Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Commercial Quantum Cryptography System Hacked

Soulskill posted more than 4 years ago | from the superposition-of-safe-and-unsafe dept.

Encryption 117

KentuckyFC writes "Any proof that quantum cryptography is perfect relies on idealized assumptions that don't always hold true in the real world. One such assumption is related to the types of errors that creep into quantum messages. Alice and Bob always keep a careful eye on the level of errors in their messages because they know that Eve will introduce errors if she intercepts and reads any of the quantum bits in a message. So a high error rate is a sign that the message is being overheard. But it is impossible to get rid of errors entirely, so Alice and Bob have to tolerate a small level of error. This level is well known. Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment. Now, physicists have come up with an attack based on the realization that Alice also introduces errors when she prepares the required quantum states to send to Bob. This extra noise allows Eve to intercept some of the quantum bits, read them and then send them on, in a way that raises the error rate to only 19.7 percent. In this kind of 'intercept and resend attack,' the error rate stays below the 20 percent threshold and Alice and Bob are none the wiser, happily exchanging keys while Eve listens in unchallenged. The physicists say they have successfully used their hack on a commercial quantum cryptography system from the Geneva-based startup ID Quantique."

cancel ×

117 comments

Breaking news! (0, Troll)

2.7182 (819680) | more than 4 years ago | (#32245674)

The primary application, which was preventing first posters, has been compromised.

Re:Breaking news! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32245764)

do you have a big cock? if so can you plunder my tight little asshole with it?

Re:Breaking news! (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32247644)

Faggots must die!

Wouldn't it be better... (3, Funny)

jd (1658) | more than 4 years ago | (#32245692)

...to e-mail Alice and Bob, rather than advertise that their love-letters are being snooped on?

Re:Wouldn't it be better... (3, Funny)

SomeJoel (1061138) | more than 4 years ago | (#32245728)

I'm not even sure why Eve cares... unless she is Bob's wife, or Alice's husband (Alice still calls "her" Steve).

Re:Wouldn't it be better... (1)

ta bu shi da yu (687699) | more than 4 years ago | (#32245768)

Alice is a man.

Re:Wouldn't it be better... (2, Informative)

SomeJoel (1061138) | more than 4 years ago | (#32245794)

Alice is a man.

I disagree, as per TFS:

Alice also introduces errors when she prepares the required quantum states to send to Bob

Re:Wouldn't it be better... (2, Interesting)

obarel (670863) | more than 4 years ago | (#32245882)

It's about Alice Cooper.

"she" is a typo (extra 's').

Bob is Bob Ezrin.

Re:Wouldn't it be better... (2, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#32245924)

Excellent 70's rock reference. You deserve a point for "great memory" ;-)

Re:Wouldn't it be better... (0, Offtopic)

ls671 (1122017) | more than 4 years ago | (#32246524)

Here is more for you then. The lyrics mentioning Alice Cooper from "What Kind Of Girl Do You Think We Are?" written by Frank Zappa. It seems on topic with this thread ;-)

http://www.lyricstime.com/frank-zappa-what-kind-of-girl-do-you-think-we-are-lyrics.html [lyricstime.com] ...
Mark:
Well, I'll tell ya
Well I get off bein' juked
With a baby octopus
And spewed upon with creamed corn . . .
An' my girlfriend, she digs it
With a hot Yoo-hoo bottle
While somebody's screamin':
CORKS 'N SAFETIES
PIGS 'N DONKEYS
ALICE COOPER, baby . . .
WAAAAH!

Bob:
Well, it gets me so hot
I could scream

Chorus:
ALICE COOPER, ALICE COOPER! WAAAAH!
ALICE COOPER, ALICE COOPER! WAAAAH! ...

Re:Wouldn't it be better... (0)

Anonymous Coward | more than 4 years ago | (#32249884)

Anyone with a great memory of the '70s wasn't really there.

Re:Wouldn't it be better... (1)

jd (1658) | more than 4 years ago | (#32246358)

And here I was thinking that it was the Alice you're supposed to ask when she's ten feet tall.

Re:Wouldn't it be better... (1)

silentcoder (1241496) | more than 4 years ago | (#32249926)

Smokie would just ask: Alice ? Who the fuck is Alice ?

Which (for some obscure reason - possibly the incurable lack of good taste of mankind) remains the best selling song ever with "Fuck" in the title.

Re:Wouldn't it be better... (1)

Mal-2 (675116) | more than 4 years ago | (#32247922)

Time to apply the Crocodile Dundee test [urbandictionary.com] !

Mal-2

Re:Wouldn't it be better... (1)

davester666 (731373) | more than 4 years ago | (#32249370)

She just so happens to be a slut AND bi.

Re:Wouldn't it be better... (1)

WrongSizeGlass (838941) | more than 4 years ago | (#32245944)

...to e-mail Alice and Bob, rather than advertise that their love-letters are being snooped on?

Why not just post it on one of their Facebook pages?

Re:Wouldn't it be better... (1)

martin-boundary (547041) | more than 4 years ago | (#32247540)

Well, it depends. If Alice doesn't patch her love letters within two days of receiving the warning email, I think it's fair to post the snooped letters all over the 'net, don't you?

the less sensational headline... (0)

Anonymous Coward | more than 4 years ago | (#32245708)

is probably that the cumulative error rate (channel + noise introduced by each party) is over the threshold. i imagine if they just lower the threshold for attacks they will catch the MITM. Of course it may necessitate using a less noisy channel (to keep the false-positive rate down)

Re:the less sensational headline... (3, Funny)

Ethanol-fueled (1125189) | more than 4 years ago | (#32245840)

They could develop more sophisticated measurement techniques, similar to those utilized in modern data/telecom, as error thresholds become lower.

They could call it the Quantum Bit Error Rate Test, or Q-BERT for short.

Re:the less sensational headline... (1)

fishexe (168879) | more than 4 years ago | (#32250092)

They could call it the Quantum Bit Error Rate Test, or Q-BERT for short.

Once we come up with a way to justify replacing a hyphen with an asterisk in an acronym, we'll be all set. Hmmm...

Re:the less sensational headline... (2, Insightful)

palegray.net (1195047) | more than 4 years ago | (#32245962)

The ability to control external noise in real-world operating environments, at least to the degree necessary to mitigate this issue, would seem to represent a rather nasty challenge. This may be a severely constraining factor on the potential for practical usefulness of quantum cryptography, at least for the time being.

Re:the less sensational headline... (2, Interesting)

bertok (226922) | more than 4 years ago | (#32248668)

The ability to control external noise in real-world operating environments, at least to the degree necessary to mitigate this issue, would seem to represent a rather nasty challenge. This may be a severely constraining factor on the potential for practical usefulness of quantum cryptography, at least for the time being.

Can someone explain to me why anybody is even bothering with this technology?

Are existing cryptographic algorithms so untrustworthy that it's better to use an untested technology that a) makes the already very expensive line equipment significantly more expensive, b) may prevent the use of certain kinds of repeaters or active splices, c) is so insanely complex that nobody except a select few physicists understand the details.

Also, unlike current cryptographic techniques, quantum cryptography is strictly one hop instead of end-to-end, which is a big issue in many cases, like when one ISP tunnels their data over another ISP's link.

More importantly, it doesn't actually encrypt any of the data in the traditional sense. The data goes across the wire unencrypted, the quantum system just detects a man-in-the-middle attack. If someone comes up with a technique for reading the data without interference (like the article says), then you're screwed. With a traditional crypto solution, it might be sufficient to just increase the key size parameter in a config file somewhere!

I don't see how this can compete with standard crypto. If someone is that paranoid, it should be more than enough to just nest a couple of different algorithms together, and use the maximum keysizes for all of them. There's just no way anybody is breaking that at 2Tbps line rates any time soon, no matter what conspiracy theories you subscribe to about the NSA's capabilities!

Think about it this way: with traditional crypto, it's at least possible, in principle, for an end-user to use an open source software stack using an open, publicly tested algorithm, and completely verify the implementation. With quantum crypto, you get a black box with some physics in it that no IT administrator will understand and be able to test. It'll send data unencrypted across a wire that you now hope is hack proof. For all anybody knows, it'll be sending data as-is with no protection, and nobody will be able to even tell. If you were the NSA and wanted access to fibre optic links, wouldn't this be the best thing ever?

The juicy secrets are safe. (0)

Anonymous Coward | more than 4 years ago | (#32249348)

The data goes across the wire unencrypted, the quantum system just detects a man-in-the-middle attack. [...] If someone comes up with a technique for reading the data without interference (like the article says), then you're screwed.

Not really: this is why they only transmit the key across the quantum crypto link. Any bits that are intercepted are known and are simply not used. The actually interesting information is then transmitted across a classical link of any type and is encrypted using the quantum link-exchanged key. If you transmit a OTP-sized key across the quantum link and discard any bits that were intercepted, then there is no theoretical (or practical) way to decrypt the subsequent OTP-encrypted data exchange. That is to say, there is no way to intercept any of their juicy, juicy secrets.

PS. The commonly accepted mental image to associate with juicy secrets is a multi-colored wad of saliva-soaked chewing gum, approximately fifty pieces in mass, each piece from a different person. Now, imagine squeezing it in your hand and feeling the saliva running through your fingers and down your arm in a lukewarm manner somewhat evocative of mucus. Observe the rivulets of drool as they run together and eventually start to drip off your elbow in a slightly viscous manner. This is why people always have the urge to share juicy secrets!

Re:the less sensational headline... (4, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#32245982)

A 20% error rate isn't good enough to launch a missile, but it's better than a weatherman's accuracy. This tells us that Alice, Bob and Eve don't work for NORAD or the National Weather Service. That narrows down the field considerably. It won't be long before their identities are discovered, posted on TMZ and they won't need these silly quantum encrypted messages anymore.

I seem to remember... (2, Insightful)

razathorn (151590) | more than 4 years ago | (#32245828)

...stopping reading the blurb on slashdot last week about the new position based system being secure because the people who previously said it wasn't secure changed their mind and said it was provably secure and then proceeded to use the words "cannot easily" to justify it being secure. Now, this week I see a commercial system that has been cracked because some how thresholds of likely hood were once again used. Anyone else see a trend?

So, quantum cryptography is fundamentally flawed? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32245832)

If this article is correct, all an eavesdropper has to know is the proper error threshold to stay under to remain undetected.

Doesn't seem so secure to me.

Re:So, quantum cryptography is fundamentally flawe (1)

Interoperable (1651953) | more than 4 years ago | (#32247460)

It's hardly fundamentally flawed. Even if the eavesdropper knows the error threshold and can intercept a few bits without detection thanks to errors in the system, the information gain is very minimal. You might be able to get a few percent of the transmitted bits in a key. Three out of every hundred bits in a one-time pad isn't going to break the encryption. The parties can always XOR some bits until the information that an eavesdropper could extract is negligible.

Re:So, quantum cryptography is fundamentally flawe (4, Insightful)

TheLink (130905) | more than 4 years ago | (#32248362)

Thing is nowadays TB drives are quite cheap. Generate a huge OTP, spread it over three drives at A, spread it over another three drives and send all three to B via three different couriers/paths. Add ECC if you want.

If they all made it safely without interception. You've got your secure channel. 1TB/128kbps = 2 years. 1TB/256kbps = 1 year.

You could send more than one set of drives. When they all arrive, you tell the "B" let's start with drive set #5.

Re:So, quantum cryptography is fundamentally flawe (1)

Interoperable (1651953) | more than 4 years ago | (#32252536)

Quantum cryptography really isn't being proposed as a practical solution right now (hush, don't tell Id Quantique) but what's fun about it is that it's theoretically secure. If the person whose wrist your briefcase of disks is handcuffed to is bought out, you'd never know it and your enemies just gained access to all your secure communications. Two to four decades from now quantum cryptography might be practically competitive with carrying disks around, but for now, it's just for fun.

Re:So, quantum cryptography is fundamentally flawe (0)

Anonymous Coward | more than 4 years ago | (#32253650)

Problem is, the drives could be intercepted and copied without your knowledge. Roughly speaking, this is a problem quantum cryptography does not have, due to the no-cloning theorem.

Re:So, quantum cryptography is fundamentally flawe (1)

MoeDumb (1108389) | more than 4 years ago | (#32249630)

Screw quantum, I'm sticking with ROT-13.

Quantum Bullshit (2, Interesting)

sexconker (1179573) | more than 4 years ago | (#32245900)

The core idea of using quantum communication security (or, in general, quantum communication) is that you'll be able to tell when the message has been altered.

All a man in the middle attack has to do is read the message, recreate it, and send out a spoofed message instead of the original message.

Reading the message is trivial.

Recreating the message, while introducing tolerable levels of noise is trivial once you have the key. Alice does it all the time.

Blocking the original message is not trivial, but it is also not hard. It just requires physical access to the network. Be it jamming a wireless signal, splicing your attack node between two routers, whatever.

Sending out the spoofed message is trivial. The internet is slow and laggy. You can easily read, alter, and resend the message without the delay being noticed.

The only thing stopping a man in the middle attack is the need to have the key to resign an altered message as to make it appear that it came from Alice. This is a key-sharing problem. All digital security problems boil down to a key-sharing problem.

The only thing the quantum nature of communication adds is the ability to detect when people might be listening. This only gets around eavesdropping, not an actual MITM attack.
Indeed, the quantum nature of the "security", as this paper shows, actually opens the door to attacks, as the communication medium is not perfect and there is now a threshold for tolerable noise. Attacks can play around in that threshold all day long.

Re:Quantum Bullshit (2, Informative)

arndawg (1468629) | more than 4 years ago | (#32245932)

It's not just that you can tell when a message have been altered. It's that you can tell if someone have been eavesdropping.

Re:Quantum Bullshit (1)

sexconker (1179573) | more than 4 years ago | (#32246048)

Uh, read my entire post please?
And someone has to successfully eavesdrop for that protection to kick in. You can't control when they'll eavesdrop, so information can still get out, so it's far from a "secure" communication channel.

And with a noise tolerance of X, eavesdropping without being detected is not only possible, but likely very easy. Remember that Alice has to generate noise-free signals in the first place. Alice isn't made of magic. Eve can do anything Alice can.

And if you have a perfect network and zero tolerance, all eavesdropping attacks simply become denial of service attacks.

Alice: Hey Bob, let's talk.
Eve: Looks like Alice and Bob are gonna talk.
Bob: Sorry Alice, can't talk. Someone might be listening in. Maybe try again later?

Re:Quantum Bullshit (0)

Anonymous Coward | more than 4 years ago | (#32246178)

Alice isn't made of magic.

You've obviously never read Alice in Wonderland.

Re:Quantum Bullshit (2, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32246342)

In a sense, though it is called "cryptography", quantum crypto is basically about link integrity detection, rather than anything resembling cryptography in the classical sense.

Basically, if you have a fiber run that you want to make sure nobody is tapping, you can either station trustworthy guys with guns every few yards along its length or you can put a quantum crypto box at each end. Given that the guys-with-guns approach is largely impractical(especially for buried or undersea lines) the potential to get the same effect just by putting a pricey network box on each end is rather attractive. Almost wholly unlike classical crypto, which is designed around keeping information useless without the key, even across known-untrusted links.

Re:Quantum Bullshit (1)

Lehk228 (705449) | more than 4 years ago | (#32247004)

or you can use strong encryption on the line with the assumption that 5000 years from now your messages won't be terribly important

Re:Quantum Bullshit (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32247056)

And endure the outside chance that the prime factorization guys will come up with something useful in the real world in 10...

Obviously, for the vast majority of applications it is total overkill. Quick quiz: Do you own/seriously lease the actual fiber over which you are transmitting? If not, you are definitely not a candidate. If so, you are probably not a candidate.

There are, though, probably some applications where the risk of future disclosure is simply unacceptable.

Re:Quantum Bullshit (1)

cashdot (954651) | more than 4 years ago | (#32249896)

A key is also involved in quantum cryptography, and not having it renders the message useless just as with classical cryptography.
The only difference is that with classical crypto you can guess infinitely, while with quantum crypto you can guess only once.

Re:Quantum Bullshit (1)

arndawg (1468629) | more than 4 years ago | (#32246362)

Communication is usually two-ways and each packet in it's own is useless. It's not like your sending the entire library of congress in one packet.

Re:Quantum Bullshit (1)

cashdot (954651) | more than 4 years ago | (#32249922)

What you are saying doesn't make much sense for me. Are you just trolling?
If you have have physical access to the communication line, and you want to inhibit the communication between Alice and Bob, you can just as well cut the cable.

Re:Quantum Bullshit (1)

sexconker (1179573) | more than 4 years ago | (#32253974)

The intertrons is a switching network, not a mass of dedicated circuits.

If you want to take someone down, you probably want to make sure that they can't re-route around your cut, and you probably want to do it without taking yourself down.

Are you proposing that quantum communication gets adopted and we actually have dedicated circuits for every host pair?

Re:Quantum Bullshit (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32250108)

I think his point is that traditional MITM will always succeed. Say Alice wants to talk to Bob, using QC. Evil Mallory sits in the middle, posing as Bob for Alice and Alice for Bob. When Alice sends the quanta to what she thinks is Bob, she's actually negotiating a connection with Mallory; and so is Bob. Thus, Alice encrypts, sends to "Bob" (Mallory), Mallory decrypts, re-encrypts, and sends to Bob.

No system, quantum or classical, can protect against this unless Alice and Bob have a shared secret. If they do, they can negotiate a key that Mallory doesn't know, and so his interception is pointless. In the quantum world, this might be prior entangled particles in a Penning trap or something like that.

Thus, quantum encryption can't do anything that classical public key encryption can't -- except provide provable security for the "key". The entire quantum crypto setup can be considered akin to a key that cannot be broken (at least not in ideal systems - some current implementations may leak photons and so let Eve infer the superpositions or add noise below the threshold like what's being shown here).
  If you have a public key system whose keys cannot be broken, you can still intercept communication between two parties who haven't exchanged any keys yet; you just make yourself look like the other party to each of them so they'll exchange keys with you.

Re:Quantum Bullshit (2, Informative)

Hurricane78 (562437) | more than 4 years ago | (#32246560)

All a man in the middle attack has to do is read the message, recreate it, and send out a spoofed message instead of the original message.

Reading the message is trivial.

You don’t understand quantum physics AT ALL, do you? Or you’re just a troll.

Read up on entanglement.

There is no way to recreate the message. Because you can’t entangle the photons again. It’s literally physically impossible.

Re:Quantum Bullshit (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32247150)

My Heisenberg compensator says otherwise...

Re:Quantum Bullshit (3, Informative)

Interoperable (1651953) | more than 4 years ago | (#32247514)

Sending out the spoofed message is trivial.

No it isn't. It's impossible to do it with better than 50% accuracy, which will make the man-in-the-middle very, very detectable. None of the useful information is ever sent using quantum bits, it's only one-time-pad style key. If a man-in-the-middle is detected, the key is not used and no secure information is breached. I mentioned it in an above post, but the best that a "hacker" could ever do is get a few random bits of information out of every hundred, even with this attack. That isn't enough information about the key to extract any information about the message.

Alice and Bob compare measurement results before send the message. There is theoretically no way to intercept and resend bits or eavesdrop without introducing errors.

Re:Quantum Bullshit (1)

selven (1556643) | more than 4 years ago | (#32250776)

50% accuracy? Isn't that just transmitting random data?

Re:Quantum Bullshit (1)

Interoperable (1651953) | more than 4 years ago | (#32251178)

Ah, 75% accuracy I suppose. 50% of the data is would be retransmitted correctly, 50% would be random so 75% of the bits would end up appearing correct.

Re:Quantum Bullshit (1)

radtea (464814) | more than 4 years ago | (#32252594)

Alice and Bob compare measurement results before send the message. There is theoretically no way to intercept and resend bits or eavesdrop without introducing errors.

There's something here that one of us isn't understanding. Either you're missing the OP's point, or I'm missing yours.

The OP's point seems to me to be that the exchange between Alice and Bob necessarily goes like this:

1) Get individual quanta from an entangled source such that they have a shared secret that cannot have been interfered with.

2) Use that shared secret to encrypt in a conventional way and communicate.

The OP is pointing out that the MTM attack is just as practical against step 1 as step 2 by having Eve use two separate sources of entangled pairs, one for Alice and one for Bob. This requires that Eve have physical access to the source that Alice and Bob are using, so she can pretend to be Alice for Bob and Bob for Alice.

This is equivalent to Eve having both Alice and Bob's private keys in a public key scheme, but rather than requiring access to Alice and Bob's secrets individually, it requires instead access to the source of entangled quanta they are using, or rather the fiber that links them to that source.

One imagines a network setup for Alice and Bob to "compare meeasurement results before sending the message" that looks like:

Alice----------Source---------Bob

And for an MTM attack on the quantum key exchange becoming:

Alice-------ESA-Eve-ESB-------Bob

where "ESA" and "ESB" are both sources of entangled quanta.

You can argue that Eve getting physical access to the source is unlikely or unrealistic. You cannot argue that it is physically impossible. The communication between Alice and Bob is only as secure as the source, which is somewhat less secure than the laws of physics.

Selling quantum crytography as being "as secure as the laws of physics" is extremely misleading. Systems are only as secure as their weakest component, and one could easily argue that the entangled source is considerably more easily hacked than discoverying Alice and Bob's private keys would be.

Unless, of course, I'm missing something...

Re:Quantum Bullshit (2, Informative)

Interoperable (1651953) | more than 4 years ago | (#32253988)

I was basing my description on the BB84 cryptographic protocol. That protocol does not use an entangling source, rather it sends single q-bits along a quantum channel to be detected by Bob. I interpreted a man-in-the-middle attack to be an intercept-resend attack in that channel. So:

Ideal: Alice --------> Bob

MITM: Alice ------> detect - read - resend ------> Bob

If the channel is noise-free, the detectors are ideal and the states are prepared perfectly, this is theoretically secure against if error rates are lower than 20%. The article exploits imperfectly prepared states in a first-generation commercial system to gain full access to information using an elaborate intercept resend attack.

A system that uses entangled sources is employed to boost transmission distances by sending entangled pairs to Alice and Bob from a central source, thus reducing distances:

Alice ------- Pair Source -------> Bob

In simple schemes, the source has to be trusted because it is vulnerable to MITM attacks; however, the scheme can be secured using more elaborate techniques. For example, if Alice and Bob each generate an entangled pair and send one side of those pairs to a central location, then no party at that location can break into the information. This is called entanglement swapping.

The system developed by Id Quantique is a very simplistic implementation of the BB84 protocol using time-bin encoded q-bits. It uses no entangled pairs, just a source at Alice and a detector at Bob. It uses imperfect sources, detectors and channels and is in no way theoretically secure against all attacks.

I once attended a presentation made by an Id Quantique representative to a room of experts (among them was Brassard, one of the "B"s of the BB84 protocol). The representative made a list of what was needed to build a quantum cryptography system. It included: books on TCP/IP protocols, Linux driver manuals and fiber optic cable. Absent was a source of quantum light (they use weak lasers, not true quantum sources), or a text on quantum optics.

The point was that the commercial systems are not attempting to implement the elaborate privacy-increasing techniques that are being thought out by the academics in quantum information. They are simple, first-generation devices that aren't trying to keep up with attacks devised by the academic community.

Quantum cryptography absolutely can be theoretically secure if proper sources and detectors are used. Such sources are difficult to build and are very expensive at the moment but much effort is being directed towards that goal. The other side of the coin is that much effort is going into determining exactly what attacks can be leveled against particular imperfections in equipment and how those attacks can be countered.

Re:Quantum Bullshit (0)

Anonymous Coward | more than 4 years ago | (#32247904)

the paper is definitely a view to a kill.

i suppose its a quantum of solace that only highly sophisticated, high-level operatives are able to use hacks like this...

ill die another day when its released as a plugin for meta-sploit...

in the meantime, live and let die.
-0.

Re:Quantum Bullshit (1)

cashdot (954651) | more than 4 years ago | (#32249878)

No.
The core idea of quantum communication security is that it is impossible to decipher a quantum message unless you destroy the quantum state nature of the communication media (photons, electron, ... whatever).
Unlike with classical communication you just have *one* try to decrypt the message. If the wrong key is used, the message is lost, forever. That even Bob (with the correct key) wont be able to decrypt/read the message afterward (and hence will notice the eavesdropping) is just a side effect.

Re:Quantum Bullshit (1)

sexconker (1179573) | more than 4 years ago | (#32254038)

Read my post.

The entire point of it being quantum means nothing.

If someone has the key, you won't know.

If someone doesn't have the key, you often won't know because they can fudge around in that tolerance level, and you'll just resend your message anyway because the network is not reliable, etc.

The only practical application which would give you any benefit from the quantum nature would be a dedicated circuit for each host pair. That is simply not feasible.

All.
Digital.
Security.
Ever.
Boils.
Down.
To.
A.
Key.
Sharing.
Problem.

Re:Quantum Bullshit (1)

DrXym (126579) | more than 4 years ago | (#32251372)

It seems that anyone capable of tampering with a quantum link (i.e. they know where the equipment and the cable are), it seems they have a simpler solution. Just "accidentally" run a digging machine through the link, or otherwise damage the connection and then just wait for the sender & recipient to use a less secure method of communication.

Sure, sure, paint me as the bad one again (5, Funny)

Anonymous Coward | more than 4 years ago | (#32245916)

Really, is a little fidelity in this relationship too much to ask for? I've caught Bob kissing that skank Alice so many fucking times and he always says he's sorry and he'll stop seeing her, but still I can tell they're exchanging information through hidden channels.

But what I really hate is when people act like I'm so unreasonable by trying to find out what is going on and who my allegedly significant other is seeing behind my back. What the fuck.

-
Cryptographically Signed,

Eve.

(Inspired by xkcd [xkcd.com] , of course.)

Guess I don't read enough crypto talk (0)

Anonymous Coward | more than 4 years ago | (#32252052)

I guess I don't read crypto examples enough the first time I read this, I didn't get what the reference was.

I... I feel dumb now.

I don't think "prove" means what you think... (4, Interesting)

pla (258480) | more than 4 years ago | (#32245940)

Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment.
Then they do not "prove" anything.

When you start from a false premise, you produce "garbage", not "proofs" (Actually, you can produce some really useful counterfactuals that way, but you wouldn't present it in the context of a proof of the original concept). Particularly when talking about security, what moron would assume any sources of error come from the environment rather than the attacker???

Re:I don't think "prove" means what you think... (0)

Anonymous Coward | more than 4 years ago | (#32246152)

So your system would only work in a lab setting, if even there.

Errors are everywhere.

Re:I don't think "prove" means what you think... (1)

divisionbyzero (300681) | more than 4 years ago | (#32246452)

Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment.

Then they do not "prove" anything.

When you start from a false premise, you produce "garbage", not "proofs" (Actually,
you can produce some really useful counterfactuals that way, but you wouldn't present it in the context of a proof of the
original concept). Particularly when talking about security, what moron would assume any sources of error come from
the environment rather than the attacker???

Wow, it's obvious you have no idea what you are talking about. The premise may have been non-physical but that doesn't affect the proof. The proof is fine. It just happens not to be true. There's only a problem here, if you assume proof means true or more specifically physically true.

Errors are inevitable. It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

Re:I don't think "prove" means what you think... (4, Funny)

Opportunist (166417) | more than 4 years ago | (#32246756)

Errors are inevitable. It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

I guess the correct answer is maybe. But only possibly so.

Re:I don't think "prove" means what you think... (0)

Anonymous Coward | more than 4 years ago | (#32247546)

It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

Have you? This is not what the Uncertainty Principle is about, and has nothing to do with your comment on the post. The GPP is right in that this 'proof' is damn near useless in real-life; if you assume the interference is from the environment then you're really not secure. It'd be like seeing many mal-formed packets being received by your router, and writing it off as a fluke instead of a deliberate attempt to alter the system.

Re:I don't think "prove" means what you think... (1)

Dthief (1700318) | more than 4 years ago | (#32247518)

The Physical device they hacked works under this 20% assumption.....this 20% is due to limitations between reality and the ideal-world

If you RTFA you will see they openly discuss that this attack works only for this real world device, and that it is easy to stop:

Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

Re:I don't think "prove" means what you think... (3, Insightful)

Interoperable (1651953) | more than 4 years ago | (#32247570)

Those "morons" have doctorates in math and physics. What do you have?

The idea is that if you can account for all known systemic noise sources then anything left will be from the attacker. The proofs set bounds for what error thresholds rule out the possibility of an attacker under given, known sources of noise in the system. The proofs are not wrong, they were simply done using particular sets of assumptions. If those assumptions are not applicable to a particular system, then obviously those calculations wouldn't be used.

It astounds me that people think they know better than an entire discipline and even more so that they get modded up for doing it. But then again...it is the internet.

Re:I don't think "prove" means what you think... (2, Interesting)

pla (258480) | more than 4 years ago | (#32247746)

It astounds me that people think they know better than an entire discipline and even more so that they get modded up for doing it. But then again...it is the internet.

Funny thing about the internet... Believe it or not, some of us do actually count as experts in the domain of knowledge in question, fully capable of calling BS even on all those magically-always-right PhDs out there.

In this case, I can't claim myself an expert (merely have a minor in math, concentrating on, of all things, proof theory). But I stand by my statement - A proof with easily violated premises doesn't "prove" anything. It may remain valid for some subset of input sets, but validity does not equal truth. And when your input set equals the real world, you can't just arbitrarily constrain it and still call it true.

Re:I don't think "prove" means what you think... (4, Informative)

Interoperable (1651953) | more than 4 years ago | (#32248248)

I happen to have have read a number of such papers because it is related to the field that I work in and I have some idea of what is involved in determining bounds on error rates. They are absolutely proofs in the very strictest sense of the word. They state up-front what the assumptions are and derive rigorous proofs within the conditions that were laid out.

The mathematical premises are completely sound. The only question is what physical system the assumptions used to arrive at those premises apply to. The idealized system is clearly laid out in the paper and can be assessed for how applicable it is to a given physical system. To say that the premises are unsound because the simplifying assumptions may not apply to real systems is to reject any mathematical analysis of the physical world.

You are confusing the ideas of a premise in mathematics and an assumption in physics. What has been done is the different between a correct analysis of an idealized system. What you claim is that an incorrect analysis of a realistic model has occurred, which is incorrect.

Re:I don't think "prove" means what you think... (1)

radtea (464814) | more than 4 years ago | (#32252640)

What you claim is that an incorrect analysis of a realistic model has occurred, which is incorrect.

And yet for reasons that escape me these correct analyses of unrealistic models have been used in the marketing of quantum cryptography as a realistic solution to the problem of secure communication.

Can you provide any insight into how that situation has come about?

Re:I don't think "prove" means what you think... (1)

silentcoder (1241496) | more than 4 years ago | (#32249996)

You know what's sad... I actually agree with your conclusion but your entire argument consists of a call-to-authority. A fallacy.

Don't you think it's a bit of an insult to the discipline that your best defense for it is a false argument ?

Especially since history (even RECENT history) is filled with examples of untrained outsiders spotting a fatal flaw in the work of a discipline, which then needs to be corrected leading to a paradigm shift. Scientists consider the call-to-authority one of the worst fallacies of all, and a hell of a lot of the scientific method is specifically designed to root it out.

Your actual points about how proofs work are informative and accurate. Prepending them with a declaration about how one shouldn't question the authority of the scientists weakens that argument, and if those scientists are any good - they would consider it an insult to be cited as authorities, science by it's very nature despises authority.

Re:I don't think "prove" means what you think... (2, Insightful)

Interoperable (1651953) | more than 4 years ago | (#32251154)

It's not the questioning of conclusions that I disagree with. Scientists love informed debate, but don't appreciate being called "morons." Anyone with the insight about the discipline to make a shrewd observation about the correctness of the work would recognize that the people involved are not morons.

It's important to keep an open mind, but the vast, vast majority of "OMG, how can you sheeple be so stupid?" posts about quantum physics can be safely ignored without any loss to the body of knowledge.

Isn't this obvious? (5, Funny)

mrsteveman1 (1010381) | more than 4 years ago | (#32245950)

Eve is a fucking spy, arrest her.

I'm not too sure about Alice and Bob either, seems they're always around when these things happen.

Re:Isn't this obvious? (2, Funny)

Actually, I do RTFA (1058596) | more than 4 years ago | (#32246026)

Eve is a fucking spy, arrest her.

Eve is clearly spying on fucking, but it's not clear that she herself is fucking to do so.

Re:Isn't this obvious? (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32246034)

It's not that easy.

She wears a mask.

Re:Isn't this obvious? (4, Funny)

MRe_nl (306212) | more than 4 years ago | (#32246154)

It's not that easy.

She's only called Eve online.

Re:Isn't this obvious? (0)

Anonymous Coward | more than 4 years ago | (#32246418)

Eve is a fucking spy, arrest her.

Indeed... and NOW she is here to f**k us! So listen up, boy, or pornography starring your mother will be the SECOND worst thing that happens to you today...

Re:Isn't this obvious? (0, Troll)

Hurricane78 (562437) | more than 4 years ago | (#32246610)

But she’s also insanely hot. I can haz hawt bittsecks wif her??

Re:Isn't this obvious? (1)

mrsteveman1 (1010381) | more than 4 years ago | (#32248126)

Remember buddy, eve is the spy...she knows all about your life size furry porn dolls and hello kitty sex toy collection.

Re:Isn't this obvious? (1)

youn (1516637) | more than 4 years ago | (#32248232)

What the heck is alice doing out of wonderland anyway?

shouldn't it be Alice & Bunny?

any lock made by a man (4, Insightful)

circletimessquare (444983) | more than 4 years ago | (#32246162)

can be broken by a man

depending upon your current situation in life, this is either a wonderfully hopeful or horribly depressing realization

Re:any lock made by a man (1)

Opportunist (166417) | more than 4 years ago | (#32246774)

I was thinking the same. But my train of thought was more along the lines of "no matter how secure a system, some doofus will stick a post-it with his key next to the monitor".

The weakest link in almost all security systems is still the human.

Re:any lock made by a man (1, Funny)

Anonymous Coward | more than 4 years ago | (#32249332)

It's obvious then we need to get rid of the weakest link.

Hardware Arms Race (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32246224)

The third paragraph from the end of TFA is the key. Alice/Bob will be in an arms race with Eve. Alice/Bob will need better single-photon detectors and generators to stay ahead of Eve. As Alice/Bob improve the quality of their hardware and increase the probability of being to emit and then detect a single photon increase, Eve has to keep pace with the quality of her hardware. Over time as Alice/Bob increase the quality of their hardware, the attack surface available to Eve shrinks, and it will take her longer to intercept without being discovered. Eve will also need an accurate assessment of Alice/Bob's hardware capability to mount a credible threat.

Quantum waste-of-money (1, Troll)

eBisnaes (1636575) | more than 4 years ago | (#32246228)

I don't get why anyone even bother with the so-called quantum encryption*, a simple pre shared key scheme is perfectly safe, a lot cheaper, well understood and well tested.

*The quantum part has nothing to do with encryption, it's just an over the top high tech attempt at preventing wire taps.

Re:Quantum waste-of-money (0)

Anonymous Coward | more than 4 years ago | (#32246344)

You're overlooking the obvious problem that sharing a OTP through some kind of secure side-channel doesn't scale well, whether we are talking about carrier pigeons, sneaker-net USB keys, or secure-courier DVDs.

Re:Quantum waste-of-money (1)

eBisnaes (1636575) | more than 4 years ago | (#32247066)

One time pads are not required for safe encryption, with modern computer cryptography that method is obsolete. A short key string can be used to initiate a scrambling function that generates an endless pseudo-random string. Which effectively cannot be distinguished from random without knowing the key used.

Re:Quantum waste-of-money (0)

Anonymous Coward | more than 4 years ago | (#32247404)

Where by "knowing" you apparently mean "guessing" -- even if your scrambling function is _perfect_, the "short key string" had better not _really_ be short, or you're hosed. And keys of a given length are shorter and shorter as technology advances, even if no cryptographic advances break the system.

This is markedly unlike a OTP, because only one key will decode to plaintext, and once you can read the message, you know it's decrypted. With OTP, there's one OTP to make that message into any message of the same length, so you never know when you've got it right.

Re:Quantum waste-of-money (1)

eBisnaes (1636575) | more than 4 years ago | (#32248308)

"Short" as in you can transfer it once and be done with it. Given current computers 128 bit will suffice. If you want it unbreakable for eternity use 512 bits. While it is hard to predict how fast computers will be in distant future, it is easy to tell how fast they will not be, there are simple physical limits dictating how many state changes a particle may go through in a given time, current estimates are around 10^40 per second. By that figure, a 1000 000 000 ton computer would in 1000 000 000 years only be able to undergo ~2^300 state changes, where more than 2^512 is required to break a 512 bit encryption.

As clever as the advances of OTP may seem, they are only theoretical relative to a strong key based encryption.

Re:Quantum waste-of-money (1)

ghjm (8918) | more than 4 years ago | (#32248798)

More than 2^512 state changes are required ON AVERAGE to break 512 bit encryption USING BRUTE FORCE.

Are we at the end of cryptographic history? What are the odds that in your notional billion years of computation, some weakness or new technique will be discovered that makes our current methods trivially breakable?

For that matter, are we at the end of physics? Are "current estimates" guaranteed not to later turn out to be wildly incorrect, as they have done many times before? Are these estimates making the assumption that all the state changes are to be observed, and if so, why is it impossible to build a computational device that relies on non-observed phenomena, which (as I understand it) are not subject to such limits?

Over a timeframe like a billion years, is it not possible that the owners of our universe could show up and say "hey guys, quantum physics is weird because it exposes all the shortcuts we took when creating the simulator that runs your universe, sorry about that, by the way here's the key to your encrypted code?"

Show a little humility. IT'S A BILLION YEARS. Our understanding of physical reality has been altered dramatically in just a couple hundred years. There's no reason to suppose that we are today at the end of that process.

Re:Quantum waste-of-money (1)

eBisnaes (1636575) | more than 4 years ago | (#32251120)

I'd say that all the assumptions I have made are far more likely to hold than the assumptions you need to make for quantum key sharing to be safe. That is not to say that I find the quantum key sharing technique highly likely to be broken, but many new discoveries in the field of quantum mechanics are yet to be made.

Why is it impossible to build a computational device that relies on non-observed phenomena, which (as I understand it) are not subject to such limits?

We simply can't tell what limits apply to non-observed phenomena, that doesn't mean there ain't limits, but since we can't observe non-observed phenomena it is quite hard to know their exact nature. That said, it doesn't really matter how many of them there may be, for computation a non-observed phenomena is as good as a TTL gate with no output pins, even if it is doing the right thing on the inside, we have no way of obtaining the generated data.

Quantum key sharing by the way builds on non-observed phenomena, if the so-called non-observed phenomena should somehow prove observable, and thus theoretically useful in computers, quantum key sharing would be broken.

I have already shown humility by saying 512 bits, I highly doubt that 256 bits will ever be breakable, and certainly not within a time frame where encrypted information snatched now would be useful, but the 512 bits argument is a lot easier to lead.

By the way, for anyone not totally into the concept of non-observed phenomena, it is not non-observed as in "We didn't bother to look.", but as in "It is only physically possible to retrieve one piece of data from this dataset, when we retrieve a piece of data the rest is lost, nothing has been influenced by that data, and nothing ever will be, it might as well never have existed.".

NIST achieved 99% detection efficiency last month (4, Interesting)

ortholattice (175065) | more than 4 years ago | (#32247222)

One the main contributors to the error rate is the photon detection efficiency, where 80% or better is considered "good". In a major breakthrough last month, NIST (yes, the National Institute of Standards and Technology, not some startup company's marketing hype) has achieved a record single-photon detection rates of 99% [sciencedaily.com] - and possibly better, since there currently exists no metrology to test that level of efficiency. So in terms of that source of error, things are looking up.

Re:NIST achieved 99% detection efficiency last mon (1)

Interoperable (1651953) | more than 4 years ago | (#32247580)

But at what dark-count rate? There are always trade-offs.

Re:NIST achieved 99% detection efficiency last mon (2, Informative)

ortholattice (175065) | more than 4 years ago | (#32247706)

But at what dark-count rate? There are always trade-offs.

The dark count is essentially zero. That's what makes this breakthrough so impressive.

FTA I linked:

"When these detectors indicate they've spotted a photon, they're trustworthy. They don't give false positives," says Nam, a physicist with NIST's Optoelectronics division. "Other types of detectors have really high gain so they can measure a single photon, but their noise levels are such that occasionally a noise glitch is mistakenly identified as a photon. This causes an error in the measurement. Reducing these errors is really important for those who are doing calculations or communications."

Re:NIST achieved 99% detection efficiency last mon (1)

Interoperable (1651953) | more than 4 years ago | (#32248156)

Oh wow, I'll have to grab a hold of the publication. That is impressive.

Re:NIST achieved 99% detection efficiency last mon (0)

Anonymous Coward | more than 4 years ago | (#32248682)

Unfortunately this only detects if the photon hits. It does not measure anything like spin. So while useful, it does not seem directly transferable to a quantum cryptography application.

Re:NIST achieved 99% detection efficiency last mon (1)

ortholattice (175065) | more than 4 years ago | (#32249272)

Unfortunately this only detects if the photon hits. It does not measure anything like spin.

No photon detector "measures anything like spin". The polarization is determined by a filter prior to detection. Which direction the filter should be oriented is part of the quantum cryptography protocol, and the filter is followed by a detector that needs only to determine the presence or absence of a photon passing through the filter.

Re:NIST achieved 99% detection efficiency last mon (1)

ortholattice (175065) | more than 4 years ago | (#32249318)

I should clarify that by "filter" I mean a birefringent filter such as calcite, where the photon decides on one of two paths based on its polarization. Two detectors, one in each path, determines which was taken by the photon. So the compound setup of filter + 2 detectors is in effect the "detector that measures spin" that you refer to.

A flaw....but fixable.... (2, Informative)

Dthief (1700318) | more than 4 years ago | (#32247470)

Insightful FTA:

Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

Beat Bob with a shovel (1)

ghjm (8918) | more than 4 years ago | (#32248716)

until he tells you what was in the message.

Of course you can't beat Alice because she's a girl. If Alice had sent the message to Eve then you'd be out of luck.

you fail it=?! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32248808)

Dump Alice (2, Funny)

fyoder (857358) | more than 4 years ago | (#32248820)

I say Bob should dump Alice and go with Eve. Bad girls are hot.

Though dumped good girls can be trouble as well, so the original problem remains.

Sadly, as long as Eve (or Alice) are sufficiently determined to intercept Bob's communications, he's got problems. The only answer may be to become a celibate monk in a monastery committedly observing a vow of silence.

Re:Dump Alice (0)

Anonymous Coward | more than 4 years ago | (#32249968)

The only answer may be to become a celibate monk...

Or join Slashdot.

Who the f#ck is Alice? (1)

slashmojo (818930) | more than 4 years ago | (#32249096)

Does she live next door to Bob?

Had to be asked.. ;)

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...