First Bank Transfer via Quantum Cryptography

An anonymous reader writes with today's announcement that "the Austrian project for Quantum Cryptography made the world's first Bank Transfer via Quantum Cryptography Based on Entangled Photons; see also Einstein-Podolski-Rosen Paradoxon." (For more background, see the recent Slashdot post "Quantum Cryptography Leaving the Lab.")

Proof of Concept

[radoni]

..but why do we need this?

The biggest hole in security is usually the people operating technology. Ever want something, call up and ask for it.

What does the ability to have uncrackable encryption do to thwart social engineering tactics?

Re:Proof of Concept

[onion2k]

Firstly, the security this sort of thing provides is at a different stage in the process to anything a social attack would work on, so the two concepts are unrelated.

Secondly, even if they were related, you're appear to be suggesting we might as well not bother patching one future security hole because a different one also exists? Thats crazy. We should tackle all security risks, not just one particular one.

Lastly, socially engineered attacks are most often people giving up a PIN or forging a signature. That affects one account per attack. If a cracker gets past the sort of stage that Quantum Cryptography protects they have the opportunity to automate and reap every transaction the bank carries out.

Now which is the bigger problem?

Re:Proof of Concept

I can't believe this got a +5.

It's ridiculous reasoning.

Should deadbolts not have been developed because most people break in through windows?

Should we stop working on vaccines to deadly viruses just because most people die of heart disease or cancer?

It's called progress. People work on improving their own peice of the puzzle and the whole system improves as a whole by the sum of the efforts.

Re:Proof of Concept

[onion2k]

Note that I did say "one future security hole". While the crypto we have know, with "a sufficiently large key", they *will* become trivial to break in the future. If (when) quantum computing becomes available to anyone with a decent bank roll then we'll need quantum crypto to remain secure. I don't think waiting until that time is a good idea. Getting a head start is.

Re:Proof of Concept

[gumbi+west]

No, a social attack can work on a much higher level than this would work (think the master password to the accounts). Social attack is far and away the most serious security holes that anyone has.

Secondly, even if they were related, you're appear to be suggesting we might as well not bother patching one future security hole because a different one also exists? Thats crazy. We should tackle all security risks, not just one particular one.

No, the question is one of resource allocation. At present, there is no known (implementable for less than billions within 50 years) method of factoring these large prime numbers that are used to store the keys, so why spend money on this when you could actualy prevent a security hole. Your right, if money was ininite, all security holes should be worked on. As is, we should work on holes that have a possibility of causing a leak in the next 50 years.

Lastly, socially engineered attacks are most often people giving up a PIN or forging a signature.

It's not what is most common, it is what costs the bank the most after it happened. That is social engeneering.

And finaly, you say it best.

Now which is the bigger problem?

How does it defeat repeaters?

[Thinkit4]

What I don't understand is why can't you cut the line and put in something like a repeater. When you read a bit, you change that photon, but then you just transmit a clean one with the same value (or maybe even change it to confuse).

snake oil

[Kallahar]

Bruce Schneier covered why quantum cryptography doesn't solve any security/secrecy problems in his December 15, 2003 Crypto-Gram.

"It's like defending yourself against an approaching attacker by putting a huge stake in the ground. It's useless to argue about whether the stake should be fifty feet tall or a hundred feet tall, because the attacker is going to go around it. Even quantum cryptography doesn't "solve" all of cryptography: the keys are exchanged with photons, but a conventional mathematical algorithm takes over for the actual encryption."

Why MIM doesn't work

[gevmage]

I've seen a few presentations/demos on this. Basically the idea is the transmission runs on probability. Each photon has a certain probability of being lost. So the receiving station knows what the general frequency that it can expect, and if its not, the signal is being tampered with.

The reason that the man-in-the-middle attack doesn't work is that by doing so, you introduce two sets of attenuation rather than one. If the message is intercepted and then re-transmitted, the message has now been sent through the attenuation cycle twice. This means that instead of the signal being modified by the original attenuation function, it's modified by the attenuation function squared, which is easy to distinguish.

Entertaining but Not Useful

[billstewart]

Quantum crypto is an entertaining concept for securing data on locations connected by a single dedicated piece of fiber, but from a cryptographical standpoint, it's not really very useful - you can already do uncrackable crypto at much lower costs, and quantum crypto still needs you to run reliable communication protocols. It's kind of like using an armored car service to carry your credit card receipt from the front of the restaurant to the office in the back next to the unlocked door - you get a really secure feeling about how strongly you've protected the strongest link in the chain, but it doesn't do anything to help the weakest link.

So it's really about social-engineering potential customers.

(not any less oily than others)

[griffjon]

First, Schneier really loves his stake-in-the-ground idea. He used it to describe cryptography in general in his "Secrets and Lies" book (which, IMHO, doesn't hold a candle to the quality of his applied crypto books. In fact, it feels more like a book-long commercial for his managed security business)

Anyway, sure. QC alone ain't gonna help you. But if it's a stake in a ground that's part of a fence, it damn well matters if it's 100 ft tall vs 1 ft tall, or even 10 ft tall.

Does it 'solve' security problems? No, of course not, because as many many many people have already said, in this post and in many other places, the way to defeat the best crypto in the world is to look under a keyboard and copy down the relevant password/phrase that the user wrote on a sticky-note there. (or other social engineering tricks)

It does make security easier, as it prevents MITM attacks, requires (for now) specialized hardware, and provides really-tough-to-decode crypto. So, if you have the rest of your process working, yes, QC can help by being a more secure technology.

But think of the inverse. OK, so, crypto is like a stake in the ground, it doesn't matter what size or where it is. So, let's all use DES, because it's an established standard!

You are only as secure as your weakest link, obviously. You'd be stupid if crypto turns out to be your weakest link, as even not counting QC, there's lots of good, secure crypto processes available.

It seems impractical

[Orthogonal+Jones]

OK, I am not a believer in quantum cryptography for one big reason -- fiber loss. Someone please enlighten me if I'm wrong.

The loss of standard single-mode fiber is about 0.1-0.2 dB/km. Therefore, unless the distance is short (as in this demonstration), the transmitter must send multiple photons to ensure a decent probability of providing the receiver with one photon.

For example, if the span is 100 km long (20 dB loss), then on average only 1 out of every 100 transmitted photons will reach the receiver.

The situation is worse for autocompensating quantum-crypto systems (e.g., polarization-based encoding), because the photons must survive a round trip through the fiber.

Therefore, the relatively high power at the transmitter implies that an attacker can tap into the fiber near the transmitter, subtract (on average) only 1 photon, and remain undetected by the receiver.

Furthermore, typical optical amplifiers add noise (3 dB noise figure for your standard erbium-doped amplifier). The added noise photons would screw up the link, so amplifiers are out.

In the end, it seems to me that quantum crypto is good for table-top demos, and maybe for short jaunts across a metro area. But it is NOT absolutely perfect, at which point computationally difficult encryption is more attractive.

Re:Hype

[janbjurstrom]

I came away with a different understanding of what they did (granted, I only read the press release, pdf link; and I have just about no knowledge in quantum mechanics, so chances are I don't get it right).

From the press release (emphasis mine):

The measuring results are then converted into a string of 0s and 1s the cryptographic key. The sequence of the numbers 0 and 1 is, due to the laws of quantum physics, completely random. Identical strings of random numbers, used as the key for encoding the information, are produced both in the bank and the City Hall.

The information is encoded using the so-called "one time pad" procedures. Here, the key is as long as the message itself. The message is linked with the key bit by bit and then transferred via the glass fibre data channel.

I read this as, they not only exchanged keys, but in fact transmitted an encrypted message as well(?)

On the interception/security issue, the press release says (again, my emphasis):

Eavesdropping can be detected already during the production of the key before the transfer of the encoded message has even started. Any intervention into the transfer of the photons changes the sequence of the number strings at the measuring stations. In case of eavesdropping, both partners receive an unequal sequence. By comparing part of the key, any eavesdropping effort can be discerned. Though the eavesdropper is able to prevent the transfer of the message, he is unable to gain any information contained in the message!

From what I read, a message cannot be stolen. If I understand this correctly, communication can be prevented (which is a weakness of course), but cannot be intercepted and decrypted by an eavesdropper. Am I misunderstanding, and/or are they possibly mixing theory with their actual accomplishment?

Re:Entanglement

Lets say I make two boxes. I put one penny in one box, and I close them behind my back.

Now, I give you one of the boxes. I walk Reallly far away, and you open your box. Now, if you see a penny in yours, you know mine doesn't have a penny. You know this immediately when you open your box.

Does this somehow violate the speed of light? No.

Re:Hype

[meringuoid]

The message can be cracked without the key of course. Just takes a while.

Not if the key is as long as, or longer than, the message. In that case there's no way to crack it by cryptanalysis - your only hope is in more cloak-and-dagger methods like having a spy at one end of the channel.

As a practising geek I can suppose that you're familiar with ROT13. This is, of course, trivially cracked. An attacker knows in advance - because it is a USENET standard and has been for many years - that your key is 13 and can easily read your message.

You might step up your security by switching to another key at random, but that's still easily cracked. Just try all 26 possibilities.

Now perhaps you get a little clever. Suppose you pick a key of 14-22-8, or something like that. Then the first letter of your message is encoded with ROT14, the second with ROT22, the third with ROT8, the fourth with ROT14 again, and so on. That'll fox 'em!

Unfortunately it won't. This cipher was considered secure for a long time, but with sufficient statistical analysis it can be broken, especially for short keys. A three-character key is particularly bad because it's very likely to encode 'the' to the same string several times over - and if the attacker sees a repeating string of three characters he'll surely try 'the' first.

However, repeating patterns like this are less frequent as the key length approaches the message length. If the key is as long as the message then there's no way to crack it by analysis - sure, if their brute-force attack guesses the right key they'll read your message, but they'll also find the key that decrypts your message to a shopping list, or to a pornographic short story, or in fact to every possible message of that length. Assuming your key was truly random (which is a separate problem, but also solvable by quantum mechanics, which gives us randomness par excellence!), then they have no possible way of knowing which of this vast array of possible communications is the real one.

The trouble with this is the old problem of key distribution. One solution is to meet in person, or use a trusted courier - then hand over a DVD full of keys and use those, one at a time, and never, ever reuse one. Here's the chance for your attacker: get hold of that disc and copy it! And that's what quantum crypto solves. You create the key, make it as long as you want, communicate it using the quantum connection. If it was compromised, you'll know about it and you won't use it - generate another one and try again (and send some security goons to check the line and try to catch the foolish spy who tried to listen in!) If it wasn't, you can be sure of its security and use it to transmit your _real_ message over classical channels.