[MA] Automated Post-Quantum Certificate Management for Industrial Internet of Things Infrastructures

  • Name:

    [MA] Automated Post-Quantum Certificate Management for Industrial Internet of Things Infrastructures

  • Venue:

    Geb. 50.34 SR 252 and BBB: https://i62bbb.tm.kit.edu/b/mic-7xx-rfr

  • Date:


  • Speaker:

    Kiron Mirdha

  • Time:


  • The Industrial Internet of Things (IIoT) is characterized by its high interconnectedness enabling data exchange across private and public networks. In order to protect the authenticity of industrial devices and applications against cyber attacks, current best practices typically involve Public Key Infrastructures (PKIs). While PKI solutions are well established in the Web, recent studies suggest that their realization in industrial applications is often insufficient.
    Moreover, the long lifespan of IIoT devices necessitates protecting them against future threats, such as attacks aided by quantum computers. Especially the ongoing standardization efforts of post-quantum cryptography (PQC) by the National Institute of Standards and Technology (NIST) motivate research on its applicability in industrial networks.
    In this thesis, we reduce the complexity of certificate management for IIoT devices by automating administrative PKI tasks. Furthermore, we addressed the quantum threat by incorporating post-quantum algorithms from NIST’s standardization process. Our approach instantiates a use case specific version of the Lightweight Certificate Management Protocol (CMP) Profile for X.509 digital certificates. It considers the requirements of industrial networks and provides an automation concept for the main functions of certificate management: certificate request, renewal, and revocation. We analyzed the authentication of the proposed protocol in the symbolic model using the formal verification tool Verifpal and proofed that the exchanged messages are secure against a Dolev-Yao attacker under the notion of injective agreement. Our impact assessment showed that using the post-quantum signature scheme Dilithium2 instead of Elliptic Curve Digital Signature Algorithm (ECDSA) with the curve P-384 results in shorter execution times at the cost of larger message sizes. In particular, the execution time for generating request messages is reduced by a factor of ∼ 7, and for
    validating their corresponding responses by a factor of ∼ 120. Overall, we concluded that Dilithium is a viable post-quantum alternative – even for time-sensitive industrial applications.