Slashdot Mirror


Behind the First Secure Quantum Crypto Network

schliz writes "Researchers behind the world's largest quantum encrypted network said the technology could secure business networks inside six years. The prototype Quantum Key Distribution network was built by the Secure Communication Based On Quantum Cryptography (SECOQC) group last year. It is described in a journal paper published by the Institute of Physics this week, which includes details on how it is based on the trusted-repeater paradigm."

11 of 51 comments

  1. Not at those speeds by Architect_sasyr · · Score: 3, Insightful

    If they're getting 1kbps over 25km, I find it hard to believe that they will get it up to metropolitan speeds necessary in a few years. They've got decent funding and obviously have invested a fair bit of money into this, but for those speeds you might as well add tampering sensors to some tempest-rated conduit and run fiber. If they make significant speed improvements within 6 years, then I will be proven wrong, but I've seen nothing in the papers to suggest they can (I've been following this idea for a couple of years now).

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
    1. Re:Not at those speeds by hedwards · · Score: 2, Interesting

      Not necessarily, it depends what they're doing with it. This strikes me as an excellent way of distributing keys off band. From what I can tell they're just promising to secure the networks in that time, and that's possible with what they've got. Theoretically speaking.

      Well, that and ensuring that the keys are unobserved.

    2. Re:Not at those speeds by gweihir · · Score: 2, Insightful

      There is nothing excellent about it. Perhaps the most important weakness is that you cannot really route traffic, but need point-to-point links. If you look at what made the Internet great, you can see that this is a show-stopper. In addition the claimed security is wishful thinking. All physical theories have proven inaccurate so far. This could fall over with one PhD student having a bright idea.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Not at those speeds by gweihir · · Score: 2, Interesting

      Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.

      I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than physical measurements. This could well mean that you can break messages later. And, incidentally, you still have a conventional network and conventional encryption for the actual message. This means you have to maintain two networks and one of them is pretty expensive.

      Here is a thought experiment for the key exchange: Say you can exchange 1kB of key material per second. Alternatively, say you have 1TB disks with one-time pads as key sources. This gives you enough key material for 31 years at the speed of the quantum link. Now, do you suppose creating these HDDs is cheaper or building and operating the quantum link is cheaper? I would say the pre-arranged one-time pads are several orders of magnitude cheaper. In addition, they are more reliable, easier to secure, well understood and use only proven technology.

      If you really, really need high security, one-time pads do the job relatively cheap and with known properties. If you need more regular security, conventional encryption is fine. Quantum key exchange has no place in this.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Excuse me, but... by kvezach · · Score: 4, Informative

    ... what's the point of this network? The weakness of current crypto isn't that someone will break it to decrypt in feasible time, but rather what happens outside of the crypto itself. No perfectly secure quantum network can stop worms or social engineering attacks, and as far as cryptographic algorithms themselves go, AES-256 and RSA-3072 is strong enough.

    Now, if suddenly everybody had a quantum computer that could break RSA in polytime, there might be a point to this, but they don't, so there isn't - not that I can see.

    1. Re:Excuse me, but... by reashlin · · Score: 3, Insightful

      Now, if suddenly everybody had a quantum computer that could break RSA in polytime, there might be a point to this, but they don't, so there isn't - not that I can see.

      If suddenly is in, say, 10 years' time, then doing this research that will be much more feasible in 6 years' time seems pretty smart to me. Just because the technology isn't here now doesn't mean it isn't worth preparing for its arrival.

    2. Re:Excuse me, but... by Anonymous Coward · · Score: 2, Funny

      .AES-256 and RSA-3072 is strong enough..

      AES-256?
      You mean AES-110, right?

    3. Re:Excuse me, but... by kvezach · · Score: 2, Interesting

      Let's consider two cases here. The first is where you transmit the photons over a secure channel so nobody can tamper with them. In that case, delaying versus not delaying doesn't grant any advantage, and you could just as well transmit the OTP classically (in that case, the secure channel being a courier or something).

      That leaves the case where the channel is insecure. Doing the quantum transmission in one go falls to the man-in-the-middle attack I've detailed: I establish a computer in between, receive A's photons and send my own photons in its stead. I can't clone the photons, but I don't need to: I simply establish one OTP with A (A thinks he's sending that OTP to B), and another OTP with B (B thinks this is A's OTP), and transparently decrypt/encrypt what comes later.
      Your countermeasure is to break the protocol into two steps. As far as I understand, you're saying that because the photons are sent ahead of time, you can't tinker with them because entanglement happens without a connection. But this too falls to the MITM attack. Say A sends a bunch of entangled photons to B, then waits a week, then sets their states according to the QC protocol. What I do, as a man in the middle, is to accept A's photons, send my own to B, and wait a week. When the second stage commences, I read off the states, just like B would do with A's photons, then set the states (using entanglement) of the photons I sent to B.

      In order to know that I'm not B, you have to send something in advance, securely. The key doesn't have to be very long - password-authenticated key agreement methods work very well for this purpose, as they can't be cracked offline (usual caveats regarding quantum computers applying). The same holds for quantum crypto: you have to send at least some photons to B in such a way that you know they reach B and not myself. Quantum crypto detects if I'm fiddling with the photons themselves, but in the man-in-the-middle attack I've shown above, I'm not doing that. The photons that A sends to me, thinking I'm B, are never tinkered with except by the recipient (me). The photons I send to B, making B think I'm A, are never tinkered with except by the recipient (B) either.
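Added example, not part of the comment above or of the SECOQC paper: a noiseless BB84 simulation contrasting a photon tap (which raises the error rate) with the two-session man-in-the-middle the comment describes (which does not), and showing that a pre-shared authentication key on the classical announcements is what rejects it. The 11% abort threshold, the HMAC stand-in and all names are assumptions of this example.

```python
import hashlib, hmac, random

ABORT_QBER = 0.11   # assumed abort threshold for this example

def bb84(n, rng, tap=False):
    """One BB84 run. Returns (sender_key, receiver_key, sender_basis_announcement).
    tap=True models intercept-resend: photons are measured in transit and re-sent."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = []
    for bit, basis, b_basis in zip(a_bits, a_bases, b_bases):
        if tap:
            e_basis = rng.randrange(2)
            if e_basis != basis:
                bit = rng.randrange(2)      # wrong basis gives a random result
            basis = e_basis                 # photon continues in the tapper's basis
        b_bits.append(bit if b_basis == basis else rng.randrange(2))
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]   # sifting
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep], bytes(a_bases)

def qber(k1, k2):
    """Fraction of sifted bits that disagree: all the quantum layer can check."""
    return sum(x != y for x, y in zip(k1, k2)) / len(k1)

def tag(psk, transcript):
    # HMAC-SHA256 is a stand-in MAC chosen for this example.
    return hmac.new(psk, transcript, hashlib.sha256).digest()

def run(seed=1, n=2000, psk=b"constructed pre-shared secret"):
    rng = random.Random(seed)
    t_send, t_recv, _ = bb84(n, rng, tap=True)
    a_key, m_key_a, a_announce = bb84(n, rng)   # A <-> M, A believes M is B
    m_key_b, b_key, m_announce = bb84(n, rng)   # M <-> B, B believes M is A
    return {
        "tap_detected": qber(t_send, t_recv) > ABORT_QBER,
        "qber_tapped": qber(t_send, t_recv),
        "mitm_detected_by_qber": max(qber(a_key, m_key_a),
                                     qber(m_key_b, b_key)) > ABORT_QBER,
        "a_and_b_share_key": a_key == b_key,
        # A tags its own announcement; B verifies against what B received.
        "mitm_passes_auth": hmac.compare_digest(tag(psk, a_announce),
                                                tag(psk, m_announce)),
    }

if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```
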

  3. Bunch of new problems with quantum cryptography by getuid() · · Score: 3, Informative

    From what I've been told (I am a physics major, but I don't work in quantum cryptography as my main activity), there's a bunch of other weaknesses inherent to quantum encryption methods.

    For example, qubits are mostly transferred through some optical medium. At the receiving end, at some point, they are detected in one way or the other. "Detecting" means they alter the state of the detector in a measurable way. And there are some ideas (maybe even implementations?) of attacks that try to measure the alteration of the detector immediately after the detection, for example by probing with a laser pulse that follows the qubit pulse.

    Now due to some limitations of the physics of light pulses, this is something that, if implemented, is very difficult to defend against, since the light always goes both ways. It is also a kind of attack that could not be implemented against "classic" information transmission channels...
     
    ...I really find it interesting that every new technology seems to have its inherent weaknesses at one spot or the other -- kinda feels comfortable to know that "There is no silver bullet" still holds... :-)

    1. Re:Bunch of new problems with quantum cryptography by Anonymous Coward · · Score: 2, Informative

      Actually, light does not necessarily go both ways: you can have it go only one way using an "isolator". These are cheap fibre components that are used very commonly. Of course there are some implementation weaknesses in quantum cryptography, an article that examines various protocols is: http://arxiv.org/abs/0802.4155

  4. The switches are still trusted by Animats · · Score: 2, Interesting

    This system still assumes the switches are trusted. The point-to-point links have quantum encryption, but that doesn't help in networks with enough stations to need routers.

    From a crypto management point of view, secure links between two fixed points are easy. One time keys will work. Networks are much more difficult.
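Added example, not from the comment above or from the SECOQC paper: a hop-by-hop key relay in the trusted-repeater style, showing that every intermediate node holds the end-to-end secret in the clear even though each fibre carries only one-time-padded data. It goes beyond the comment by also showing XOR secret-splitting over two node-disjoint routes, after which no single relay holds the secret. Node names and link keys are constructed for the illustration.

```python
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def relay(path, link_keys, secret):
    """Carry `secret` along `path`, one-time-padding it with each link's QKD key.
    Returns (value delivered, {relay node: plaintext it held}, ciphertexts on the fibre)."""
    held, wire, current = {}, [], secret
    for src, dst in zip(path, path[1:]):
        pad = link_keys[(src, dst)]
        ct = xor(current, pad)      # what an observer of the fibre sees
        wire.append(ct)
        current = xor(ct, pad)      # dst strips the pad before the next hop
        if dst != path[-1]:
            held[dst] = current     # plaintext sits in the relay's memory
    return current, held, wire

def make_links(path, n):
    # Constructed stand-ins for the keys each QKD link would have produced.
    return {(s, d): secrets.token_bytes(n) for s, d in zip(path, path[1:])}

def single_path(secret):
    path = ["A", "R1", "R2", "B"]   # hypothetical topology
    return relay(path, make_links(path, len(secret)), secret)

def split_paths(secret):
    """Two XOR shares over node-disjoint routes; B recombines them."""
    share1 = secrets.token_bytes(len(secret))
    share2 = xor(secret, share1)
    p1, p2 = ["A", "R1", "B"], ["A", "R2", "B"]
    d1, held1, _ = relay(p1, make_links(p1, len(secret)), share1)
    d2, held2, _ = relay(p2, make_links(p2, len(secret)), share2)
    return xor(d1, d2), {**held1, **held2}
```

Splitting only helps against a single compromised relay; two relays that pool their shares recover the secret.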