DOCSIS PKI: A Proposal for a Next-Generation Quantum-Resistant Infrastructure (2020)

By Massimiliano Pala, CableLabs

The broadband industry has been relying on public-key cryptography (PKC) to provide secure and strong authentication across its networks and devices. In particular, the DOCSIS standard [Doc31, Doc40] usesX.509 [Itu509] certificates to verify that a device is a legitimate entity that is authorized to join the network—for example, a cable modem or a Remote PHY (R-PHY) node [Rphy1]. The choice of using digital certificates and public-key infrastructures (PKIs) to protect DOCSIS identities has resulted in a scalable and easy-to-deploy key management system for the entire industry.

Although the DOCSIS PKI has been a success story over the past 20 years (it is one of the largest PKI sever deployed worldwide), things are changing rapidly on both the security side and the broadband industry side.

On the security side, new advancements in traditional and non-traditional computing are threatening our ability to use traditional public-key and key-exchange (KEX) algorithms. On the network infrastructure side, new zero-trust architectures are being designed that require software and hardware entities to securely authenticate to each other (and encrypt traffic) in a distributed environment.

This paper describes our proposal for a backward-compatible quantum-resistant trust infrastructure (or PKI) for the broadband industry. Specifically, our work focuses on the practical aspects of deploying a quantum-resistant trust infrastructure by leveraging our idea—namely, the composite cryptography mechanism [Com20].

The paper is organized as follows: Section 2 provides a description of the quantum threat for the various parts of a PKI; Section 3 describes the composite crypto solution and its two building blocks (i.e., Composite Key and Composite Signature); Section 4 describes how to practically deploy composite crypto in PKIs; Section 5 provides considerations surrounding the use of secure elements and hardware security modules (HSMs); and Section 6 describes a deployment proposal for securing the DOCSIS PKI.

Finally, Section 7 provides our conclusions and envisioned future work.

By clicking the "Download Paper" button, you are agreeing to our terms and conditions.

Similar Papers

Next Generation Video Infrastructure: Media Data Center Architecture
By Gene Cannella, R. Wayne Ogozaly, Cisco Systems
DOCSIS Set-Top Gateway (DSG): Next Generation Digital Video Out-Of-Band Transport
By Sanjay Dhar, Cisco Systems, Inc
Public Key Infrastructure - Using X.509 Certificates For Device Authenication: Here A Cert, There A Cert, Everywhere A Cert
By Doug Jones, YAS Broadband Ventures, LLC.
An Improvement Proposal For The Timing And Scaling Of DOCSIS IP Multicast Services
By William T. Hanks, Tom Cloonan, Amit Eshet, Jeff Howe, John Ulm, Ian Wheelock, ARRIS
Next Generation - Cable Access Network
By M. Emmendorfer, S. Shupe, D. Cummings, T. Cloonan Contributors: Z. Maricevic, M. Schemmann, B. Dawson, V. Mutalik, J.Howe, A. Al-Banna,and F. O'Keeffe, ARRIS
Next Generation Cable Network Architecture
By Stephen D. Dukes, Cable Television Laboratories, Inc.
Deploying and Optimizing the Next Generation Wireless Home
By Steven R. Harris, SCTE / ISBE
Next Generation Cmts Characteristics Including IP Multicast
By Doug Jones, YAS Broadband Ventures
Constructing a Convergence Lab: Lessons Learned From Building a Converged Network at CableLabs
By Matthew Schmitt, CableLabs
Reexamining The Design of Next Generation Video Streams
By Yasser Syed, PhD, Comcast Cable
More Results >>