information-theoretical security, and their security will always be
   mined by computational advancements.

   Peter Shor discovered an efficient quantum algorithm for factoring
   large integers [2], named Shor's algorithm.  When run on a quantum
   computer, it can break the RSA scheme, Diffie–Hellman key exchange,
   and elliptic curve cryptography, and consequently poses a serious

Montagna, et al.        Expires 18 November 2024                [Page 3]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   threat to Public Key Infrastructure (PKI).  Although a
   cryptographically relevant commercial quantum computer is not yet
   available, a malicious eavesdropper can readily store data being
   transmitted today for when new breaches of a protocol are developed,
   or technological advances make existing theoretical exploits
   practical.

   The advancement of classical and quantum computers, together with the
   development of new code-breaking algorithms, will have an important
   impact on long-term security, and threaten political, social and
   economic stability.  For these reasons, several governments and
   international organizations are planning a transition to quantum-safe
   cryptography solutions, and NIST is currently standardizing post-
   quantum asymmetric cryptography [6], also known as Post-Quantum
   Cryptography (PQC).

   Besides security, asymmetric cryptographic schemes also come with
   non-negligible operational and computational costs.  For example, in
   SD-WAN networks, before a pair of routers can exchange data traffic,
   they establish an IPsec connection between them, which they use as a
   secure communications channel.  In a traditional IPsec environment,
   key establishment is handled by the Internet Key Exchange (IKE)
   protocol [5].  IKE first sets up secure communications channels
   between devices and then establishes security associations (SAs)
   between each pair of devices that want to exchange data.

   While a lot of effort has been invested in the standardization of
   asymmetric cryptographic schemes and their integration into the
   Internet, symmetric key distribution systems did not achieve a
   similar level of international standardization.  The Distributed
   Symmetric Key Establishment (DSKE) protocol is introduced here to
   allow for interoperability in symmetric key distribution systems.
   DSKE relies on pre-shared random numbers between DSKE clients and a
   set of so-called 'Security Hubs'.

   Any group of DSKE clients can use the DSKE protocol to distill a
   secret key from pre-shared numbers.  The clients are protected from
   compromise of Security Hubs by a secret sharing scheme that allows
   the creation of the final key without the need to trust individual
   Security Hubs.  Precisely, if the number of compromised Security Hubs
   does not exceed a certain threshold, confidentiality is guaranteed to
   DSKE clients and, at the same time, robustness against denial-of-
   service (DoS) attacks is assured.

Montagna, et al.        Expires 18 November 2024                [Page 4]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   DSKE can be proved to achieve information-theoretical security, and a
   very high level of scalability, both discussed in detail in this
   document.  Other advantages include computational efficiency and
   potentially the limited amount of code needed to implement DSKE,
   reducing the surface attack.

   Furthermore, the intrinsic trust distribution of the DSKE backend
   provides a further level of redundancy against network failures and
   removes the single point of trust.  The DSKE system can be used in
   situations where asymmetric cryptographic schemes are not suitable,
   for example:

      Quantum-secure communication, including government communication,
      national security systems and critical infrastructure, which may
      have security requirements that asymmetric cryptographic schemes
      cannot deliver.  National security agencies in many countries
      recommend the use of symmetric Pre-Shared Keys (PSKs) instead of
      or in addition to asymmetric public/private key pairs to provide
      quantum-resistant cryptography.

      Large meshed networks, where the use of IKE and PKI can become a
      computational bottleneck, or can require the management of a large
      number of certificates, which increase network complexity and
      reduce scalability.  Such networks include large meshed SD-WAN and
      Border Gateway Protocol (BGP) routers, among others.

      Cross domain communication, where a single authority or service
      provider (like a CA) cannot be fully trusted.  Instead, multiple
      parties can establish their own Security Hubs and build an
      infrastructure in which the trust is distributed among them.

      Constrained devices, where key establishment via asymmetric
      cryptographic schemes is challenging due to the high computational
      requirements.  Examples of these networks include sensor networks
      [7].

      Cloud authentication services, where a customer or cloud service
      provider wishes to ensure that the connections to specific cloud
      services are assured to be quantum-secure.

5.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

Montagna, et al.        Expires 18 November 2024                [Page 5]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

6.  DSKE System Overview

   In a DSKE system there are two primary actors involved: Security Hubs
   and DSKE clients (or simply clients).  A DSKE system usually includes
   multiple Security Hubs, for reasons that will be clear later, but it
   can in principle work with only one Security Hub.

                    +---------------------+         +---------------------+
                    | DSKE Security Hub X |         | DSKE Security Hub Y |
                    +---------------------+         +---------------------+
                           |         \                   /         |
                           |        +-------------------+          |
                           |       /   \                           |
                           |      /     +-------------------+      |
                           |     /                           \     |
                     +---------------+                   +---------------+
                     | DSKE Client A |                   | DSKE Client B |
                     +---------------+                   +---------------+
                             |                                    |
                      +-------------+                     +--------------+
                      |   SAE A     |                     |    SAE B     |
                      +-------------+                     +--------------+

   Clients join a DSKE system to establish shared cryptographic keys
   with each other.  When a client joins a DSKE system, each Security
   Hub generates a certain amount of high quality random numbers,
   referred to as Pre-Shared Random Data (PSRD), and delivers them to
   the client.  Each PSRD set is uniquely shared between the client and
   the Security Hub that generated that specific PSRD set.  Once the
   client receives PSRD from all the Security Hubs, it is on-boarded in
   the system and can start to establish mutual cryptographic keys with
   any other on-boarded DSKE client.

   More specifically, when a client wants to establish a key with one or
   more others, she communicates this to the set of Security Hubs.  Each
   Security Hub, in response, sends a key instruction message to the
   other client(s), who then use these to distill keys from the PSRD
   that was pre-shared with them by the Security Hubs when they joined
   the system.  After the distribution of PSRD, which can be done via
   physical delivery, the subsequent communication between DSKE clients
   and the Security Hubs can take place over unsecure, public channels.

Montagna, et al.        Expires 18 November 2024                [Page 6]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   DSKE clients usually do not consume cryptographic keys themselves,
   but rather pass them to external applications, referred to as Secure
   Application Entity (SAE).  SAEs can connect to DSKE clients in
   different ways, which are discussed later in this document.  The key
   established by DSKE clients can then be consumed at will by the SAEs,
   for example to seed symmetric encryption algorithms or authentication
   schemes.

   In the following we provide an overview of the role of each party in
   a DSKE system.  The next section will then describe the details of
   the DSKE protocol.

7.  Security Hub

   DSKE is supported by a set of independently operated Security Hubs.
   The role of the Security Hubs, in a nutshell, is to: (i) generate
   high-quality random numbers (PSRD) and distribute those to DSKE
   clients, while keeping a local private copy; (ii) act on requests
   from DSKE clients by providing key instruction messages that allow
   the clients to establish a key.

   Each Security Hub is composed by one Security Server, and one or more
   Local Distributors.  The purpose of multiple Local Distributors is to
   be able to easily provide PSRD to DSKE clients in diverse geographic
   regions.  A Local Distributor generates a large amount of unallocated
   PSRD as or before it is needed, i.e. PSRD that has not yet been
   allocated to any DSKE client.  The Local Distributor then delivers a
   copy of this PSRD to its Security Server, while keeping a local copy.
   The PSRD delivery is usually performed via physical shipping,
   although other possibilities are discussed later.  When a DSKE client
   requests PSRD from the Security Hub, one of it Local Distributors
   fulfills the request by allocating a part of the unallocated PSRD to
   that client, delivering it to the client, and informing its Security
   Server about which range of the unallocated PSRD was allocated to any
   given client.  The final result is that the Security Server has some
   PSRD in common with the DSKE client.  Note that the Local Distributor
   does not keep a copy of the allocated PSRD, and PSRD always exists
   only in exactly two copies.

Montagna, et al.        Expires 18 November 2024                [Page 7]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   The Local Distributor, when delivering PSRD to a client, also
   performs the important task of validating the client's identity,
   coupled to the delivery of secret data to be used for later
   authentication.  The authentication of a client to a Security Hub
   provides, at a later stage, the basis for authentication between
   clients.  Indeed, once two clients have correctly authenticated with
   a common set of Security Hubs, they will be able to authenticate with
   each other with the same level of security.  DSKE guarantees
   information-theoretically secure authentication between clients,
   relying upon the authentication of each client with the Security Hub
   during the PSRD delivery phase.

   DSKE clients, once on-boarded in the system, can send key requests to
   the Security Hub. These requests can be sent over an insecure
   channel, i.e. the Internet, and they are processed by the Security
   Server.  If a first client, Alice, is requesting a key with a second
   client, Bob, the Security Server has to build key instructions
   consuming some of the PSRD in each Alice and Bob private PSRD tables.
   These computations must be done locally in order to guarantee
   information theoretical security for DSKE, and for this reason PSRD
   with clients must be maintained in a single location within the
   Security Hub, i.e. the Security Server.  Once the key instructions
   are computed, these can be delivered to Alice and Bob over an
   insecure channel.

   The internal structure of the Security Hub allows for a very high
   level of scalability of the system.  This scalability is mainly due
   to the simplification of the logistic operations associated with the
   PSRD delivery.  In a DSKE system with a single-entity Security Hub,
   clients from any region of the world shall receive the PSRD from a
   single location (i.e. the location of the Security Hub).  As the cost
   and the risk associated with the PSRD delivery is proportional to the
   distance between a single-entity Security Hub and the client, costs
   and risk can be largely reduced with the introduction of the Local
   Distributors.  In this scenario, the large distance between a
   Security Server and its clients are only covered once, when the Local
   Distributor for that specific region is set up, and unallocated
   (aggregate) PSRD is delivered from the Local Distributor to the
   Security Server.  PSRD delivery to local clients happens over way
   shorter distances, provided that the client is close to any Local
   Distributor.

8.  DSKE Client

   A client joins the DSKE system by sending a request to each Security
   Hub. Each Security Hub, after associating a unique DSKE client ID to
   the new client, delivers to the DSKE client some PSRD and, at the
   same time, performs authentication of the client.

Montagna, et al.        Expires 18 November 2024                [Page 8]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   The multiple Security Hubs in the system are separately operated
   entities.  When the first client, Alice, wants to establish a key
   with a second client, Bob, she sends a key request to each Security
   Hub over a public channel.  Key requests contain information about
   Bob's ID, the size of the key requested, and other information needed
   to produce the key at Bob's side.  These key requests are sent
   independently to each Security Hub, which computes key instructions
   based on the PSRD they have in common with Alice and Bob. The key
   instructions are then sent to Bob via a public channel.  For each
   Security Hub, Bob uses its PSRD and the key instruction to build a
   key share.  Each key share is known to only Alice, Bob, and one
   Security Hub. Alice and Bob implement a (k, n)-secret sharing scheme
   to build a final key, where k is the number of shares necessary to
   build the final key, and n is the total number of Security Hubs that
   Alice chooses to use.  Alice and Bob can choose k and n, as well as
   the set of n Security Hubs that are to be used, dynamically.

   Note that, in a similar way, the DSKE system allows a client to
   request a multi-recipient key, i.e. a key that is to be established
   with two or more other clients.

9.  Secure Application Entity (SAE)

   A DSKE key is usually consumed by another entity, for example, a
   Secure Application Entity (SAE) as specified in the standard ETSI GS
   QKD 014, which can use the key to secure any of a variety of
   communications.  For example, DSKE keys can be integrated in IPSec
   via RFC 8784, in TLS via RFC 4279, and can be integrated in other
   applications that allow for the specification of a pre-shared key.
   The key is usually employed for encryption, authentication, or both.

   In a typical DSKE deployment, a DSKE client is interfaced to a SAE
   via a secure link, either because the DSKE client is co-hosted in the
   same device with the SAE, or it is connected to the SAE over a secure
   Local Area Network (LAN).  For example, for site-to-site security, a
   DSKE client can be installed on a device co-located with one or more
   network appliances, and the network appliances can send key requests
   to the DSKE client via a standard API interface such as ETSI GS QKD
   014.  On a mobile device, the DSKE client can be directly run on the
   device itself, and expose an API for other applications to request
   DSKE keys.

Montagna, et al.        Expires 18 November 2024                [Page 9]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

10.  PSRD Generation, Delivery and Storage

   A general deployment of a Security Hub consists of a single Security
   Server, which can be operated from the cloud or a private colocation,
   and multiple Local Distributors, that can be operated in different
   locations depending on the use case.  Each Local Distributor can be
   operated fully independently of the others; it depends on only its
   associated Security Server.

   Whenever a new Local Distributor is created, some amount of
   unallocated PSRD is generated, and a copy is shipped to the Security
   Server.  This is the first PSRD delivery that must be completed by
   the Local Distributor in order to become operational.  The generation
   of the PSRD is performed by the Local Distributor, and can happen in
   different ways.  Usually, either a Pseudo-Random Number Generator
   (PRNG) is employed, a Hardware Random Number Generator (HRNG), a
   Quantum Random Number Generator (QRNG), or a combination.  The
   difference between the three methods lies in the source of
   randomness.  PRNG are chaotic processes with a very long period, but
   they require an initial seed.  The seed is usually taken from a HRNG,
   leveraging some physical processes of the machine where the PRNG is
   hosted.  QRNGs, on the other hand, leverage quantum-mechanical
   processes to generate randomness, and they usually come with a
   theoretical security proof about the quality of the outcome they
   produced.  The DSKE protocol is agnostic to the type of random number
   generator used for the PSRD; its security does however depend on its
   entropy.

   Once a Local Distributor is operational, it can fulfill a DSKE
   client's requests to deliver PSRD, i.e. a portion of the unallocated
   pool is allocated to that DSKE client, shipped to it and deleted
   locally.  There are, generally speaking, two types of PSRD delivery:
   unallocated PSRD from a Local Distributor to its Security Server; and
   allocated PSRD from a Local Distributor to a DSKE Client.

10.1.  PSRD Delivery from Local Distributor to Security Server

   A typical PSRD delivery between a Local Distributor and a Security
   Server can involve a large amount of unallocated PSRD (gigabytes,
   terabytes, or more).  A single shipment can provide enough PSRD for
   several years of operations of a Local Distributor, depending on
   demand.  However, organization-specific security policies may require
   unallocated PSRD to be deleted and generated afresh regularly, e.g.
   every six months.

   The following is a list of some possible methods for moving the PSRD
   from a Local Distributor to its Security Server:

Montagna, et al.        Expires 18 November 2024               [Page 10]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

      Physical delivery using Hardware Security Modules (HSMs).  Off-
      the-shelf devices, for example encrypted USB keys, can be used as
      well.

      In case the Security Server is operated in the cloud, the cloud
      service provider may offer a service to upload data by physical
      delivery.

10.2.  PSRD Delivery from Local Distributor to DSKE Clients

   Note that each use case may place specific requirements on PSRD
   delivery.  However, the DSKE protocol is agnostic to the method used
   for PSRD delivery.  This means that two DSKE Clients can receive PSRD
   in two different ways, and they would still be able to establish keys
   over DSKE.  The same Local Distributor can also distribute PSRD using
   different methods for different DSKE Clients.

   The following is a list of possible methods for the PSRD distribution
   for Site-to-Site security, i.e. for the delivery from Security Hub to
   Quantum Bridge KME:

      Physical delivery using secure Hardware Security Modules (HSMs).
      Off-the shelf devices, for example Kingston encrypted USB keys,
      can be used.

      For military purposes, specialized key fillers can be utilized,
      for example the KYK-13.

      In case the client is operated in the cloud, the cloud service
      provider may offer a service to upload data by physical delivery
      on secure hardware that is owned by the cloud service provider.

      Quantum Key Distribution: note that, because the number of Local
      Distributors for a Security Hub is not limited and these may be
      placed in locations convenient to QKD, the latter's distance
      limitations do not constrain the deployment of DSKE.  QKD can be
      effectively deployed within DSKE.

   The following is a list of possible methods for the PSRD distribution
   for endpoint security, i.e. for the delivery from Local Distributor
   to portable devices such as tablets and mobile phones:

Montagna, et al.        Expires 18 November 2024               [Page 11]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

      QR codes: The Local Distributors are equipped with a feature to
      print small amounts (approximately 1 kB) of PSRD as QR codes when
      allocated to a client.  This small amount can be used to initially
      encrypt (using AES-256) and transfer a larger amount of PSRD over
      the Internet.  In a large organization, one could position Local
      Distributors in the IT room and ask personnel to import PSRD by
      scanning QR codes.  Content secrecy of, and hence access to, these
      QR codes must therefore be strictly controlled.

      SIM or eSIM cards for mobile phones usually come with pre-
      installed pre-shared keys with the service provider.  These keys
      can be used to encrypt and deliver a larger amount of PSRD to the
      mobile phone.

      NFC (Near Field Communication).

      Encrypted USB memories or key loaders can also be used for
      portable devices like mobile phones or laptops.

10.3.  PSRD Storage

   The security of PSRD is critical to the security of the DSKE
   protocol.  Every implementation of a DSKE component (including
   Security Server, Local Distributor, DSKE client, or PSRD transfer
   mechanism) MUST manage the secrecy and number of copies of the PSRD
   to meet the system security requirements for the context.  Though
   such requirements are outside the scope of this document, some
   idealized considerations are listed here:

      Only two copies: After generation of the random data to be used as
      PSRD, two and only copies should exist, and each destroyed when
      used.  This implies that upon transfer of a copy to a new medium
      (e.g. loading into RAM from disk, or transferring it to an
      encrypted form), the source copy must be securely destroyed.

      Storage security: The security of the storage should be managed so
      as to ensure the security level demanded of the context.
      Particularly, security of software, system isolation,
      electromagnetic emanation and physical access should meet the
      requirements.

      Processing security: Processes that access and manipulate PSRD and
      derived data should be designed to ensure that there is no leakage
      of PSRD.  Although it is generally infeasible to avoid temporary
      duplication, every process should end with one copy only of the
      PSRD or data that is derived from it.  For example, in moving data
      from RAM into a register or vice versa, or if data is combined
      with other data through an operation (e.g.  XOR), a copy is

Montagna, et al.        Expires 18 November 2024               [Page 12]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

      created.  The process should ensure that the source copy is always
      overwritten, and never remains for some other process to possibly
      access it.

      Removable storage of PSRD (including forms used for transferring
      PSRD between DSKE entities) presents a significant security
      challenge.  Ensuring the security of DSKE forces the same
      principles to be applied.  For example, if a QR code is used to
      transfer PSRD, this QR code must be transferred in a way that
      prevents copying in transit, or at a minimum ensures that any
      possibility of having been copied is detected and managed before
      use; relatedly, the QR code itself must be securely destroyed upon
      loading at the destination.

11.  DSKE Protocol Specification

   The DSKE protocol defines a method for generating and distributing
   symmetric keys across a network of clients in a secure, efficient,
   and scalable manner.  For the purpose of this document, the Security
   Hub will be treated as a single entity, i.e. there will be no
   separation between Security Server and Local Distributors.  We now
   discuss each phase of the protocol in detail.

11.1.  Client Registration

   When a client registers with a Security Hub, the following happens:

      A representative of the client that is acceptable to the Security
      Hub submits an application to the Security Hub to register the
      client.

      The Security Hub determines whether it will accept the client,
      including whether it has a suitable mechanism for securely
      delivering initial keys and subsequent PSRD to the correct entity.
      If not, it aborts the registration.

      The Security Hub assigns an ID to the client that is unique
      between clients at that Security Hub – an assignment that may
      happen at any time prior to this point, and may be independently
      linked to a real-world identity.  There is no link between this ID
      and IDs allocated by other Security Hubs to this client: the
      uniqueness requirement applies only within the set of IDs
      allocated by that Security Hub.

Montagna, et al.        Expires 18 November 2024               [Page 13]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

      The Security Hub produces the necessary initial keys, and arranges
      for secure delivery of the initial keys and the allocated ID to
      the client.  Secure delivery includes two necessary factors: a
      validation of the correct real-world identity of the recipient,
      and a proof to the recipient of the identity of the sending
      Security Hub.

      The client receives the ID and initial keys, and it transfers them
      from the form in which they are sent into its internal storage.

      Optional: An "I'm here" message may be sent to alert the Security
      Hub that the client has received the initial key, which may
      include a proof that it has been correctly received.

      Note: The first PSRD shipment may accompany this delivery;
      however, separating these deliveries improves security, as the
      interception of both the initial keys and the PSRD by an adversary
      is made more difficult, and the two deliveries become independent
      authentication factors in the registration process.

   At the end of the registration process with a Security Hub, the DSKE
   Client will have a unique DSKE ID assigned to it, together with the
   initial key(s) shared with the Security Hub.

11.2.  PSRD Generation and Distribution

      The SH determines that a validated client is to receive additional
      PSRD, through a request, schedule, tracking of PSRD exhaustion, or
      other means.

      The SH locally allocates the required quantity of unallocated PSRD
      to the client, determines the PSRD index range within its
      unallocated PSRD store to package and ship to the client.

      The SH transfers the indexed PSRD to a secure shipment for the
      client, encrypted and authenticated using the PSRD encryption
      protocol.

      SH securely ships the PSRD to the client; each side uses a secure
      mechanism to validate the real-world identity of the other party,
      coupled to the delivery.  The actual mechanism used is out of
      scope here.

Montagna, et al.        Expires 18 November 2024               [Page 14]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

11.3.  Peer Identity Establishment

   Peer identities in the form of their DSKE Client IDs as assigned by
   each Security Hub must be established between DSKE clients, validated
   against their real-world identities.  The system may be designed to
   build on trust placed by a client in the identity validation
   performed by each of the Security Hubs.

   The mechanism employed for this purpose is out scope for this
   document.

11.4.  Key Establishment

   Refer to Appendix A for protocol specifics relating to key
   establishment.

   The sending DSKE client (Alice) requesting the key establishment:

      determines with whom a key is to be established, and associated
      security parameters that will be acceptable to both sender and
      recipients for the establishment of the specific secret.  This
      includes k, n, the identities of n SHs that both it and the
      intended recipient(s) are all registered with.  The choices are
      determined by security constraints that the clients require.

      determines the secret ID, which is unique for the sender (some
      relaxation of this requirement is possible, but not used here).

      determines the length of the secret.

      selects whether it will be:

      -  (a) DSKE secret transmission: a provided secret, or

      -  (b) DSKE key establishment: a random secret.

      selects and reads the needed amount of PSRD from each of the n
      SHs, deleting it from its PSRD store.

      DSKE client generates shares (with parameters k, n).  This may be,
      for example, in a Shamir scheme by using PSRD from the n SHs.  The
      PSRD from the first (a) k − 1 or (b) k SHs respectively is
      unaltered as shares of the secret, and the remaining n − k + 1 or
      n − k respectively shares are derived.

      generates a message to each of the SHs.  Each message contains:

Montagna, et al.        Expires 18 November 2024               [Page 15]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

      -  The encrypted share (which will be zeros for the first k shares
         if the optional share randomization is not used)

      -  Authentication tag for the secret and critical associated data

      -  PSRD index range (metadata describing the range of the PSRD
         used in the operation, start index + length with enough PSRD to
         encrypt the shares and to produce the secret tag and message
         tag)

      -  The coordinate xi used in the share for the Security Hub

      -  The parameters (k, n)

      -  The secret ID

      -  Additional Associated Data: handed to the DSKE client by the
         application layer [not encrypted nor hidden to the SH]

      -  Sender's DSKE client ID [TBD: whether this is inferred or
         explicitly included in the message], as assigned by the SH that
         the share will be sent through

      -  Vector of DSKE client IDs for which the key is intended, as
         assigned by the SH that the share will be sent through.

      Sign the entire foregoing using the DSKE message MAC algorithm,
      using PSRD from the SH, appended to the package

      Wrap the message using an AES key with an AEAD mode

      key request package = (package, Alice DSKE ID (inferred or
      explicit), a nonce that was used in the AEAD mode, and an
      identifier for its key)

      Key request package is sent to SH

      May receive and validate the SH response; this is not part of the
      DSKE protocol, but may be desirable for status management
      depending on the context

      The sender may separately alert the recipient(s) to expect the
      key; this is not part of the DSKE protocol, but may smooth
      operation.

   Security Hub key instruction generation (after receiving a request
   from Alice):

Montagna, et al.        Expires 18 November 2024               [Page 16]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

      Verify the secure transport authentication, and decrypt as needed

      Verify the DSKE MAC (using PSRD) in the inner package

      Decrypt the share using the PSRD and the (start index + length)

      Store the share

      The SH may send an acknowledgement back to Alice.  This is not
      part of the DSKE protocol, but may facilitate operation.

   Each DSKE client receiving the established key:

      [TBD: two variants may be considered: an offline-compatible
      variant in which the SH controls the PSRD indices for the key
      instructions, and an online-only variant in which each recipient
      controls the PSRD indices.]

      Retrieval of key instructions:

      -  Offline variant: DSKE client retrieves available or requested
         specific wrapped key instructions from the required SHs.  How
         the availability thereof is determined (e.g. batch retrieval,
         or notification by the sender or the SH) is not specified here.

      -  Online variant: Bob prepares a message for each SH.  Each
         message includes:

      -  o  Sender DSKE client ID and secret IDs that Bob wants

         o  Message is then wrapped with AEAD mode under the key for use
            in this mode, which includes adding any nonce and key
            identifier, and sent

         o  Unwrap the retrieved AEAD messages with the AEAD key.

         o  For each message, check the message tag (MAC) using selected
            PSRD (see Appendix A for detail)

         o  Attempt recovery of the secret (see Appendix A for detail).

11.5.  Key Validation

   The key validation phase of the DSKE protocol is through validation
   of the DSKE secret tag in Section 3.4.

Montagna, et al.        Expires 18 November 2024               [Page 17]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

11.6.  Error Handling and Security Considerations

   The following transport mechanisms may be used for transmission error
   management without impacting the security of the DSKE protocol
   (assuming an authentication layer with the required properties):

      TCP-like retries and delivery

      Error detection and correction protocols

      Cryptographic authentication and encryption protocols

   The following is premised on these assumptions:

      The sending and recipient(s) are honest, without security
      compromise, and functioning correctly;

      The number of the Security Hubs that the receiver will accept key
      instructions from is not below the minimum k_min that is placed by
      the receiver on the threshold k of the secret sharing scheme.

      The size of the predetermined set of Security Hubs that the
      receiver will accept key instructions from is not above the
      maximum nmax that is placed by the receiver on the number n of
      shares the secret sharing scheme.

      The protocol is secure against transmission errors, in the sense
      that these will be detected and discarded by the recipient of the
      messages, being either a Security Hub or a recipient DSKE client.

      The protocol is secure against re-sending of messages once these
      have been received, which might have been expected to result in
      the same secret being reconstructed by a recipient for a second
      time.  It does not inherently prevent the protocol from completing
      after a delay as a result of delaying or re-ordering the messages,
      though this can be controlled (if desired) through other
      mechanisms such as including an expiry time.

      The protocol is secure against compromise, in the sense that an
      adversary with control of all communication links (excluding
      initial identity validation and PSRD delivery) will not be able
      to:

      -  obtain any information about the secret, other than its length;
         or

      -  induce the recipient(s) to reconstruct a secret other than that
         which is sent by the purported sender.

Montagna, et al.        Expires 18 November 2024               [Page 18]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

      The DSKE protocol, in itself, is not robust against denial of
      service attacks that deplete one-time authentication keys, as is
      used for authenticating the key request and key instruction
      messages.  To protect against this, a wrapping authentication
      protocol with reusable keys must be employed.

      The protocol is robust and will function correctly provided that
      the number of shares that reach the receiver successfully is not
      below the threshold k of the secret sharing scheme.

12.  Security Model

   DSKE's security model is anchored in its resistance to both classical
   and quantum computational attacks, leveraging the distributed trust
   established through pre-shared keys and the one-time-pad principle
   for packet encryption.  The model is resilient against known attacks
   such as eavesdropping, man-in-the-middle, and replay attacks.

   Detailed security proofs should be provided to demonstrate the
   protocol's resistance to various attack vectors (based on
   https://arxiv.org/abs/2304.13789).

13.  Implementation and Integration

   The DSKE protocol is designed to be implemented in various network
   environments, including but not limited to traditional data centers,
   cloud services, SD-WAN infrastructures, BGP router networks, and
   others.  Its integration is facilitated by its design, which allows
   it to be adapted for use with a variety of network devices and
   software platforms.

13.1.  Case Studies

   IPsec: Illustrating the implementation of DSKE within a VPN
   environment, demonstrating how DSKE keys are utilized to establish
   secure communication tunnels, exercising the multiple options for
   symmetric key use in IPsec.

   SD-WAN Deployment: Exploring the benefits of DSKE in an SD-WAN setup,
   particularly focusing on the economic and operational efficiencies
   gained by using DSKE over traditional PKI-based systems.

   BGP and Routing Security: Discussing the methods for incorporating
   DSKE into BGP to enhance routing security between autonomous systems.

   Cloud Authentication Services: Detailing the process of integrating
   DSKE into cloud-based authentication services to provide robust
   security without the overhead associated with PKI.

Montagna, et al.        Expires 18 November 2024               [Page 19]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

14.  Conclusion

   The DSKE protocol represents a significant step forward in the field
   of practical cryptographic key establishment.  It addresses the
   current and future challenges faced by network security
   professionals, particularly in the face of the quantum computing
   threat.  By providing a secure, efficient, and scalable method for
   symmetric key establishment, DSKE can advance as a standard in the
   space of symmetric key establishment.

15.  References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119.txt>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", RFC 8174, May 2017,
              <https://www.rfc-editor.org/rfc/rfc8174.txt>.

   [RFC8784]  Tschofenig, H., "Using Pre-Shared Keys in the Context of
              TLS", RFC 8784, May 2020,
              <https://www.rfc-editor.org/rfc/rfc8784.txt>.

   [RFC4279]  Eronen, P., "Pre-Shared Key Ciphersuites for Transport
              Layer Security (TLS)", RFC 4279, December 2005,
              <https://www.rfc-editor.org/rfc/rfc4279.txt>.

   [NIST.SP.800-38D]
              Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP
              800-38D, 2007,
              <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
              nistspecialpublication800-38d.pdf>.

   [RFC8452]  Gueron, S., "AES-GCM-SIV: Nonce Misuse-Resistant
              Authenticated Encryption", RFC 8452, September 2019,
              <https://www.rfc-editor.org/rfc/rfc8452.txt>.

   [RFC5996]  Kaufman, C., "Internet Key Exchange Protocol Version 2
              (IKEv2)", RFC 5996, September 2010,
              <https://www.rfc-editor.org/rfc/rfc5996.txt>.

   [arxiv2304.13789]
              Lin, J., von Willich, M., and H. Lo, "Composable Security
              of Distributed Symmetric Key Exchange Protocol",
              arXiv 2304.13789, 2023,
              <https://arxiv.org/abs/2304.13789>.

Montagna, et al.        Expires 18 November 2024               [Page 20]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   [FOCS.1994]
              Shor, P.W., "Algorithms for quantum computation: Discrete
              logarithms and factoring", IEEE Comput. Soc. Press 35th
              Annual Symposium on Foundations of Computer Science, 1994,
              <https://doi.org/10.1109/SFCS.1994.365700>.

   [NIST.PQC.2016]
              Chen, L., "Report on post-quantum cryptography",
              NIST Report on Post-Quantum Cryptography, 2016,
              <https://csrc.nist.gov/publications/detail/nistir/8105/
              final>.

   [SENSOR.2003]
              Chan, H., Perrig, A., and D. Song, "Random key
              predistribution schemes for sensor networks", IEEE
              Symposium on Security and Privacy 2003, 2003,
              <https://doi.org/10.1109/SECPRI.2003.1199337>.

Appendix A.  Appendix

   This appendix provides detail of specific choices of secret sharing
   scheme and authentication function for generating the secret tag,
   with the purpose of allowing prototyping the core key establishment
   protocol of section 3.4.  It does not cover management of the PSRD
   distribution and of managing the AEAD key used in the message
   wrapper.  The protocol is varied slightly from that in Appendix A of
   reference [1].

   In this appendix, 'word' means a 128-bit quantity, and 'byte' means
   an 8-bit quantity.  Concatenating (symbol '||') 16 bytes produces a
   word.  Concatenation places the first quantity in the least-
   significant position.  Thus, hex_10 || hex_32 || hex_54 || hex_76 =
   hex_67452310.  The prefix 'hex_' denotes hexadecimal (i.e. base 16),
   and the prefix 'F_' denotes an element of the field F in a polynomial
   basis expressed in hexadecimal.  Intermediary zeros are abbreviated
   '…'.  An underscore '_' is used as a digit-grouping separator.  The
   caret symbol (‘^’) indicates the operation of taking a power, and
   indexing is indicated in trailing brackets (‘[...]’).  Where the
   index is A, it indicates that the variable relates to Alice, and B
   relates to Bob.

   We use the field F = GF(2^128) expressed in a polynomial basis modulo
   the irreducible polynomial 1 + x + x^2 + x^7 + x^128.

   The LSB of a word holds the coefficient of the lowest-degree term
   (x^0).  Thus, the polynomial 1 + x^6 + x^7 + x^126 as an element of F
   as

Montagna, et al.        Expires 18 November 2024               [Page 21]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   F_40000000_00000000_00000000_000000C1 or F_40…0C1

   Addition is standard exclusive-or (F_40…0C + F_60…0A = F_20…06).

   Multiplication is as polynomials modulo the given irreducible
   polynomial (identity element F_0…01; F_80…0 × F_0…02 = F_0…087)

   Message hash function: h(c,d,y[1],…,y[m]) := d + ∑1=1..m c^i y[i]

   Secret hash function: h(c,d,e,y[1],…,y[m])

   Note that these are the same variadic function, with either two or
   three leading parameters being considered to be the hashing key.
   Operations (addition, summation, multiplication, integer power) are
   all in the field F.

   k-of-n secret sharing scheme: Shamir secret sharing scheme applied to
   each word in the sequence in turn, using the same nonzero
   'coordinate' x[i] for every word of a given share.  That is, given
   the corresponding word y[i] of k of the n shares, we can solve for
   the k variables c[i] in the k simultaneous linear equations y[i] =
   ∑j=0,...,k−1 c[j] x[i]^j, and derive the remaining y[i] by using the
   equations directly.  Alternatively, apply this process at the byte
   level over GF(2^8) with irreducible polynomial 1 + x + x^3 + x^4 +
   x^8.

   Alice

   Assume key establishment is required (transferring a secret is
   similar).

   Given: m (secret length in words), n, k, list of recipient
   SH+receiver client ID pairs, plus a distinct nonzero word
   "coordinate" per SH (may be assigned per protocol execution, e.g. the
   share index i, interpreted as an element of F).

   Read 2 + 3 + m (128-bit) words of PSRD from each of the n PSRD tables
   associated with a SH.  Retain the first two words as the key for the
   massage authentication.

   Select k of the n SHs (e.g. randomly).  For each of these k SHs, the
   next 3 + m words of these k strings of 3 + m words become the
   unencrypted share R[A][i] of the secret Y[A][0].  Derive the secret
   from these shares using the Shamir sharing scheme (the y[0] = c[0]
   for the c[i]) that, given the k pairs (x[i], y[i]), solve the
   simultaneous equations y[i] = ∑j=0..k−1 c[j] x[i]^j, all operations
   being in F).  Find the y[i] for the remaining n − k SHs.

Montagna, et al.        Expires 18 November 2024               [Page 22]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   Divide the words of the secret, in order, are c, d, e, y1, …, ym used
   calculating secret authentication tag σ[A] = h(c,d,e,y[1],…,y[m]).
   Adjust an input share for the word d so that σ[A] = 0.

   [Note: Consider concatenating an encoding of k, n, m, K[A], AB, BA*
   to the data that is authenticated; these IDs are not transmitted.
   Here, Bob* assigns an ID AB to Alice that is unique among the IDs
   that he assigns to other DSKE clients, and vice versa for BA; for
   multi-recipient networks, such IDs may need to be globally
   allocated.]

   Message format (TBD: bit-lengths of fields, ordering):

   M[A][i] = A[i] || B[i]* || K[A] || j[A][i] || k || n || m || x[i] ||
   Z[A][i]

   [The SH identity is implied both by t[A][i] and the AEAD wrapping
   (P[i], A[i]) for every i for which the recipient has established this
   for Alice's identity, and similarly for any DSKE client's identity.

   Note that there is no feedback in the reverse direction in the
   protocol.  This is left to higher-level protocols.

Authors' Addresses

   Mattia Montagna
   Quantum Bridge Technologies Inc.
   108 College Street
   Toronto  M5G0C6
   Canada
   Phone: +1-249-225-5099
   Email: mattia.montagna@qubridge.io

   Manfred von Willich
   Quantum Bridge Technologies Inc.
   108 College Street
   Toronto  M5G0C6
   Canada
   Phone: +1-249-225-5099
   Email: manfred.vonwillich@qubridge.io

   Melchior Aelmans
   Juniper Networks
   1133 Innovation Way
   Sunnyvale,  94098
   United States

Montagna, et al.        Expires 18 November 2024               [Page 23]
Internet-Draft  The Distributed Symmetric Key Establishm        May 2024

   Phone: +1 888-JUNIPER
   Email: maelmans@juniper.net

   Gert Grammel
   Juniper Networks
   1133 Innovation Way
   Sunnyvale,  94098
   United States
   Phone: +1 888-JUNIPER
   Email: ggrammel@juniper.net

Montagna, et al.        Expires 18 November 2024               [Page 24]