From a8d123f571ddc4957e9028e1db54d63853555f91 Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 27 Aug 2024 19:30:32 +0200 Subject: [PATCH] QKD mesh passthrough implementation WIP --- chapter-qkd/chapter.tex | 61 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/chapter-qkd/chapter.tex b/chapter-qkd/chapter.tex index 8b846d5..8f4b483 100644 --- a/chapter-qkd/chapter.tex +++ b/chapter-qkd/chapter.tex @@ -107,6 +107,7 @@ \addtolength{\headwidth}{-1cm} \newcommand{\todo}[1]{ + \ifdefined\thesispreviewmode \marginpar{ \setlength{\fboxsep}{2mm} \shadowbox{ @@ -120,8 +121,11 @@ } } } + \fi } +\newcommand{\todoplaceholder}[1]{\textbf{TODO}\todo{#1}} + % https://tex.stackexchange.com/questions/30720/footnote-without-a-marker \newcommand\blfootnote[1]{% \begingroup 
@@ -607,6 +611,63 @@ provides a combined power and multi-fiber passthrough that is sufficient for QKD \subsection{Multi-fiber passthrough with active secondary mesh} +The primary weak spot of a simple IHSM is its axis of rotation. While the stationary axis allows for wired data and +power connections to penetrate the mesh, it also provides an easy target for an attacker who wants to insert some sort +of physical probe into the IHSM's security envelope. While to a certain extent this attack vector can be made more +difficult though simple construction techniques such as making the shaft as thin as possible, and getting the mesh as +close to it as possible, as well as using a solid steel shaft on the motor end of the mesh, the level of security that +these mitigations provide is much below that of the rest of the mesh. Thus, a better solution is needed. + +Previously, in Chapter \todoplaceholder{provide link to mesh protection overview from OG IHSM paper} we have alluded to +several \emph{shielding} methods that use a second, independently rotating mesh on the inside of the primary mesh, +located right next to the primary mesh's axis opening. In this section, we will go into some more detail on three +variations of this solution. In order of increasing complexity, these variations are a simple disc cover, offset +labyrinth meshes, and interlocking gear meshes. We will demonstrate a functional prototype of the simple disc cover, +present a design and mechanical prototypes of the offset labyrinth meshes, and provide details on the design of a +interlocking gear mesh. 
+ +\subsection{Simple disc cover} + +In Chapter \todoplaceholder{Provide link to single-board IHSM chapter here}, we have shown how an IHSM that has been +shrunk to a single, disc-shaped PCB is still useful because we can delegate key management functionality to the mesh +monitoring circuit's microcontroller or a separate processor sitting next to it on the rotating mesh PCB, yielding a +solution close in both its cryptographic capabilities and its security level to commercial traditional HSMs, and +exceeding those of a smartcard. In the following paragraphs, we will show how we can deploy the same single-board IHSM +(SB-IHSM) as a mitigation for through-axis attacks, exploiting its mechanical shape and its simple, low-cost +implementation. + +By placing an adapted single-board IHSM close to the primary mesh's axis opening, an attacker is forced to either first +circumvent the single-board IHSM through the primary mesh's axis opening, then remove enough of it to gain direct access +ot the payload behind it, or to conduct their attack while bending their tool by approximately \qty{90}{\degree} at +least twice, once to avoid the SB-IHSM mesh, and once more to re-orient the tool towards the payload. The distance +between the inside of the primary mesh and the SB-IHSM is limited by the tolerance in mechanical alignment between the +two axes of rotation, by the space necessary for a sufficiently stable mount of the payload cage to the hollow shaft, +and by the minimum bend radius of the power and data wiring that needs to pass through the shaft. In QKD applications, +the fibers' minimum bend radius is the largest contributor with a minimum distance of \qty{10}{\milli\meter}, equal to +the minimum bend radius specification that is common in telecom fiber optics.\todo{cite bend radius spec} + +\todoplaceholder{Finish this part.} + +\subsection{Offset labyrinth meshes} + +In QKD applications, the simple disc cover design shown above has two main limitations. 
First, the distance between the +primary and secondary meshes must be large enough to allow for the fibers' minimum bend radius, resulting in more than +\qty{10}{\milli\meter} of space available to an attacker. Second, the attacker only has to bend their tool twice to +reach the payload. In this section, we will show a design and a mechanical prototype of an offset labyrinth mesh design +that improves both of these quantities by a large margin. + +Our offset labyrinth mesh design combines an offset of the secondary mesh's axis of rotation with a three-dimensional +surface structure on both the inside of the primary mesh, and the facing side of the secondary mesh to create a series +of narrow, \qty{180}{\degree} turns that an attacker would have to overcome with their tool to reach the payload. +Structural support is provided using a CNC machined or 3D printed part, which also serves as a conduit for electrical +connections from the shaft to the payload using Flexible Flat Cable (FFC). While the FFC can easily conform to the +offset labyrinth's sharp corners, an optical fiber can not. Thus, instead of passing it straight through the labyrinth, +the payload's fiber optic connections are passed through the labyrinth in a three-dimensional spiral shape, avoiding the +meshes while simultaneously keeping the fibers' bend radii large. + +\subsection{Interlocking gear meshes} + + \begin{figure} \centering \subcaptionbox[Offset labyrinth mesh assembly render]{\figureattrib{render_side_1.png}}{\includegraphics[width=\textwidth]{\scaledgraphics{render_side_1.png}}}
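Review bot: in the `\todo` hunk, `\thesispreviewmode` is only tested with `\ifdefined`, never defined anywhere in the patch, and the new `\todoplaceholder` emits `\textbf{TODO}` unconditionally, so a build without preview mode silently drops the margin explanation while leaving a bare bold "TODO" in the body text with no hint of what is missing (in this patch that includes the two chapter cross-references). Either wrap the `\textbf{TODO}` in `\todoplaceholder` in the same `\ifdefined\thesispreviewmode` guard, or make the non-preview branch fail loudly (for example an `\errmessage{unresolved todo: #1}` in the `\else` branch) so an unfinished reference cannot reach a final build unnoticed. Also add a comment next to `\newcommand{\todo}` saying where `\thesispreviewmode` is expected to be set (preamble or build script), since nothing in the file documents it.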
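Review bot: in the chapter-text hunk, the three variations announced under "Multi-fiber passthrough with active secondary mesh" (simple disc cover, offset labyrinth meshes, interlocking gear meshes) are typeset as sibling `\subsection`s rather than `\subsubsection`s, and the pre-existing `\begin{figure}` for `render_side_1.png` ("Offset labyrinth mesh assembly render") now lands directly under the empty "Interlocking gear meshes" heading instead of in the offset labyrinth section it illustrates; demote the three headings and move the figure above `\subsection{Interlocking gear meshes}`. Typos to fix in the same hunk: "made more difficult though simple construction techniques" should read "through", "gain direct access ot the payload" should read "to the payload", and "the design of a interlocking gear mesh" should read "an interlocking gear mesh". The security argument also rests on two unquantified statements that a reviewer will ask about: that the shaft mitigations provide security "much below that of the rest of the mesh" (no probe diameter or gap size is given, so the attacker's working envelope is only described as "more than 10 mm"), and that 10 mm is the "minimum bend radius specification that is common in telecom fiber optics", which is already flagged with `\todo{cite bend radius spec}` and should name the fiber standard it refers to before the number is used to size the gap.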