Description
To address the threat quantum computers pose to classical cryptographic protocols, these
protocols need to adapt. The adaptation to quantum-secure protocols is both time critical and
non-trivial. We look toward hybrid solutions to solve this problem.
This thesis presents a proof-of-concept implementation of the combination of the postquantum
key exchange protocol rosenpass and the classical IKEv2 protocol, resulting in a
hybrid key exchange protocol designed to be secure against classical and quantum-capable
attackers. The integration leverages the framework provided by RFC 8784, which introduces
post-quantum preshared keys to IKEv2. To provide these keys, rosenpass is used for their
key exchange, with a lightweight mediator managing communications between IKEv2 and
rosenpass.
The implementation is evaluated in a controlled virtual test environment with a focus
on handshake performance under varying package loss and delay. The results show that
while rosenpass introduces additional overhead during the handshake, due to sequential key
exchanges and increased message complexity, the combined system remains competitive with
existing solutions such as rosenpass and WireGuard. Furthermore, this approach requires
minimal changes to existing IKEv2 infrastructure, introducing PQC while preserving compatibility.
We also explore potential security implications, including perfect forward secrecy and
susceptibility to denial-of-service attacks, and outline areas for future optimization and
standardization. Overall, the proposed implementation demonstrates a practical and efficient
pathway toward quantum-resilient VPN communications.
|
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching