DOCSIS PKI: A Proposal for a Next-Generation Quantum-Resistant Infrastructure (2020)

By Massimiliano Pala, CableLabs

The broadband industry has been relying on public-key cryptography (PKC) to provide secure and strong authentication across its networks and devices. In particular, the DOCSIS standard [Doc31, Doc40] usesX.509 [Itu509] certificates to verify that a device is a legitimate entity that is authorized to join the network—for example, a cable modem or a Remote PHY (R-PHY) node [Rphy1]. The choice of using digital certificates and public-key infrastructures (PKIs) to protect DOCSIS identities has resulted in a scalable and easy-to-deploy key management system for the entire industry.

Although the DOCSIS PKI has been a success story over the past 20 years (it is one of the largest PKI sever deployed worldwide), things are changing rapidly on both the security side and the broadband industry side.

On the security side, new advancements in traditional and non-traditional computing are threatening our ability to use traditional public-key and key-exchange (KEX) algorithms. On the network infrastructure side, new zero-trust architectures are being designed that require software and hardware entities to securely authenticate to each other (and encrypt traffic) in a distributed environment.

This paper describes our proposal for a backward-compatible quantum-resistant trust infrastructure (or PKI) for the broadband industry. Specifically, our work focuses on the practical aspects of deploying a quantum-resistant trust infrastructure by leveraging our idea—namely, the composite cryptography mechanism [Com20].

The paper is organized as follows: Section 2 provides a description of the quantum threat for the various parts of a PKI; Section 3 describes the composite crypto solution and its two building blocks (i.e., Composite Key and Composite Signature); Section 4 describes how to practically deploy composite crypto in PKIs; Section 5 provides considerations surrounding the use of secure elements and hardware security modules (HSMs); and Section 6 describes a deployment proposal for securing the DOCSIS PKI.

Finally, Section 7 provides our conclusions and envisioned future work.

By clicking the "Download Paper" button, you are agreeing to our terms and conditions.

Similar Papers

Future Of Cryptography: Understanding Quantum-Safe Timelines and Deployments
By Massimiliano Pala, CableLabs Inc.
Enabling Encryption and Algorithm Revocation for Post-Quantum DOCSIS Certificates
By Dr. Massimiliano Pala, Cable Television Laboratories, Inc.
DOCSIS 4.0 Security: A Comprehensive Guide to Successful Deployments
By Massimiliano Pala, Doug Jones, Yuan Tian, Craig Pratt; CableLabs
Navigating the Transition to a Post-Quantum World
By Chujiao Ma & Vaibhav Garg, Comcast Cable
Next Generation Video Infrastructure: Media Data Center Architecture
By Gene Cannella, R. Wayne Ogozaly, Cisco Systems
DOCSIS Set-Top Gateway (DSG): Next Generation Digital Video Out-Of-Band Transport
By Sanjay Dhar, Cisco Systems, Inc
Public Key Infrastructure - Using X.509 Certificates For Device Authenication: Here A Cert, There A Cert, Everywhere A Cert
By Doug Jones, YAS Broadband Ventures, LLC.
An Improvement Proposal For The Timing And Scaling Of DOCSIS IP Multicast Services
By William T. Hanks, Tom Cloonan, Amit Eshet, Jeff Howe, John Ulm, Ian Wheelock, ARRIS
Next Generation - Cable Access Network
By M. Emmendorfer, S. Shupe, D. Cummings, T. Cloonan Contributors: Z. Maricevic, M. Schemmann, B. Dawson, V. Mutalik, J.Howe, A. Al-Banna,and F. O'Keeffe, ARRIS
Next Generation Neighbor Interference Prediction Tools
By John Chrostowski, Comcast; Richard Primerano, Comcast; Kang Lin, Comcast; Jay Zhu, Comcast; Javed Nazim, Comcast; Jon-En Wang, Comcast; Dustin Tracy, Comcast
More Results >>