Slashdot Mirror


Hackers Eavesdrop On Quantum Crypto With Lasers

Martin Hellman writes "According to an article in Nature magazine, quantum hackers have performed the first 'invisible' attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission — 'they have fully cracked their encryption keys, yet left no trace of the hack.'"

161 comments

  1. Lessons by QuantumG · · Score: 0, Troll

    Gee, this technology is really underwhelming isn't it? It's almost like theoretical claims rarely match up with reality and creating something that delivers security takes years of dedicated effort in an open environment.

    --
    How we know is more important than what we know.
    1. Re:Lessons by neumayr · · Score: 5, Informative

      The underlying principle is still valid; those people exploited a technical loophole - in a process that's part of

      [..] years of dedicated effort in an open environment.

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    2. Re:Lessons by Anonymous Coward · · Score: 0

      They said that to read the Quantum bit, you would have to change its state and that would be detectable.
      Well, if it's been broken, and that is not the case, then all wet dreams of safe key exchange dissipate, and good old copper or optical fiber is just as good.

      And if quantum states are not infinite, then instant deciphering also goes out the window, although parallel decoding is still very attractive for n-round ciphers.

      Hats off to the clever dudes who did this work.

    3. Re:Lessons by buchner.johannes · · Score: 1

      And that's why quantum based voting fails. No citizen can verify that they don't just use classic computers.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:Lessons by Artifakt · · Score: 1

      Should it be called just a loophole?
      Actually getting a physical object to behave like quantum entanglement is present is a challenging task, much like getting an object to reliably store data in a form that doesn't degrade with repeated access in the first place. There are only a few ways to store data in forms that can take 100,000+ access cycles, give the data back quickly enough to be useful to other parts of the system, or have low enough rates of corruption to be genuinely useful to the user. When you factor in costs, the choices get more limited - after 50+ years of development, it's still general practice to compromise and use slow methods of storage for much of the storage needed. With data storage, nature seems to be insisting - fast, cheap, reliable - pick any two of three (at best).

      Even if the underlying principle (as you put it) says there must exist some methods that aren't vulnerable to this sort of attack, turning those methods into engineering processes may entail other problems so great that no one would want to develop those lines of research unless they were forced out of other, originally more attractive options. This may well be a problem that comes back in one form or another for decades.

      --
      Who is John Cabal?
    5. Re:Lessons by Anonymous Coward · · Score: 0

      "pick any two of three" - such statements are always trivially true in the sense that we face trade-offs and can spend money only once.
      But ten years ago people would have called the stuff we've got now both cheap, reliable and fast. Something worth reflecting on.

    6. Re:Lessons by Interoperable · · Score: 2, Insightful

      It's a pretty damn big loophole. They used a 1 mW beam which is about as powerful as a laser pointer. That's many orders of magnitude larger than a single-photon level signal and should be very easy to detect. Not noticing a milliwatt of light hitting the detector in a quantum scheme is something like leaving a key written in plain text on a sticky note on your monitor and being shocked when your key is "hacked."

      --
      So if this is the future...where's my jet pack?
    7. Re:Lessons by Ungrounded+Lightning · · Score: 1

      The underlying principle still is valid, those people exploited a technical loophole ...

      As I recall, the underlying principle of quantum cryptography was that you can't intercept the information in the FIRST PLACE to make a clone of it. These guys intercepted it, cloned the information from it, then made a signal that fooled the receiving detector.

      The idea was that your signal either encoded a bit on a single photon as 0/90 degrees or +-45 degrees. The receiver had to know (from a previously distributed symmetric key and some additional synchronizing info which might be photonically transmitted) whether to route the photon to a detector that looked for one modulation or the other - because looking with the wrong kind of detector produces a random number rather than recovering the information. You can cover for some bit lossage by sending data redundantly. But you can't send it SO redundantly that it can be decoded without advance knowledge of how to look.

      So the fact that "Eve" was able to fool the receiver with incoherent light pulses tells me these so-called quantum crypto systems are either doing SOMETHING ELSE or sending the information so redundantly that it can be recovered without the knowledge of what angles to use to look at it.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    8. Re:Lessons by Ungrounded+Lightning · · Score: 1

      Upon further reading I see that the quantum cryptosystems are doing key exchange - so they don't have a shared secret from which to generate a shared idea of which polarization to use when looking. They have to throw away half the bits due to looking wrong and sort it out later.

      The flaw is still partly rooted in their excessive redundancy to cover for sufficiently large losses in the data path. But the crack also depends on being able to stimulate "Bob"'s receiver by something that does not correspond to a correctly-polarized copy of Eve's reception of the original signal.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  2. Re:pwned by neumayr · · Score: 5, Informative
    Not really. From the article:

    "We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing," says Makarov.

    --
    Truth arises more readily from error than from confusion. -Francis Bacon
  3. Re:pwned by yahwotqa · · Score: 2, Interesting
    From TFA:

    Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it.

    So, I guess the encryption system used here isn't really "quantum", since above doesn't apply, is it?

  4. It seems that you could detect this by MichaelSmith · · Score: 2, Interesting

    Eve gets round this constraint by 'blinding' Bob's detector — shining a continuous, 1-milliwatt laser at it.

    So Bob could just detect the blinding signal and stop transmitting.

    1. Re:It seems that you could detect this by Haedrian · · Score: 1

      I'm sure it's not as simple as that. Then again I didn't understand half the technical stuff of this article.

    2. Re:It seems that you could detect this by PseudonymousBraveguy · · Score: 5, Insightful

      Yes, and if I understand the article correctly, the manufacturers developed a patch to fix the hole.

      However, the hack shows (once again) that a system may be secure in theory, but actual implementations of that system may, and will, have bugs that render them insecure. This negates one of the strongest arguments for quantum crypto, i.e. the "provable" security. If that argument does not hold, you might as well use any common "classical" key exchange algorithm, which also delivers "good, but not 100%" practical security, does not need fixed point-to-point fiber and expensive equipment, and is probably much better tested than the quantum systems.

    3. Re:It seems that you could detect this by ByteSlicer · · Score: 1

      So Bob could just detect the blinding signal and stop transmitting.

      Alice is the transmitter, Bob is the receiver (from A to B, see?).

    4. Re:It seems that you could detect this by Threni · · Score: 1

      Exactly - existing systems are 'good enough for now', and it's the protocols (swapping keys, trusting people etc) which are hard. You can invent hard and harder systems but without extra work on the protocols/implementations they add nothing of value.

    5. Re:It seems that you could detect this by MichaelSmith · · Score: 1

      So Bob could just detect the blinding signal and stop transmitting.

      Alice is the transmitter, Bob is the receiver (from A to B, see?).

      Yes I can see my mistake, though once Bob knows the link is compromised he can ignore the contents, so the hacker can't predict his behaviour. Also Bob could use a different channel to notify Alice of the problem.

    6. Re:It seems that you could detect this by Anonymous Coward · · Score: 0

      Dunno if Bob was transmitting to begin with.

      Anyhow, Bob should be able to tell between the quantum and classic (fallback/compatibility?) mode and tell Alice which mode he's receiving the message in. (Perhaps by sending a parallel return signal that's either quantum or classic itself.) If Alice figures out that there's a mismatch between the way she's sending it and how Bob is getting it, then both Alice and Bob should know that the gig is up and perhaps Eve is lurking around somewhere.

      As it is right now, Bob can't tell the difference and tell Alice what message mode he's getting. So they're both blind to whether or not Eve is listening. It's more of a [hardware/firmware/current implementation] failure than an overall method failure.

    7. Re:It seems that you could detect this by beelsebob · · Score: 1

      This negates one of the strongest arguments for quantum crypto, i.e. the "provable" security

      No it doesn't – it just makes the software more expensive to write. It's entirely possible to write software that has key properties proved to be correct and bug free, it's just hard, time consuming, and done by people who get paid a very large amount of money.

    8. Re:It seems that you could detect this by PseudonymousBraveguy · · Score: 3, Insightful

      No it doesn't – it just makes the software more expensive to write. It's entirely possible to write software that has key properties proved to be correct and bug free,

      It's not only the software. There's a lot of hardware involved, most of which could have bugs of some kind (e.g. for this hack you'd have to prove that your sensor can reliably detect that it's still in "quantum mode"). And after you have proven a lot of properties of all your hardware and software, you'll have to prove that all those properties are actually sufficient for achieving perfect security.

    9. Re:It seems that you could detect this by ByteSlicer · · Score: 1

      And what if the hacker doesn't send any signal to Bob, so the line is quiet? Bob would never know Alice is sending a key, and therefore never warn her.
      Of course she could use some secure side channel to tell Bob she's sending a key, but that could be hacked as well...

    10. Re:It seems that you could detect this by PseudonymousBraveguy · · Score: 2, Informative

      Actually, quantum crypto requires Bob to communicate with Alice over an authenticated channel anyway (e.g. to check which polarisation filter was used for each measurement, and to check for an eavesdropper). This channel can trivially be used to signal failures and/or attacks. (However, quantum crypto does not tell you where to find a perfectly secure authenticated channel.)

    11. Re:It seems that you could detect this by sjames · · Score: 1

      No it doesn't – it just makes the software more expensive to write. It's entirely possible to write software that has key properties proved to be correct and bug free, it's just hard, time consuming, and done by people who get paid a very large amount of money.

      And then gets undercut by slightly cheaper snake oil coded by the lowest bidder in a sweatshop. Everyone cheers the invisible hand and the triumph of the free market, especially Eve.

    12. Re:It seems that you could detect this by Anonymous Coward · · Score: 0

      This just goes to show that determination is more powerful than reality.

  5. So OK... by hyades1 · · Score: 5, Funny

    ...maybe they've cracked it in this universe, but what about all the others?

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:So OK... by thijsh · · Score: 3, Funny

      I would take a look, but I'm too afraid I'll kill the cat... And you all know how much Slashdot-geeks love that inter-dimensional pussy.

    2. Re:So OK... by Anonymous Coward · · Score: 0

      I would take a look, but I'm too afraid I'll kill the cat...

      Well, I chucked the cat into a wheely bin, and was afraid if I looked back and opened the lid that the cat would either be alive or dead. So I just walked on.

    3. Re:So OK... by MarkRose · · Score: 1

      That's going to take some time. None of the other universes have sharks or ill-tempered mutant sea bass to control the lasers.

      --
      Be relentless!
    4. Re:So OK... by Anonymous Coward · · Score: 0

      Fry: Far out! So there really is an infinite number of universes?
      Professor Hubert Farnsworth: No, just the two.
      Fry: Oh, well. I guess that's enough.

    5. Re:So OK... by Anonymous Coward · · Score: 0

      love that inter-dimensional pussy.

      Ohhhh yeahhh... =D

    6. Re:So OK... by CeruleanDragon · · Score: 1

      Only the Kirk-loving Trekkie Slashdotters. :)

      --
      ad astra per alia porci
  6. Re:pwned by Unipuma · · Score: 5, Informative

    If you read the article, you'll notice that the 'hack' is a classic man in the middle attack, and the receiving end can receive both classic and quantum messages. The man in the middle (after reading the quantum message) passes it on as a classic message, and the receiving device does not give a warning that the message received is a classic message, instead of a quantum message.

    So it's really a design error on the device side, not a true hack in that quantum states were undisturbed regardless of reading them.

  7. Re:pwned by elFisico · · Score: 0

    Mod parent up!!

    And add this citation to the article text!!! *eyeroll*

  8. not really that bad by mogness · · Score: 4, Informative
    The problem isn't really with quantum encryption, it's with the technical implementation. And anyway, according to the article, they've already figured out a way to detect the hack and defeat it, so it's still pretty solid.

    Makarov informed both companies of the details of the hack before publishing, so that patches could be made, avoiding any possible security risk.

    --
    that's teh shizzle bizzle
    1. Re:not really that bad by DrXym · · Score: 2, Funny
      "And anyway, according to the article, they've already figured out a way to detect the hack and defeat it, so it's still pretty solid."

      if (continuousLaserBeam) hack = true;

    2. Re:not really that bad by boxwood · · Score: 2, Insightful

      Yeah the good guys inform the company of the hack. The question is how many bad guys were aware of this before now, and for how long?

      It took these guys two months in a university lab to figure this out. How long do you suppose it took the NSA (and their counterparts in other countries) who have much bigger budgets?

      This research proves that if you're using these devices, the NSA has your data.

    3. Re:not really that bad by DoofusOfDeath · · Score: 1

      they've already figured out a way to detect the hack and defeat it, so it's still pretty solid.

      Perhaps, but there's a larger issue. Quantum crypto was supposed to be the end of the story, iirc. It was supposed to be theoretically impossible to crack. Discussion over.

      Now, it appears that quantum crypto is engaged in the same kind of arms race that other crypto mechanisms are subject to. So it might be pretty solid, but it's apparently no silver bullet.

    4. Re:not really that bad by Anonymous Coward · · Score: 0

      It was supposed to be theoretically impossible to crack without being detected

      There is a way to detect it. Hence, it's still correct.

    5. Re:not really that bad by Rich0 · · Score: 1

      Yup. The detectability is the whole point of quantum crypto.

      You don't send secrets over quantum crypto. You send encryption keys, and then if they weren't intercepted you use those keys to send encrypted secrets over a channel of your choosing. If the keys are intercepted you simply discard them - an unused encryption key is just a random number, so nothing is lost.

      It almost sounds to me like a bunch of vendors decided to turn quantum crypto into a marketing term, without thinking hard about security. If the devices didn't continuously perform tests that are certain to detect interception per the laws of physics, then the protection is worthless. They're merely depending on using an uncommon line protocol to make interception difficult.

    6. Re:not really that bad by noidentity · · Score: 1

      The problem isn't really with quantum encryption, it's with the technical implementation.

      Yes, exactly. This is like saying that one-time pad encryption has been broken because someone found a bug in an implementation (or rather, an implementation of something other than one-time pad encryption).

  9. Re:pwned by vlad30 · · Score: 1

    The bigger they are, the harder they fall; or, in encryption, the more complicated, the easier to crack.

    --
    You're all thinking it, I just said it for you
  10. Re:pwned by PseudonymousBraveguy · · Score: 5, Insightful

    No, it IS a huge problem. If you turn a quantum computing system into a classical system, you basically revert it to sending the key in plaintext. While it does not break the theory of quantum encryption, breaking all (commonly) available implementations of quantum crypto should be enough to be qualified as "huge kick in the balls".

  11. It is not quantum "crypto" by Anonymous Coward · · Score: 0

    It is quantum-secure-transmission. That is, you theoretically detect (article notwithstanding) when somebody attempts to eavesdrop on your transmission. But the bits are plaintext (or encrypted by the start and end machines before the secure quantum transmission, but not by the protocol itself).

  12. Description of the hack by its authors by romiz · · Score: 2, Informative

    There are some photographs of the hacked hardware and the hacking tools on the page of the researchers.

  13. A massive implementation flaw? by Securityemo · · Score: 1

    So, the attack works like this: the middle man sends a continuous laser down to one of the receivers, and simultaneously reads off the transmitted photons (disrupting their state). When "blinded" by this laser light, the receiver still reads the information from the transmitted photon data, but ignores it's quantum state. I don't know the limitations and techniques behind constructing quantum-state detecting photon receivers, but this just has to be a flaw in this particular construction? Maybe the state detector gets overloaded? In any case, it seems the system has been "patched" already.

    --
    Emotions! In your brain!
    1. Re:A massive implementation flaw? by Anonymous Coward · · Score: 0

      Please shine a laser on that apostrophe that mysteriously appeared in your possessive pronoun. How come people can master quantum physics but are utterly baffled and confounded by the apostrophe?

    2. Re:A massive implementation flaw? by Securityemo · · Score: 1

      I have not "mastered quantum physics", I simply understand single-photon quantum state checked lines in the context of computer security. Thus, I get to manhandle grammar however I wish.

      --
      Emotions! In your brain!
    3. Re:A massive implementation flaw? by Vadim+Makarov · · Score: 1

      The attack workflow has been slightly simplified for the news article. Eve's actual workflow is: 1. Blind Bob with a continuous laser, 2. Intercept all photons coming from Alice using a copy of Bob's setup, 3. Every time Eve has a detection, she activates another laser to send a strong light pulse to Bob that tricks Bob's detectors into producing the same detection outcome. I wish there were 4. Profit!, but as of now our lab is running out of grant money with no other funding in sight :)).

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
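      The sifting and error check that several comments in this thread circle around (the basis-dependent measurement, the authenticated channel used to compare bases and "check for eavesdropper", and the three-step workflow in the comment above), as an added toy simulation that is not code from the thread, the Nature article or the researchers. It shows why an intercept-resend attack against working single-photon detectors produces roughly 25% errors in the sifted key and is caught by the error-rate check, while a detector forced into classical mode reproduces Eve's outcomes with 0% error and is caught only by the extra check proposed earlier in the thread, watching for bright light at Bob's input. The abort threshold, the alarm level, and the model of the blinded detector (it registers Eve's outcome when Bob's basis matches hers and nothing otherwise) are this example's assumptions.

```python
import random
from dataclasses import dataclass

# Constructed parameters (assumptions of this example, not values from the thread)
QBER_ABORT_THRESHOLD = 0.11   # sifted-key error rate above which the key is discarded
BLINDING_POWER_MW = 1.0       # the thread quotes a continuous 1-milliwatt blinding laser
LIGHT_ALARM_MW = 1e-6         # assumed alarm level of a bright-light monitor at Bob's input


def measure(bit, prep_basis, meas_basis, rng):
    """Single-photon measurement: the matching basis returns the encoded bit,
    the wrong basis returns a coin flip (the property that exposes Eve)."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


@dataclass
class Session:
    sifted_alice: list
    sifted_bob: list
    input_light_mw: float

    @property
    def qber(self):
        """Fraction of sifted bits on which Alice and Bob disagree."""
        if not self.sifted_alice:
            return 1.0
        errors = sum(a != b for a, b in zip(self.sifted_alice, self.sifted_bob))
        return errors / len(self.sifted_alice)


def run_bb84(n, attack, rng):
    """Exchange n photons with attack in {"none", "intercept_resend", "blinding"}."""
    alice_bits, bob_results, light_mw = [], [], 0.0
    alice_bases = [rng.randrange(2) for _ in range(n)]   # 0: rectilinear, 1: diagonal
    bob_bases = [rng.randrange(2) for _ in range(n)]
    for ab, bb in zip(alice_bases, bob_bases):
        bit = rng.randrange(2)
        alice_bits.append(bit)
        if attack == "none":
            bob_results.append(measure(bit, ab, bb, rng))
            continue
        eve_basis = rng.randrange(2)                   # Eve guesses a basis ...
        eve_bit = measure(bit, ab, eve_basis, rng)     # ... and measures (step 2 above)
        if attack == "intercept_resend":
            # Eve re-emits a photon in her basis; Bob's working detectors measure
            # it, so every basis mismatch shows up as errors in the sifted key.
            bob_results.append(measure(eve_bit, eve_basis, bb, rng))
        elif attack == "blinding":
            # Model of a blinded, classical-mode detector (an assumption of this
            # example): Eve's bright trigger pulse registers as Eve's own outcome
            # when Bob's basis matches hers and as no detection otherwise (step 3).
            light_mw = BLINDING_POWER_MW
            bob_results.append(eve_bit if eve_basis == bb else None)
        else:
            raise ValueError(f"unknown attack {attack!r}")
    # Sifting over the authenticated classical channel: keep rounds where Bob
    # saw a detection and both sides used the same basis.
    keep = [i for i in range(n)
            if bob_results[i] is not None and alice_bases[i] == bob_bases[i]]
    return Session([alice_bits[i] for i in keep],
                   [bob_results[i] for i in keep], light_mw)


def verdict(session, bright_light_monitor=True):
    """Bob's acceptance decision: QBER check alone, or QBER plus a light monitor."""
    if bright_light_monitor and session.input_light_mw > LIGHT_ALARM_MW:
        return "abort: bright light at detector input"
    if session.qber > QBER_ABORT_THRESHOLD:
        return "abort: QBER too high, interception detected"
    return "accept key"


def simulate(attack, n=4000, seed=1):
    """Reproducible run of one scenario with a seeded generator."""
    return run_bb84(n, attack, random.Random(seed))


if __name__ == "__main__":
    for attack in ("none", "intercept_resend", "blinding"):
        s = simulate(attack)
        print(f"{attack:17s} sifted={len(s.sifted_alice):4d} qber={s.qber:.3f} "
              f"qber-only={verdict(s, False)!r} with-monitor={verdict(s)!r}")
```

      The blinding run is the one to look at: the error-rate check that is supposed to reveal interception reports a clean key, and the session is rejected only because the monitor saw light many orders of magnitude above a single-photon signal.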
  14. A new name by Anonymous Coward · · Score: 0, Funny

    Quantum hackers?

    Quackers!

  15. Quantum is for Quacks by Anonymous Coward · · Score: 3, Funny

    This is what you get when even educated men can't make sense of your technology.

    Pretty obvious now we need to return to traditional cryptosystems such as rot13 etc. Arguably not the most secure, but it is efficient. And for military use, where security requirements are higher, triple-rot13 is an option.

    1. Re:Quantum is for Quacks by Antarius · · Score: 1

      Triple-rot13 just made me choke on my drink.

      Posting this reply in Double-rot13 to ensure only the intended recipients can read it.

    2. Re:Quantum is for Quacks by Anonymous Coward · · Score: 0

      Nah, double should do it :)

    3. Re:Quantum is for Quacks by whitesea · · Score: 1

      This is what you get when even educated men can't make sense of your technology.

      Pretty obvious now we need to return to traditional cryptosystems such as rot13 etc. Arguably not the most secure, but it is efficient. And for military use, where security requirements are higher, triple-rot13 is an option.

      No, quadruple ROT-13 is the best.

    4. Re:Quantum is for Quacks by Anonymous Coward · · Score: 0

      The post above seems to be encrypted with ROT-26, I can't read it!

    5. Re:Quantum is for Quacks by athe!st · · Score: 1

      !ti edoced nac tneipicer dednetni eht tub eno on ylerus ,gniod ma I sa egassem ruoy tpyrcne ot refas raf si ti ,dewalf si noitseggus ruoY

  16. Commercial Systems by iYk6 · · Score: 2, Interesting

    I was surprised to discover that there were commercial systems of quantum cryptography. Quantum cryptography is academic at this point. It is not as strong as old fashioned cryptography (like AES) and is much more expensive. Then I realized that there is no reason that someone can't use both. It would be pretty ridiculous if someone were using quantum cryptography as their only security, and not encrypting the data first with old fashioned cryptography.

    1. Re:Commercial Systems by PseudonymousBraveguy · · Score: 4, Interesting

      Quantum cryptography is academic at this point. It is not as strong as old fashioned cryptography (like AES) and is much more expensive. Then I realized that there is no reason that someone can't use both.

      Quantum crypto (at this point) is a key exchange mechanism. Thus, it doesn't compare to AES at all. You HAVE to use quantum crypto together with a classical encryption algorithm. However, if you use quantum crypto you care about 100% theoretical security. Else you would simply use DH or any other well-known classical key exchange. And if you care about 100% theoretical security, there is no alternative to OTP.

    2. Re:Commercial Systems by KiloByte · · Score: 2, Insightful

      Except that to be able to use quantum crypto at all, you need to provide a physical way to pass the quantum state. And with that requirement, why won't you just pass the key the good old fashioned way? Strictly more secure, and much cheaper.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Commercial Systems by Sycraft-fu · · Score: 1

      Well I'd hazard a guess that most people who are buying in to this don't know what the fuck they are doing. They are the types that believe the NSA has secret evil cracking machines that ban break all current crypto (and that the NSA gives a shit about what they are doing). They also hear stories about amazin' new unbreakable quantum crypto. They see it on the market and say "We need to have that!"

      For that matter, I don't know if these products are actual quantum crypto. Just because they call it that doesn't mean it is.

    4. Re:Commercial Systems by julesh · · Score: 3, Interesting

      Except that to be able to use quantum crypto at all, you need to provide a physical way to pass the quantum state. And with that requirement, why won't you just pass the key the good old fashioned way? Strictly more secure, and much cheaper.

      More secure? Hardly. All you have to do is eavesdrop on the key exchange and you have the key. In a real world scenario, typically this means bribing a few security guards, breaking into one of the communicators' homes or offices and retrieving the key from their computer, or intercepting a message sent over a physical line, probably encrypted via a non-100%-reliable cryptographic system, with the (at least) theoretical possibility that the encryption on the key exchange can be broken.

      In a properly implemented quantum crypto system, this is theoretically impossible: the key passes directly from one endpoint to the other, and any interference between the two is easily detectable. It isn't stored for longer than the message takes to be sent, so breaking in to retrieve it is impractical. Done properly, the quantum crypto system is as secure as it is possible to be. As it happens, the system here was not done properly; it failed to detect interference on the line (and as ability to detect interference is, essentially, the point of quantum crypto, this is bad news).

    5. Re:Commercial Systems by Rakshasa+Taisab · · Score: 1

      Quantum crypto is about passing a key and being sure it wasn't read by a third party (or borking if it has been). Old-fashioned plaintext passing of that key does not have that particular property, which makes it _NOT_ more secure even if it is cheaper.

      That the system would have an error mode where it just starts ignoring the overloaded quantum state sensor seems like braindead design to me...

      --
      - These characters were randomly selected.
    6. Re:Commercial Systems by DMiax · · Score: 1

      And with that requirement, why won't you just pass the key the good old fashioned way? Strictly more secure, and much cheaper.

      Because it is not strictly more secure? Any hack that works on quantum crypto will also work on classical cryptography. All they showed here is that it is hard to get a system working properly with all safeguards (or, simply, that commercially available implementations are not that good).

    7. Re:Commercial Systems by KiloByte · · Score: 1

      If your endpoint has been compromised, there isn't anything you can do.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    8. Re:Commercial Systems by Anonymous Coward · · Score: 2, Interesting

      In a real world scenario, typically this means bribing a few security guards, breaking into one of the communicators' homes or offices and retrieving the key from their computer, or intercepting a message sent over a physical line

      Using the old fashioned way, you divide the key into 5 or 6 pieces before it leaves the cryptosystem, you distribute responsibility of the pieces. The pieces are stored on devices, and given to guards.

      The guards have physical possession of the devices, but not the PIN number for that piece.

      None of the pieces assist in reassembling the key without all other pieces present.

      Key pieces are not brought back together until brought to the destination system's crypto module.

      Nothing other than dedicated crypto modules ever have access to the key for securing your initial key exchange, and these get kept locked up.

      Security guards protect physical access to the communication endpoints, but do not possess the credentials to activate them; plus multiple combinations and keys are required to even open the safe with any hardware required for securing further key exchanges.

      You can perform key rollovers whether you use quantum or traditional crypto. You transmit the new public key digitally signed with the old private key, over a message encrypted with the current session key.

      Then you transmit the new symmetric key, encrypted with the peer's new public key, in a message encrypted with the current symmetric key.

      If your adversary can compromise crypto equipment under high security, quantum crypto won't protect you.

      The benefits of quantum crypto are mostly theoretical.

      However, obviously someone believes the technology is more proven than it is, as they're trying to base commercial systems on the promise.

      If they are relying on quantum key exchange as their only security of the key exchange, at this point, they are foolish.
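      The n-of-n split described in the comment above, as an added Python example that is not the commenter's code: every custodian's piece is a uniformly random mask and the key only emerges when all pieces are XORed together, so with any one piece withheld the XOR of the rest is the key under a one-time pad and carries no information about it. The `randbytes` parameter exists so the demonstration can use a seeded generator; the default, `secrets.token_bytes`, is what an actual split should use.

```python
import random
import secrets


def xor_bytes(*parts):
    """XOR equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("all pieces must have the key's length")
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def split_key(key, pieces, randbytes=secrets.token_bytes):
    """n-of-n split: pieces-1 uniformly random shares plus a final share chosen
    so that all shares XOR back to the key. Any proper subset is uniform."""
    if pieces < 2:
        raise ValueError("need at least two pieces")
    shares = [randbytes(len(key)) for _ in range(pieces - 1)]
    shares.append(xor_bytes(key, *shares))
    return shares


def recombine(shares):
    """Only the destination crypto module, holding every piece, gets the key."""
    return xor_bytes(*shares)


def partial_is_uninformative(key, pieces, trials=6000, seed=0):
    """Demonstration: with one piece withheld, the XOR of the remaining pieces
    takes every possible value across repeated splits of the SAME key, i.e. it
    reveals nothing. A seeded PRNG is used only to make the run reproducible."""
    rng = random.Random(seed)
    seeded = lambda n: bytes(rng.randrange(256) for _ in range(n))
    seen = set()
    for _ in range(trials):
        shares = split_key(key, pieces, randbytes=seeded)
        seen.add(recombine(shares[:-1]))   # all custodians but one showed up
    return len(seen) == 256 ** len(key)


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    shares = split_key(key, 6)
    print("recombined:", recombine(shares) == key)
    print("one piece missing reveals nothing:", partial_is_uninformative(b"\x42", 5))
```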

    9. Re:Commercial Systems by IndustrialComplex · · Score: 1

      (and that the NSA gives a shit about what they are doing)

      Well for one, it isn't generally the NSA that 'gives a shit', it's other agencies.

      Two: If you make it a point to collect and store everything, even if it isn't of immediate interest to you NOW, it might be LATER.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    10. Re:Commercial Systems by kvezach · · Score: 1

      But that's also rather strange. For quantum crypto to make sense, there must be an adversary who can crack Diffie-Hellman (or the key exchange of your choice), but who isn't able to just physically get on the line and insert a man-in-the-middle device. Even if you have perfect quantum crypto, unless you and your intended other party share a secret, it's impossible to determine if the key negotiation is between you and your intended other party or with Mallory masquerading as that other party, impersonating you to the other party.

      That threat model appears to be irrational. Ordinary inside jobs, industrial espionage, whatnot, can't splice in a man-in-the-middle but they can't break DH either - and if quantum computers become prevalent and DH can be easily broken, one can just shift to some post-quantum PK method like McEliece or NTRU.
      On the other hand, if the messages are being read by the NSA (who might be able to break DH), quantum crypto won't help, since the NSA could just dig up the cable somewhere and insert a man-in-the-middle device.

      That leaves the option where you do have a shared secret. In that case, simply make the shared secret the key for a symmetric key cryptosystem, or if you have the bandwidth, use a one-time pad. QC's only advantage in that case would seem to be that the adversary has no way of stealing the "key" or "pad" without tampering with the cable or compromising one of the endpoints.

      (I assume that the communication is being done on a dedicated line, since one can't do quantum crypto over the internet. I also assume that "key exchange" is of the kind where a passive listener has to solve a hard problem to get the key - DH is such a method, but there are others.)

    11. Re:Commercial Systems by QuantumBeep · · Score: 1

      -1 Offtopic: the plot of the last Pirates of the Caribbean movie isn't relevant.

  17. Re:pwned by PseudonymousBraveguy · · Score: 1

    So it's really a design error on the device side, not a true hack in that quantum states were undisturbed regardless of reading them.

    As long as the attacker only wants to get the key, he does not care if this is a "true" hack (which would require a substantial change in our understanding of quantum physics) or a "cheating" hack that only breaks the implementation. The major selling point of quantum crypto is the "100% security". If it's only "100% minus any bugs in the implementation" (which it obviously is), I could as well use a classical key exchange mechanism.

  18. Re:pwned by foobsr · · Score: 1

    "100% security" ... "100% minus any bugs in the implementation"

    I truly wonder if there is anything like "100% security". Probably if there is no 'security' at all (if it is not needed? impossible to observe?).

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
  19. Re:pwned by Anonymous Coward · · Score: 0

    I thought the point of quantum encryption was that it could not be attacked by a man in the middle without revealing that an attack took place. Seems like it was compromised in an unexpected way.

  20. Re:pwned by Anonymous Coward · · Score: 0

    Since one of the goals of a quantum cryptographic system is to prevent just that then this is a major failure in the design.

  21. a kick in the balls by davidwr · · Score: 5, Insightful

    A kick in the balls (breaking all current implementations) is not the same as cutting them out and mounting them in a trophy case (proving there can be no secure implementation).

    Either one hurts though.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  22. alice and bob by brainscauseminds · · Score: 4, Funny

    Poor Alice and Bob, they do not have a chance ever to live normal lives without hordes of geeky cryptographers debating/fighting over every bloody bit they exchange.

    1. Re:alice and bob by Provocateur · · Score: 1

      ...until they met Ted and Alice, the couple that moved in next door. Then the sex became even more interesting.

      (boy I feel so old)

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    2. Re:alice and bob by Anonymous Coward · · Score: 0

      I thought next door was Carol and David? Maybe on the other side.

  23. And the government... by son.of.sun · · Score: 0, Offtopic

    ... enacts laws that the person must de-crypt the message if required or get jailed. Lazy bums.

  24. Well, there's always the "Gitmo" attack by davidwr · · Score: 1

    the more complicated the easier to crack

    You know, the one that involves "encouraging" someone to give up the keys or to hell with the keys, just "extract" the original message.

    Too bad for those using the Gitmo attack that torture isn't a reliable way to extract information.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Well, there's always the "Gitmo" attack by stonewallred · · Score: 1

      So you say. In reality, torture does work wonders, and provides really solid information. Problem is that true torture is not quick, easy or cheap. It requires a great deal of time, energy and information. Everyone has some breaking point and finding that point using the right key is paramount. While some folks might resist physical pain for long periods of time, the same person may break within minutes if subjected to sensory deprivation or spiders or being in very tight confinement. Threat of death might not faze a person, but the threat of their loved ones' deaths or their pet's death might break them immediately. So the time it takes, probing for the weakness and figuring out the right pressure is what makes torture ineffective, especially in time sensitive matters, not the "inability" to extract the information.

    2. Re:Well, there's always the "Gitmo" attack by tibit · · Score: 2, Informative

      You would be right if you weren't so wrong :(

      The problem with torture is that it has a way of making up information where there is none. If you're convinced your guy has the information, but he doesn't, then torture is an element of a random story generator. And there's pretty much no way of telling the quality of information that you receive.

      Case in point: I think that a big problem with some Gitmo inmates is that they were set up by bounty hunters, and they are simply wrong people in a wrong place at the wrong time. Torture is useless here, because they know nothing in the first place, and the "solid information" they provide is solidly random, if that.

      --
      A successful API design takes a mixture of software design and pedagogy.
    3. Re:Well, there's always the "Gitmo" attack by maxwell+demon · · Score: 1

      Too bad for those using the Gitmo attack that torture isn't a reliable way to extract information.

      While it's not reliable in general, it is reliable in cases where you can easily check whether the information given to you is correct. Which is the case for cryptographic keys, but not for the original message. Unless, of course, he doesn't have the key himself (I couldn't give you the key used for the latest https session with my bank, even if I wanted to; torture certainly wouldn't help either).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:Well, there's always the "Gitmo" attack by TheCarp · · Score: 1

      You have evidence of that? I am not actually aware of any incidents where this was shown to be the case... and many incidents where information was given up without torture.

      Generally speaking, torture is used to produce confessions and convictions no matter what, not to produce truth. Thats how its been used for a long time now, its what the techniques were developed to produce.

      SO far the only "evidence" to the contrary has been by the Dick Cheney's vague "trust us this works" statement that he conveniently couldn't elaborate on.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    5. Re:Well, there's always the "Gitmo" attack by radtea · · Score: 1

      While it's not reliable in general, it is reliable in cases where you can easily check whether the information given to you is correct.

      You realize you've just defined extracting information under torture as an NP-Complete problem... and then implied that this was the "easy" case.

      --
      Blasphemy is a human right. Blasphemophobia kills.
    6. Re:Well, there's always the "Gitmo" attack by Anonymous Coward · · Score: 0

      If someone gives you what they know to be false information under the impression that this will somehow relieve the torture, you’re doing it wrong. False information is worse than no information. For the prisoner, not for you. For you it’s just a delay.

    7. Re:Well, there's always the "Gitmo" attack by Tacvek · · Score: 1

      Not quite.

      He was describing a system that gives a result probabilistically, with the probability of a correct response being proportional to the ease of verifying it.
      There are two cases, one in which the result can be easily verified. That case would be NP, and realistically BPP. The other case has no easy way to verify, making it emphatically not NP, but the exact category is not determined. Needless to say though that it has problems much harder than NP-complete problems.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    8. Re:Well, there's always the "Gitmo" attack by Raenex · · Score: 1

      You can make it easy. If you're willing to undergo an hour of torture without cracking then you can keep your secret key (if you have it).

    9. Re:Well, there's always the "Gitmo" attack by stonewallred · · Score: 1

      No, that is why the disclaimer is that it is not easy, quick or cheap. Any and all information has to be verified, every time. And brute force pain is never as efficient as using what causes the subject the most fear or torment mentally, rather than emotionally. You are thinking pliers and blowtorches in a dimly lit basement, to extract solid information in a short period of time when it is actually usable. That type doesn't work that well. I am speaking of methodical, relentless psychological torture done over months and years, where the victim is relieved of any and all information, by trained professionals who use every trick and technique available. Good analogy is you are thinking of dynamite to blow up the rock, while I am using water to slowly erode it away. My way will work, every time, but the costs and ROI are usually not worth it, and it is never quick.

    10. Re:Well, there's always the "Gitmo" attack by maxwell+demon · · Score: 1

      While it's not reliable in general, it is reliable in cases where you can easily check whether the information given to you is correct.

      You realize you've just defined extracting information under torture as an NP-Complete problem... and then implied that this was the "easy" case.

      Nowhere did I say or imply that it's the "easy case"; the only place I used "easy" was in the condition. What I said is it's the reliable case (i.e. the one where you can generally expect to eventually get some useful result).

      Oh, and you mixed up "NP" and "NP-complete"; the latter means that it's not only NP, but you can reduce all NP problems to it. I don't think you can reduce the travelling salesman problem to torture. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    11. Re:Well, there's always the "Gitmo" attack by tibit · · Score: 1

      Nope.

      You torture them because you believe they have the information. As long as you hold on to that belief no matter what (IOW, you're stupid even when told so), then there's nothing for the prisoner to do other than to make stuff up. If they don't, they will presumably die -- they don't have the information in the first place.

      So, it's not a delay if you torture someone who feeds you misinformation for lack of the real information you seek. It's your problem, not prisoner's problem. You will either kill them, or get misinformation, but no matter what you won't get the information you want if they don't have it.

      --
      A successful API design takes a mixture of software design and pedagogy.
    12. Re:Well, there's always the "Gitmo" attack by tibit · · Score: 2, Insightful

      Logic whoosh.

      No matter how uneasy, not-quick and not-cheap the torture is, you won't get information that isn't there. That's all I claim, yet you somehow feel the need to muddy the waters.

      I'm very clear: I claim that there is/was a bunch of people in Gitmo who in fact know nothing, and who are held solely on an informant's paid (in money or in kind) claim that they, to the contrary, do know something.

      You can have $1 billion per detainee and use all the tricks that anyone knows, or had known (think ancient tribes who maybe had better/other tricks we haven't found yet) -- if the detainee doesn't know, you won't get to know either. You may kill the detainee, break the bank, go insane, what the eff ever. The only way to get the information you seek is if the detainee has infinite lifetime, and he/she starts enumerating all possible stories. By the infinite monkey theorem, you will get what you're looking for, but it's hard to say whether it'll happen before our Universe dies a heat death.

      If you argue otherwise, you should hand your geek card back.

      --
      A successful API design takes a mixture of software design and pedagogy.
    13. Re:Well, there's always the "Gitmo" attack by stonewallred · · Score: 0

      Once again, you are claiming snatching folks up and subjecting them to harsh physical interrogations as being inefficient. And attempting to set up a strawman claiming I disagree. I stated, twice IIRC, that torture does work. If you are going to go to the trouble to engage in what works, then your targets are going to have the information you want to know. And as far as the detainees at gitmo, none of them were tortured in the sense I describe. They were basically brutalized and physically hurt, not tortured in the sense of extracting, verifying and stripping them of every piece of knowledge they may have. Thankfully, there are some few folks in the US government that will draw a line occasionally and say certain things are just wrong. Not as often or as for as much stuff as they should, but enough that the torture I described would be very unlikely to happen under our government. You are the one trying to cloud the issue by interjecting the idea that the subject doesn't know the information and other attempts. Give it up and call it quits. Plus, I have no geek card to give up. I am not a geek, but I do learn from this site and get a great deal of amusement from a lot of posts. Raw and uncensored is the way to read /.

    14. Re:Well, there's always the "Gitmo" attack by tibit · · Score: 1

      I'm not claiming that it doesn't work universally. But it can only work when the subject knows what you're after. What you're saying is that it universally works, or else I just don't understand your rather plain words. It can't be true, unless you can magically ensure that everyone knows everything.

      I think I have an example that shows cracks in your argument. Say I supposedly broke into a safe, containing highly sensitive papers, that uses 1000th through 2000th decimal digits of PI as the combination. From other good sources you know that it can be shown that the suspect had the combination memorized and not written down, and someone trusted told you that it could be me breaking in. You want to interrogate me, using torture as applicable, to show that I indeed knew those digits -- ergo I'd be likely to have broken in (very few people know so many digits of PI, and fewer still are expected to be picked up by your trusted source).

      Now the truth is that I don't know those digits, and I'm very bad at memorization so it'd be pretty hopeless to expect me to know those cold, even though I in principle could come up with a way of computing them with paper and pencil.

      So you work me hard ("correctly" as you say), and after a while perhaps I could, maybe, get at those numbers if tortured long enough and in the right way, but it'd be completely false that I knew those numbers before the interrogation started. So even though you got some information out of me, it's completely useless, and you have little in the way of knowing: you've changed your subject.

      Even by-the-book torture alters the subject of your observation, and sometimes that's enough to completely fool oneself: you get verifiably good information, but it's still completely false inasmuch as it pertains to the ultimate reason for the interrogation. I could perhaps give you the digits of PI, but I didn't know them before the ordeal started, so I couldn't use them to break into the safe. Similarly, some people may start to recall certain things if you use proper techniques, but they could have been well unaware that they even knew such things beforehand -- so they could have been unable to use such knowledge, even if it turned out they had it. Sometimes it's the knowledge you're after, sometimes it's the knowledge of having knowledge. Different things, of course.

      So you have to be very careful, as you obviously know.

      --
      A successful API design takes a mixture of software design and pedagogy.
    15. Re:Well, there's always the "Gitmo" attack by radtea · · Score: 1

      I actually debated with myself if it was NP or NP-complete or NP-hard, and I'll stand by the NP-Complete designation. If you tortured a travelling salesman for the optimal route he could easily spit out (along with his teeth, presumably) various possibles, which you could then "easily check" (including keeping an eye out for repetitions, of course.) Ergo: NP-Complete.

      I also debated with myself about the word "easy", which is why I put it in scare-quotes. By "easy" I meant "imaginable that you might get reliable information from" as opposed to the far more typical "hard" case where you have a vanishingly small chance of that.

      Torture is in general an unreliable epistemological method, and I stand by my analysis that your suggestion amounts to arguing that the only case where torture might be considered to produce reliable information is indeed NP-complete.

      I will also note that even in cases where the results of torture or the threat of torture can easily be checked, they rarely are: do you think the Inquisitors who showed Galileo the instruments of torture bothered to check if the phases of Venus were consistent with Venus and the Sun moving around the Earth in circular orbits? Or that they looked through any telescope to see if the moons of Jupiter were astronomical objects rather than optical artifacts as some people wanted to believe?

      The object of torture is not now and never has been to determine the truth.

      The purpose of torture is the psychological gratification of the torturer, and the social objectification of the tortured.

      --
      Blasphemy is a human right. Blasphemophobia kills.
    16. Re:Well, there's always the "Gitmo" attack by maxwell+demon · · Score: 1

      I actually debated with myself if it was NP or NP-complete or NP-hard, and I'll stand by the NP-Complete designation. If you tortured a travelling salesman for the optimal route he could easily spit out (along with his teeth, presumably) various possibles, which you could then "easily check" (including keeping an eye out for repetitions, of course.) Ergo: NP-Complete.

      I also explicitly noted the exception that the tortured person has to know the answer for reliably getting a result (OK, strictly speaking, I only made that restriction for cryptographic keys). Since a salesman (or anyone else) generally doesn't know the optimal solution to the travelling salesman problem, torturing him will not reliably get you the correct solution, despite being able to check the solution. Therefore getting information through torture is not NP-hard, and therefore also not NP-complete.

      The object of torture is not now and never has been to determine the truth.

      In most cases it hasn't been. But I know of at least one case of (threatened) torture where the objective was to actually get information (about where an abducted child was hidden, after the abductor already admitted he had done it). And it was actually successful (well, sort of: the child was already dead by then).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    17. Re:Well, there's always the "Gitmo" attack by Anonymous Coward · · Score: 0

      Right, and there is a chance that everybody in prison is innocent, you don't know for sure, but you can know pretty damn sure. Nothing is 100%! NOTHING!

    18. Re:Well, there's always the "Gitmo" attack by radtea · · Score: 1

      Since a salesman (or anyone else) generally doesn't know the optimal solution to the travelling salesman problem, torturing him will not reliably get you the correct solution, despite being able to check the solution.

      Sure it will. It'll just take a very long time.

      And since you never really know if the person you're torturing has the information you want--and in all practical cases your degree of uncertainty is extremely large, so this isn't some semantic quibble about "really knowing"--you never know if you're trying to solve an NP-complete problem or not. Good luck with that.

      --
      Blasphemy is a human right. Blasphemophobia kills.
  25. Re:pwned by sortius_nod · · Score: 1

    Unfortunately without that caveat the article isn't as scary.

    Come on editors, Do a better job, don't just put the article through, read it yourself.

  26. quantum hackers? by dominious · · Score: 1

    oh boy, am I getting old?

  27. Thuc pham chuc nang by Anonymous Coward · · Score: 0
    1. Re:Thuc pham chuc nang by VincenzoRomano · · Score: 1

      Really neat, really.

      --
      Maybe Computers will never be as intelligent as Humans.
      For sure they won't ever become so stupid. [VR-1988]
    2. Re:Thuc pham chuc nang by couchslug · · Score: 1

      Where's an Arc Light strike when you need one?

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  28. Is anyone REALLY surprised? by Phoenix · · Score: 1

    And here is the biggest problem with dealing with anything that evolves. Someone or something else will come along and evolve a way to defeat it. This happens in the world of biological viruses and bacteria, this happens in the world of animals, this happens in the world of Electronic Viruses and Spyware, and this happens with encryption.

    I remember when the contest was to crack either the 56-bit or the 64-bit (do not remember exactly which) and it was done in a matter of days and not the years it was thought of happening in.

    I remember when 8 character alpha numeric passwords were thought to be enough to be secure.

    My brother-in-law at the NSA who works on securing the Government's firewalls says that it is an uphill battle at best.

    I can honestly say that none of the stories of anything getting cracked surprises me any more. It seems that it is not a question of "if" it can be cracked, but "when" and "how quickly".

    --
    -- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
    1. Re:Is anyone REALLY surprised? by Fnord666 · · Score: 1

      And here is the biggest problem with dealing with anything that evolves. Someone or something else will come along and evolve a way to defeat it. This happens in the world of biological viruses and bacteria, this happens in the world of animals, this happens in the world of Electronic Viruses and Spyware, and this happens with encryption.

      Except that in cryptography that doesn't always happen.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    2. Re:Is anyone REALLY surprised? by luther349 · · Score: 1

      Agreed. Any sort of crypt can eventually be cracked. It's just how it is.

    3. Re:Is anyone REALLY surprised? by Anonymous Coward · · Score: 0

      I hope you meant "crypt" instead of "crypto", because that's the more important thing here. Nothing is safe, you just make it safe enough. Every time you walk near somebody and most things, there is risk you will lose your life. Eventually you will die, you might be robbed, your heart could break, your shins can implode. Even with a perfectly implemented encryption system there is still a non-zero chance that a key can be guessed, but you assume a much higher risk with much more important things every day and don't care.

    4. Re:Is anyone REALLY surprised? by sjames · · Score: 1

      The method at the theoretical level isn't breakable, but actual real world implementations are. Either people re-use the OTP or the pad itself is intercepted. The interception starts with the sender presuming it's absolutely safe.

    5. Re:Is anyone REALLY surprised? by jd · · Score: 1

      any sort of crypt can eventually be cracked

      And that is what makes the undead so dangerous.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    6. Re:Is anyone REALLY surprised? by jd · · Score: 1

      One suggestion for "practical unbreakable OTPs" was to gather noise from live radio astronomical observations. Alice sends to Bob the pseudo-random radio source location and the precise time to start gathering the OTP. This information need only be secure until that start time plus the baseline for the observers. After that, the pad is no longer retrievable by any third party. Since the pad itself is never transmitted, the risk of the OTP falling into the wrong hands is greatly reduced.

      This is, admittedly, much harder to set up, but I can easily imagine that this would be preferred at a listening post (especially remote ones) over quantum cryptography because it'll work over any distance provided the radio source is above the horizon to both observers at the time of interest.

      There may be other ways of independently synthesizing identical OTPs with minimal information needing to be exchanged to do so. Quantum Cryptography will, doubtless, eventually exceed even the theoretical best of such methods but at present I'm getting the feeling that QC is still too new and that there are too many glitches that haven't been ironed out.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  29. Re:pwned by Z00L00K · · Score: 1

    Which also means that it may end up being more predictable and sensitive to attack.

    As soon as a crypto is predictable the road left to crack a given message is shorter. Not that it's easy, it will still require some computing power.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  30. There's still better privacy by VincenzoRomano · · Score: 1

    Don't write or talk anything. None will intercept it.

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
    1. Re:There's still better privacy by John+Hasler · · Score: 1

      > Don't write or talk anything. None will intercept it.

      They are working on that...

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:There's still better privacy by ProgramErgoSum · · Score: 1

      I am not talking or writing but, I am 'thinking'. Perhaps, there is some work in progress there too. Ha ! But, I am dreaming. oh, that has been cracked by Dom and his team quite some time ago. http://en.wikipedia.org/wiki/Inception_(film)/

    3. Re:There's still better privacy by beschra · · Score: 1

      [curse you, comment parser! you won't let me post an empty reply!]

      --
      It is unwise to ascribe motive
  31. Obligatory by ewhenn · · Score: 1, Funny

    There is a crack, a crack in everything, that's how the light gets in.

  32. Can we get truth in advertizing? by BlueCoder · · Score: 1

    How about hacked quantum systems downgraded to std transmission?

    There was no hacking of quantum crypto here.

  33. Why 'hackers' and not 'researchers'? by RevWaldo · · Score: 5, Insightful

    Even respecting the working-all-day-and-night-in-the-basement-computer-lab origin of the term, using 'hacker' in the article seems like a blatant attempt to jazz it up, making it at first glance seem to be more about something akin to a bank heist than a story about funded researchers working in a university lab trying to find flaws in a security system, with the manufacturer's full approval to boot.

    .

    1. Re:Why 'hackers' and not 'researchers'? by Vadim+Makarov · · Score: 4, Interesting

      with the manufacturer's full approval to boot

      I'm not sure the manufacturers would approve the existence of our lab if they could dictate it. Thankfully we are independent and need not seek their approval. The manufacturers did appreciate responsible disclosure, though. I don't know how this hacking affects their business in the short term (may as well be detrimental to sales), even though it is surely good for business in the long term as it leads to more secure systems.

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
    2. Re:Why 'hackers' and not 'researchers'? by RevWaldo · · Score: 1

      (A reply from the man himself - Cheers!) I didn't intend to imply your lab was working for the manufacturers. There are certainly many manufacturers who do *not* encourage others to try and find flaws in their products, much less appreciate them for pointing them out; quite the opposite it usually seems. That's all I meant by your group having their "approval". (And by "funded" I meant as opposed to some guy in his garage figuring out how to jailbreak a smartphone.) I was more questioning the use of language in the article, but since your group uses the term hacking in reference to its own work it's probably fair for the writer to use it as well.

      .

  34. The USA Industry & Congress.... by OldHawk777 · · Score: 1

    The USA Defense Industry and Congress will write a law that will prevent anyone (except .Com, .Gov & .Mil) from criminally hacking qEncrypt, making USAll safe from Norwegian Hacker Scientist. Also, US, EU, RU, CN... people and governments will be happy to comply with more legal control.

    %~P=WeRFycked+*

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
  35. Re:pwned by Muad'Dave · · Score: 1

    Scotty: "The more complicated the plumbing, the easier it is to stop up the drain."

    --
    Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
  36. You'd think double would be enough by maweki · · Score: 1

    You'd think double would be enough

    1. Re:You'd think double would be enough by AbrasiveCat · · Score: 1

      Well, double for the military info. The bad guys would never figure out what we meant.

  37. Re:pwned by maxwell+demon · · Score: 5, Interesting

    Well, there are several points here:

    • Every cryptographic security is only up to possible bugs in the implementation (remember the Debian ssh problem?), so exactly 100% security is impossible. However, one difference between the classical and quantum case is that in the quantum case any possible exploit has to be "online" (i.e. you have to actually intercept the actual sent message and manage to manipulate the receiving system), while for classical key exchange the breaking can also be after the fact (i.e. if all you want is the exchanged information, you can passively record all data and then try to break it afterwards). This means that
      1. all communications performed before that exploit was found remains secure (unlike classical protocols where you only need the recorded data to apply any exploit), and
      2. since the attacker has to manipulate the systems during operation, as soon as the exploit is known you can take additional measures in order to detect it (e.g. in this case, I think it should be quite easy to detect a relatively strong laser which is continuously shining at the receiving device), thus detecting whether someone tries to exploit it (unlike classical systems, where you have no clue if someone tries to attack your cryptographic system). That is, instead of replacing your whole cryptographic infrastructure (which may be expensive), you can simply add detectors for the manipulation needed for the exploit, so that you only transmit confidential information in case the exploit isn't applied.
    • As the article mentions, the commercial systems add the quantum cryptography on top of the classical cryptography. So if the quantum cryptography is broken, you still have the security of the classical system. On the other hand, if the classical system used is broken (be it because the underlying cryptographic scheme is broken, or be it by exploiting a bug in the specific implementation) then you still have the security of the quantum cryptography.
    --
    The Tao of math: The numbers you can count are not the real numbers.
  38. Re:pwned by maxwell+demon · · Score: 1

    Actually, it should be quite easy to reveal that someone continuously shines a laser on your system. It's just that no one up to now thought about that possible attack vector, therefore no one tested for it. I'm pretty sure that future versions of the cryptographic device will detect that attack.

    Besides detecting the laser directly, maybe a strategy to prevent this type of attack would be to generate additional quantum signals for Bob's detector inside Bob's device and test that the detector correctly detects them (this would not only detect this specific attack, but any attack which turns Bob's detector into a classical one).

    --
    The Tao of math: The numbers you can count are not the real numbers.
  39. no trace by Anonymous Coward · · Score: 1, Funny

    'they have fully cracked their encryption keys, yet left no trace of the hack.'

    It is only because nobody recognized the couple of fins lying around as evidence.

  40. Tank by Anonymous Coward · · Score: 2, Funny

    Unfortunately, not everyone has the space required for an aquarium to contain the sharks with those fricken lasers.

  41. Quantum Key Generation by Doc+Ruby · · Score: 1

    I'm more interested in quantum computing to generate encryption keys that can't be broken by other quantum computing. Is there even a theoretical model for that?

    --
    make install -not war

  42. Also, trained to lie to torturers by davidwr · · Score: 1

    There are two other problems besides people with no information:

    - People who have been trained to resist torture long enough for their information to become useless.
    - People who have been trained to feed misinformation after "sufficient" torture so they sound credible.

    Offtopic for laughs:

    then torture is an element of a random story generator.

    So THAT'S how come the slush pile is so big!

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  43. Article Makes No Sense by SeekerDarksteel · · Score: 4, Interesting

    The article is either missing massive details or these researchers are vastly overstating the power of their technique. The entire _point_ of quantum key exchange is that if Eve intercepts the signal she cannot tell if she read a 0 or a 1 because she does not know which basis the 0 or 1 was generated in. Even IF Eve passed a 1 along every time she read a 1, when Alice and Bob go to do the basis comparison over the standard channel they will notice errors because Eve read the signal in the wrong basis and passed along an incorrect value.

    I've tried reading the actual journal paper, but unfortunately they just seem to handwave this problem away. Maybe there's a reason they can, but it's sure as hell not explained as far as I can see unless they're assuming Eve has also compromised the classical channel as well as the quantum channel.

    --
    The laws of probability forbid it!
    1. Re:Article Makes No Sense by Vadim+Makarov · · Score: 1

      As you correctly notice, Eve does not know Alice's basis and will half the time choose a wrong basis for measurement. We just bite the problem from the other end: we make sure Bob's basis always matches Eve's. Alice and Bob always compare their bases after the transmission and then discard the bits where their bases did not match. During this comparison all bits where Eve has chosen a wrong basis will be discarded. What remains in the key are the bits where Alice, Eve and Bob all have the same basis.

      We had to be a bit concise in the article because of Nature's 1500-word limit on the content, but I think we do explain the above :).

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
    2. Re:Article Makes No Sense by SeekerDarksteel · · Score: 1

      Ok, I must be missing how exactly you're controlling Bob's basis then. I guess that's what your blinding trick is supposed to be doing, but my physics is too weak to understand why. (I studied QC from a computer engineer standpoint, not a physics standpoint). My impression from the Nature article was that you could force Bob to see a 0 or a 1. If that's all you could do, then Eve's interference would have been detectable since she would have passed on bad bits when Alice and Bob's bases agreed but Eve's didn't.

      --
      The laws of probability forbid it!
    3. Re:Article Makes No Sense by Vadim+Makarov · · Score: 2, Informative

      Good. We are not controlling Bob's basis: he chooses his detection basis randomly. What we do is to send a bright-light state that does not cause a detection event if Bob chooses a basis not matching Alice's, but causes a detection event in a specific detector if Bob chooses the same basis as Eve. See figure 2 in the paper for illustration. Thus, half the time our bright-light state fails to induce any detection, which translates to just 50% detection efficiency. This would be a problem if Bob's photon detectors (unblinded, not under attack) were 100% efficient and the transmission fibre were lossless, which is however not the case. The photon detectors are normally only about 10% efficient, and there is typically a few dB loss in the fibre between Alice and Bob. Thus Eve can easily hide her 50% (in)efficiency in all practical cases.

      In schemes where Bob uses "passive basis choice" (not in commercial systems but in many research setups) we can choose the detection basis for Bob and have 100% click efficiency.

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
    4. Re:Article Makes No Sense by SeekerDarksteel · · Score: 1

      Ah, ok. That's making a lot more sense. It really didn't come across in the Nature article that way to me. But I guess that's scientific reporting for ya, :P

      --
      The laws of probability forbid it!
  44. Re:pwned by WED+Fan · · Score: 4, Interesting

    Why the GP was modded troll is beyond me. This is a "huge kick in the balls". Isn't the point of QC to make it easy to detect if someone has even listened in, let alone broken anything? I'd have to say that what it means is the current implementation of QC is an epic fail. Back to the old drawing board.

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
  45. Re:pwned by radtea · · Score: 1

    So it's really a design error on the device side, not a true hack in that quantum states were undisturbed regardless of reading them.

    Thanks for pointing that out! It makes the system so much more secure, knowing that...

    This is a "true hack" in the same way that the cost of sending a mission to Mars is a "real problem": scientists and engineers often want to simplify the world by restricting the domain of "real problems" to ones they know how to solve. But reality doesn't care about human domain boundaries.

    In this case, they have hacked the system, which has the effect of being able to read the communications that pass through it. No crypto system is more secure than the least secure channel, and they have demonstrated that even though part of the system is 100% secure the rest is pretty easily hackable. This will always be the case with quantum crypto so long as it has to interface with the classical world at some point.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  46. Re:pwned by nospam007 · · Score: 1

    Inigo:
    You keep using that word. I do not think it means what you think it means.

  47. Re:pwned by jonaskoelker · · Score: 1

    not a true hack in that quantum states were undisturbed regardless of reading them.

    Dammit, I had hoped to base my perpetuum mobile on these hackers' violation of the laws of physics :(

  48. 'invisible'? Is this science or marketing? by Anonymous Coward · · Score: 0

    Taking advantage of an implementation loophole isn't exactly 'invisible' (even given that they used quotation marks around 'invisible').

  49. Re:pwned by thoromyr · · Score: 1

    What struck me as significant was the summary states they hacked a commercial crypto system. In other words, the implication is that someone could buy this system and think they are secure, but they can still be invisibly and undetectably hacked. Undetectable by this system is what is important -- it doesn't matter to me if some *other* system can detect the hack if the one I'm *using* doesn't.

    Or to put it another way, a perfect encryption system has yet to be demonstrated. Vendors will still be happy to sell you their perfect system.

    Or to put it a third way, the difference between theory and practice is

  50. The Martin Hellman??? by colordev · · Score: 1

    Quantum computers will cripple 'his' PKI system, but now he got to announce the cripplement of quantum cryptography

  51. What flavors have the hackers copied? by celtic_hackr · · Score: 1

    I'm curious, how many flavors does this hack come in?

  52. Re:pwned by GameboyRMH · · Score: 2, Interesting

    This wouldn't even work if this quantum link weren't so simple. This system is at least as simple as a serial link, and what they've done is like unplugging that link from the intended recipient computer and plugging it into their own.

    It looks like the only real security in the system 100% depended on MITMs being impossible - which is still true (from what I understand) - they've just diverted the traffic altogether rather than doing a MITM.

    If there were any authentication involved or the data being sent was actually encrypted this would be a non-issue.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  53. Re:pwned by arose · · Score: 1

    One-time pad with a truly random key. Getting good entropy is a problem, but not a deal breaker. Key exchange is the weak point (quantum crypto is supposed to fix that, but who can afford dedicated, well guarded fiber from each location to each location? or have a working system for that matter...), but with multi-gigabyte MicroSD it is a realistic alternative to symmetric encryption for reasonably sized messages.

    --
    Analogies don't equal equalities, they are merely somewhat analogous.
  54. Re:pwned by arose · · Score: 1

    all communications performed before that exploit was found remains secure (unlike classical protocols where you only need the recorded data to apply any exploit)

    That isn't necessarily the case for side channel attacks, as the side channel to capture isn't known in advance of exploits. Similarly man in the middle attacks need to be live.

    --
    Analogies don't equal equalities, they are merely somewhat analogous.
  55. Re:pwned by alexborges · · Score: 1

    The thing is that in a good QCS, you should be able to tell if Eve is around. These guys did this without anyone noticing. Yes, it's an ugly hack, it does not change the beautiful math behind QC. But hell, last I checked, this is how cracking works.

    --
    NO SIG
  56. Re:pwned by BlackBloq · · Score: 1

    The only true way to secure a system is with a large data key that only exists offline. Would be cool if the key is generated by an offline "seeding" machine. I would "dock" all the systems in the same room and create at least 32GB keys and put them on super fast Compact flash cards. Different keysets for each computer. Systems that need to have a secure connection need the keys fedexed or brought by hand.

  57. Re:pwned by maxwell+demon · · Score: 1

    That's also not 100% secure. Are you 100% sure there's nobody at fedex who might open that fedex letter, copy the key, and then close the letter again? And sending a messenger isn't secure either: How do you know the messenger wasn't bribed by Eve to give her a copy of the key? Even if you personally go there, there may still be some vulnerability. E.g. if you can't go there in one day and sleep in a hotel, someone at the hotel might copy the key while you sleep.

    Yes, it's getting increasingly improbable, but the probability never goes to zero. On the other hand, costs go up, and as soon as the cost is larger than the cost of a stolen key, you'll simply not use that method.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  58. you forgot one important "if" by Anonymous Coward · · Score: 0

    You can make it easy. If you're willing to undergo an hour of torture without cracking then you can keep your secret key (if you have it).

    You forgot...

    "if you survive."

  59. Re:pwned by Peach+Rings · · Score: 1

    You mean with that caveat?

  60. Re:pwned by Vadim+Makarov · · Score: 1

    I'm not sure what your concern is, but this is not a man-in-the-middle attack. We do intercept-resend in the quantum channel (photons) but leave the classical channel alone, just listen to it. Of course Alice and Bob do authentication of the classical channel (this is a part of the QKD protocol), but that passes just fine as we do not alter the classical authenticated traffic.

    --
    17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
  61. So you exploited TWO flaws. by Ungrounded+Lightning · · Score: 1

    We are not controlling Bob's basis: he chooses his detection basis randomly. What we do is to send a bright-light state that does not cause a detection event if Bob chooses a basis not matching Alice's, but causes a detection event in a specific detector if Bob chooses the same basis as Eve.

    So you're actually exploiting the combination of TWO flaws:

      - One in Bob's detector - which you can get to efficiently mimic the reception you achieved despite your lack of knowledge of Bob's expected polarization.

      - One in the protocol - which has so much redundancy attempting to cover for far more than 50% bit loss - and for the receiver's own lack of synchronization with the transmitter's polarization basis selection - that you can discard half the bits due to your own wrong guesses and still echo enough bits to give Bob the information he needs to handshake with Alice and convince the pair of them that things are just fine.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:So you exploited TWO flaws. by Vadim+Makarov · · Score: 2, Informative

      Your first item is correct, however for the second one I think you need to study a good description of the QKD protocol.

      The QKD protocol is designed to cope with a huge bit loss, both due to detector inefficiency and the loss in the fiber line; in fact, in a typical setup only 1 in 1000 of Alice's photons may be detected by Bob. The loss in the line is the killer item: the best optical fiber has a loss of about 0.2 dB per km. This means over 50 km, nine out of ten photons sent by Alice will be lost. (In our attack Eve can just gain all this loss to her advantage, by placing her intercept unit close to Alice and getting all ten photons.) Other losses and inefficiencies come in addition to the line loss.

      The transmitter (Alice) and the receiver (Bob) cannot synchronize their basis selection in advance, but they have to choose them randomly and independently (so that Eve does not know either of the bases), otherwise QKD just cannot be secure. They synchronize the bases only after the photon transmission.

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
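      The basis sifting Vadim Makarov describes earlier in the thread and the loss budget in this reply (0.2 dB/km over 50 km, roughly 10% detector efficiency) in one small simulation. This is an added example, not code from the Nature paper or from either vendor; the efficiency and loss figures, the click rule of the blinded detector (it fires exactly when Bob's basis equals Eve's) and Eve sitting next to Alice are constructed assumptions. It compares an honest link, a plain intercept-resend attack, and the blinding attack after sifting.

```python
"""Toy BB84 model: fibre loss, basis sifting, intercept-resend vs blinding.
Added example, not the paper's or a vendor's code. Constructed assumptions:
10% detector efficiency, 0.2 dB/km fibre, 50 km link, blinded detector that
clicks iff Bob's basis == Eve's, Eve next to Alice catching every photon."""
import random


def fibre_transmittance(loss_db_per_km, length_km):
    """Fraction of photons surviving the span: 10 ** (-total_dB / 10)."""
    return 10 ** (-(loss_db_per_km * length_km) / 10)


def honest_click_probability(detector_eff=0.1, loss_db_per_km=0.2, length_km=50):
    """Per-pulse probability that Bob registers a click with no attacker."""
    return detector_eff * fibre_transmittance(loss_db_per_km, length_km)


def run_bb84(n_pulses, attack, rng, p_click=None):
    """Simulate n_pulses of BB84 plus sifting; attack is None,
    "intercept_resend" or "blinding". Returns click rate, sifted-key length,
    QBER and the fraction of sifted bits Eve's record matches."""
    p_click = honest_click_probability() if p_click is None else p_click
    clicks = sifted = errors = eve_hits = 0
    for _ in range(n_pulses):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        b_basis = rng.getrandbits(1)   # Bob picks independently every pulse
        eve_bit = None
        if attack is None:
            if rng.random() >= p_click:
                continue               # lost in fibre or missed by detector
            b_bit = a_bit if b_basis == a_basis else rng.getrandbits(1)
        else:
            e_basis = rng.getrandbits(1)
            eve_bit = a_bit if e_basis == a_basis else rng.getrandbits(1)
            if attack == "intercept_resend":
                # Eve re-emits a single photon; it still faces the fibre
                # loss and Bob's imperfect detector, and a basis mismatch
                # between Eve and Bob leaves a random (often wrong) bit.
                if rng.random() >= p_click:
                    continue
                b_bit = eve_bit if b_basis == e_basis else rng.getrandbits(1)
            else:  # "blinding"
                # Bright-light state: no click unless Bob's basis == Eve's,
                # then a click in exactly the detector for Eve's bit.
                if b_basis != e_basis:
                    continue
                # Eve sends only a fraction 2*p_click of pulses so the
                # resulting click rate (0.5 * 2*p_click) matches honest.
                if rng.random() >= 2 * p_click:
                    continue
                b_bit = eve_bit
        clicks += 1
        if a_basis != b_basis:
            continue                   # discarded in public basis comparison
        sifted += 1
        errors += a_bit != b_bit
        eve_hits += eve_bit == b_bit
    return {"click_rate": clicks / n_pulses, "sifted": sifted,
            "qber": errors / sifted if sifted else 0.0,
            "eve_fraction": eve_hits / sifted if sifted else 0.0}


def compare_attacks(n_pulses=400_000, seed=1):
    """Run the honest link and both attacks with the same seeded RNG."""
    return {name: run_bb84(n_pulses, name, random.Random(seed))
            for name in (None, "intercept_resend", "blinding")}


if __name__ == "__main__":
    for name, result in compare_attacks().items():
        print(name or "honest", result)
```

      Intercept-resend leaves about 25% errors in the sifted key, which the basis comparison exposes; the blinding run shows the same click rate as the honest link, zero errors, and Eve holding every sifted bit.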
    2. Re:So you exploited TWO flaws. by Ungrounded+Lightning · · Score: 1

      Thanks. (I figured that out after posting. B-b ).

      If I've got it correctly:

        - Normally Bob loses 50% of the bits by not being aligned with Alice.
        - Eve loses 50% of the bits by not being aligned with Alice, then
        - Bob loses 50% of the bits by not being aligned with Alice, but
        - The classical signal from Eve to Bob is strong and does not lose (a significant number of) bits in the Eve->Bob stretch of fiber. This (along with other allowances in the system for photon loss due to the weak single-photon nature of the quantum signal) makes up for the extra 50% (3dB) loss due to the extra stage of random choice of polarization alignment.

      So the weakness I perceived in the original signal's acceptance of a large amount of loss is actually also cracked by the classical-signal hack of the receiver to NOT trigger on a wrong-orientation signal, rather than being an inherent flaw in the cryptosystem if the detector were operating according to the assumptions.

      Have I got that right?

      (Also: I take it that having Eve send a handful of photons trying to make up for the extra 3dB of loss would be detected - when (unlike the hacked classical signal) Bob detected random junk when he and Eve had mismatched polarization?)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    3. Re:So you exploited TWO flaws. by Vadim+Makarov · · Score: 1

      Generally you're thinking along the right lines, but if this stuff makes you vibe so much I would recommend starting to read the original research literature at this point. J. Cryptology 5, 3 (1992) is a good starting paper, then you can move on to recent articles.

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
  62. Re:pwned by Ungrounded+Lightning · · Score: 1

    However, one difference between the classical and quantum case is that in the quantum case any possible exploit has to be "online" (i.e. you have to actually intercept the actual sent message and manage to manipulate the receiving system), while for classical key exchange the breaking can also be after the fact (i.e. if all you want is the exchanged information, you can passively record all data and then try to break it afterwards).

    But note that these systems only use quantum encryption to perform a key exchange (generation of a shared secret key). The actual data exchanges are then done using the shared session key and ordinary cryptography. Thus the data exchange can be recorded for later attack on the ordinary cryptosystem. The quantum system (provided it is working correctly) just assures that the shared key has to be found by cyphertext analysis and/or guessing, rather than non-real-time compromise of the key exchange itself.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  63. Re:pwned by maxwell+demon · · Score: 1

    But the quantum-generated key is used as a one-time pad, which is provably secure as long as the key isn't revealed. At least that's how it is supposed to be done (I don't know the specific device, but I can't imagine them doing it differently).

    --
    The Tao of math: The numbers you can count are not the real numbers.