Behind the First Secure Quantum Crypto Network
Posted by Soulskill
from the not-just-really-really-small-keys dept.
schliz writes "Researchers behind the world's largest quantum encrypted network said the technology could secure business networks inside six years. The prototype Quantum Key Distribution network was built by the Secure Communication Based On Quantum Cryptography (SECOQC) group last year. It is described in a journal paper published by the Institute of Physics this week, which includes details on how it is based on the trusted-repeater paradigm."
Re:Not at those speeds (Score:3, Interesting)
Well, that and ensuring that the keys are unobserved.
Re:Excuse me, but... (Score:3, Interesting)
That leaves the case where the channel is insecure. Doing the quantum transmission in one go falls to the man-in-the-middle attack I've detailed: I establish a computer in between, receive A's photons and send my own photons in its stead. I can't clone the photons, but I don't need to: I simply establish one OTP with A (A thinks he's sending that OTP to B), and another OTP with B (B thinks this is A's OTP), and transparently decrypt/encrypt what comes later.
Your countermeasure is to break the protocol into two steps. As far as I understand, you're saying that because the photons are sent ahead of time, you can't tinker with them because entanglement happens without a connection. But this too falls to the MITM attack. Say A sends a bunch of entangled photons to B, then waits a week, then sets their states according to the QC protocol. What I do, as a man in the middle, is to accept A's photons, send my own to B, and wait a week. When the second stage commences, I read off the states, just like B would do with A's photons, then set the states (using entanglement) of the photons I sent to B.
In order to know that I'm not B, you have to send something in advance, securely. The key doesn't have to be very long - password-authenticated key agreement methods work very well for this purpose, as they can't be cracked offline (usual caveats regarding quantum computers applying). The same holds for quantum crypto: you have to send at least some photons to B in such a way that you know they reach B and not myself. Quantum crypto detects if I'm fiddling with the photons themselves, but in the man-in-the-middle attack I've shown above, I'm not doing that. The photons that A sends to me, thinking I'm B, are never tinkered with except by the recipient (me). The photons I send to B, making B think I'm A, are never tinkered with except by the recipient (B) either.
The switches are still trusted (Score:3, Interesting)
This system still assumes the switches are trusted. The point-to-point links have quantum encryption, but that doesn't help in networks with enough stations to need routers.
From a crypto management point of view, secure links between two fixed points are easy. One time keys will work. Networks are much more difficult.
What is the value of OTP in modern secure systems? (Score:1, Interesting)
All the quantum components of these systems do is generate the same pairs of random bits between exactly two systems. It's no more complicated than this.
There is an obvious problem in that there is no "quantum trust" scheme possible to know exactly "what" is on either end of the system.
Thus we must still rely on some form of "classical" secret key to enable either side to trust the other.
These systems have the benefit that:
A. Eavesdropping on an established link can be detected -- in practice active MITM attempts with a recovered secret key can likely be cloaked as some sort of network issue or sneaked into a maintenance window.
B. Cryptanalysis is more difficult because the OTP data is mixed with the classical source out of band.
However the security of any system is always dependent on its weakest link. Assuming the quantum part of the system works exactly as advertised (there have already been a number of oversights in this department), the system is hardly infallible or unbreakable because secrets are still managed using the same "classical" methods they always have.
A modern zero-knowledge system shares many of the same benefits of quantum crypto without dedicated fibre rings. Heck, if people really wanted this for secure communications all they need to do is put the same random bits on a few TB disk drives and ferry them back and forth under armed guard once a year. You can talk 24/7 for years and not get close to reusing any bits, have MORE security and save quite a lot of money in the process.
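The two-session man-in-the-middle described in the "Re:Excuse me, but..." comment and this comment's point that a classical shared secret is still needed to know who is on the other end, as an added toy BB84 model (constructed here; not code from the SECOQC project or from any poster). It assumes an idealised lossless, noise-free channel, a hypothetical `psk` pre-shared between Alice and Bob, and a made-up scenario name per attacker behaviour; it shows that intercept-resend raises the error rate and is caught, that a full MITM running two independent sessions produces a zero error rate and is not, and that a MAC over the basis announcement keyed by the classical secret is what finally rejects the impostor.

```python
import hashlib, hmac, random

def prepare(rng, n):
    # Alice's raw key bits and encoding bases (0 = rectilinear, 1 = diagonal)
    return [rng.getrandbits(1) for _ in range(n)], [rng.getrandbits(1) for _ in range(n)]

def measure(rng, photons):
    # photons: list of (bit, basis). A matching basis reads the bit exactly;
    # a mismatched basis gives a uniformly random outcome (idealised channel).
    bases = [rng.getrandbits(1) for _ in photons]
    bits = [bit if b == basis else rng.getrandbits(1)
            for (bit, basis), b in zip(photons, bases)]
    return bits, bases

def sift(bits_a, bases_a, bits_b, bases_b):
    # keep only positions where both sides chose the same basis
    keep = [i for i, (x, y) in enumerate(zip(bases_a, bases_b)) if x == y]
    return [bits_a[i] for i in keep], [bits_b[i] for i in keep]

def qber(key_a, key_b):
    return sum(a != b for a, b in zip(key_a, key_b)) / max(len(key_a), 1)

def tag(psk, bases):
    # MAC over the basis announcement, keyed by the pre-shared classical secret
    return hmac.new(psk, bytes(bases), hashlib.sha256).digest()

def session(seed, n, eve=None, psk=None):
    """eve: None, 'intercept_resend' or 'mitm' (hypothetical scenario names).
    psk: shared secret authenticating the classical sifting channel, or None."""
    rng = random.Random(seed)
    bits_a, bases_a = prepare(rng, n)
    photons = list(zip(bits_a, bases_a))
    if eve == "intercept_resend":        # Eve measures and re-emits each photon
        e_bits, e_bases = measure(rng, photons)
        photons = list(zip(e_bits, e_bases))
    if eve == "mitm":                    # Eve runs two independent QKD sessions
        peer_bits, peer_bases = measure(rng, photons)         # Eve acting as "Bob"
        e2 = prepare(rng, n)                                  # Eve acting as "Alice"
        bits_b, bases_b = measure(rng, list(zip(*e2)))
        key_b = sift(e2[0], e2[1], bits_b, bases_b)[1]        # Bob's real key
        announce_tag = b"\x00" * 32                           # Eve does not know psk
    else:
        peer_bits, peer_bases = measure(rng, photons)         # genuine Bob
        announce_tag = tag(psk, peer_bases) if psk else None
    auth_ok = psk is None or hmac.compare_digest(announce_tag, tag(psk, peer_bases))
    key_a, key_peer = sift(bits_a, bases_a, peer_bits, peer_bases)
    if eve != "mitm":
        key_b = key_peer
    return {"qber": qber(key_a, key_peer), "auth_ok": auth_ok,
            "keys_match": key_a == key_b}
```

With no `psk`, the MITM run reports a clean zero error rate, exactly the "nothing was tinkered with" situation the earlier comment describes, even though Alice's and Bob's keys are different.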
Re:Not at those speeds (Score:3, Interesting)
Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.
I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than physical measurements. This could well mean that you can break messages later. And, incidentally, you still have a conventional network and conventional encryption for the actual message. This means you have to maintain two networks and one of them is pretty expensive.
Here is a thought experiment for the key exchange: Say you can exchange 1kB of key material per second. Alternatively, say you have 1TB disks with one-time pads as key sources. This gives you enough key material for 31 years at the speed of the quantum link. Now, do you suppose creating these HDDs is cheaper or building and operating the quantum link is cheaper? I would say the pre-arranged one-time pads are several orders of magnitude cheaper. In addition, they are more reliable, easier to secure, well understood and use only proven technology.
If you really, really need high security, one-time pads do the job relatively cheaply and with known properties. If you need more regular security, conventional encryption is fine. Quantum key exchange has no place in this.