Behind the First Secure Quantum Crypto Network

Posted by Soulskill
from the not-just-really-really-small-keys dept.
schliz writes "Researchers behind the world's largest quantum encrypted network said the technology could secure business networks inside six years. The prototype Quantum Key Distribution network was built by the Secure Communication Based On Quantum Cryptography (SECOQC) group last year. It is described in a journal paper published by the Institute of Physics this week, which includes details on how it is based on the trusted-repeater paradigm."

  • by Architect_sasyr (938685) on Saturday July 04, 2009 @05:22AM (#28578839)
    If they're getting 1kbps over 25km, I find it hard to believe that they will get it up to metropolitan speeds necessary in a few years. They've got decent funding and obviously have invested a fair bit of money into this, but for those speeds you might as well add tampering sensors to some tempest-rated conduit and run fiber. If they make significant speed improvements within 6 years, then I will be proven wrong, but I've seen nothing in the papers to suggest they can (I've been following this idea for a couple of years now).
    • Re: (Score:3, Interesting)

      by hedwards (940851)
      Not necessarily, it depends what they're doing with it. This strikes me as an excellent way of distributing keys off band. From what I can tell they're just promising to secure the networks in that time, and that's possible with what they've got. Theoretically speaking.

      Well, that and ensuring that the keys are unobserved.
      • Even so (and forgive me if I make a mistake here), 1k is only a 1024-bit key; sending anything of any decent size will geometrically increase the keying time. 4 seconds for a 4096-bit key; even if the keying is the only thing that happens on one side, it's still a long time. I didn't see whether the system was full or half duplex either, so is it actually 2 seconds to set up the basics for a 1024-bit exchange?
      • Re: (Score:3, Insightful)

        by gweihir (88907)

        There is nothing excellent about it. Perhaps the most important weakness is that you cannot really route traffic, but need point-to-point links. If you look at what made the Internet great, you can see that this is a show-stopper. In addition the claimed security is wishful thinking. All physical theories have proven inaccurate so far. This could fall over with one PhD student having a bright idea.

        • by QuantumV (1307135)

          Perhaps the most important weakness is that you cannot really route traffic, but need point-to-point links.

          Well, the point of the SECOQC network is to demonstrate a network with routing capabilities. It is a network that consists of many point-to-point links.

          All physical theories have proven inaccurate so far. This could fall over with one PhD student having a bright idea.

          Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor. We cannot exclude the possibility that if someone is able to put the fiber through a wormhole, something strange would happen, but from a bright PhD student imagining this possibility to

          • Re: (Score:3, Interesting)

            by gweihir (88907)

            Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.

            I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than physical measurements. This could well mean that you can break messages later. And, incidentally, you still have a conventional network and conventional encryption for the actual message. This means yo

            • by QuantumV (1307135)

              Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.

              I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than physical measurements. This could well mean that you can break messages later. And, incidentally, you still have a conventional network and conventional encryption for the actual message. This means you have to maintain two networks and one of them is pretty expensive.

              During the "hardware phase" of a quantum key exchange there is a certain amount of noise that has to be corrected due to imperfections in the channel, and that means that some information leakage is in practice always possible. The apparatus therefore estimates the maximum possible amount of information leakage (making sure it is overestimated rather than underestimated) and performs "privacy amplification" to make sure that this information is useless to an eavesdropper (this lowers the key rate

              • by gweihir (88907)

                I agree that creating and securing these HDDs is much cheaper, but a QKD system would fail more gracefully if you have a security breach in some realistic scenarios. Imagine that in month 2 you had an employee with malicious intent at your secure site. If this employee would be able to copy the 1 TB HDD, anyone outside would be able to decrypt anything during the next 31 years. The same person would only be able to leak information from his period of employment if a continuously generated key is used. (Thi

        • There is nothing excellent about it. Perhaps the most important weakness is that you cannot really route traffic, but need point-to-point links. If you look at what made the Internet great, you can see that this is a show-stopper.

          This isn't much different from how your credit card & ATM transactions are processed.

          You're focusing on the network too much rather than the trust model. Instead of all our banks trusting each other directly and sharing keys with each other (way too many banks in the world, and the key exchange process is nothing to joke about), a bank trusts one or more switches, which trust one or more switches, which trust other banks. AFAIK, the actual network connections are private circuits. Did you know that t

    • by lucat (814182)

      1kbps should be good enough to exchange secret keys for "real world" cryptography.
      This should be used in place of Asymmetric-key cryptography.

      Once you know that the secret key has not been eavesdropped then you can use regular symmetric-key cryptography over faster but unsafe communication channels.

      The goal of secure quantum networks is to substitute asymmetric-key cryptography, not in place of symmetric-key cryptography.

      The length of a symmetric-key for AES-256 is... 256 bits... so 1kbps for that is good e

    • So what? You only need to transfer the *keys*. Not the data! The data is safe, because the keys are safe. I thought that was the point, wasn't it?

  • If one ran the quantum encrypted backbone on one adapter of machines, and normal Internet stuff on another, perhaps the handshakes and the key exchange for large volume data transfers over SSL or ssh could be done via the quantum interface, then the session key negotiated could be used over the Ethernet link. This way, should a private key be compromised or broken on a host it would not affect future communications (assuming the security hole is patched and the machine re-secured.)

    I can see running these two networks

    • perhaps the handshakes and the key exchange for large volume data transfers over SSL or ssh could be done via the quantum interface, then the session key negotiated could be used over the Ethernet link.

      Exactly. With an out-of-band channel for the encryption keys, you could build something pretty secure easily. Even timesharing a 1kbps secure key exchange network on a one-transaction-per-minute basis would be pretty useful. Of course, there are tons of issues with trusting that link supplier in the first place, and m

    • If one ran the quantum encrypted backbone on one adapter of machines, and normal Internet stuff on another, perhaps the handshakes and the key exchange for large volume data transfers over SSL or ssh could be done via the quantum interface, then the session key negotiated could be used over the Ethernet link. This way, should a private key be compromised or broken on a host it would not affect future communications (assuming the security hole is patched and the machine re-secured.)

      The whole point of public key cryptography is that the encryption setup is secure, even if an attacker is able to watch every byte that gets exchanged. If your private keys are compromised, then having transmitted the private keys over an unbreakable quantum link doesn't really matter at that point because the only solution is to revoke the keys and reissue new ones.

      If you really need maximum security, then use 8192 bit public key encryption... nobody's going to be breaking that any time soon.

      • by mlts (1038732) *

        The advantage of the dual link setup is that public key cryptography can be done away with altogether. Public key cryptography as of now is secure, but there are worries about it, from theoretical algorithms that speed up factoring, to very large key sizes and large amounts of computations required for larger keys (Big O for larger key sizes is N^3, so an 8192 bit key would require 64 times as much CPU power as a 2048 bit key.)

        Of course, because the two machines negotiate a key over a secure connection, th

  • Excuse me, but... (Score:5, Informative)

    by kvezach (1199717) on Saturday July 04, 2009 @05:41AM (#28578889)
    ... what's the point of this network? The weakness of current crypto isn't that someone will break it to decrypt in feasible time, but rather what happens outside of the crypto itself. No perfectly secure quantum network can stop worms or social engineering attacks, and as far as cryptographic algorithms themselves go, AES-256 and RSA-3072 are strong enough.

    Now, if suddenly everybody had a quantum computer that could break RSA in polytime, there might be a point to this, but they don't, so there isn't - not that I can see.
    • Re: (Score:3, Insightful)

      by reashlin (1370169)

      Now, if suddenly everybody had a quantum computer that could break RSA in polytime, there might be a point to this, but they don't, so there isn't - not that I can see.

      If "suddenly" is in, say, 10 years' time, then doing this research that will be much more feasible in 6 years' time seems pretty smart to me. Just because the technology isn't here now doesn't mean it isn't worth preparing for its arrival.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      AES-256 and RSA-3072 are strong enough.

      AES-256?
      You mean AES-110, right?

      • by kvezach (1199717)
        As opposed to AES-128 or AES-192, both of which are permitted by the AES standard. Either of these is probably secure enough, but why not go for the full 256 bits?
        • Re: (Score:1, Informative)

          by Anonymous Coward

          AES-192 and AES-256 are weaker than AES-128:

          https://cryptolux.uni.lu/mediawiki/uploads/1/1a/Aes-192-256.pdf

          • The parent is correct. I have verified this via
            https://cryptolux.org/FAQ_on_the_attacks [cryptolux.org]

            Per that FAQ, AES-128 is in fact stronger.

            PLEASE MOD PARENT UP!!

            --PeterM

            • AES-128 is in fact stronger.

              Well, in some scenarios it is. The attack is a related key attack (sort of like what can be used against WEP). However, it's still quite strong. From the page:

              Q.: Is this attack practical?

              A.: No. Even after improvements we are still over 2^100 encryptions, which is beyond the computational power of the human kind. Moreover this attack works in a related key attack model which assumes a more powerful attacker than the single key model.

    • It can be used against "you must give Microsoft all your master private keys" approaches, such as Palladium turned out to be. (It was later renamed Trusted Computing, and has turned out to have quite a few profound flaws.)
  • Nobody needs quantum key exchange (no, it is not even Cryptography, despite the claims). The data in these links needs to be encrypted with an ordinary cipher anyway, so there really is no need to use something flashy for the key exchange. In addition, nobody knows whether quantum transmission is really as secure as claimed. These are theoretical predictions from a physical theory, and so far all of these have proven to be only partially accurate.

    Doing this the conventional way is cheap, fast, reliable an

  • by getuid() (1305889) on Saturday July 04, 2009 @08:00AM (#28579281) Homepage

    From what I've been told (I am a physics major, but I don't work in quantum cryptography as my main activity), there's a bunch of other weaknesses inherent to quantum encryption methods.

    For example, qubits are mostly transferred through some optical medium. At the receiving end, at some point, they are detected in one way or the other. "Detecting" means they alter the state of the detector in a measurable way. And there are some ideas (maybe even implementations?) of attacks that try to measure the alteration of the detector immediately after the detection, for example by probing with a laser pulse that follows the qubit pulse.

    Now due to some limitations of the physics of light pulses, this is something that, if implemented, is very difficult to defend against, since the light always goes both ways. It is also a kind of attack that could not be implemented against "classic" information transmission channels...
     
    ...I really find it interesting that every new technology seems to have its inherent weaknesses at one spot or the other -- kinda feels comfortable to know that "There is no silver bullet" [wikipedia.org] still holds... :-)

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Actually, light does not necessarily go both ways: you can have it go only one way using an "isolator". These are cheap fibre components that are used very commonly. Of course there are some implementation weaknesses in quantum cryptography; an article that examines various protocols is: http://arxiv.org/abs/0802.4155

    • by gweihir (88907)

      Interesting. This detector probing could break the whole thing. Just shows my point that the security claims of "Quantum Key Exchange" (no crypto here) are not up to cryptographic standards, despite me being moderated down above for saying so. Some people seem to really, really want their castle in the sky.

      • by QuantumV (1307135)

        Interesting. This detector probing could break the whole thing.

        Yes, it could if devices allow for this. This has been known for years and no modern device that lets this happen will be taken seriously.

  • Maginot Line [wikipedia.org], folks. Point-to-point encryption is one (important) element of a business network, but it's not sufficient to secure the business network. As such, its implementation would need to be assessed with respect to the total network security budget.

  • by Animats (122034) on Saturday July 04, 2009 @12:34PM (#28580821) Homepage

    This system still assumes the switches are trusted. The point-to-point links have quantum encryption, but that doesn't help in networks with enough stations to need routers.

    From a crypto management point of view, secure links between two fixed points are easy. One time keys will work. Networks are much more difficult.
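
A simplified model of the trusted-repeater relay this thread discusses, added here as an example (it is not SECOQC's code and not part of any comment): a session key travels hop by hop, one-time-padded with each link's own key, so a wiretapper on any link sees only ciphertext while every intermediate switch holds the key in the clear. The node names, `Link`, `relay_key` and `demo` are assumptions, and `secrets.token_bytes` stands in for each link's QKD output.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

class Link:
    """Key store shared by the two ends of one point-to-point QKD link."""
    def __init__(self, pad_bytes: int):
        # Assumption: secrets.token_bytes stands in for the link's QKD output.
        self.pad = secrets.token_bytes(pad_bytes)
        self.used = 0

    def take(self, n: int) -> bytes:
        if self.used + n > len(self.pad):
            raise RuntimeError("link key store exhausted; wait for more QKD key")
        chunk = self.pad[self.used:self.used + n]
        self.used += n  # pad bytes are consumed, never reused
        return chunk

def relay_key(path, links, session_key):
    """Forward session_key hop by hop, one-time-padded per link.

    Returns (key delivered to the last node, ciphertext seen on each link,
    nodes that held the key in the clear)."""
    on_wire, held_in_clear = [], [path[0]]
    current = session_key
    for a, b in zip(path, path[1:]):
        pad = links[(a, b)].take(len(current))
        ciphertext = xor(current, pad)   # all a wiretapper on this link sees
        on_wire.append(ciphertext)
        current = xor(ciphertext, pad)   # node b strips the pad: plaintext key
        held_in_clear.append(b)
    return current, on_wire, held_in_clear

def demo():
    path = ["alice", "switch1", "switch2", "bob"]  # constructed topology
    links = {(a, b): Link(64) for a, b in zip(path, path[1:])}
    key = secrets.token_bytes(32)  # AES-256-sized session key
    delivered, on_wire, held = relay_key(path, links, key)
    return key, delivered, on_wire, held, links

if __name__ == "__main__":
    key, delivered, on_wire, held, links = demo()
    print("delivered intact:", delivered == key)
    print("key visible on any link:", key in on_wire)
    print("nodes that held the key in the clear:", held)
```

Each relayed key also consumes pad on every link along the path, so the slowest link's key rate bounds how often end-to-end keys can be refreshed.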

  • For Those Asking "What's the Point?"... the detail is in the name. This network is being used to distribute encryption keys (not the content). While the network speeds may not look impressive at first glance, a current high-end RSA key is only 2048 bits long. A key every second on prototype tech really isn't too shabby. A single key can be used for an entire conversation. Someone else also pointed out that the problem with current crypto isn't that it can be broken, rather that there are ways around it. The
    • by owlstead (636356)

      Some remarks:
      - quantum key distro is not safe from side channel attacks, in other words, you can get around quantum cryptography as well
      - key management is much more important than key distribution
      - RSA 2048 is now considered to provide minimum security, not "high end" security
      - using a single key for an unbounded conversation is not safe
      - the key distro does not cover authentication, so some sort of authentication (e.g. asymmetric crypto) is still needed

  • by Anonymous Coward

    All the quantum component of these systems does is generate the same pairs of random bits between exactly two systems. It's no more complicated than this.

    There is an obvious problem in that there is no "quantum trust" scheme possible to know exactly "what" is on either end of the system.

    Thus we must still rely on some form of "classical" secret key to enable either side to trust the other.

    These systems have the benefit that:

    A. Eavesdropping on an established link can be detected -- in practice active MITM atte

  • Isn't the idea of quantum crypto and even crypto in general seriously in doubt given the advent of the "First Electronic Quantum Processor" (see recent /. posting)? Granted, the first processor is only 2qb, but once it's scaled to 8qb won't it be able to crack pretty much any crypto?
