Slashdot Mirror
Simple Comm Technique Beats Quantum Crypto
Atario wrote us with a link to a New Scientist article about an innovative new way of encrypting communications. An engineer at Texas A&M may have a way to exploit the thermal properties of a wire to create a secure channel. The result could be an effectively impenetrable way of securing communications, possibly outperforming quantum cryptography keys. "In their device, both the sender Alice and the receiver Bob have an identical pair of resistors, one producing high resistance, the other low resistance. The higher the total resistance on the line, the greater the thermal noise. Both Alice and Bob randomly choose which resistor to use ... Half the time ... they will choose different [resistances], producing an intermediate level of thermal noise, and it is now that a message can be sent. If Bob turns on his high resistor, and records an intermediate level of noise, he instantly knows that Alice has chosen her low resistor, in essence sending a bit of information such as 1 or 0. Kish's cipher does this many times, sending a random series of 1s and 0s that can form the basis of an encryption key, the researchers say."
But if I understand correctly, and I want to do this over ethernet, for example, that means that it is a) unroutable and b) my ethernet endpoints would have to be aware of my security preferences ?
Religion is what happens when nature strikes and groupthink goes wrong.
Try this:
5 5.300?DCMP=NLC-nletter&nsref=mg19426055.300
http://www.newscientist.com/channel/tech/mg194260
Seems to me to be a dupe of http://it.slashdot.org/article.pl?sid=05/12/10/171 4256
Hey don't blame me, IANAB
From what I can gather from the summary (the New Scientist domain seems to be blocked by the PRC to those in China, so I can't RTFA), the security of this lies in the fact that Eve cannot seperate the message from the inherent thermal noise of the channel. However, wouldn't she be able to decode the message by trial and error by hooking her own resistors? Surely she doesn't have to have identical resistance just around 10 or 100 Ohms of the average.
Could someone correct me if I'm wrong (which I think I am)?
The system works because the sender and receiver have a direct electrical connection. If you have such a connection, that means that you have an unbroken wire between the two with nothing else connected to the line. You usually don't even get such a connection if you lease cables from the telephone company. The only way such a connection exists is if the wire is owned by the organization that employs the sender and receiver.
Under the conditions stated above, cryptography isn't very important. The most important thing is to ensure the physical integrity of the wire.
The cryptography isn't as unassailable as they think. Given two taps on the line, I can tell who switched which resistor when. For instance, if station A switches in a low resistance, the tap nearer to station A will detect the effect (low noise) of the switch first.
Maybe I'm missing something important but this idea doesn't seem as smart as they think it is.
Although I don't recall seeing anything about it on his website. Bruce knows a lot more than I do, but this just sounds weird.
And not just Ethernet. Any wire that has a repeater or relay or amplifier sounds like it would break this.
And don't forget man in the middle attacks. If Eve or Mallory get to the wire first, then the "normal" wire state that Alice and Bob see will include their taps.
This is a secure way to agree to agree on a one-time pad, or other key, but it is subject to man in the middle attacks. How does fred know that it is alice other end of the line switching resistors, or is it darth the man in the middle swiching resistors?
SPYING is big business, and avoiding being spied on an even bigger one. So imagine if someone came up with a simple, cheap way of encrypting messages that is almost impossible to hack into? American computer engineer Laszlo Kish at Texas A&M University in College Station claims to have done just that. He says the thermal properties of a simple wire can be exploited to create a secure communications channel, one that outperforms quantum cryptography keys. His cipher device, which he first proposed in 2005, exploits a property called thermal noise. Thermal noise is generated by the natural agitation of electrons within a conductor, which happens regardless of any voltage passed through it. But it does change depending on the conductor's resistance. Kish and his collaborators at the University of Szeged in Hungary say this can be used to securely pass information, or an encryption key, down any wire, including a telephone line or network cable. In their device, both the sender Alice and the receiver Bob have an identical pair of resistors, one producing high resistance, the other low resistance. The higher the total resistance on the line, the greater the thermal noise. Both Alice and Bob randomly choose which resistor to use. A quarter of the time they will both choose the high resistor, producing a lot of noise on the line, while a quarter of the time they will both choose the low resistor, producing little noise. If either detect a high or a low amount of noise in the line, they ignore any communication. Half the time, however, they will choose differently, producing an intermediate level of thermal noise, and it is now that a message can be sent. If Bob turns on his high resistor, and records an intermediate level of noise, he instantly knows that Alice has chosen her low resistor, in essence sending a bit of information such as 1 or 0. Kish's cipher does this many times, sending a random series of 1s and 0s that can form the basis of an encryption key, the researchers say (http://www.arxiv.org/abs/physics/0612153). That message is also secure. For a start, as Kish notes, it takes an "educated eavesdropper" to even realise information is being sent when there seems to be just low-level noise on the line. If they do try to eavesdrop, they can only tell a message is being sent, not what it is, because it's impossible to tell whether Alice has a high or low resistor turned on, and whether the bit of information is a 1 or a 0. What's more, eavesdropping on the line will naturally alter the level of thermal noise, so Alice and Bob will know that someone is listening in. Kish and his team have now successfully built a device that can send a secure message down a wire 2000 kilometres long, much further than the best quantum key distribution (QKD) devices tried so far. Tests show a signal sent via Kish's device is received with 99.98 per cent accuracy, and that a maximum of just 0.19 per cent of the bits sent are vulnerable to eavesdropping. The error rate is down to the inherent resistance of the wire, and choosing a larger wire in future models should help reduce it further. However, this level of security already beats QKD. What's more, the system works with fixed lines, rather than the optical fibres used to carry photons of light at the heart of quantum encryption devices. It is also more robust, as QKD devices are vulnerable to corruption by dust, heat and vibration. It is also much cheaper. "I guess it's around a hundred dollars, at most," Kish says. "This is a system that should be taken seriously," says security specialist Bruce Schneier, who founded network security firm BT Counterpane. He says he was seduced by the simplicity of the idea when it was first proposed by Kish, and now wants to see independent tests of the working model. "I desperately want someone to analyse it," he says. "Assuming it works, it's way better than quantum."
Man wird am besten für seine Tugenden bestraft.
It can be attacked passively: http://arxiv.org/pdf/physics/0601022
This can only be applied where there's a direct electrical connection, hence ruling out it's usefulness in any real application. even IF this were applied via some software protocol it does nothing to validate that alice is actually alice and not the feds.
If you mod me down, I will become more powerful than you can imagine....
This reminds me of another crypto method where the receiver adds noise to the line. The theory is that they know what the noise is, so they can remove it, but Eve can't get it because she doesn't know what the noise was. It falls down under the same attack because the signal is only propagated at the speed of light, not instantaneously.
Identical pairs of resistors.
I read it the same way you did at first; it's poorly worded.
This sounds like it's someone trying to think outside the box, given a basic knowledge of quantum cryptography. "Well, what else sort of works like light polarization? What is there that, if intercepted, doesn't give the interceptor any more information than said polarization does in the case of quantum cryptography?"
Of course, one of the advantages of quantum is that you can Detect eavesdroppers, because if they listen to more than a few bits they flip more of your bits than probability would reasonably allow for. It isn't only about how much information the eavesdropper can obtain--it's about whether or not you'll realize they're there.
'nuff said :)
--
Slashcode bug # 497457 - unfixed since December 2001 - Go look it up!
o/~ Join us now and share the software
... or better: is Kish any electrical engineer ? ...
... . Furthermore, if Eve1 and Eve2 listen in a distance of only a few meters, they can auto-correlate the signal(s) and find the direction from which it travels. No, that is even simple, because the levels - as we know - are H and L. So the autocorrelation of H can be found out without much ado; either H travels right-to-left or left-to-right. Voilà. L doesn't disturb the autocorrelation function. Along the line, any line, higher spectral components are reduced; another rule all electrical engineers know: any practical system is by default a lowpass. When Eve1 and Eve2 simply record the signal, close to Alice and close to Bob, they can find out where the higher spectral components are to be found. Meaning, the sender of H is known.
...
To me, this whole matter with his formulae of the noise of a resistor is just hocus pocus; as much as the math is correct. But any reasonable electrical engineer knows these
What Kish rather seems to propose, is the injection of noise into a link; noise at two levels, nevermind if they are derived from a resistor, short-circuited or not, or any other noise generator.
Over. What he then says is the following:
If Alice sends high noise level ('H'), Bob will send low ('L') noise level; and vice versa.
The man-in-the-middle will have tri-state noise: LL,LH/HL,HH. LL and HH are out. The assumption in that paper, hidden behind a lot of barrage, is: LH and HL will appear identical to the eaves-dropper. Alice. however, when sending L, can pass an information quantum (since Bob will switch to H, knowing Alice sends L); while Alice sending H, Bob will switch to L, knowing Alice sends H).
The theory of Kish is, that Eve will have no clue if she intercepts HL or LH. Which only works in theory.
Because any electrical engineer deserving his title will tell you that those sources won't produce noise of identical spectrum in the first place. Therefore, the spectra will change, giving you a sequence of jumps. The maximum you have to do is toggling
Much ado about nothing, me thinks
What would this or quantum cryptography be good for in practical terms? From what I understand they only work for a single connection, i.e. when Alice wants to talk to Bob they have to have a wire running from one to another. Which means that range is rather limited and it also means it would be easy to attack. Somebody could simply cut the wire and thus forcing Alice and Bob to fall back to other insecure means of communication or to not communicate at all.
Are there ways to use these secure channels to build a real redundant network where traffic could be rerouted when lines fail? Or would the routers end up being the weak spot? Making it just as insecure as every other network?
Are there any other types of uses where those connections might be useful or are they no more theoretical toys?
When I read this, I had a flash back to a Dr. Who episode.(paraphrasing)
Army General: Trust me doctor this place is impenetrable.
Doctor: The problem with impenetrable is that it sounds too much like unsinkable.
Army General: Well whats wrong with that?
Doctor: Ask the passengers of the Titanic.
I always get a little bit itchy whenever people start throwing superlatives around like unbreakable, impenetrable, etc. Nature, Human ingenuity, or Human stupidity all have a nasty habit of proving us wrong.
"I'm making perfect sense, you're just not keeping up."
FTA the reasoning is: "...
[a] it takes an "educated eavesdropper" to even realise information is being sent when there seems to be just low-level noise on the line.
[b] If they do try to eavesdrop, they can only tell a message is being sent, not what it is, because it's impossible to tell whether Alice has a high or low resistor turned on, and whether the bit of information is a 1 or a 0.
[c] What's more, eavesdropping on the line will naturally alter the level of thermal noise, so Alice and Bob will know that someone is listening in."
a.) is security-by-obscurity, so is b.); and we all know what to say about that little assertion.
c.) is simply rubbish, I can place a tap on the line with a high impedence buffer that will be indetectable to both Bob and Alice but which allows me to measure the noise and recover the signal.
Quantum encryption is quite different, the tap actually disrupts the signal so that both Bob and Alice know immediately they're being listened to even if though don't know how. This scheme seems to be arguing that Bob and Alice will hear the equivalent of clicks-on-the-line aka mid 20thC techniques and be able to deduce tapping. I don't think that's been possible since the digitization of the phone system during the 80's and 90's.
In fact, let's get serious. This guy is talking about "level of noise" aka amplitude modulation as used in AM radios, but using the background noise as the carrier signal. This as got more in common with steganography than quantum encryption.
At being hyped beyond its true usefulness!
I belive congrats are in order.
TLF
I do not respond to cowards. Especially anonymous ones.
You are incorrect... If Eve gets to the wire first, then Alice and Bob may not know that there is a tap, but the tap is still worthless. Only the party at an enpoint would know what resistor THEY have put in, allowing them to deduce the resistor used at the other end. The person in the middle would only have the (worthless) piece of information that Alice and Bob differed in the resistor that they chose.
Noise endpoint 1 endpoint 2
High high high
Medium high low
Medium low high
Low low low
You throw out the high/low noise cases. In order to know what the other person is doing in the medium case you need to know what resistor YOU put in!
-Tom
P.S. one of my professors proposed this method during a casual conversation a few years back. It's and idea that has been kicked around for a while, and in my opinion is very solid.
P.P.S. there is no directionality to the signal here.
I read Schneier's page because I respect the guy, and I figured he'd know what he was talking about. It already seemed trivially vulnerable to a man-in-the-middle attack, but I wanted to see if I was the only one.
Looks like I'm right:
He actually details a few more problems:
But then, I guess it's the best we've got:
Don't thank God, thank a doctor!
The original article was published (and talked about in /., see Related Article link) back in 2005. The paper you cited claiming a break was replied to by the original author, and there have been a number of other papers back and forth since. The technique has credibility. As Bruce Schneier pointed out this technique if it works is no worse than quantum cryptography and is a lot simpler and cheaper, but it has all the other deficiencies of quantum cryptography. The author claims no more than that. He rebuts the arguments in the paper you linked to by showing that the amount of information leakage is less than that from a practical (as opposed to theoretically ideal) quantum cryptography system, and so can be dealt with using the same privacy-enhancing post-processing that has to be used with quantum crypto.
I agree with Schneier's assessment of quantum crypto as a solution in search of a problem, and this appears the same, although much cheaper to implement.
The most recent paper on the topic was a plenary talk given by the author last week at a conference in Italy. The references in that paper will give you the complete list of papers arguing with his results and his responses to those arguments.
But how do they put in those resistors? With switches. Switches that inject charge onto the output wire when their state changes. Switches with their own resistance and temperature coefficient of resistance. And that is detectable.
Alas, real resistors cannot be perfectly matched; the real wire state table has 16 rows. I estimate that if you pull out all the stops, you might be able to match them to one part in 10e-7 (0.1 parts per million), which is not sufficient for security work.
This technique is worse. Quantum cryptography** lets you know the extent to which your shared key has been decloaked, providing a rational basis for reusing chunks of the (expensive) one-time pad.
**A bad name. It really ought to be called quantum exposure detection.