Slashdot Mirror

← Back to Stories (view on slashdot.org)

Behind the First Secure Quantum Crypto Network

Posted by Soulskill on from the not-just-really-really-small-keys dept.

schliz writes "Researchers behind the world's largest quantum encrypted network said the technology could secure business networks inside six years. The prototype Quantum Key Distribution network was built by the Secure Communication Based On Quantum Cryptography (SECOQC) group last year. It is described in a journal paper published by the Institute of Physics this week, which includes details on how it is based on the trusted-repeater paradigm."

51 comments

  1. Not at those speeds by Architect_sasyr · · Score: 3, Insightful

    If they're getting 1kbps over 25km, I find it hard to believe that they will get it up to metropolitan speeds necessary in a few years. They've got decent funding and obviously have invested a fair bit of money into this, but for those speeds you might as well add tampering sensors to some tempest-rated conduit and run fiber. If they make significant speed improvements within 6 years, then I will be proven wrong, but I've seen nothing in the papers to suggest they can (I've been following this idea for a couple of years now).

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
    1. Re:Not at those speeds by hedwards · · Score: 2, Interesting

      Not necessarily, it depends what they're doing with it. This strikes me as an excellent way of distributing keys off band. From what I can tell they're just promising to secure the networks in that time, and that's possible with what they've got. Theoretically speaking.

      Well, that and ensuring that the keys are unobserved.

    2. Re:Not at those speeds by Architect_sasyr · · Score: 1

      Even so (and forgive me if I make a mistake here), 1k is only a 1024 bit key, to be sending anything of any decent size will geometrically increase the keying time. 4 seconds for a 4096 bit key, even if the keying is the only thing that happens on one side it's still a long time. I didn't see whether the system was full or half duplex either, so is it actually 2 seconds to setup the basics for a 1024 bit exchange?

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    3. Re:Not at those speeds by Anonymous Coward · · Score: 0

      Not if they increase speed. Yes, you noted that option in your original comment but spoke mostly of getting it up to metropolitan speeds. If they can get the speed to 2kbps it already changes the time from 4 seconds to two. If they manage to speed things up to 10kbps in six years (which sounds very doable), it would be well enough for key exchange.

    4. Re:Not at those speeds by gweihir · · Score: 2, Insightful

      There is nothing excellent about it. Perhaps the mort important weakness is that you cannot really route traffic, but need point-to-point links. If you look at what made the Internet great, you can see that this is a show-stopper. In addition the claimed security is wishful thinking. All pysical theories have proven inaccurate so far. This could fall over with one PhD student having a bright idea.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Not at those speeds by lucat · · Score: 1

      1kbps should be good enough to exchange secret keys for "real world" cryptography.
      This should be used in place of Asymmetric-key cryptography.

      Once you know that the secret key has not been eavesdropped then you can use regular symmetric-key cryptography over faster but unsafe communication channels.

      The goal of secure quantum networks is to substitute asymmetric-key cryptography, non in place of symmetric-key cryptography.

      The length of a symmetric-key for AES-256 is... 256 bits... so 1kbps for that is good enough.

    6. Re:Not at those speeds by QuantumV · · Score: 1

      Perhaps the mort important weakness is that you cannot really route traffic, but need point-to-point links.

      Well, the point of the SECOQC network is to demonstrate a network with routing capabilities. It is a network that consists of many point-to-point links.

      All pysical theories have proven inaccurate so far. This could fall over with one PhD student having a bright idea.

      Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor. We cannot exclude the possibility that if someone is able to put the fiber through a wormhole, something strange would happen, but from a bright PhD student imagining this possibility to this becoming realistic there is probably a span of several decades.

      Also, a quantum cryptography protocol will have to be broken at the time of the key exchange. If someone realizes two minutes later how it could have been broken it's too late. With modern cryptography the encrypted messages may be intercepted and stored until some bright PhD student in computer science makes a breakthrough, so that all messages sent in the past can be decrypted.

    7. Re:Not at those speeds by ToasterMonkey · · Score: 1

      There is nothing excellent about it. Perhaps the mort important weakness is that you cannot really route traffic, but need point-to-point links. If you look at what made the Internet great, you can see that this is a show-stopper.

      This isn't much different from how your credit card & ATM transactions are processed.

      You're focusing on the network too much rather than the trust model. Instead of all our banks trusting each other directly and sharing keys with each other (way too many banks in the world, and the key exchange process is nothing to joke about), a bank trusts one or more switches, which trust one or more switches, which trust other banks. AFAIK, the actual network connections are private circuits. Did you know that those financial transactions need to be complete within a certain number of milliseconds? That guarantee is not possible using the Internet.

      You seem to be suggesting we should use a different trust model, and not use new crypto technology... for the sake of the Internet. An Internet that is probably not appropriate considering the nature of the information that would use this crypto system.

      The Internet is just a means to an end, don't get so attached.

    8. Re:Not at those speeds by gweihir · · Score: 2, Interesting

      Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.

      I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than pysical measurements. This could well mean that you can break messages later. And, incidentially, you still have a conventional network and conventional encryption for the actual message. This means you have to maintain two networks and one of them is pretty expensive.

      Here is a thought experiment for the key exchange: Say you can exchange 1kB of key material per second. Alternatively, say you have 1TB disks with one-time pads as key sources. This gives you enough key material for 31 years at the speed of the quantum link. Now, do you suppose creating these HDDs is cheaper or building and operating the quantum link is cheaper? I would say the pre-arranged one-time pads are several orders of magnitude cheaper. In addition, they are more reliable, easier to secure, well understood and use only proven technology.

      If you really, really need high security, one-time pads do the job relatively cheap and with known properties. If you need more regular security, conventional encryption is fine. Quantum key exchange has no place in this.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Not at those speeds by QuantumV · · Score: 1

      Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.

      I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than pysical measurements. This could well mean that you can break messages later. And, incidentially, you still have a conventional network and conventional encryption for the actual message. This means you have to maintain two networks and one of them is pretty expensive.

      During the "hardware phase" of a quantum key exchange there is a certain amount of noise that has to be corrected due to imperfections in the channel and that means that there is in practice always possible with some information leakage. The apparatus therefore estimates the maximum possible amount of information leakage (making sure it is overestimated rather than underestimated) and performs "privacy amplification" to make sure that this information is useless to an eavesdropper (this lowers the key rate and is one of the reasons it is only 1 kbps). Now say an eavesdropper finds a new source of information leakage. This is only a problem if the total information leakage is greater than the estimated maximum leakage.

      Here is a thought experiment for the key exchange: Say you can exchange 1kB of key material per second. Alternatively, say you have 1TB disks with one-time pads as key sources. This gives you enough key material for 31 years at the speed of the quantum link. Now, do you suppose creating these HDDs is cheaper or building and operating the quantum link is cheaper? I would say the pre-arranged one-time pads are several orders of magnitude cheaper. In addition, they are more reliable, easier to secure, well understood and use only proven technology.

      I agree that creating and securing these HDDs is much cheaper, but a QKD system would fail more gracefully if you have a security breach in some realistic scenarios. Imagine that in month 2 you had an employee with malicious intent at your secure site. If this employee would be able to copy the 1 TB HDD, anyone outside would be able to decrypt anything during the next 31 years. The same person would only be able to leak information from his period of employment if a continuously generated key is used. (This is a somewhat oversimplified version of an argument made by a MagiQ representative)

      If you really, really need high security, one-time pads do the job relatively cheap and with known properties. If you need more regular security, conventional encryption is fine. Quantum key exchange has no place in this.

      QKD probably has a place in niche markets (companies like MagiQ and IdQuantique actually have customers). An intersting observation regardig the cost of QKD devices is that the cost of a full system is not much higher than the single photon detectors they contain. This means that if somebody finds a way to manufacture single photon detectors cheaply, the cost of QKD devices will drop drastically. If the devices are not very expensive and you already have fibers, why not use them?

      Disclaimer: I have benefited from SECOQC funding, but have not worked on anything related to the implemented network or any other QKD implementations.

    10. Re:Not at those speeds by gweihir · · Score: 1

      I agree that creating and securing these HDDs is much cheaper, but a QKD system would fail more gracefully if you have a security breach in some realistic scenarios. Imagine that in month 2 you had an employee with malicious intent at your secure site. If this employee would be able to copy the 1 TB HDD, anyone outside would be able to decrypt anything during the next 31 years. The same person would only be able to leak information from his period of employment if a continuously generated key is used. (This is a somewhat oversimplified version of an argument made by a MagiQ representative)

      True. Of course you use a traditional key exchange in addition to the one-time pad, as it comes almost for free. But this does not count as you can do the same for QKD.

      This type of attack is the well-known primary risk for one-time pads. It is also (mathematically proven) the only real risk and it should be controllable with conventional crupto and physical security. You can also split the pad so each part is worthless. Now for the QKD: The employee can manipulate the pysical device to leak information. This may or may not be much harder, but would people even be looking for it?

      And one more thing: It seems to me QKD is very vulnerable to denial of service. Cut the fiber, damage the endpoint. For conventional networking, you just use alternate routing or connectivity, which is available and you have very low requirements. For QKD, you allways need to repair the original thing. This may be effort (and cost) enough for a DoS degradation attack: Cut the cables often enough so people go back to conventional means.

      QKD probably has a place in niche markets (companies like MagiQ and IdQuantique actually have customers). An intersting observation regardig the cost of QKD devices is that the cost of a full system is not much higher than the single photon detectors they contain. This means that if somebody finds a way to manufacture single photon detectors cheaply, the cost of QKD devices will drop drastically. If the devices are not very expensive and you already have fibers, why not use them?

      Well, as a niche market, it is a possibility. Security concerns aside, I still think this does not make ecconomic sense in most cases, as you need to maintain two different technologies for a link and have a length constraint.

      Disclaimer: I have benefited from SECOQC funding, but have not worked on anything related to the implemented network or any other QKD implementations.

      As long as it was for research, I am fine with that.

      I am just offended by the claims made of these vendors. I think the science is too shaky for commercialisation. I also think ecconomically this does typically not make sense, as well understood cheaper solutions exist. Also QKD does not solve the whole problem. At the moment a vulnerability in the symmetric ciper used after it or the protocols used in data transfer seem a much higher risk than risks with the key exchange. And QKD is advertised as the think that solves it all, while it only solves one part and the system can break in numerous other places. I think that is dishonest.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Not at those speeds by Hurricane78 · · Score: 1

      So what? You only need to transfer the *keys*. Not the data! The data is safe, because the keys are safe. I thought that was the point, wasn't it?

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  2. 1kbps is low throughput but... by mlts · · Score: 1

    If one ran the quantum encrypted backbone on one adapter of machines, and normal Internet stuff on another, perhaps the handshakes and the key exchange for large volume data transfers over SSL or ssh be done via the quantum interface, then the session key negotiated be used over the Ethernet link. This way, should a private key be compromised or broken on a host it would not affect future communications (assuming the security hole is patched and the machine re-secured.)

    I can see running these two networks in parallel for a network that spans companies, say for credit card validation from businesses to banks, inter-bank communication, or communication between hospitals. The regular backbone would be used for bulk file transmissions encrypted with a negotiated key via the quantum link, or if a small file needs maximum security, it can be sent along the low bandwidth link.

    1. Re:1kbps is low throughput but... by CarpetShark · · Score: 1

      perhaps the handshakes and the key exchange for large volume data transfers over SSL or ssh be done via the quantum interface, then the session key negotiated be used over the Ethernet link.

      Exactly. With an out-of-band channel for the encryption keys, you could build something pretty secure easily. Even timesharing a 1kbps secure key exchange network on a one-transaction-per-minute basis would be pretty useful. Of course, there are tons of issues with trusting that link supplier in the first place, and more if you share it as a network, and still more with all the related technology and whether it's a good idea to be on the bleeding edge etc.

      I'd hate to see only big businesses etc. having something like this though. Much of the greatness of the web (and indeed the internet) is that roughly the same security** and communication ability is available to everyone.

      ** Assuming they listen when you tell them to stop using IE ;)

    2. Re:1kbps is low throughput but... by nacturation · · Score: 1

      If one ran the quantum encrypted backbone on one adapter of machines, and normal Internet stuff on another, perhaps the handshakes and the key exchange for large volume data transfers over SSL or ssh be done via the quantum interface, then the session key negotiated be used over the Ethernet link. This way, should a private key be compromised or broken on a host it would not affect future communications (assuming the security hole is patched and the machine re-secured.)

      The whole point of public key cryptography is that the encryption setup is secure, even if an attacker is able to watch every byte that gets exchanged. If your private keys are compromised, then having transmitted the private keys over an unbreakable quantum link doesn't really matter at that point because the only solution is to revoke the keys and reissue new ones.

      If you really need maximum security, then use 8192 bit public key encryption... nobody's going to be breaking that any time soon.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    3. Re:1kbps is low throughput but... by mlts · · Score: 1

      The advantage of the dual link setup is that public key cryptography can be done away with altogether. Public key cryptography as of now is secure, but there are worries about it, from theoretical algorithms that speed up factoring, to very large key sizes and large amounts of computations required for larger keys (Big O for larger key sizes is N^3, so an 8192 bit key would require 64 times as much CPU power as a 2048 bit key.)

      Of course, because the two machines negotiate a key over a secure connection, there is no PKI needed to protect against man-in-the-middle attacks. No certificates, CRLs, worries about a CA compromise, or expired keys. The two machines set up a session key via the secure connection by themselves, and then use it over the insecure connection. Barring a machine (or admin) compromise, an attacker would have to either attack the quantum system, or brute force session keys; both very difficult to do. When it comes to security, the simpler the better (ceteris paribus).

  3. Excuse me, but... by kvezach · · Score: 4, Informative

    ... what's the point of this network? The weakness of current crypto isn't that someone will break it to decrypt in feasible time, but rather what happens outside of the crypto itself. No perfectly secure quantum network can stop worms or social engineering attacks, and as far as cryptographic algorithms themselves go, AES-256 and RSA-3072 is strong enough.

    Now, if suddenly everybody had a quantum computer that could break RSA in polytime, there might be a point to this, but they don't, so there isn't - not that I can see.

    1. Re:Excuse me, but... by reashlin · · Score: 3, Insightful

      Now, if suddenly everybody had a quantum computer that could break RSA in polytime, there might be a point to this, but they don't, so there isn't - not that I can see.

      If suddenly is in say 10 years time. Then doing this research that will be much more feasible in 6 years time seems pretty smart to me. Just because the technology isnt here now doesn't mean it isnt worth preparing for its arrival

    2. Re:Excuse me, but... by gweihir · · Score: 0, Redundant

      In addition there is no need to believe Quantum key exchange is really secure. This is a theoretical claim from Physics, and their theories so far have all proven to be only partially accurate. For me the risk in this stuff is far higher than with conventional key exchange. An the security level is less (if at all) scalable.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Excuse me, but... by Anonymous Coward · · Score: 0

      You don't seem to understand quantum crypto. It does not attempt to address 'breaking current crypto to decrypt in feasible time'. Quantum crypto does not use larger or somehow unbreakable keys. Quantum crypto is designed to counter interception and forgery of keys at the time of exchange.

    4. Re:Excuse me, but... by Anonymous Coward · · Score: 2, Funny

      .AES-256 and RSA-3072 is strong enough..

      AES-256?
      You mean AES-110, right?

    5. Re:Excuse me, but... by kvezach · · Score: 1

      As opposed to AES-128 or AES-192, both of which are permitted by the AES standard. Either of these are probably secure enough, but why not go for the full 256 bits?

    6. Re:Excuse me, but... by Anonymous Coward · · Score: 1, Informative

      AES-192 and AES-256 are weaker than AES-128:

      https://cryptolux.uni.lu/mediawiki/uploads/1/1a/Aes-192-256.pdf

    7. Re:Excuse me, but... by kvezach · · Score: 1

      I do understand quantum crypto, and I know that it is theoretically secure (that is, if the lasers only generate a single photon at a time, etc).

      But say you have two black boxes. The first uses Diffie-Hellman to exchange a key for subsequent AES encryption; the second exchanges a one time pad using quantum cryptography. What's the advantage of the second? In a passive attack (snooping alone), the snooper can't break Diffie-Hellman. In an active attack (man-in-the-middle), quantum crypto fails as well: I just put a machine in the middle that acts as A to B and B to A, receive one pad from A and send a completely different one to B, and go on my merry way, transparently reencrypting anything passing through.

      Hence, the only reason not to use Diffie-Hellman (or some other kind of exchange) is if public key encryption is rendered insecure, or if the symmetric crypto used after the hybrid stage is weak to the level that it can be guessed. Quantum computers can do the former, but we don't have them yet (serious decoherence problems), and in any event, it seems like it would be much cheaper to invent a public key crypto/key exchange algorithm that cannot be inverted in BQP, instead of making an entirely different network. As for the latter, good luck using academic breaks to guess AES keys.

      If the quantum crypto black box exchanges AES keys instead of one-time pads, then the second reason disappears. All you're left with is that it's worth it to use quantum crypto if adversaries can break any key exchange algorithm you might otherwise use. To use a lot of money to build a network on the remote chance that someone somewhere might have a kilo-qubit quantum computer (or Janek's chip) seems... out of proportion to the actual risk.

    8. Re:Excuse me, but... by drrobin_ · · Score: 1

      But say you have two black boxes. The first uses Diffie-Hellman to exchange a key for subsequent AES encryption; the second exchanges a one time pad using quantum cryptography. What's the advantage of the second? In a passive attack (snooping alone), the snooper can't break Diffie-Hellman. In an active attack (man-in-the-middle), quantum crypto fails as well: I just put a machine in the middle that acts as A to B and B to A, receive one pad from A and send a completely different one to B, and go on my merry way, transparently reencrypting anything passing through.

      You can't perform a man-in-the-middle attack with quantum crypto because the one-time-pads are exchanged in advance. You can't send an OTP with the message, you have to share it in a secure manner at some previous time. In the quantum crypto case, you would create and distribute the entangled particles ahead of time, then use the OTP to send a strong symmetric crypto key and encrypt your normal communication with that.

      You can't intercept that one-time-pad key transmission because, if you did, you wouldn't be able to reproduce the OTP to re-encrypt your man-in-the-middle key to be sent to the other party. While quantum crypto doesn't prevent interference, it makes it impossible for the interference to not be noticed. That is its advantage.

      --
      to accept the praise of personal wisdom is an affront to the very ideal i hold dear.
    9. Re:Excuse me, but... by Antique+Geekmeister · · Score: 1

      It can be used against "you must give Microsoft all your master private keys" approaches, such as Palladium turned out to be. (It was later renamed Trusted Computing, and has turned out to have quite a few profound flaws.)

    10. Re:Excuse me, but... by kvezach · · Score: 2, Interesting

      Let's consider two cases here. The first is where you transmit the photons over a secure channel so nobody can tamper with them. In that case, delaying versus not delaying doesn't grant any advantage, and you could just as well transmit the OTP classically (in that case, the secure channel being a courier or something).

      That leaves the case where the channel is insecure. Doing the quantum transmission in one go falls to the man-in-the-middle attack I've detailed: I establish a computer in between, receive A's photons and send my own photons in its stead. I can't clone the photons, but I don't need to: I simply establish one OTP with A (A thinks he's sending that OTP to B), and another OTP with B (B thinks this is A's OTP), and transparently decrypt/encrypt what comes later.
      Your countermeasure is to break the protocol into two steps. As far as I understand, you're saying that because the photons are sent ahead of time, you can't tinker with them because entanglement happens without a connection. But this too falls to the MITM attack. Say A sends a bunch of entangled photons to B, then waits a week, then sets their states according to the QC protocol. What I do, as a man in the middle, is to accept A's photons, send my own to B, and wait a week. When the second stage commences, I read off the states, just like B would do with A's photons, then set the states (using entanglement) of the photons I sent to B.

      In order to know that I'm not B, you have to send something in advance, securely. The key doesn't have to be very long - password-authenticated key agreement methods work very well for this purpose, as they can't be cracked offline (usual caveats regarding quantum computers applying). The same holds for quantum crypto: you have to send at least some photons to B in such a way that you know they reach B and not myself. Quantum crypto detects if I'm fiddling with the photons themselves, but in the man-in-the-middle attack I've shown above, I'm not doing that. The photons that A sends to me, thinking I'm B, are never tinkered with except by the recipient (me). The photons I send to B, making B think I'm A, are never tinkered with except by the recipient (B) either.

    11. Re:Excuse me, but... by Anonymous Coward · · Score: 0

      If you insert a MITM system on the line, the receiving end will receive the message later than anticipated due to delays in the MITM.

    12. Re:Excuse me, but... by nacturation · · Score: 1

      That leaves the case where the channel is insecure. Doing the quantum transmission in one go falls to the man-in-the-middle attack I've detailed: I establish a computer in between, receive A's photons and send my own photons in its stead. I can't clone the photons, but I don't need to: I simply establish one OTP with A (A thinks he's sending that OTP to B), and another OTP with B (B thinks this is A's OTP), and transparently decrypt/encrypt what comes later.

      If you're able to convince Alice that you're Bob and convince Bob that you're Alice, then no method of securing data is safe from that MITM attack. That's a fundamental trust issue which cannot be solved by any technology.

      If Alice thinks you're Bob, then having Alice whisked to you in one of the NSA's black helicopters and personally hand you the data doesn't really matter, does it? You've already intercepted it, Alice totally trusts you, and you could then copy the data, head over to Bob's place in the NSA's black helicopter and personally deliver it to Bob because Bob totally trusts you and thinks you're Alice.

      To call that a weakness of quantum crypto is either ignorance or a strawman.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    13. Re:Excuse me, but... by thethibs · · Score: 1

      They refer to it as a "Trusted Repeater Paradigm" precisely because you can do a man-in-the-middle attack. The repeater is doing man-in-the-middle forwarding with the exposed key. That's why it has to be trusted.

      I'm at a loss to find a use case for this.

      You need a secured repeater/router every 25 to 50 km, carrying a signal using an expensive technology whose justification can only be that the path between nodes can't be secured. There's a bit of tension between those two.

      So where would you use this that a secure repeater network can be put in place but you can't carry a CD full of OTP every couple of months?

      --
      I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
    14. Re:Excuse me, but... by Anonymous Coward · · Score: 0

      Because carrying CD's full of OTP is just so practical - especially when done by horseback.

  4. This is only a publicity stunt by gweihir · · Score: 0, Troll

    Nobody needs quantum key exchange (no, it is not even Cryptography, despite the claims). The data in these links needs to be encrypted with an ordinary cipher anyways, so there really is no need to uses something flashy for the key exchange. In addition, nobody knows whether quantum transmission is really as secure as claimed. These are theoretical predictions from a physical theory, and so far all of these have proven to be only partially accurate.

    Doing this the conventional way is cheap, fast, reliable and with a known and scalable security level. Doing this the quantum way is plain stupid, except in a laboratory for research purposes.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:This is only a publicity stunt by Anonymous Coward · · Score: 0

      You're an idiot.
      It's a fact that using Quantum Key Exchange allows for the exchangers to detect if there's a third party listening up on the exchanged keys, thus allowing them to switch channels where it is safe to exchange keys.
      Please kill yourself or simply not reproduce to help and improve this planet's gene pool.

    2. Re:This is only a publicity stunt by gweihir · · Score: 1, Funny

      What you call a "fact" is a conjecture. Wanting something to be true does not make it so.

      Also you do not understand the security model. The assumption is not that "channels are switched",
      as there are no redundant channels in a standard deployment. The Assumption is that the ability
      to detect evasdropping will prevent people from trying.

      Interesting dicrepancy between knowledge of the subject matter and level of aggressiveness
      in your posting. I suggest seeking professional help.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. You have said this before, multiple times by Anonymous Coward · · Score: 0

    How karma whore can you get?

    I first read the 10 comments so far, thought "Why are these so similar..." and realized that 3 out of the 10 comments so far are yours and they all have just the same content.

    1. Re:You have said this before, multiple times by gweihir · · Score: 1, Informative

      And if you look at them, one is an original post and the other two are replies. Knowing how to read is more than just knowing the letters.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Bunch of new problems with quantum cryptography by getuid() · · Score: 3, Informative

    From what I've been told (I am a physics major, but I don't work in quantum cryptography as my main activity), there's a bunch of other weaknesses inherent to quantum encryption methods.

    For example, qubits are mostly transfered through some optical medium. At the receiving end, at some point, they are detected in one way or the other. "Detecting" means they alter the state of the detector in a measurable way. And there are some ideas (maybe even implementations?) of attacks that try to measure the alteration of the detector immediately after the detection, for example by probing with a laser pulse that follows the qubit pulse.

    Now due to some limitations of the physics of light pulses, this is something that, if implemented, is very difficult to defend against, since the light always goes both ways. It is also a kind of attack that could not be implemented against "classic" information transmission channels...
     
    ...I really find it interesting that every new technology seems to have its inherent weaknisses at one spot or the other -- kinda feels comfortable to know that "There is no silver bullet" still holds... :-)

    1. Re:Bunch of new problems with quantum cryptography by Anonymous Coward · · Score: 2, Informative

      Actually, light does not necessarily go both ways: you can have it go only one way using an "isolator". These are cheap fibre components that are used very commonly. Of course there are some implementation weaknesses in quantum cryptogrophy, an article that examines various protocols is: http://arxiv.org/abs/0802.4155

    2. Re:Bunch of new problems with quantum cryptography by gweihir · · Score: 1

      Interesting. This detector probing could break the whole thing. Just shows my point that the security claims of "Quantum Key Exchange" (no crypto here) are not up to cryptographic standards, despite me being moderated down above for saying so. Some people seem to really, really want their castle in the sky.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Bunch of new problems with quantum cryptography by QuantumV · · Score: 1

      Interesting. This detector probing could break the whole thing..

      Yes, it could if if devices allow for this. This has been known for years and no modern device that lets this happen will be taken seriously.

  7. Porn drives the internet by Anonymous Coward · · Score: 0

    Did anyone else notice that the acronym is pronounced "SEE COCK"? Once again, porn drives the development of the internet.

  8. AES-128 *is* stronger now than AES-256!!! by PeterM+from+Berkeley · · Score: 1

    The parent is correct. I have verified this via
    https://cryptolux.org/FAQ_on_the_attacks

    Per that FAQ, AES-128 is in fact stonger.

    PLEASE MOD PARENT UP!!

    --PeterM

    1. Re:AES-128 *is* stronger now than AES-256!!! by red_blue_yellow · · Score: 1

      AES-128 is in fact stonger.

      Well, in some scenarios it is. The attack is a related key attack (sort of like what can be used against WEP). However, it's still quite strong. From the page:

      Q.: Is this attack practical?

      A.: No. Even after improvements we are still over 2^100 encryptions, which is beyond the computational power of the human kind. Moreover this attack works in a related key attack model which assumes a more powerful attacker than the single key model.

      --
      A neutral communications medium is essential. It is the basis of science, by which humankind should decide what is true.
  9. Maginot Line by sagman · · Score: 1

    Maginot Line, folks. Point-to-point encryption is one (important) element of a business network, but it's not sufficient to secure the business network. As such, its implementation would need to be assessed with respect to the total network security budget.

  10. The switches are still trusted by Animats · · Score: 2, Interesting

    This system still assumes the switches are trusted. The point-to-point links have quantum encryption, but that doesn't help in networks with enough stations to need routers.

    From a crypto management point of view, secure links between two fixed points are easy. One time keys will work. Networks are much more difficult.

  11. Securing a network that has Windows machines... by Anonymous Coward · · Score: 0

    ...attached to it is precisely as useful as sterilizing your dick before you stick it into someone with herpes.

  12. For Those Asking "What's the Point?" by iateyourcookies · · Score: 1

    For Those Asking "What's the Point?"... the detail is in the name. This network is being used to distribute encryption keys (not the content), while the network speeds may not look impressive at first glance, current high end RSA key is only 2048 bits long. A key every second on prototype tech really isn't too shabby. A single key can be used for an entire conversation. Someone else also pointed out that the problem with current crypto isn't that it can be broken, rather that there are ways around it. These ways all involve discovering the key somehow, rather than by brute force. Using a quantum network to distribute the key means that you can guarantee that the key you have hasn't been eavesdropped upon. Public/private key encrption has its own methods to deal with this, but this may not always be appropriate. If this allows guaranteed key security then you can use much simpler symmetric encryption.

    1. Re:For Those Asking "What's the Point?" by owlstead · · Score: 1

      Some remarks:
      - quantum key distro is not safe from side channel attacks, in other words, you can get around quantum cryptography as well
      - key management is much more important than key distribution
      - RSA 2048 is now considered to provide minimum security, not "high end" security
      - using a single key for an unbounded conversation is not safe
      - the key distro does not cover authentication, so some sort of authentication (e.g. asymmetric crypto) is still needed

  13. What is the value of OTP in modern secure systems? by Anonymous Coward · · Score: 1, Interesting

    All the quantum component of these systems do is generate the same pairs of random bits between exactly two systems. Its no more complicated than this.

    There is an obvious problem in that there is no "quantum trust" scheme possible to know exactly "what" is on either end of the system.

    Thus we must still rely on some form of "classical" secret key to enable either side to trust the other.

    These systems have the benefit that:

    A. Easedropping on an established link can be detected -- in practice active MITM attempts with a recovered secret key can likely be cloaked as some sort of network issue or sneaked into a maintenance window.

    B. Crptoanalysis is more difficult because the OTP data is mixed with the classical source out of band.

    However the security of any system is always dependent on its weakest link. Assuming the quantum part of the system works exactly as advertised (There have already been a number of oversights in this department) the system is hardly infallable or unbreakable because secrets are still managed using the same "classical" methods they always have.

    A modern zero-knowledge system share many of the same benefits of quantum crypto without dedicated fibre rings. Heck if people really wanted this for secure communications all they need to do is put the same random bits on a few TB disk drives and ferry them back and forth under armed guard once a year. You can talk 24/7 for years and not get close to reusing any bits, have MORE security and save quite a lot of money in the process.

  14. Crypto Obsolete? by Graphene · · Score: 1

    Isn't the idea of quantum crypto and even crypto in general seriously in doubt given the advent of the "First Electronic Quantum Processor" (see recent /. posting) Granted, the first processor is only 2qb, but once it's scaled to 8qb won't it be able to crack pretty much any crypto?