Slashdot Mirror

← Back to Stories (view on slashdot.org)

Commercial Quantum Cryptography System Hacked

Posted by Soulskill on from the superposition-of-safe-and-unsafe dept.

KentuckyFC writes "Any proof that quantum cryptography is perfect relies on idealized assumptions that don't always hold true in the real world. One such assumption is related to the types of errors that creep into quantum messages. Alice and Bob always keep a careful eye on the level of errors in their messages because they know that Eve will introduce errors if she intercepts and reads any of the quantum bits in a message. So a high error rate is a sign that the message is being overheard. But it is impossible to get rid of errors entirely, so Alice and Bob have to tolerate a small level of error. This level is well known. Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment. Now, physicists have come up with an attack based on the realization that Alice also introduces errors when she prepares the required quantum states to send to Bob. This extra noise allows Eve to intercept some of the quantum bits, read them and then send them on, in a way that raises the error rate to only 19.7 percent. In this kind of 'intercept and resend attack,' the error rate stays below the 20 percent threshold and Alice and Bob are none the wiser, happily exchanging keys while Eve listens in unchallenged. The physicists say they have successfully used their hack on a commercial quantum cryptography system from the Geneva-based startup ID Quantique."

33 of 117 comments (clear)

  1. Wouldn't it be better... by jd · · Score: 3, Funny

    ...to e-mail Alice and Bob, rather than advertise that their love-letters are being snooped on?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Wouldn't it be better... by SomeJoel · · Score: 3, Funny

      I'm not even sure why Eve cares... unless she is Bob's wife, or Alice's husband (Alice still calls "her" Steve).

      --
      <Complete your profile by adding a signature!>
    2. Re:Wouldn't it be better... by SomeJoel · · Score: 2, Informative

      Alice is a man.

      I disagree, as per TFS:

      Alice also introduces errors when she prepares the required quantum states to send to Bob

      --
      <Complete your profile by adding a signature!>
    3. Re:Wouldn't it be better... by obarel · · Score: 2, Interesting

      It's about Alice Cooper.

      "she" is a typo (extra 's').

      Bob is Bob Ezrin.

    4. Re:Wouldn't it be better... by WrongSizeGlass · · Score: 2, Funny

      Excellent 70's rock reference. You deserve a point for "great memory" ;-)

  2. I seem to remember... by razathorn · · Score: 2, Insightful

    ...stopping reading the blurb on slashdot last week about the new position based system being secure because the people who previously said it wasn't secure changed their mind and said it was provably secure and then proceeded to use the words "cannot easily" to justify it being secure. Now, this week I see a commercial system that has been cracked because some how thresholds of likely hood were once again used. Anyone else see a trend?

  3. So, quantum cryptography is fundamentally flawed? by Anonymous Coward · · Score: 2, Insightful

    If this article is correct, all an eavesdropper has to know is the proper error threshold to stay under to remain undetected.

    Doesn't seem so secure to me.

  4. Re:the less sensational headline... by Ethanol-fueled · · Score: 3, Funny

    They could develop more sophisticated measurement techniques, similar to those utilized in modern data/telecom, as error thresholds become lower.

    They could call it the Quantum Bit Error Rate Test, or Q-BERT for short.

  5. Quantum Bullshit by sexconker · · Score: 2, Interesting

    The core idea of using quantum communication security (or, in general, quantum communication) is that you'll be able to tell when the message has been altered.

    All a man in the middle attack has to do is read the message, recreate it, and send out a spoofed message instead of the original message.

    Reading the message is trivial.

    Recreating the message, while introducing tolerable levels of noise is trivial once you have the key. Alice does it all the time.

    Blocking the original message is not trivial, but it is also not hard. It just requires physical access to the network. Be it jamming a wireless signal, splicing your attack node between two routers, whatever.

    Sending out the spoofed message is trivial. The internet is slow and laggy. You can easily read, alter, and resend the message without the delay being noticed.

    The only thing stopping a man in the middle attack is the need to have the key to resign an altered message as to make it appear that it came from Alice. This is a key-sharing problem. All digital security problems boil down to a key-sharing problem.

    The only thing the quantum nature of communication adds is the ability to detect when people might be listening. This only gets around eavesdropping, not an actual MITM attack.
    Indeed, the quantum nature of the "security", as this paper shows, actually opens the door to attacks, as the communication medium is not perfect and there is now a threshold for tolerable noise. Attacks can play around in that threshold all day long.

    1. Re:Quantum Bullshit by arndawg · · Score: 2, Informative

      It's not just that you can tell when a message have been altered. It's that you can tell if someone have been eavesdropping.

    2. Re:Quantum Bullshit by fuzzyfuzzyfungus · · Score: 2, Insightful

      In a sense, though it is called "cryptography", quantum crypto is basically about link integrity detection, rather than anything resembling cryptography in the classical sense.

      Basically, if you have a fiber run that you want to make sure nobody is tapping, you can either station trustworthy guys with guns every few yards along its length or you can put a quantum crypto box at each end. Given that the guys-with-guns approach is largely impractical(especially for buried or undersea lines) the potential to get the same effect just by putting a pricey network box on each end is rather attractive. Almost wholly unlike classical crypto, which is designed around keeping information useless without the key, even across known-untrusted links.

    3. Re:Quantum Bullshit by Hurricane78 · · Score: 2, Informative

      All a man in the middle attack has to do is read the message, recreate it, and send out a spoofed message instead of the original message.

      Reading the message is trivial.

      You don’t understand quantum physics AT ALL, do you? Or you’re just a troll.

      Read up on entanglement.

      There is no way to recreate the message. Because you can’t entangle the photons again. It’s literally physically impossible.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:Quantum Bullshit by Interoperable · · Score: 3, Informative

      Sending out the spoofed message is trivial.

      No it isn't. It's impossible to do it with better than 50% accuracy, which will make the man-in-the-middle very, very detectable. None of the useful information is ever sent using quantum bits, it's only one-time-pad style key. If a man-in-the-middle is detected, the key is not used and no secure information is breached. I mentioned it in an above post, but the best that a "hacker" could ever do is get a few random bits of information out of every hundred, even with this attack. That isn't enough information about the key to extract any information about the message.

      Alice and Bob compare measurement results before send the message. There is theoretically no way to intercept and resend bits or eavesdrop without introducing errors.

      --
      So if this is the future...where's my jet pack?
    5. Re:Quantum Bullshit by Interoperable · · Score: 2, Informative

      I was basing my description on the BB84 cryptographic protocol. That protocol does not use an entangling source, rather it sends single q-bits along a quantum channel to be detected by Bob. I interpreted a man-in-the-middle attack to be an intercept-resend attack in that channel. So:

      Ideal: Alice --------> Bob

      MITM: Alice ------> detect - read - resend ------> Bob

      If the channel is noise-free, the detectors are ideal and the states are prepared perfectly, this is theoretically secure against if error rates are lower than 20%. The article exploits imperfectly prepared states in a first-generation commercial system to gain full access to information using an elaborate intercept resend attack.

      A system that uses entangled sources is employed to boost transmission distances by sending entangled pairs to Alice and Bob from a central source, thus reducing distances:

      Alice ------- Pair Source -------> Bob

      In simple schemes, the source has to be trusted because it is vulnerable to MITM attacks; however, the scheme can be secured using more elaborate techniques. For example, if Alice and Bob each generate an entangled pair and send one side of those pairs to a central location, then no party at that location can break into the information. This is called entanglement swapping.

      The system developed by Id Quantique is a very simplistic implementation of the BB84 protocol using time-bin encoded q-bits. It uses no entangled pairs, just a source at Alice and a detector at Bob. It uses imperfect sources, detectors and channels and is in no way theoretically secure against all attacks.

      I once attended a presentation made by an Id Quantique representative to a room of experts (among them was Brassard, one of the "B"s of the BB84 protocol). The representative made a list of what was needed to build a quantum cryptography system. It included: books on TCP/IP protocols, Linux driver manuals and fiber optic cable. Absent was a source of quantum light (they use weak lasers, not true quantum sources), or a text on quantum optics.

      The point was that the commercial systems are not attempting to implement the elaborate privacy-increasing techniques that are being thought out by the academics in quantum information. They are simple, first-generation devices that aren't trying to keep up with attacks devised by the academic community.

      Quantum cryptography absolutely can be theoretically secure if proper sources and detectors are used. Such sources are difficult to build and are very expensive at the moment but much effort is being directed towards that goal. The other side of the coin is that much effort is going into determining exactly what attacks can be leveled against particular imperfections in equipment and how those attacks can be countered.

      --
      So if this is the future...where's my jet pack?
  6. Sure, sure, paint me as the bad one again by Anonymous Coward · · Score: 5, Funny

    Really, is a little fidelity in this relationship too much to ask for? I've caught Bob kissing that skank Alice so many fucking times and he always says he's sorry and he'll stop seeing her, but still I can tell they're exchanging information through hidden channels.

    But what I really hate is when people act like I'm so unreasonable by trying to find out what is going on and who my allegedly significant other is seeing behind my back. What the fuck.

    -
    Cryptographically Signed,

    Eve.

    (Inspired by xkcd, of course.)

  7. I don't think "prove" means what you think... by pla · · Score: 4, Interesting

    Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment.
    Then they do not "prove" anything.

    When you start from a false premise, you produce "garbage", not "proofs" (Actually, you can produce some really useful counterfactuals that way, but you wouldn't present it in the context of a proof of the original concept). Particularly when talking about security, what moron would assume any sources of error come from the environment rather than the attacker???

    1. Re:I don't think "prove" means what you think... by Opportunist · · Score: 4, Funny

      Errors are inevitable. It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

      I guess the correct answer is maybe. But only possibly so.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:I don't think "prove" means what you think... by Interoperable · · Score: 3, Insightful

      Those "morons" have doctorates in math and physics. What do you have?

      The idea is that if you can account for all known systemic noise sources then anything left will be from the attacker. The proofs set bounds for what error thresholds rule out the possibility of an attacker under given, known sources of noise in the system. The proofs are not wrong, they were simply done using particular sets of assumptions. If those assumptions are not applicable to a particular system, then obviously those calculations wouldn't be used.

      It astounds me that people think they know better than an entire discipline and even more so that they get modded up for doing it. But then again...it is the internet.

      --
      So if this is the future...where's my jet pack?
    3. Re:I don't think "prove" means what you think... by pla · · Score: 2, Interesting

      It astounds me that people think they know better than an entire discipline and even more so that they get modded up for doing it. But then again...it is the internet.

      Funny thing about the internet... Believe it or not, some of us do actually count as experts in the domain of knowledge in question, fully capable of calling BS even on all those magically-always-right PhDs out there.

      In this case, I can't claim myself an expert (merely have a minor in math, concentrating on, of all things, proof theory). But I stand by my statement - A proof with easily violated premises doesn't "prove" anything. It may remain valid for some subset of input sets, but validity does not equal truth. And when your input set equals the real world, you can't just arbitrarily constrain it and still call it true.

    4. Re:I don't think "prove" means what you think... by Interoperable · · Score: 4, Informative

      I happen to have have read a number of such papers because it is related to the field that I work in and I have some idea of what is involved in determining bounds on error rates. They are absolutely proofs in the very strictest sense of the word. They state up-front what the assumptions are and derive rigorous proofs within the conditions that were laid out.

      The mathematical premises are completely sound. The only question is what physical system the assumptions used to arrive at those premises apply to. The idealized system is clearly laid out in the paper and can be assessed for how applicable it is to a given physical system. To say that the premises are unsound because the simplifying assumptions may not apply to real systems is to reject any mathematical analysis of the physical world.

      You are confusing the ideas of a premise in mathematics and an assumption in physics. What has been done is the different between a correct analysis of an idealized system. What you claim is that an incorrect analysis of a realistic model has occurred, which is incorrect.

      --
      So if this is the future...where's my jet pack?
    5. Re:I don't think "prove" means what you think... by Interoperable · · Score: 2, Insightful

      It's not the questioning of conclusions that I disagree with. Scientists love informed debate, but don't appreciate being called "morons." Anyone with the insight about the discipline to make a shrewd observation about the correctness of the work would recognize that the people involved are not morons.

      It's important to keep an open mind, but the vast, vast majority of "OMG, how can you sheeple be so stupid?" posts about quantum physics can be safely ignored without any loss to the body of knowledge.

      --
      So if this is the future...where's my jet pack?
  8. Isn't this obvious? by mrsteveman1 · · Score: 5, Funny

    Eve is a fucking spy, arrest her.

    I'm not too sure about Alice and Bob either, seems they're always around when these things happen.

    1. Re:Isn't this obvious? by Actually,+I+do+RTFA · · Score: 2, Funny

      Eve is a fucking spy, arrest her.

      Eve is clearly spying on fucking, but it's not clear that she herself is fucking to do so.

      --
      Your ad here. Ask me how!
    2. Re:Isn't this obvious? by MRe_nl · · Score: 4, Funny

      It's not that easy.

      She's only called Eve online.

      --
      "Kill 'em all and let Root sort 'em out"
  9. Re:the less sensational headline... by palegray.net · · Score: 2, Insightful

    The ability to control external noise in real-world operating environments, at least to the degree necessary to mitigate this issue, would seem to represent a rather nasty challenge. This may be a severely constraining factor on the potential for practical usefulness of quantum cryptography, at least for the time being.

    --
    512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
  10. Re:the less sensational headline... by WrongSizeGlass · · Score: 4, Funny

    A 20% error rate isn't good enough to launch a missile, but it's better than a weatherman's accuracy. This tells us that Alice, Bob and Eve don't work for NORAD or the National Weather Service. That narrows down the field considerably. It won't be long before their identities are discovered, posted on TMZ and they won't need these silly quantum encrypted messages anymore.

  11. any lock made by a man by circletimessquare · · Score: 4, Insightful

    can be broken by a man

    depending upon your current situation in life, this is either a wonderfully hopeful or horribly depressing realization

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  12. NIST achieved 99% detection efficiency last month by ortholattice · · Score: 4, Interesting

    One the main contributors to the error rate is the photon detection efficiency, where 80% or better is considered "good". In a major breakthrough last month, NIST (yes, the National Institute of Standards and Technology, not some startup company's marketing hype) has achieved a record single-photon detection rates of 99% - and possibly better, since there currently exists no metrology to test that level of efficiency. So in terms of that source of error, things are looking up.

  13. A flaw....but fixable.... by Dthief · · Score: 2, Informative
    Insightful FTA:

    Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

    --
    www.RacquetUp.org - Helping Detroit Youth
  14. Re:NIST achieved 99% detection efficiency last mon by ortholattice · · Score: 2, Informative
    But at what dark-count rate? There are always trade-offs.

    The dark count is essentially zero. That's what makes this breakthrough so impressive.

    FTA I linked:

    "When these detectors indicate they've spotted a photon, they're trustworthy. They don't give false positives," says Nam, a physicist with NIST's Optoelectronics division. "Other types of detectors have really high gain so they can measure a single photon, but their noise levels are such that occasionally a noise glitch is mistakenly identified as a photon. This causes an error in the measurement. Reducing these errors is really important for those who are doing calculations or communications."

  15. Re:So, quantum cryptography is fundamentally flawe by TheLink · · Score: 4, Insightful

    Thing is nowadays TB drives are quite cheap. Generate a huge OTP, spread it over three drives at A, spread it over another three drives and send all three to B via three different couriers/paths. Add ECC if you want.

    If they all made it safely without interception. You've got your secure channel. 1TB/128kbps = 2 years. 1TB/256kbps = 1 year.

    You could send more than one set of drives. When they all arrive, you tell the "B" let's start with drive set #5.

    --
  16. Re:the less sensational headline... by bertok · · Score: 2, Interesting

    The ability to control external noise in real-world operating environments, at least to the degree necessary to mitigate this issue, would seem to represent a rather nasty challenge. This may be a severely constraining factor on the potential for practical usefulness of quantum cryptography, at least for the time being.

    Can someone explain to me why anybody is even bothering with this technology?

    Are existing cryptographic algorithms so untrustworthy that it's better to use an untested technology that a) makes the already very expensive line equipment significantly more expensive, b) may prevent the use of certain kinds of repeaters or active splices, c) is so insanely complex that nobody except a select few physicists understand the details.

    Also, unlike current cryptographic techniques, quantum cryptography is strictly one hop instead of end-to-end, which is a big issue in many cases, like when one ISP tunnels their data over another ISP's link.

    More importantly, it doesn't actually encrypt any of the data in the traditional sense. The data goes across the wire unencrypted, the quantum system just detects a man-in-the-middle attack. If someone comes up with a technique for reading the data without interference (like the article says), then you're screwed. With a traditional crypto solution, it might be sufficient to just increase the key size parameter in a config file somewhere!

    I don't see how this can compete with standard crypto. If someone is that paranoid, it should be more than enough to just nest a couple of different algorithms together, and use the maximum keysizes for all of them. There's just no way anybody is breaking that at 2Tbps line rates any time soon, no matter what conspiracy theories you subscribe to about the NSA's capabilities!

    Think about it this way: with traditional crypto, it's at least possible, in principle, for an end-user to use an open source software stack using an open, publicly tested algorithm, and completely verify the implementation. With quantum crypto, you get a black box with some physics in it that no IT administrator will understand and be able to test. It'll send data unencrypted across a wire that you now hope is hack proof. For all anybody knows, it'll be sending data as-is with no protection, and nobody will be able to even tell. If you were the NSA and wanted access to fibre optic links, wouldn't this be the best thing ever?

  17. Dump Alice by fyoder · · Score: 2, Funny

    I say Bob should dump Alice and go with Eve. Bad girls are hot.

    Though dumped good girls can be trouble as well, so the original problem remains.

    Sadly, as long as Eve (or Alice) are sufficiently determined to intercept Bob's communications, he's got problems. The only answer may be to become a celibate monk in a monastery committedly observing a vow of silence.

    --
    Loose lips lose spit.