Time-based Hash-Based Signature CAs Enable Secure VPN-Authentication with Four-Hour Certificate Validity

The increasing need for robust security in digital communications drives the development of new cryptographic methods, and researchers are now focusing on adapting these methods for widespread use in technologies like VPN authentication. Daniel Herzinger from genua GmbH, Linus Heise, Daniel Loebenberger, and Matthias Söllner from OTH Amberg-Weiden propose a novel system that integrates time-based state management with hash-based signatures, specifically the XMSS scheme, to enhance VPN security. This design addresses a gap in current standards by utilising hash-based signatures, which offer small signature sizes and long-term security, while also minimising computational demands and bandwidth usage. The team’s work culminates in a practical OpenBSD implementation, offering a highly flexible and resilient VPN authentication system that promises significantly improved security against evolving cyber threats and represents a substantial step towards post-quantum cryptography.

Scientists addressed the complexities of managing the state of the XMSS signature scheme by linking its state directly to time, simplifying the process and enhancing security by ensuring predictable and deterministic state updates. The system incorporates a pre-defined, time-based schedule for updating the XMSS state, digitally signing this schedule to guarantee its integrity and authenticity. To ensure reliable timekeeping, the design utilises triple-redundant NTP servers and combines relative and absolute timers for enhanced robustness. This novel design offers a robust and practical solution for quantum-secure VPN authentication, addressing a critical challenge in the transition to a quantum-resistant internet.

VPN Authentication via Stateful Hash Signatures

Recognizing the growing vulnerability of current cryptographic systems to quantum computer attacks, scientists pioneered a new VPN authentication approach using hash-based signatures. They developed a system centered around stateful hash-based signatures managed by a Certificate Authority (CA) per VPN device, leveraging the long-term security of this approach while mitigating its impracticality for high-volume connections. Researchers implemented a time-based state-management system, assigning each VPN device a CA that issues classical certificates valid for four hours, balancing security and efficiency. The team selected a four-hour certificate lifetime, anticipating the possibility of shortening this further should quantum computers pose a more immediate threat to classical algorithms.

This design also allows for future migration to fully quantum-secure leaf certificates, as the CA provides a strong trust anchor and cryptographic agility. To ensure resilience against time manipulation, scientists integrated redundant timers and Network Time Protocol (NTP) servers, combining these with counter-based stateful hash-based signature management. The entire system was validated through an implementation within OpenIKED, an IPsec key exchange implementation of the OpenBSD project, demonstrating its resistance to state-tampering attempts with only limited performance costs.

XMSS Signatures Secure Post-Quantum VPN Authentication

This work presents a breakthrough in secure VPN authentication by integrating hash-based signatures into a post-quantum cryptographic system, addressing vulnerabilities to future quantum computing threats. Researchers developed a design utilising the XMSS signature scheme, a stateful hash-based signature, to establish a quantum-resistant chain of trust for VPN devices. The core innovation lies in a time-based state-management system, assigning each VPN device a certificate authority (CA) rooted in the XMSS scheme, which then issues short-lived leaf certificates, valid for just four hours. This approach ensures long-term security, as breaking the cryptographic scheme would require significantly more computational power than currently available.

The team successfully implemented this design within OpenIKED, OpenBSD’s IPsec key exchange implementation, demonstrating its feasibility and resilience. Tests confirm the system withstands various state-tampering attempts while introducing only limited performance costs. The research establishes a shallow chain of trust, consisting of a single CA and one layer of leaf certificates per VPN device, simplifying management and enhancing security.

XMSS Signatures Enhance VPN Security

This work presents a new design for secure VPN authentication that migrates away from traditional methods towards post-quantum cryptography. The team developed a system utilising hash-based signatures, specifically the XMSS scheme, alongside time-based state management to issue short-lived certificates. This approach reduces bandwidth and computational resource requirements compared to existing VPN authentication protocols, while maintaining a high level of security against emerging quantum computing threats. The researchers implemented several strategies to improve the resilience of the system against time manipulation attacks, including utilising a triple-redundant set of NTP servers, verifying time against a pre-defined schedule, and employing separate timers to detect anomalies. The system is designed to halt certificate issuance if time discrepancies are detected, alerting administrators to potential issues.
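The time checks described above can be sketched in a few lines of C. This is an added example, not code from the paper or from OpenIKED. It assumes one XMSS leaf index per four-hour slot, a five-second tolerance, and a "median must agree with at least one other server" rule; `ca_state`, `agreed_time` and `next_index` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#define SLOT_SECONDS (4 * 60 * 60) /* four-hour certificate validity (from the article) */
#define MAX_SKEW 5                 /* assumed tolerance in seconds */
enum issue_result { ISSUE_OK, HALT_TIME, REFUSE_REUSE, EXHAUSTED };

struct ca_state {                   /* hypothetical persisted CA state */
    int64_t epoch;                  /* absolute start of the signed schedule (UTC s) */
    int64_t num_leaves;             /* one-time keys available in the XMSS tree */
    int64_t last_index;             /* highest leaf index ever used, -1 if none */
    int64_t last_abs, last_mono;    /* absolute / relative timer at last issuance, -1 if none */
};

/* Median of three NTP readings; fails when the median has no neighbour within MAX_SKEW. */
static int agreed_time(const int64_t t[3], int64_t *out)
{
    int64_t a = t[0], b = t[1], c = t[2], x;
    if (a > b) { x = a; a = b; b = x; }
    if (b > c) { x = b; b = c; c = x; }
    if (a > b) { x = a; a = b; b = x; }
    if (b - a > MAX_SKEW && c - b > MAX_SKEW) return -1;
    *out = b;
    return 0;
}

/* Derive the leaf index for the current slot, or report why issuance must stop. */
enum issue_result next_index(struct ca_state *s, const int64_t ntp[3], int64_t mono_now, int64_t *index)
{
    int64_t now, idx, drift;
    if (agreed_time(ntp, &now) != 0 || now < s->epoch) return HALT_TIME;
    if (s->last_mono >= 0) { /* absolute and relative clocks must report the same elapsed time */
        drift = (now - s->last_abs) - (mono_now - s->last_mono);
        if (mono_now < s->last_mono || drift > MAX_SKEW || drift < -MAX_SKEW) return HALT_TIME;
    }
    idx = (now - s->epoch) / SLOT_SECONDS;
    if (idx >= s->num_leaves) return EXHAUSTED;
    if (idx <= s->last_index) return REFUSE_REUSE; /* never sign twice with a one-time key */
    s->last_index = idx; s->last_abs = now; s->last_mono = mono_now; /* persist before signing */
    *index = idx;
    return ISSUE_OK;
}

int main(void)
{
    struct ca_state s = { 1700000000, 1024, -1, -1, -1 };     /* constructed sample values */
    int64_t ntp[3] = { 1700000010, 1700000011, 1700000009 }, idx = -1;
    enum issue_result r = next_index(&s, ntp, 100, &idx);
    printf("result=%d index=%lld\n", (int)r, (long long)idx);
    return 0;
}
```

Any result other than `ISSUE_OK` leaves the stored state untouched, so a rejected request cannot advance or rewind the index.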

👉 More information
🗞 Time-Based State-Management of Hash-Based Signature CAs for VPN-Authentication
🧠 ArXiv: https://arxiv.org/abs/2509.11695

Quantum News
