Fiber optics has traditionally been viewed as a more secure way to transmit information than other alternatives. Copper wire can be tapped or monitored for electromagnetic emissions, and wireless can be intercepted rather easily. So it was somewhat surprising when recent revelations in the press revealed wide-scale tapping of fiber-optic trunk lines between data centers. It turns out tapping fiber is much easier than one would think.
While transporting a network's information is predominantly handled by fiber, securing the network has traditionally been the job of the higher layers. The most common method is IPsec, which underpins much of the Internet economy. When configured for AES-256, trying every key in the key space would take an effectively unlimited amount of time. However, the trick is that you do not have to try every key when the key is derived from a password or a short pre-shared secret: you only have to try every plausible password, and today a password-cracking rig costing under $10,000 can try every 8-character password in under 3 hours. (IPsec tunnels keyed through IKE with certificates or a long random pre-shared key are not exposed to this search; tunnels keyed from a short human-chosen pre-shared key are.) That is why when you enter a new password into a web tool today, it grades your password's strength.
With the revelations of breaches everywhere, content providers and data center operators responded predictably: they added even more higher-layer encryption. While on the surface this seems reasonable, in matters of security one cannot necessarily trust oneself or one's gut feelings. Consider what I call "mathematical sleight of hand." When faced with a very big number, one larger than our brains can comprehend, we assume the problem must be impossible to solve. The opposite happens in the lottery, where astronomical odds are presented as a simple matter of picking three or four numbers so that winning appears easy. If AES-256 did not secure your data, odds are the next gee-whiz algorithm will not either: the weakness was never the size of the key space, but the key itself, how it was handled, or a tap below the layer doing the encrypting.
So, where can optical make a play?
One way of improving transport security is intrusion detection. A good analogy would be home security systems: rather than relying only on fancy locks on all doors and windows, motion and glass-breakage sensors are used to detect intruders. Similarly, the channel monitors already in use today can be used to detect the power fluctuations a tap introduces, since a bend or splice coupler must divert some of the light to the intruder and shows up as a persistent drop in received power. OTDRs currently sold by test-equipment vendors can identify discontinuities in the fiber and the reflections caused by taps, by comparing a fresh trace against a baseline taken when the link was commissioned.
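The two checks just described, as an added example that is not part of the original article or any ADVA product: a received-power step detector and an OTDR baseline comparison, both run over constructed sample readings. The thresholds, window sizes and the sample traces are assumptions; an operator would tune them per link.

```python
"""Added example (not from the original article): two optical-layer tap checks
run over constructed sample readings.

1. Received-power monitoring: a bend or splice coupler must divert light to
   the intruder, so it shows up as a persistent step down in received power.
2. OTDR comparison: a tap adds a loss (and usually a reflection) event that was
   not in the baseline trace taken when the link was commissioned.
The dB thresholds and window sizes are assumptions an operator tunes per link.
"""
from statistics import mean

def detect_power_step(readings_dbm, window=10, min_drop_db=0.3, persist=3):
    """Index of the first reading that drops >= min_drop_db below the trailing
    moving average and stays there for `persist` samples, else None. The window
    absorbs normal laser/temperature wander; the persistence test keeps a single
    glitch from raising an alarm."""
    for i in range(window, len(readings_dbm) - persist + 1):
        baseline = mean(readings_dbm[i - window:i])
        if all(baseline - r >= min_drop_db for r in readings_dbm[i:i + persist]):
            return i
    return None

def otdr_new_events(baseline_db, current_db, step_km, tolerance_db=0.2):
    """Compare a fresh OTDR trace (backscatter level per distance bin, in dB)
    against the commissioning baseline. Returns (distance_km, delta_db) at the
    start of every run of bins where the traces differ by more than tolerance.
    A tap appears as a step loss (negative delta from that point on); a bad
    connector or mechanical splice adds a reflective spike (positive delta)."""
    events, prev_flagged = [], False
    for i, (b, c) in enumerate(zip(baseline_db, current_db)):
        delta = c - b
        flagged = abs(delta) > tolerance_db
        if flagged and not prev_flagged:
            events.append((round(i * step_km, 2), round(delta, 2)))
        prev_flagged = flagged
    return events

# --- constructed sample data -------------------------------------------------
# Receiver at -12.0 dBm with +/-0.04 dB wander; a 0.55 dB tap appears at sample 20.
_WANDER = [0.0, -0.03, 0.02, -0.01, 0.04, -0.02, 0.01, 0.03, -0.04, 0.0]
POWER_READINGS = [-12.0 + w for w in _WANDER * 2] + [-12.55 + w for w in _WANDER]

# 20 km span sampled every 0.5 km, 0.2 dB/km fiber loss; the current trace has an
# extra 0.5 dB step loss from 12 km onward (a bend coupler on the cable there).
STEP_KM = 0.5
OTDR_BASELINE = [-0.2 * i * STEP_KM for i in range(41)]
OTDR_CURRENT = [lvl - (0.5 if i * STEP_KM >= 12.0 else 0.0)
                for i, lvl in enumerate(OTDR_BASELINE)]

def run_checks():
    return {
        "power_step_at": detect_power_step(POWER_READINGS),
        "otdr_new_events": otdr_new_events(OTDR_BASELINE, OTDR_CURRENT, STEP_KM),
    }

if __name__ == "__main__":
    print(run_checks())   # {'power_step_at': 20, 'otdr_new_events': [(12.0, -0.5)]}
```

The power monitor alone cannot distinguish a tap from a degrading connector; the OTDR comparison localises the new event to a distance along the span, which is what tells a field crew where to look.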
Another way optical can help is by introducing encryption at lower layers in the network stack, not higher. Optical transport equipment typically has access to everything below the MAC layer, including the PCS and PMA sublayers and the PHY. An additional level of encryption can be added here, and the lower the layer, the higher the throughput, since the equipment already operates at line rate. By using bulk transport encryption, the full frame, headers and checksum included, can be placed inside the encrypted container, so a tap sees neither addresses nor traffic patterns. One caveat: a checksum inside the container is not by itself a defense against manipulation. A CRC is linear, so an attacker who flips bits in a stream-cipher ciphertext can flip the matching bits of the covered CRC as well. What actually prevents manipulation is an authentication tag from an authenticated-encryption mode such as AES-GCM (the mode MACsec, IEEE 802.1AE, uses), which a bulk link encryptor can compute over the whole frame rather than only over the payload.
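To make the caveat concrete, here is an added example (not code from the original article or from ADVA) that builds a small frame with a CRC-32, encrypts the whole thing with a counter-mode stream cipher, and shows a keyless attacker altering the payload while keeping the covered CRC valid; the same tampering is then rejected once an authentication tag is added. The keystream generator (SHA-256 in counter mode) is a stand-in for AES-CTR with identical malleability, and the frame layout is made up for the demonstration.

```python
"""Added example (not from the original article): a checksum inside the
encrypted container does not by itself stop manipulation; an authentication
tag does.

The container is encrypted with a counter-mode stream cipher, which is
malleable: XORing a delta into the ciphertext XORs the same delta into the
plaintext. CRC-32 is linear over XOR, so the attacker can XOR the matching
correction into the covered CRC field as well, and the receiver sees a valid
checksum. An encrypt-then-MAC tag (standing in for an AEAD mode such as the
AES-GCM used by MACsec) rejects the same change.

Assumptions: the keystream is SHA-256 in counter mode, a stand-in for AES-CTR
with identical malleability; the frame layout (6-byte dst, 6-byte src,
payload, CRC-32) is made up for the demonstration.
"""
import hashlib, hmac, zlib

def subkey(key, label):                      # separate keys for cipher and MAC
    return hashlib.sha256(key + label).digest()

def keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_frame(dst, src, payload):
    body = dst + src + payload
    return body + zlib.crc32(body).to_bytes(4, "big")

def crc_ok(frame):
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "big")

def encrypt_bulk(key, nonce, frame):         # whole frame, headers and CRC included
    return xor(frame, keystream(subkey(key, b"enc"), nonce, len(frame)))

decrypt_bulk = encrypt_bulk                  # XOR with the same keystream

def encrypt_auth(key, nonce, frame):
    ct = encrypt_bulk(key, nonce, frame)
    return ct + hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]

def decrypt_auth(key, nonce, blob):
    ct, tag = blob[:-16], blob[-16:]
    expect = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return decrypt_bulk(key, nonce, ct) if hmac.compare_digest(expect, tag) else None

def tamper(ct, offset, delta):
    """Keyless attacker: XOR `delta` into the plaintext at `offset` and repair
    the encrypted CRC using linearity, crc(m ^ d) = crc(m) ^ crc(d) ^ crc(0...0)
    for equal-length m, d and all-zero string."""
    body_len = len(ct) - 4
    d = bytearray(body_len)
    d[offset:offset + len(delta)] = delta
    crc_fix = zlib.crc32(bytes(d)) ^ zlib.crc32(bytes(body_len))
    out = bytearray(ct)
    for i, b in enumerate(delta):
        out[offset + i] ^= b
    for i, b in enumerate(crc_fix.to_bytes(4, "big")):
        out[body_len + i] ^= b
    return bytes(out)

KEY, NONCE = b"k" * 32, b"n" * 12
FRAME = build_frame(b"\xaa" * 6, b"\xbb" * 6, b"ACCOUNT=1000")   # constructed frame
DELTA = xor(b"1000", b"9000")                # attacker knows layout and old value
OFFSET = 6 + 6 + len(b"ACCOUNT=")            # byte position of the amount

def crc_only_attack():
    """Returns (crc_passed, payload_seen_by_receiver) for the CRC-only container."""
    forged = decrypt_bulk(KEY, NONCE, tamper(encrypt_bulk(KEY, NONCE, FRAME), OFFSET, DELTA))
    return crc_ok(forged), forged[12:-4]

def authenticated_attack():
    """Returns what the receiver accepts after the same tampering on the tagged container."""
    blob = encrypt_auth(KEY, NONCE, FRAME)
    return decrypt_auth(KEY, NONCE, tamper(blob[:-16], OFFSET, DELTA) + blob[-16:])

if __name__ == "__main__":
    print(crc_only_attack())        # (True, b'ACCOUNT=9000')  -> forgery accepted
    print(authenticated_attack())   # None                     -> forgery rejected
```

The attacker never learns the key and never decrypts anything; knowing the frame layout and the old field value is enough. That is the general lesson: confidentiality and integrity are separate properties, and a bulk encryptor that wants both has to carry a tag, not just a CRC.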
While still deemed somewhat esoteric, Quantum Key Distribution (QKD) is gradually making its way into real network use. QKD offers many benefits that are too tempting to be ignored:
- Since key generation and transmission are based on quantum mechanics, any act of measurement by an eavesdropper disturbs the photons and shows up as an elevated error rate when the two ends compare a sample of the sifted key, providing built-in intrusion detection. In fact, QKD assumes there is always an intruder listening in!
- The keys cannot be copied without degrading them. If enough information is copied from the key to be useful, then not enough information remains in the original key to be viable. In other words, the key is copy proof.
- The rate of random bit generation is fast enough (over 1 Mbps) to allow continuously rolling truly random keys, rather than fixed pseudorandom keys with an expiration date.
- And, perhaps best of all, the keys generated have high entropy: they are truly random and immune to the password-cracking rigs described above, because there is no password to guess. When coupled with QKD, standard AES-256 becomes more than sufficient to protect confidentiality.
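The first point in the list above, the built-in intrusion detection, is the one most worth seeing in action. The following added example (not from the original article, and not modelled on any vendor's QKD system) simulates the BB84 protocol classically: Alice sends bits in random bases, Bob measures in random bases, the two sift over the public channel, then sacrifice a sample of the sifted key to estimate the error rate. With an intercept-resend eavesdropper the error rate jumps to about 25%, and the exchange is aborted. The channel model, the eavesdropper strategy and the 11% abort threshold are assumptions stated in the block.

```python
"""Added example (not from the original article): BB84 simulated classically,
showing the property the list above relies on: an eavesdropper who measures
the photons leaves errors that Alice and Bob detect when they compare a sample
of the sifted key.

Assumptions: ideal channel (no loss or detector noise), so every error is the
eavesdropper's; a photon is a (bit, basis) pair and measuring it in the wrong
basis returns a uniformly random bit. The intercept-resend attacker guesses a
basis per photon, is wrong half the time, and each wrong guess flips Bob's
result with probability 1/2, giving an expected QBER of 25%. The 11% abort
threshold is the textbook figure for one-way post-processing.
"""
import random

ABORT_QBER = 0.11

def measure(photon, basis, rng):
    """Measuring in the preparation basis returns the encoded bit; measuring in
    the other basis destroys it and returns a random bit."""
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randrange(2)

def intercept_resend(photon, rng):
    basis = rng.randrange(2)                      # Eve does not know Alice's basis
    return (measure(photon, basis, rng), basis)   # re-sent in Eve's basis

def bb84(n, eavesdrop, seed=0, sample_frac=0.2):
    rng = random.Random(seed)
    # Alice: random bits in random bases (0 = rectilinear, 1 = diagonal)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    photons = list(zip(alice_bits, alice_bases))
    if eavesdrop:
        photons = [intercept_resend(p, rng) for p in photons]
    # Bob: measures each photon in a random basis
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]
    # Sifting over the public channel: keep positions where bases agree
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    # Error estimation: publicly compare a sacrificed random sample
    sample = set(rng.sample(keep, max(1, int(len(keep) * sample_frac))))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample)
    key_a = [alice_bits[i] for i in keep if i not in sample]
    key_b = [bob_bits[i] for i in keep if i not in sample]
    return {"qber": qber, "accepted": qber <= ABORT_QBER,
            "keys_match": key_a == key_b, "key_bits": len(key_a)}

if __name__ == "__main__":
    print(bb84(4000, eavesdrop=False))   # qber 0.0, accepted, keys match
    print(bb84(4000, eavesdrop=True))    # qber near 0.25, aborted, keys differ
```

On a real link the QBER is never exactly zero, which is why the abort threshold exists: detector noise and loss contribute a baseline error rate, and the protocol's security argument bounds how much of the observed rate could be an eavesdropper's. The simulation also shows the cost of the detection: the sample compared in public is thrown away, and with random bases only about half of the transmitted bits survive sifting at all.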
In short, all the optical technologies needed to contribute to network security are already available today. All that is left to do is the repurposing. The answer to improving network security is not fancier keys, but rather optics.
Jim Theodoras is senior director of technical marketing at ADVA Optical Networking