Quantum Cryptography Now Fast Enough For Video

kdawson posted more than 4 years ago | from the key-frames dept.

Communications 69

cremeglace sends in news of a major advance in the speed of quantum key distribution. "Researchers at the Cambridge Lab of Toshiba Research Europe have solved the problem of transferring highly sensitive data at high speed across a long distance network. The team were able to demonstrate the continuous operation of quantum key distribution (QKD) — a system that allows the communicating users to detect if a third party is trying to eavesdrop on the data communication — at a speed greater than one megabit/sec over a 50 km fibre optic network, thanks to the use of a light detector for high bit rates and a feedback system which maintains the high bit rates during data transfer. ... The faster one megabit/sec data handling will allow the one-time pad to be used for the encryption of video — a vast step forward over the current ability to only encrypt voice data."

And if there's a man in the middle? (3, Insightful)

BadAnalogyGuy (945258) | more than 4 years ago | (#31907480)

So if someone is eavesdropping, I won't be able to watch the video?

Re:And if there's a man in the middle? (4, Insightful)

Chrisq (894406) | more than 4 years ago | (#31907542)

That's absolutely correct. For some purposes it is better that you terminate the video session than have someone listening in undetected

Re:And if there's a man in the middle? (3, Interesting)

mooglez (795643) | more than 4 years ago | (#31907584)

Would this be vulnerable to the man in the middle attack on quantum key distribution described in this earlier slashdot article:

http://it.slashdot.org/story/09/12/30/2118250/Quantum-Encryption-Implementation-Broken [slashdot.org]

They seem to be attacking the hardware rather than the software

Re:And if there's a man in the middle? (1)

Chrisq (894406) | more than 4 years ago | (#31907736)

That's a good question, and not answerable from the article. The method given was as you say an attack on the hardware, by sending strong pulses of light the eavesdropper could force the detectors to register ones (and zeros?). The article does not say whether a similar type of detector is being used and whether it is subject to this attack.

Re:And if there's a man in the middle? (1)

zerointeger (1587877) | more than 4 years ago | (#31908028)

Or just keep eavesdropping to introduce a denial of service condition unless utilizing a switched environment

Re:And if there's a man in the middle? (1)

onepoint (301486) | more than 4 years ago | (#31910314)

That would give away that there is someone listening. What you are trying to do is stay under the radar and peek inside the line, not disrupt the line.

Re:And if there's a man in the middle? (1)

zerointeger (1587877) | more than 4 years ago | (#31914194)

So development of a secure communications channel utilizing quantum crypto being inherently susceptible to a denial of service condition due to specialized hardware necessary for transmission which would have to wait for someone to stop listening before re-generating key pairs then transmitting?

I hope this is not in development to replace the 911 infrastructure or monetary data transmissions on a wider scale until that is addressed.

Perhaps a fiber switch/router hardware solution to allow switched routes and the necessary attenuation needed?

Re:And if there's a man in the middle? (1)

nospam007 (722110) | more than 4 years ago | (#31911560)

As soon as the MPAA tries to check what you are watching, the connection is closed and they don't know who you are.

Re:And if there's a man in the middle? (1)

xZgf6xHx2uhoAj9D (1160707) | more than 4 years ago | (#31912266)

Yes, but that's no surprise. If they were eavesdropping then necessarily they have to have physical access to the fibre. They could just cut it.

Re:And if there's a man in the middle? (0)

Anonymous Coward | more than 4 years ago | (#31912770)

Exactly, the whole point of Quantum Cryptography was to make the man in the middle more like a door than a window.
As we speak scientists are busy trying to figure out if the reverse can be applied in real life, 'cause that's what everyone's been complaining about since watching videos first became popular.

Re:And if there's a man in the middle? (0)

Anonymous Coward | more than 4 years ago | (#31967614)

Talk about the act of observing (3rd party) disturbs the observed?

Any grammar Nazis around? (0, Troll)

nacturation (646836) | more than 4 years ago | (#31907516)

The team were...

Sorry, but that's just wrong. If they're talking about one team, then it should be "the team was" otherwise clarify it by saying "the team members were".

Re:Any grammar Nazis around? (5, Informative)

Chrisq (894406) | more than 4 years ago | (#31907554)

I think that it is acceptable British English, see American and British English differences: Formal and notional agreement [wikipedia.org]

Re:Any grammar Nazis around? (1, Informative)

Anonymous Coward | more than 4 years ago | (#31907614)

I think you need some kind of punctuation mark in between '"the team was"' and 'otherwise'.

Re:Any grammar Nazis around? (1)

Panoptes (1041206) | more than 4 years ago | (#31908092)

Like it or not, "the team were" is now an accepted and widely-used form. The only 'rule' I have come across is that usage depends on whether we think of the team as a single entity, or a group of individuals.

Take the word 'class', for example. "The class was dismissed", vs "The class were interviewed one by one". Or government - "The government was defeated", vs "The government were forced to increase interest rates".

MPAA dream? (2, Insightful)

sznupi (719324) | more than 4 years ago | (#31907574)

I wonder if some interesting contributors could be noticed in founding sources...

Re:MPAA dream? (1)

cheesybagel (670288) | more than 4 years ago | (#31917178)

This "dream" only works for the MPAA if the receiver has a quantum decrypter in the brain. Anything the human eye can see can be recorded as well.

Re:MPAA dream? (1)

sznupi (719324) | more than 4 years ago | (#31917720)

Don't give them any more ideas.

sigh, the "quantum" buzzword (2, Insightful)

FuckingNickName (1362625) | more than 4 years ago | (#31907650)

So, do we still need the magic secondary channel which everyone doing transfers over this "theoretically perfect" channel conveniently forgets?

Re:sigh, the "quantum" buzzword (1)

TheKidWho (705796) | more than 4 years ago | (#31907652)

How cute, someone complaining about buzzwords.

Re:sigh, the "quantum" buzzword (2)

FuckingNickName (1362625) | more than 4 years ago | (#31907704)

If you were to stretch your mind beyond the subject, you'd see I was actually complaining about a fundamental problem with setting up a practical quantum transmission line.

Re:sigh, the "quantum" buzzword (0)

Anonymous Coward | more than 4 years ago | (#31910560)

if you would use clearer and more specific language ACs wouldn't mock you for being obtuse.

Re:sigh, the "quantum" buzzword (0)

Anonymous Coward | more than 4 years ago | (#31907696)

I see no magic channel involved here, it's just cryptography over a long distance network

Re:sigh, the "quantum" buzzword (2, Interesting)

FuckingNickName (1362625) | more than 4 years ago | (#31907726)

And howd'ja verify the integrity of your transmission? In a possibly equivalent formulation, Bob, how do you make sure Alice is the source of your channels, not Eve?

Re:sigh, the "quantum" buzzword (1)

hansraj (458504) | more than 4 years ago | (#31907838)

Problem 1: Bob, are you sure you are talking to Alice, and not Eve?

Problem 2: Bob, even if you were talking to Alice, are you sure Eve is not listening?

Just because problem 1 is tricky does not mean that solving the second one is completely useless.

Re:sigh, the "quantum" buzzword (1)

thrawn_aj (1073100) | more than 4 years ago | (#31907900)

Problem 1: Bob, are you sure you are talking to Alice, and not Eve?

Problem 2: Bob, even if you were talking to Alice, are you sure Eve is not listening?

Sounds like one of those 'Facebook-couple' arguments I see on Lamebook :-). Needs more profanity.

Re:sigh, the "quantum" buzzword (1)

Neoncow (802085) | more than 4 years ago | (#31923096)

My understanding is the quantum cryptography assures you that the person you are communicating with is connected to the receiver side of the "quantum connection". Whether the person sitting there is Alice or Eve depends on how many men with guns you've hired to guard the receiver side of the communication.

If you're satisfied with the security of the receiver side then the quantum connection means you never have to hand-deliver another one-time pad in a briefcase.

Re:sigh, the "quantum" buzzword (1)

UnHolier than ever (803328) | more than 4 years ago | (#31907828)

You need a secondary channel, but it doesn't have to be magic. You can use, like, pigeons, or mail, or a phone call, or if you're technologically inclined, the internet.

It is distributing a one-time pad that is difficult. Once you have that, communication is easy.

Re:sigh, the "quantum" buzzword (3, Insightful)

FuckingNickName (1362625) | more than 4 years ago | (#31907868)

The secondary classical channel verifies the integrity of the quantum channel. How are we assured of the integrity of the classical channel? We're back to the same weak point we had in the first place: the integrity of a classical channel. If that's insecure, then there's no hope of being assured that both quantum and classical channels aren't being created by Eve. Unless I'm missing something, but it hasn't been pointed out to me yet.

Your one-time pad distribution problem comes down to the same thing. Every practical implementation of quantum transmission lines relies on a classical transmission line in some way.

Re:sigh, the "quantum" buzzword (1)

UnHolier than ever (803328) | more than 4 years ago | (#31907888)

No, that's the whole point of the protocol. Even if the secondary channel is insecure, it cannot be faked.

-If a spy tries to fool you by taking control of the secondary channel (for example by impersonating Alice), then the protocol will fail as the spy cannot reproduce the correlations you expect to see.
-If the channel is just listened to, it does not matter because no information about the one-time pad is exchanged on it. The only information Eve can get is "It seems their transmission succeeded" or "It seems it didn't".

Re:sigh, the "quantum" buzzword (4, Insightful)

FuckingNickName (1362625) | more than 4 years ago | (#31907916)

(1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;

(2) How is the relationship between quantum and classical channels informed to Bob by Alice?

(3) If your solution is to transport a one time pad at some earlier point "by some other means", then you're copping out twice over, as now we need another classical channel to transmit one time pads long enough for message exchanges.

Re:sigh, the "quantum" buzzword (1)

UnHolier than ever (803328) | more than 4 years ago | (#31908128)

(1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;

Yes, they do. If Eve eavesdrops on the quantum channel, the correlations will not be there and the OTP will not be established. If the channel is created by Eve, it does not matter. If Eve completely replaces the data sent by Alice, then the correlations will not be there. There is no way to fake these correlations.

(2) How is the relationship between quantum and classical channels informed to Bob by Alice?

You mean, which channel is quantum and which is classical? That can be public knowledge.

(3) If your solution is to transport a one time pad at some earlier point "by some other means", then you're copping out twice over, as now we need another classical channel to transmit one time pads long enough for message exchanges.

There you are right. The protocol must work without being seeded first.

Encryption will only do so much (4, Insightful)

itsdapead (734413) | more than 4 years ago | (#31908330)

(1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;

In other news, no encryption system, even some hypothetical mathematically perfect cypher, will guarantee that Bob is not actually Eve with a pair of socks stuffed down her jeans. No encryption system will tell Alice that Bob really is Bob. No encryption system will warn Alice that Bob is shagging Eve and talks in his sleep. No encryption system will warn you that Eve has tampered with your hardware. No encryption system will magically turn Alice and Bob into experienced cryptographers who will spot tampering.

Of course, you can use encryption to set up something like a trust network to validate identity, but at some point in the chain a human being has to positively identify Bob and Alice and hand them their "credentials". Likewise, no encryption system can be secure against arbitrarily sophisticated hardware/software tampering.

When you have a sexy cypher which the math says is uncrackable it's easy to forget that the math depends on a whole raft of assumptions and assertions.

Re:Encryption will only do so much (2, Insightful)

dissy (172727) | more than 4 years ago | (#31912402)

Very well said.

The main confusion that could so easily be avoided, is that when using the ABC names of Alice Bob and Carl (+ Dave and Eve if needed), people speak as if these are people, when they should outright and explicitly state those are the names of the key pairs.

Once you realize the encryption only exists between named key-pairs, there shouldn't be confusion as to whom can send/read what.

If I use my Bob key pair to encrypt a message for Alice, I can actually be pretty sure that only the Alice key pair can read my message.

Now, as to what person has the Alice key pair, if it is indeed the person Alice or not, is not something public key cryptology even addresses.

Once that little incorrect link is removed (A key-pair is not a person), the rest falls into place.

Re:sigh, the "quantum" buzzword (1)

manitoba98 (1762454) | more than 4 years ago | (#31908922)

1. If all communication channels are created by an attacker and there is neither pre-shared randomness nor a trusted third party, you cannot guarantee that you're talking to anyone in particular as you have no way of cryptographically verifying their identity. I believe this is unavoidable, quantum crypto or no.
2. However you please. Email, telephone call, in person, etc. Authentication happens during the communication; if the notice of which channel to use were modified, the authentication will fail.
3. I believe the typical approach here is to use a classical authentication scheme (using pre-shared randomness, or some certification system, etc.). All that is needed is to establish the identity of the other entity; encryption is handled using QKD.

(Disclaimer: I am not a cryptographer.)

Re:sigh, the "quantum" buzzword (1)

grumbel (592662) | more than 4 years ago | (#31908038)

The secondary classical channel verifies the integrity of the quantum channel. How are we assured of the integrity of the classical channel?

If you distribute the one time pad securely over the quantum channel and then encrypt the secondary channel with the one time pad, then it is secure. That is the beauty of the one time pad encryption, it's very simple but also provably 100% secure.

But in the end it is still snake oil. When was the last time an attack worked on breaking strong encryption? It just doesn't happen, security breaks tend to happen at the weakest links, not the strongest one, and classic encryption is pretty damn strong. Also the range limit of quantum cryptography kind of makes it useless for most cases.

Re:sigh, the "quantum" buzzword (1)

FuckingNickName (1362625) | more than 4 years ago | (#31908058)

If you distribute the one time pad securely over the quantum channel and then encrypt the secondary channel with the one time pad, then it is secure.

If you're not sure of the security of the initial send of the one time pad (and you need the classical channel to be sure of it, don't you?), you ought not to use the pad for encrypting further communication. And if you are sure of the security of the initial send, why haven't you gone straight to sending your message by this method?

Re:sigh, the "quantum" buzzword (0)

Anonymous Coward | more than 4 years ago | (#31908510)

You can use a secure but slow method to transfer the first one time pad, i.e. a nice USB stick

Re:sigh, the "quantum" buzzword (1)

UnHolier than ever (803328) | more than 4 years ago | (#31937162)

Because Eve CAN intercept the message. If she intercepts the OTP, then you will know it, therefore you will not use it and no information is compromised. If you transmit the message directly, however, she can listen in and you will only realize it when it's too late.

Re:sigh, the "quantum" buzzword (1)

russotto (537200) | more than 4 years ago | (#31910912)

When was the last time an attack worked on breaking strong encryption?

Does 64-bit elliptic curve cryptography count as strong?

Re:sigh, the "quantum" buzzword (1)

jibjibjib (889679) | more than 4 years ago | (#31908338)

It's not so much that it relies on a classical transmission line as that it relies on authentication. Obviously, no maths or physics can tell you which human is at the other end of the line. This is inherently true of any cryptosystem, no matter how strong or how quantum. To prevent man-in-the-middle attacks you'll always need to ultimately rely on someone giving you a key through some external channel. The advantage with quantum cryptography is that, once you have this authenticated external channel (e.g. someone giving you data in person) then eavesdropping in the middle of the line becomes physically impossible. Whereas with classical cryptography someone might be able to sniff the bits on the line and crack the cipher and eavesdrop.

Re:sigh, the "quantum" buzzword (1)

FuckingNickName (1362625) | more than 4 years ago | (#31908576)

once you have this authenticated external channel (e.g. someone giving you data in person) then eavesdropping in the middle of the line becomes physically impossible.

Erm, part of the key quantum key setup process requires a classical channel after transmission in order to exchange information about the quantum bits which were just sent. This isn't just about some password being whispered in advance. If you're talking about some other algorithm, e.g. for general secured data transfer, could you give more specifics?

Regardless, classical crypto is about the strength of encryption, and cares little for people reading ciphertext. The quantum crypto promise is of a totally different flavour, promising physical obscurity. If its response is "well of course we can only guarantee that Eve is not intercepting once we have guaranteed that Eve is not intercepting!" then, etc.

Re:sigh, the "quantum" buzzword (1)

UnHolier than ever (803328) | more than 4 years ago | (#31909098)

Erm, part of the key quantum key setup process requires a classical channel after transmission in order to exchange information about the quantum bits which were just sent. This isn't just about some password being whispered in advance. If you're talking about some other algorithm, e.g. for general secured data transfer, could you give more specifics?

The classical exchange serves to authenticate some of the qubits that were sent, and those qubits are emphatically NOT used to generate the key. The qubits used for that purpose are not exchanged through the classical channel.

Regardless, classical crypto is about the strength of encryption, and cares little for people reading ciphertext. The quantum crypto promise is of a totally different flavour, promising physical obscurity. If its response is "well of course we can only guarantee that Eve is not intercepting once we have guaranteed that Eve is not intercepting!" then, etc.

More specifically, it guarantees that if Eve intercepts the message, you will know it, and therefore you will throw away whatever OTP you have generated without using it. Yes, this means Eve is able to completely break communication (which she could also do, for example, with an axe). What she cannot do is intercept while staying undetected.
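The detection property argued over in this sub-thread (an eavesdropper who measures the quantum channel destroys the correlations that Alice and Bob check over the classical channel, and the checked bits are thrown away rather than used as key), as an added example that is not part of any comment here. It assumes the BB84 protocol and an intercept-resend eavesdropper, neither of which the thread names, and models ideal single photons classically; the function names and the 11% abort threshold are illustrative choices.

```python
import random

ABORT_QBER = 0.11  # illustrative abort threshold (assumption, not from the thread)


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: same basis returns the bit, the other basis a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_pulses, eve_present, seed, sample_fraction=0.5):
    """Simulate sifting and error estimation for one key-generation round."""
    rng = random.Random(seed)
    sifted_a, sifted_b = [], []
    for _ in range(n_pulses):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        bit, basis = a_bit, a_basis          # state travelling on the fibre
        if eve_present:
            # Intercept-resend: Eve must guess a basis, and a wrong guess
            # re-prepares the photon in a state Alice never sent.
            e_basis = rng.randrange(2)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.randrange(2)
        b_bit = measure(bit, basis, b_basis, rng)
        # Sifting: only the bases are announced on the classical channel;
        # positions where they differ are discarded.
        if a_basis == b_basis:
            sifted_a.append(a_bit)
            sifted_b.append(b_bit)

    # Error estimation: a random subset of sifted bits is revealed and
    # compared, then discarded. Those bits never become key material.
    idx = list(range(len(sifted_a)))
    rng.shuffle(idx)
    n_test = int(len(idx) * sample_fraction)
    if n_test == 0:
        raise ValueError("too few sifted bits to estimate the error rate")
    test, keep = idx[:n_test], idx[n_test:]
    errors = sum(sifted_a[i] != sifted_b[i] for i in test)
    qber = errors / n_test

    accepted = qber <= ABORT_QBER
    return {
        "qber": qber,
        "accepted": accepted,
        # On abort the whole round is thrown away, so nothing is compromised.
        "key_alice": [sifted_a[i] for i in keep] if accepted else [],
        "key_bob": [sifted_b[i] for i in keep] if accepted else [],
    }


if __name__ == "__main__":
    for label, eve in (("clean line", False), ("tapped line", True)):
        r = run_bb84(20000, eve, seed=1)
        print(f"{label}: QBER={r['qber']:.3f} accepted={r['accepted']} "
              f"key bits={len(r['key_alice'])}")
```

An intercept-resend tap pushes the error rate on the checked bits to roughly 25%, so the round is aborted; the simulation does not model channel noise, detector flaws or the authentication of the classical messages.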

Re:sigh, the "quantum" buzzword (1)

onto_dry_land (1346313) | more than 4 years ago | (#31913790)

You are missing something. I don't blame you. Almost every description of quantum cryptography forgets to mention this step, and without it you are indeed vulnerable to a man in the middle attack.

The thing is, there is something similar to a one time pad but for authentication instead of encryption. See universal hashing [wikipedia.org] . You authenticate your messages over the classical channel with universal hashing using a little bit of key generated from a previous round. Eve doesn't have this key so she cannot forge messages. Just like with one time pads you cannot reuse the key, but unlike one time pads you can authenticate large messages using a small key so you can make sure you lose less key material each round than you gain from running the protocol.
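The authentication step described in the comment above, as an added example that is not part of the original post: a Wegman-Carter style one-time MAC built from a polynomial universal hash, where each classical message costs one short pad however long the message is. The prime, block size, class and function names are illustrative assumptions, and `secrets` stands in for key bits left over from an earlier QKD round.

```python
import hmac
import secrets

P = 2**127 - 1   # prime field for the polynomial hash (illustrative choice)
BLOCK = 14       # message bytes per coefficient; +1 marker byte stays below P
PAD_BITS = 127   # key material consumed per authenticated message


def poly_hash(r, message):
    """Evaluate the message, split into field elements, as a polynomial at r."""
    acc = 0
    for i in range(0, len(message), BLOCK):
        # The 0x01 marker makes every coefficient non-zero and encodes the
        # chunk length, so messages differing only in trailing zeros differ.
        chunk = message[i:i + BLOCK] + b"\x01"
        acc = (acc + int.from_bytes(chunk, "little")) * r % P
    return acc


class OneTimeAuthenticator:
    """Shared state held by both ends: hash key r and a queue of one-time pads."""

    def __init__(self, r, pads):
        self.r = r
        self.pads = list(pads)

    def _next_pad(self):
        # A pad is never reused; when the pool is empty, more key is needed.
        if not self.pads:
            raise RuntimeError("authentication key exhausted")
        return self.pads.pop(0)

    def tag(self, message):
        return (poly_hash(self.r, message) + self._next_pad()) % P

    def verify(self, message, tag):
        pad = self._next_pad()          # consumed even if verification fails
        if not isinstance(tag, int) or not 0 <= tag < P:
            return False
        expected = (poly_hash(self.r, message) + pad) % P
        return hmac.compare_digest(expected.to_bytes(16, "big"),
                                   tag.to_bytes(16, "big"))


def demo():
    # Stand-in for key bits retained from a previous round (assumption).
    r = secrets.randbelow(P - 1) + 1
    pads = [secrets.randbelow(P) for _ in range(2)]
    alice = OneTimeAuthenticator(r, pads)
    bob = OneTimeAuthenticator(r, pads)

    # Constructed sample: a 4096-entry basis announcement for the sifting step.
    msg = bytes(secrets.randbelow(2) for _ in range(4096))
    genuine_ok = bob.verify(msg, alice.tag(msg))

    # Eve flips one announced basis in transit; she cannot recompute the tag.
    forged = bytes([msg[0] ^ 1]) + msg[1:]
    forged_ok = bob.verify(forged, alice.tag(msg))

    return genuine_ok, forged_ok, len(msg) * 8, PAD_BITS


if __name__ == "__main__":
    ok, forged_ok, msg_bits, pad_bits = demo()
    print(f"genuine accepted={ok} forged accepted={forged_ok} "
          f"message={msg_bits} bits, key spent={pad_bits} bits")
```

A forgery succeeds only if two different polynomials agree at the secret point `r`, which happens with probability at most (number of blocks)/P per attempt.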

Re:sigh, the "quantum" buzzword (1)

drolli (522659) | more than 4 years ago | (#31909040)

Well the point is that QKD only extends a now-existing secure key exchange into the future. This means: if you assume a public key scheme is safe for let's say a few hours for breaking the code then the key which you exchanged at that time using this channel is safe also in the future *even if* the classical key is broken.

But the simple answer to your question is: yes. Usually they conveniently forget it.

Isn't this a waste of time? (1)

Joce640k (829181) | more than 4 years ago | (#31907924)

You only need secure transmission of keys. After that you don't care.

(I guess this is just "research"...)

Re:Isn't this a waste of time? (1)

cc1984_ (1096355) | more than 4 years ago | (#31908446)

You only need secure transmission of keys. After that you don't care.

Almost. Classical cryptography works on the assumption that a brute force attack is impractical (even if possible in pseudo infinite time.)

Quantum cryptography has no such restriction. This means that unless our understanding of the laws of physics changes, no increase in computing firepower will help Eve.

Re:Isn't this a waste of time? (3, Interesting)

Joce640k (829181) | more than 4 years ago | (#31910228)

There's no reason to believe a brute force attack on AES128 will ever succeed.

Re:Isn't this a waste of time? (1)

nickco3 (220146) | more than 4 years ago | (#31910362)

There's no reason to believe a brute force attack on AES128 will ever succeed.

Even if I use a quantum computer?

Re:Isn't this a waste of time? (1)

broken_chaos (1188549) | more than 4 years ago | (#31913104)

If you use a quantum computer, it can be brute-forced approximately as though it were AES-64. The only thing needed to 'defeat' a quantum computer (for symmetric encryption) is to double the length of your symmetric key. Algorithms like AES won't be going anywhere (though AES itself, with the theoretical weaknesses in AES-256, probably will be replaced sooner rather than later).

What's actually in danger is RSA (and some other public key algorithms), though the record for factoring on a quantum computer is still somewhere around 20-30 (in decimal), last I heard.

Re:Isn't this a waste of time? (1)

cc1984_ (1096355) | more than 4 years ago | (#31910562)

There's no reason to believe a brute force attack on AES128 will ever succeed.

You use the word "believe". Does that mean you're not 100% certain? That's exactly what I'm trying to say! Quantum cryptography is uncrackable at the physical level.

Re:Isn't this a waste of time? (1)

Viadd (173388) | more than 4 years ago | (#31911396)

There's no reason to believe a brute force attack on AES128 will ever succeed.

There's no reason to believe a brute force attack on AES128 will never succeed.

Are you kidding? (1)

garyisabusyguy (732330) | more than 4 years ago | (#31913484)

A brute force attack will always succeed, it will just take a long time. Never is a very long time and computers just keep getting faster.

Maybe you meant to say that there will never be a shortcut (cipher collisions, back door, etc...) to brute forcing AES128, but that is just a widely held opinion at this point, just waiting to get disproven.

Here's a quote for anybody that wants to live (and die) by their own powers of estimation:
"They couldn't hit an elephant at this dis-"
final words of General John Sedgwick, Union Commander in the U.S. Civil War, who was hit by sniper fire a few minutes after saying them http://en.wikiquote.org/wiki/Last_words [wikiquote.org]

Re:Are you kidding? (1)

rockNme2349 (1414329) | more than 4 years ago | (#31914400)

I wasn't able to find the quote I was looking for, but I remember reading somewhere that even if you made a theoretical computer out of all the matter on earth it would take more time than the universe has existed to crack basic encryption with a brute force method. Here is a similar description on wikipedia [wikipedia.org] .

The amount of time required to break a 128-bit key is also daunting. Each of the 2^128 (340,282,366,920,938,463,463,374,607,431,768,211,456) possibilities must be checked. A device that could check a billion billion keys (10^18) per second would still require about 10^13 years to exhaust the key space. This is a thousand times longer than the age of the universe, which is about 13,000,000,000 (1.3×10^10) years.

Even using only AES128, brute force is impossible. If you use AES256, then it will take the square of that time to crack.

From the same wikipedia article you used (1)

garyisabusyguy (732330) | more than 4 years ago | (#31915570)

"An underlying assumption of this analysis is that the complete keyspace is used to generate keys, something that relies on an effective random number generator. For example, a number of systems that were originally thought to be impossible to crack by brute force have nevertheless been cracked in this way because the key space to search through was found to be much smaller than originally thought, due to a lack of entropy in their pseudorandom number generators. These include Netscape's implementation of SSL (famously cracked by Ian Goldberg and David Wagner in 1995[2]) and a Debian edition of OpenSSL discovered in 2008 to be flawed.[3]"

That is to say, in the case of SSL 56 bit encryption, they used the date as a seed value and did not employ the entire 56 bits (more like 40 if I remember correctly). Deep Crack was built from custom chips built for crypto and fabbed at TSMC. The 'Unbreakable' keys (they estimated something like the life of the Universe to crack them) were being knocked off in 56 hours.

So, I reserve the right to ignore your 'estimate' of 13 trillion years and maintain the expectation of AES128 being regularly cracked in less than a week before December of 2016.

Re:Are you kidding? (1)

cc1984_ (1096355) | more than 4 years ago | (#31919866)

I may be corrected on this, but as I understand it, a classical computer, I agree, would take a very very long time to brute force AES256.

A quantum computer with enough qbits (one doesn't exist yet, but it may do in the future) would crack it before my tea's finished brewing.

Re:Isn't this a waste of time? (1)

gweihir (88907) | more than 4 years ago | (#31917556)

Quantum cryptography has no such restriction. This means that unless our understanding of the laws of physics changes, no increase in computing firepower will help Eve.

1. Looking at the history of physics, it seems very likely that our understanding of physics will change
2. The devices implementing these exchanges are still hardware and subject to faults and bad design

Only fools will use this technology, when other technology is available that gives both better assurances and far better cost.

Re:Isn't this a waste of time? (1)

cc1984_ (1096355) | more than 4 years ago | (#31919856)

1. Looking at the history of physics, it seems very likely that our understanding of physics will change

I agree, which is why I didn't ignore the issue. However, if we were to invent a device in which all the quantum states of an object could be simultaneously extracted, our /entire/ understanding of the world would fall like a pack of cards (the philosophical problem of determinism would rear its ugly head again.)

2. The devices implementing these exchanges are still hardware and subject to faults and bad design

Only fools will use this technology, when other technology is available that gives both better assurances and far better cost.

Well, yes, it's still prone to go wrong, but I would be very surprised if any brand new technology could appear with bulletproof reliability these days. Refining it might be tricky, but I'm sure the people working on it are well aware of that.

Still purely academic (4, Interesting)

gweihir (88907) | more than 4 years ago | (#31907994)

And will remain so. Key exchange is not the issue. The issue is the symmetric encryption used afterwards (and that is present with quantum key exchange as well). Even if you disregard that, Quantum Key Exchange will never be economically or security wise superior to existing solutions.

If you spend what this quantum BS costs on distributing one-time pads, you are a) provably secure b) need no new infrastructure and network links c) have no problems with routing (Quantum key exchange can only be routed optically and only for a limited distance, signal amplification is not possible) and d) spend a lot less money.

This comparison is unfair, you say, because one-time pads for n participants have size n*n? Unfortunately that is what you likely will end up for the infrastructure for Quantum Key Exchange as well, unless you have a very low number of participants. In that case the one-time pad becomes very cheap too.

Let me give you an example:
Say, we have 10 participants. Say we need 100'000 keys a day. Say a key has 256 bit, i.e. 32 bytes. A single DVD-ROM of random bits can then last for about 4 years. Generating 5GB of high-quality randomness can be done relatively cheaply, I would estimate that a generator using junction-noise can be built that gives you about 50kB/sec of random bits for less than $5000 (32 junction generators at $100 each, one 32 bit digital I/O card, one standard PC. My prototype for a junction generator is about $2 in parts, but has no shielding or filtering). That one takes a bit more than a day for the DVD. Say $10'000 overall, including labor. Then you have costs of couriering the DVDs to the destination. Say something like $100'000 per year. For a larger net, say 100 participants, use 1TB HDDs for 31 years at 1'000'000 keys/day. Or 3 years at 10'000'000 keys/day for 1000 participants.

While this is simplified, the numbers are realistic. They are several orders of magnitude cheaper than any quantum solution. Do not forget that this quantum stuff only works with people you know and that have the right (expensive) hardware already installed and are on a direct optical or optically routed link with you that is below a certain length.

And here is the killer: There are working key exchange solutions that can be made far more secure than the symmetrical encryption and that do not need any change to the network infrastructure at all. In addition, they do not have the risk that the physical theory (and it is just a theory, not fact) has a slight error that then leaks key material.

In short: This technology makes no sense whatsoever from a security or economic point of view and very likely never will.
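A bookkeeping sketch for the pad-distribution scheme described in the comment above, added here as an example and not code from the commenter. The class and function names, the 4.7 GB single-layer DVD capacity and the one-slice-per-ordered-pair layout are assumptions; it shows that the busiest pair, not the network average, decides when a new disc must be couriered.

```python
from itertools import permutations

KEY_BYTES = 32                 # 256-bit keys, as in the comment
DVD_BYTES = 4_700_000_000      # assumption: single-layer DVD capacity


class PadLedger:
    """Tracks which byte ranges of a shared pad disc have been consumed.

    The disc is cut into one disjoint slice per ordered (sender, receiver)
    pair, so two parties can never draw the same pad bytes, even when both
    send at the same moment. Pad bytes are handed out once and never again.
    """

    def __init__(self, participants, pad_bytes, key_bytes=KEY_BYTES):
        pairs = list(permutations(participants, 2))      # n*(n-1) slices
        keys_per_slice = pad_bytes // (len(pairs) * key_bytes)
        self.key_bytes = key_bytes
        self.slice_len = keys_per_slice * key_bytes
        self.start = {p: i * self.slice_len for i, p in enumerate(pairs)}
        self.used = dict.fromkeys(pairs, 0)

    def draw_key(self, sender, receiver):
        """Return the (offset, length) of the next unused key for this pair."""
        pair = (sender, receiver)
        if self.used[pair] + self.key_bytes > self.slice_len:
            raise RuntimeError(f"pad exhausted for {pair}: ship a new disc")
        offset = self.start[pair] + self.used[pair]
        self.used[pair] += self.key_bytes
        return offset, self.key_bytes

    def days_until_refresh(self, keys_per_day):
        """keys_per_day maps (sender, receiver) -> daily key demand.
        The busiest slice runs dry first and sets the courier schedule."""
        keys_per_slice = self.slice_len // self.key_bytes
        return min(keys_per_slice // rate
                   for rate in keys_per_day.values() if rate > 0)


def even_demand(ledger, total_keys_per_day):
    """Spread the network's daily demand equally over every slice."""
    share = total_keys_per_day // len(ledger.used)
    return dict.fromkeys(ledger.used, share)
```

With 10 participants and 100,000 keys a day spread evenly, the disc lasts about four years; if a single pair accounts for half of that demand, its slice is empty in about a month.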

Re:Still purely academic (0)

Anonymous Coward | more than 4 years ago | (#31908840)

I fail to see how that uses laser to solve the problem.

For a few users, it does matter. (1)

DrYak (748999) | more than 4 years ago | (#31911848)

Then you have costs of couriering the DVDs to the destination.

Let me fix that for you:

Then you have costs of securely couriering the DVDs to the destination.

It's not a matter of just slipping the OTP DVD in a normal envelope and shipping it. You should be 100% trusting the whole route the DVD is taking, and you should be 100% trusting your storage and on-site security for the next 4 years of that DVD's useful time. This even more so as there will be a lot of DVDs being transported around in your solution. You always need a secure channel, no matter what.
The trick is, with quantum key exchange, the quantum channel is inherently secure due to the laws of physics (well, some attacks might still be possible depending on hardware implementation - but on average, it's much more secure than trusting that your DVD will safely reach its destination and remain stored untampered). The other (non-quantum) channel(s) can safely be public; the quantum one can't be compromised due to the way correlation works.

For average users like you this small difference is too subtle to be worth it given the increase in costs.
For a small network of banks (or, in the case of another pilot project in Switzerland: for the security and privacy while routing vote results) this 100% guarantee supported by the laws of quantum physics DOES matter.

However slight the risk, if an OTP DVD could be compromised that's unacceptable for a small specific subset of users. And luckily, these users (banks and government) happen to be wealthy customers for quantum technology with lots of money to throw in its research. Thus even if 99.99% of users out there like you and me don't give a fuck about it, the 0.01% are lucrative enough for the whole research to keep going on and for the technology to be deployed in pilot projects (between a few Swiss banks and government services).

Re:For a few users, it does matter. (1)

gweihir (88907) | more than 4 years ago | (#31917506)

Quite obvious that this meant dedicated couriers under your control. Otherwise I would have said "shipping". Also note that "tamper evident" transportation is quite enough. And in addition, of course you would encrypt these DVDs. So, no, getting them distributed is not a problem and not that expensive. And as to secure storage, you do know that breaking into computers allows you to access data stored there, even if it was transported encrypted?

A second problem is that these "laws of physics" you quote are not laws at all. They are working hypotheses with errors and inaccuracies. Ask a physicist about that sometime. (I have.) So, no, this is not a 100% guarantee. For one, these "laws" are quite incompatible with relativity, which is by now well-tested. For another thing, look at all the "laws" of physics discovered in the past. All proved to have loopholes and extreme conditions under which they do not hold anymore. My take is that there is about a 100% chance that Quantum Key Exchange can be broken. Using an untried technology with a not well established theory that does not make a lot of sense as basis for a security technology is at best foolish and at worst criminal. However there are enough snake-oil vendors in the security business, so I am not surprised that people sell this technology and give assurances for which there is absolutely no sufficient basis.

Since you mention banks: These people know how to securely get things from one place to another.

What happened in the Swiss installation is a combination of politics, marketing and absence of a thorough security analysis. Stupid.

Ridiculous (1)

Ancient_Hacker (751168) | more than 4 years ago | (#31908300)

Ridiculous.

The quantum-cryptography part is almost indubitably used for the preliminary exchange of keys.

The actual data is then sent by normal, non-quantum channels.

Hold on a minute... (0)

Anonymous Coward | more than 4 years ago | (#31908400)

How many attacks have been successfully executed on victims with a rock solid network? All it takes is a new bug, no patch, and a little motive... A crypto-bloated pipe would just help things because I doubt IPS technology will keep pace with this technology in the short term. Nice idea for military use, perhaps? If only secure communication is the goal it makes sense, but how is it going to solve any of today's security challenges? Feel free to prove me wrong here, I'm an Anonymous Coward after all ;)

Comcast can encrypt video (1)

BrentRJones (68067) | more than 4 years ago | (#31908794)

And make sure that nobody can steal it. Isn't that the point?

The first thing I will watch via Quantum Video? (1)

cparker15 (779546) | more than 4 years ago | (#31911062)

Quantum Leap, of course. What else?

Re:The first thing I will watch via Quantum Video? (1)

Intron (870560) | more than 4 years ago | (#31911156)

In the Quantum Star Wars, Han shot first and second.

Certs will still be vulnerable (1)

professorguy (1108737) | more than 4 years ago | (#31912500)

I agree with the math wizards here: It hardly matters whether this channel is secure or not since the attack will come in the form of a man-in-the-middle with both parties (incorrectly) convinced they are talking to the other. This is an attack on the certification system, not the encryption system.

With CAs already caught handing out faked certs to the authorities so they can MITM an SSL channel, the ship has already sailed on any encryption system where remote trust is required.