key: cord-0067766-iftk54gj authors: Mielke, Daniel M.; Mäurer, Nils; Gräupl, Thomas; Bellido-Manganell, Miguel A. title: 1. Quantum Applications - Fachbeitrag: Getting Civil Aviation Ready for the Post Quantum Age with LDACS date: 2021-09-20 journal: Digitale Welt DOI: 10.1007/s42354-021-0401-1 sha: 536e55c3854412c8105570f7f14beb4192bcd5c1 doc_id: 67766 cord_uid: iftk54gj nan One critical aspect in operational aeronautical communications is security: How can it be ensured that confi dential information is only received by authorised parties? How can the origin of a received message be verifi ed? How is it guaranteed that a message has not been modifi ed during transmission? While the fi rst question addresses the cryptographic task of encryption, the second question addresses authentication, and the last question addresses integrity. These three properties are of high importance in a communication system whose messages directly affect fl ight guidance -especially in an environment where an increasing number of tasks is automated. This increasing level of automation is not the only ongoing development that motivates research on security in aeronautical communications: The broad availability of powerful computers and Software Defi ned Radios (SDRs) extends the circle of potential attackers on wireless systems in general and on the communication infrastructure of civil aviation in particular. This makes state-of-the-art cyber-security a must for digital aviation. However, it has been shown that many widely used crypto-systems cannot be considered save anymore, once quantum computers with a suffi cient amount of qubits become available. Hence, there is ongoing research on the topic of post-quantum security, i.e. cryptographic algorithms that are "immune" against quantum computer driven attacks. Luckily, the breakthrough in quantum computation enabling massive attacks on current encryption schemes is not expected to happen tomorrow. Nevertheless, the development of post-quantum secure crypto-systems is already of high relevance -especially for systems used in environments with long technology life spans like civil aviation. Since LDACS is expected to be used for decades, there is a high chance, that sophisticated quantum computers may become available during its life time. Thus, before deploying a 28 DIGITALE WELT 4 | 2021 communication system that is used for critical infrastructure, it must be ensured that it can be operated securely for this duration. LDACS is one of the radio access technologies realising the future aeronautical communications infrastructure that will allow aircraft to be digitally connected to the aeronautical telecommunications network (ATN) during all phases of fl ight [1]. Specifi cally, LDACS shall connect aircraft operating in the continental airspace by deploying a network of ground stations, each one of them covering a part of the airspace. An aircraft carrying an LDACS radio will then be able to connect to the ATN by communicating with the LDACS ground station covering its current location. In this way, it is similar to cellular mobile communication networks. Technically, LDACS is a cellular broadband system based on Orthogonal Frequency-Division Multiplexing (OFDM) technology and supports quality-of-service while taking the requirements of aeronautical services into account [2] . It shares many technical features with 4G wireless communications systems. In addition to communication, LDACS supports navigation with its built-in ranging functionality. Safety and security are deeply interrelated in aviation and fl ight guidance [3, 4] . For this reason, LDACS has been designed with a security architecture relying on state-of-the-art cryptography [5, 6, 7] . However, as we alluded to, this might not be good enough, if recent developments in Post-Quantum Cryptography (PQC) are not taken into account. In general cryptography is "the mathematical science that deals with transforming data to render its meaning unintelligible, prevent its undetected alteration, or prevent its unauthorized use" [8] , or in simpler terms: "Cryptography is loosely the science of encrypting and decrypting secret codes" [9]. Before we go into depth about "Post-Quantum Cryptography (PQC)", we would like to introduce some basic cryptographic operations and terms: First we want to introduce our two communication partners, Alice and Bob 1 . If Alice and Bob want to communicate securely with each other, Alice and Bob can encrypt a message and Bob can decrypt that message. If they want to use a symmetric crypto-system (e.g. Advanced Encryption Standard (AES) [10]), they fi rst have to agree on such a shared secret. A symmetric crypto-system means, Alice and Bob use the same secret as the key to encrypt and decrypt messages. Agreeing on a shared secret over an insecure communication channel is hard and for that purpose key exchange protocols exist, e.g. Diffi e-Hellman Key Exchange (DHKE) [11] . In asymmetric crypto-systems, like Rivest-Shamir-Adleman (RSA) [12] , both Alice and Bob have each a public key and a private key. Thus Alice knows Bob's public key and Bob knows Alice' public key. If Alice wants to encrypt a message for Bob, she encrypts that message with Bob's public key and sends that message to Bob. Since Bob is the only person, that knows his private key, only he can decrypt that message. Another important use of asymmetric crypto-systems are signatures, which can be used to digitally sign messages (e.g. via Digital Signature Algorithm (DSA) [12]) by one of the communication partners. If Alice wants to make sure, that Bob really believes, that she sent a message, she signs that message with her private key. Bob, and everyone else in possession of Alice's public key, can now verify that this message was actually sent by Alice. The term "Post-Quantum Cryptography (PQC)" is used in the context of cryptography to describe the idea that an attacker has access to a quantum-computer, which can calculate the underlying mathematical problems much more effi ciently than a classical computer [13] . Thus cryptographers divide cryptographic security levels in pre-quantum (no practical quantum-computer exists) and post-quantum (a practical quantum-computer does exist). The implication being, that some of today's most relevant cryptographic systems, that are secure in a pre-quantum world, are no longer secure in a post-quantum world. The reason is, that these cryptographic systems' security is based on mathematical problems, that cannot be solved within in a reasonable amount of time using a classical computer. One famous example is the factorization of large integers that cannot be solved by non-quantum computers in any practical way. Thus, cryptographic systems making use of this property, like the RSA public-key system, are considered save (assuming a suffi cient key length) while no quantum computers are available. However, in 1994, Shor [14] introduced Shor's algorithm, which is a fast quantum algorithm to fi nd the prime factorization of any positive integer [15]. Shor's algorithm applied to RSA and combined with a large enough quantum-computer would break RSA. Other cryptographic operations, such as the DHKE key exchange or the DSA signature scheme, or the elliptic curve variations of these schemes would be broken, as well [15] . In 1996, Grover introduced Grover's algorithm [16] , which speeds up searching in unordered data-structures of size N from N operations to √N. Again applied with a large enough quantum computer, Grover's algorithm reduces the security level of the symmetric crypto-system AES with a key length of 128bit to 64bit in a post quantum world, thus effectively halving security levels. Both attacks would require thousands logical and, due to faulty-behavior of qubits, millions of physical qubits [17] . To put his into perspective: In 2021 the IBM Quantum Eagle processor will launch with 127-qubits and IBM plans for a 1121-qubit IBM Quantum Condor processor in 2023 [18] . Both machines would be the most powerful public quantum-computers to date. With that, a million qubit machine could well be decades away [18] . In order to begin defending against the possible threat that quantum-computers pose to the world's most used crypto-systems, post-quantum robust crypto-systems are, however, currently being developed and standardised. Post-quantum crypto-systems are based on mathematical problems that are equally impractical to be solved by quantum computers and classical computers. The National Institute of Standards and Technology (NIST) started its standardisation work in 2017, in search for the most promising post-quantum crypto-systems in a series of three rounds [19] . One of the most promising candidates and fi nalist for public-key crypto-systems and key establishment algorithms is the McEliece crypto-system, that has been invented in 1978 [20] . Every computer and practically all digital communication systems use error correction codes to provide highly reliable services. A straightforward example is a repetition code, where every bit is sent three times to allow the correction of a single bit-fl ip during transmission (e.g. 0 1 → 000 111). There exist many other (and way more effi cient) error correction codes like Reed-Solomon Codes, Convolutional Codes or Goppa Codes. The latter code class is an example for a code that is not only used for error correction, but that can also be used for encryption. This is called code-based cryptography. The security of the McEliece crypto-system is based on the NP-hard problem of decoding a general linear code like the Goppa Code. Currently, the major drawback of McEliece is its very large key size. For example, to reach a similar security level as AES-128, McEliece requires a key size of roughly 1MB. Encryption and decryption, however, are faster than with RSA [19]. In our fl ight trials, we used McEliece keys, that strongly benefi ted from advancements in key size reduction in recent years [21] . The key size could be reduced to 200kB. A successful key exchange is shown in Figure 1 . After years of development and tests in the laboratory and through computer simulations, LDACS was ready to be demons- . We employed four experimental LDACS ground stations and one experimental LDACS airborne station. In order to recreate the expected cellular deployment of LDACS, the four LDACS ground stations were distributed in the south-west of Germany, as it can be seen in Figure 2 . Figures 3a to 3c show the LDACS ground station located in the DLR premises in Oberpfaffenhofen and the LDACS airborne station, respectively. The airborne station was installed into the Dassault Falcon 20E DLR research aircraft shown in Figure 4 . The fl ight trials, which consisted of six fl ights over two consecutive weeks, allowed us to conduct numerous experiments addressing the communication, navigation, and surveillance capabilities of LDACS. Through these experiments, we were able to demonstrate that LDACS can support applications relevant to air traffi c management, such as Controller-Pilot Data Link Communications (CPDLC) communications, audio streaming, as well as general-purpose data transmission and broadcast. Basically, data were generated by the different applications running on laptops connected to either the ground station or the airborne station. The generated data were transmitted over LDACS to its counterpart station, therefore enabling the applications to communicate with each other and to recreate future ATM procedures. The cryptographic protocol used in the MICONAV project follows the common approach of using a combination of an asymmetric and a symmetric crypto-system. The applied proof-of-concept consists of three parts: • The exchange of public keys between Ground Station (GS) and Aircraft Station (AS), denoted by PubKeyGS and PubKeyAS, respectively. • The (asymmetrically encrypted) sharing of a secret session key KAES. • The confi rmation of this session key. The fi rst two parts of the protocol are visualized in Figure 5 in more detail. The mutual exchange of the public keys is performed in step 1) and 2): Both communication partners, i.e. GS and AS, generate their respective McEliece key pair (one private key and one public key) before they send their public key to the other partner. In step 3), the AS generates a random key of length 256bit called session key KAES. This key is then encrypted with the public key of the GS using the McEliece scheme as shown in step 4). Then, the encrypted session key is sent to the GS. Step 5) shows how the GS receives the encrypted key and decrypts it using its private key PrivKeyGS. Finally, the GS stores the decrypted session key KAES. Both communication partners share a secret KAES although this secret has never been transmit in clear-text. Additionally, we have also implemented a confi rmation protocol which guarantees that both parties use the same key [24] . The protocol is based on using a randomly generated number-usedonce "nonce" and a timestamp that are encrypted using the KAES. By mutually exchanging this information, both communication partners can verify that the same session key is used. From now on, all data exchanged between AS and GS can be symmetrically encrypted using the session key KAES. In MICONAV, the AES crypto-system was used for this purpose using a key length of 256bit. The described implementation is a fi rst proof-of-concept and not ready for deployment yet. The key exchange as shown in Figure 5 is vulnerable to Man-in-the-Middle (MITM) attacks: Imagine, an attacker would infi ltrate all communication between GS and AS starting from the very fi rst step by acting as the AS with respect to the actual GS while acting as the GS with respect to the actual AS. In the current setup, neither the actual AS nor the actual GS have a chance to realize this MITM attack and the attacker has access to the symmetric keys -and consequently to all messages encrypted using these keys. This vulnerability can be addressed by performing a signed key exchange; however this requires at least some pre-shared information like certifi cates. Another option would be to perform the exchange of the public keys in advance via a secure side channel, e.g. smart cards. This would also simplify the protocol in Figure 5 , since the fi rst two steps could be skipped. Critical communication systems like the L-band Digital Aeronautical Communications System (LDACS) discussed in this article are potentially used for decades. It is important to take foreseeable cyber-security threats into account that may arise in this time. A particular threat that is expected to materialise within the next decade, is the threat of quantum computers rendering many stateof-the-art cryptography systems vulnerable. We strive therefore to introduce post-quantum secure cryptography into aviation. In a fi rst step of getting civil aviation ready for the post-quantum age, we demonstrated McEliece cryptography for aeronautical communications in fl ight. The fl ights performed in the MICONAV project were the fi rst time that an LDACS demonstrator was fl own aboard an aircraft, confi rming the expected performance of LDACS, and demonstrating post-quantum cryptography in aviation for the fi rst time. Clearly, the results presented in this article are just the fi rst step in realising our vision of postquantum secure aviation, and much work remains to be done. However, our results demonstrate that if recent advances in cryptography and aeronautical communication systems are combined, the goal is already within reach. Miguel A. Bellido-Manganell, in DLR since 2016, is contributing to the further development of LDACS and leading the LDACS Airto-Air Mode design. His research interests include channel modelling, digital signal processing, spectrum compatibility, and medium access for aeronautical ad hoc networks. LDACS: Future Aeronautical Communications for Air-Traffi c Management. Communication Magazine Aeronautical Communication Transition From Analog to Digital Data: A Network Security Survey Towards Successful Realization of the LDACS Cybersecurity Architecture: An Updated Datalink Security Threat-and Risk Analysis RFC 4949 -Internet security glossary, version 2. Technical report, IETF Algorithms for quantum computation: discrete logarithms and factoring Post-quantum cryptography A fast quantum mechanical algorithm for database search Rene Peralta, et al. Status report on the second round of the nist post-quantum cryptography standardization process On decoding schemes for the mdpc-mceliece cryptosystem Flight Trial Demonstration of Secure GBAS via theL-band Digital Aeronautical CommunicationSystem (LDACS). IEEE Aerospace and Electronic Systems Magazine Key confi rmation in key exchange: A formal treatment and implications for tls 1.3