Paper - DOCSIS PKI: A Proposal for a Next-Generation Quantum-Resistant Infrastructure

DOCSIS PKI: A Proposal for a Next-Generation Quantum-Resistant Infrastructure (2020)

By Massimiliano Pala, CableLabs

The broadband industry has been relying on public-key cryptography (PKC) to provide secure and strong authentication across its networks and devices. In particular, the DOCSIS standard [Doc31, Doc40] usesX.509 [Itu509] certificates to verify that a device is a legitimate entity that is authorized to join the network—for example, a cable modem or a Remote PHY (R-PHY) node [Rphy1]. The choice of using digital certificates and public-key infrastructures (PKIs) to protect DOCSIS identities has resulted in a scalable and easy-to-deploy key management system for the entire industry.

Although the DOCSIS PKI has been a success story over the past 20 years (it is one of the largest PKI sever deployed worldwide), things are changing rapidly on both the security side and the broadband industry side.

On the security side, new advancements in traditional and non-traditional computing are threatening our ability to use traditional public-key and key-exchange (KEX) algorithms. On the network infrastructure side, new zero-trust architectures are being designed that require software and hardware entities to securely authenticate to each other (and encrypt traffic) in a distributed environment.

This paper describes our proposal for a backward-compatible quantum-resistant trust infrastructure (or PKI) for the broadband industry. Specifically, our work focuses on the practical aspects of deploying a quantum-resistant trust infrastructure by leveraging our idea—namely, the composite cryptography mechanism [Com20].

The paper is organized as follows: Section 2 provides a description of the quantum threat for the various parts of a PKI; Section 3 describes the composite crypto solution and its two building blocks (i.e., Composite Key and Composite Signature); Section 4 describes how to practically deploy composite crypto in PKIs; Section 5 provides considerations surrounding the use of secure elements and hardware security modules (HSMs); and Section 6 describes a deployment proposal for securing the DOCSIS PKI.

Finally, Section 7 provides our conclusions and envisioned future work.

Download Paper

By clicking the "Download Paper" button, you are agreeing to our terms and conditions.

Similar Papers

Future Of Cryptography: Understanding Quantum-Safe Timelines and Deployments By Massimiliano Pala, CableLabs Inc.	2023
Enabling Encryption and Algorithm Revocation for Post-Quantum DOCSIS Certificates By Dr. Massimiliano Pala, Cable Television Laboratories, Inc.	2021
DOCSIS 4.0 Security: A Comprehensive Guide to Successful Deployments By Massimiliano Pala, Doug Jones, Yuan Tian, Craig Pratt; CableLabs	2022
Navigating the Transition to a Post-Quantum World By Chujiao Ma & Vaibhav Garg, Comcast Cable	2021
Next Generation Video Infrastructure: Media Data Center Architecture By Gene Cannella, R. Wayne Ogozaly, Cisco Systems	2011
DOCSIS Set-Top Gateway (DSG): Next Generation Digital Video Out-Of-Band Transport By Sanjay Dhar, Cisco Systems, Inc	2004
Public Key Infrastructure - Using X.509 Certificates For Device Authenication: Here A Cert, There A Cert, Everywhere A Cert By Doug Jones, YAS Broadband Ventures, LLC.	2002
An Improvement Proposal For The Timing And Scaling Of DOCSIS IP Multicast Services By William T. Hanks, Tom Cloonan, Amit Eshet, Jeff Howe, John Ulm, Ian Wheelock, ARRIS	2014
Next Generation - Cable Access Network By M. Emmendorfer, S. Shupe, D. Cummings, T. Cloonan Contributors: Z. Maricevic, M. Schemmann, B. Dawson, V. Mutalik, J.Howe, A. Al-Banna,and F. O'Keeffe, ARRIS	2011
Next Generation Neighbor Interference Prediction Tools By John Chrostowski, Comcast; Richard Primerano, Comcast; Kang Lin, Comcast; Jay Zhu, Comcast; Javed Nazim, Comcast; Jon-En Wang, Comcast; Dustin Tracy, Comcast	2023
More Results >>