Hackers Eavesdrop On Quantum Crypto With Lasers

Martin Hellman writes "According to an article in Nature magazine, quantum hackers have performed the first 'invisible' attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission —' they have fully cracked their encryption keys, yet left no trace of the hack.'"

Re:pwned

[neumayr]

Not really. From the article:

"We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing," says Makarov.

Re:pwned

[yahwotqa]

From TFA:

Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it.

So, I guess the encryption system used here isn't really "quantum", since above doesn't apply, is it?

It seems that you could detect this

[MichaelSmith]

Eve gets round this constraint by 'blinding' Bob's detector — shining a continuous, 1-milliwatt laser at it.

So Bob could just detect the blinding signal and stop transmitting.

Re:It seems that you could detect this

[PseudonymousBraveguy]

Yes, and if I understand the article correctly, the manufacturers developped a patch to fix the hole.

However, the hack shows (once again), that a system may be secure in theory, but actual implementations of that system may, and will, have bugs that render them insecure. This negates one of the most strong arguments for quantum crypto, i.e. the "proveable" security. If that argument does not hold, you could as well use any common "classical" key exchange algorithm, which also delivers "good, but not 100%" practical security, does not need fixed point-to-point fiber and expensive equipment, and is probably much better tested than the quantum systems.

Re:It seems that you could detect this

[PseudonymousBraveguy]

No it doesn't – it just makes the software more expensive to write. It's entirely possible to write software that has key properties proved to be correct and bug free,

It's not only the software. There's a lot of hardware involved, most of which could have bugs of some kind (e.g. for this hack you'd have to prove that your sensor can reliably detect that it's still in "quantum mode"). And after you have proven a lot of properties off all your hard- and software, you'll have to prove that all those properties are actually sufficient for achieving perfect security.

Re:It seems that you could detect this

[PseudonymousBraveguy]

Actually quantum crypto requires Bob to communicate with Alice over an authenticated channel anyways (e.g. to check which polarisation filter was used for each measurement, and to check for eavesdropper). This channel can trivially be used to signal failures and/or attacs. (However, quantum crypto does not tell you where to find a perfectly secure authenticated channel)

So OK...

[hyades1]

...maybe they've cracked it in this universe, but what about all the others?

Re:So OK...

[thijsh]

I would take a look, but I'm too afraid I'll kill the cat... And you all know how much Slashdot-geeks love that inter-dimensional pussy.

Re:Lessons

[neumayr]

The underlying principle still is valid, those people exploited a technical loophole - in a process that's part of

[..] years of dedicated effort in an open environment.

Re:pwned

[Unipuma]

If you read the article, you'll notice that the 'hack' is a classic man in the middle attack, and the receiving end can receive both classic and quantum messages. The man in the middle (after reading the quantum message) passes it on as a classic message, and the receiving device does not give a warning that the message received is a classic message, instead of a quantum message.

So it's really an design error on the device side, not a true hack in that quantum states were undisturbed regardless of reading them.

not really that bad

[mogness]

The problem isn't really with quantum encryption, it's with the technical implementation. And anyway, according to the article, they've already figured out a way to detect the hack and defeat it, so it's still pretty solid.

Makorov informed both companies of the details of the hack before publishing, so that patches could made, avoiding any possible security risk.

Re:not really that bad

[DrXym]

"And anyway, according to the article, they've already figured out a way to detect the hack and defeat it, so it's still pretty solid."

if (continuousLaserBeam) hack = true;

Re:not really that bad

[boxwood]

Yeah the good guys inform the company of the hack. The question is how many bad guys were aware of this before now, and for how long?

It took these guys two months in a university lab to figure this out. How long do you suppose it took the NSA (and their counterparts in other countries) who have much bigger budgets?

This research proves that if you're using these devices, the NSA has your data.

Re:pwned

[PseudonymousBraveguy]

No, it IS a huge problem. If you turn a quantum computing system into a classical system, you basically revert it to sending the key in plaintext. While it does not break the theory of quantum encryption, breaking all (commonly) available implementations of quantum crypto should be enough to be qualified as "huge kick in the balls".

Description of the hack by its authors

[romiz]

There are some photographs of the hacked hardware and the hacking tools on the page of the researchers.

Quantum is for Quacks

This is what you get when even educated men can't make sense of your technology.

Pretty obvious now we need to return to traditional cryptosystems such as rot13 etc.
Arguably not the most secure, but it is efficient. And for military use, where security
requirements are higher, triple-rot13 is an option.

Commercial Systems

[iYk6]

I was surprised to discover that there were commercial systems of quantum cryptography. Quantum cryptography is academic at this point. It is not as strong as old fashioned cryptography (like AES) and is much more expensive. Then I realized that there is no reason that someone can't use both. It would be pretty ridiculous if someone were using quantum cryptography as their only security, and not encrypting the data first with old fashioned cryptography.

Re:Commercial Systems

[PseudonymousBraveguy]

Quantum cryptography is academic at this point. It is not as strong as old fashioned cryptography (like AES) and is much more expensive. Then I realized that there is no reason that someone can't use both.

Quantum crypto (at this point) is a key exchange mechanism. Thus, it doesn't compare to AES at all. You HAVE to use quantum crypto together with a classical exncryption algorithm. However, if you use quantom crypto you care about 100% theoretical security. Else you would simply use DH or any other well-known classical key exchange. And if you care about 100% theoretical security, there is no alternative to OTP.

Re:Commercial Systems

[KiloByte]

Except that to be able to use quantum crypto at all, you need to provide a physical way to pass the quantum state. And with that requirement, why won't you just pass the key the good old fashioned way? Strictly more secure, and much cheaper.

Re:Commercial Systems

[julesh]

Except that to be able to use quantum crypto at all, you need to provide a physical way to pass the quantum state. And with that requirement, why won't you just pass the key the good old fashioned way? Strictly more secure, and much cheaper.

More secure? Hardly. All you have to do is eavesdrop on the key exchange and you have the key. In a real world scenario, typically this means bribing a few security guards, breaking into one of the communicators' homes or offices and retrieving the key from their computer, or intercepting a message sent over a physical line, probably encrypted via a non-100%-reliable cryptographic system, with the (at least) theoretical possibility that the encryption on the key exchange can be broken.

In a properly implemented quantum crypto system, this is theoretically impossible: the key passes directly from one endpoint to the other, and any interference between the two is easily detectable. It isn't stored for longer than the message takes to be sent, so breaking in to retrieve it is impractical. Done properly, the quantum crypto system is as secure as it is possible to be. As it happens, the system here was not done properly; it failed to detect interference on the line (and as ability to detect interference is, essentially, the point of quantum crypto, this is bad news).

Re:Commercial Systems

In a real world scenario, typically this means bribing a few security guards, breaking into one of the communicators' homes or offices and retrieving the key from their computer, or intercepting a message sent over a physical line

Using the old fashioned way, you divide the key into 5 or 6 pieces before it leaves the cryptosystem, you distribute responsibility of the pieces. The pieces are stored on devices, and given to guards.

The guards have physical possession of the devices, but not the PIN number for that piece.

None of the pieces assist in reassembling the key without all other pieces present.

Key pieces are not brought back together until brought to the destination system's crypto module.

Nothing other than dedicated crypto modules ever have access to the key for securing your initial key exchange, and these get kept locked up.

Security guards protect physical access to the communication endpoints, but do not possess the credentials to activate them; plus multiple combinations and keys are required to even open the safe with any hardware required for securing further key exchanges.

You can perform key rollovers whether you use quantum or traditional crypto. You transmit the new public key digitally signed with the old private key, over a message encrypted with the current session key.

Then you transmit the new symmetric key, encrypted with the peer's new public key, in a message encrypted with the current symmetric key.

If your adversary can compromise crypto equipment under high security, quantum crypto won't protect you.

The benefits of quantum crypto are mostly theoretical.

However, obviously someone believes the technology is more proven than it is, as they're trying to base commercial systems on the promise.

If they are relying on quantum key exchange as their only security of the key exchange, at this point, they are foolish.

a kick in the balls

[davidwr]

A kick in the balls (breaking all current implementations) is not the same as cutting them out and mounting them in a trophy case (proving there can be no secure implementation).

Either one hurts though.

alice and bob

[brainscauseminds]

Poor Alice and Bob, they do not have a chance ever to live normal lives without hordes of geeky cryptographers debating/fighting over every bloody bit they exchange.

Why 'hackers' and not 'researchers'?

[RevWaldo]

Even respecting the working-all-day-and-night-in-the-basement-computer-lab origin of the term, using 'hacker' in the article seems like a blatant attempt to jazz it up, making it at first glance seem to be more about something akin to bank heist than a story about funded researches working in a university lab trying to find flaws in a security system, with the manufacturer's full approval to boot.

.

Re:Why 'hackers' and not 'researchers'?

[Vadim+Makarov]

with the manufacturer's full approval to boot

I'm not sure the manufacturers would approve the existence of our lab if they could dictate it. Thankfully we are independent and need not seek their approval. The manufacturers did appreciate responsible disclosure, though. I don't know how this hacking affects their business in the short term (may as well be detrimental to sales), even though it is surely good for business in the long term as it leads to more secure systems.

Re:pwned

[maxwell+demon]

Well, there are several points here:

• Every cryptographic security is only up to possible bugs in the implementation (remember the Debian ssh problem?), so exactly 100% security is impossible. However, one difference betweeen the classical and quantum case is that in the quantum case any possible exploit has to be "online" (i.e. you have to actually intercept the actual sent message and manage to manipulate the receiving system), while for classical key exchange the breaking can also be after the fact (i.e. if all you want is the exchanged information, you can passively record all data and then try to break it afterwards). This means that
  1. all communications performed before that exploit was found remains secure (unlike classical protocols where you only need the recorded data to apply any exploit), and
  2. since the attacker has to manipulate the systems during operation, as soon the exploit is known you can take additional measures in order to detect it (e.g. in this case, I think it should be quite easy to detect a relatively strong laser which is continuously shining at the receiving device), thus detecting whether someone tries to exploit it (unlike classical systems, where you have no clue if someone tries to attack your cryptographic system). That is, instead of replacing your whole cryptographic infrastructure (which may be expensive), you can simply add detectors for the manipulation needed for the exploit, so that you only transmit confidential information in case the exploit isn't applied.
• As the article mentions, the commercial systems add the quantum cryptography on top of the classical cryptography. So if the quantum cryptography is broken, you still have the security of the classical system. On the other hand, if the classical system used is broken (be it because the underlying cryptographic scheme is broken, or be it by exploiting a bug in the specific implementation) then you still have the security of the quantum cryptography.

Re:Well, there's always the "Gitmo" attack

[tibit]

You would be right if you weren't so wrong :(

The problem with torture is that it has a way of making up information where there is none. If you're convinced your guy has the information, but he doesn't, then torture is an element of a random story generator. And there's pretty much no way of telling the quality of information that you receive.

Case in point: I think that a big problem with some Gitmo inmates is that they were set up by bounty hunters, and they are simply wrong people in a wrong place at the wrong time. Torture is useless here, because they know nothing in the first place, and the "solid information" they provide is solidly random, if that.

Tank

Unfortunately, not everyone has the space required for an aquarium to contain the sharks with those fricken lasers.

Re:Lessons

[Interoperable]

It's a pretty damn big loophole. They used a 1 mW beam which is about as powerful as a laser pointer. That's many orders of magnitude larger than a single-photon level signal and should be very easy to detect. Not noticing a milliwatt of light hitting the detector in a quantum scheme is something like leaving a key written in plain text on a sticky note on your monitor and being shocked when your key is "hacked."

Article Makes No Sense

[SeekerDarksteel]

The article is either missing massive details or these researchers are vastly overstating the power of their technique. The entire _point_ of quantum key exchange is that if Eve intercepts the signal she cannot tell if she read a 0 or a 1 because she does not know which basis the 0 or 1 was generated in. Even IF Eve passed a 1 along every time she read a 1, when Alice and Bob go to do the basis comparison over the standard channel they will notice errors because Eve read the signal in the wrong basis and passed along an incorrect value.

I've tried reading the actual journal paper, but unfortunately they just seem to handwave this problem away. Maybe there's a reason they can, but its sure as hell not explained as far as I can see unless they're assuming Eve has also compromised the classical channel as well as the quantum channel.

Re:Article Makes No Sense

[Vadim+Makarov]

Good. We are not controlling Bob's basis: he chooses his detection basis randomly. What we do is to send a bright-light state that does not cause a detection event if Bob chooses a basis not matching Alice's, but causes a detection event in a specific detector if Bob chooses the same basis as Eve. See figure 2 in the paper for illustration. Thus, half the time our bright-light state failes to induce any detection, which translates to just 50% detection efficiency. This would be a problem if Bob's photon detectors (unblinded, not under attack) were 100% efficient and the transmission fibre were lossless, which is however not the case. The photon detectors are normally only about 10% efficient, and there is typically a few dB loss in the fibre between Alice and Bob. Thus Eve can easily hide her 50% (in)efficiency in all practical cases.

In schemes where Bob uses "passive basis choice" (not in commercial systems but in many research setups) we can choose the detection basis for Bob and have 100% click efficiency.

Re:pwned

[WED+Fan]

Why the GP was modded troll is beyond me. This is a "huge kick in the balls". Isn't the point of QC to make it easy to detect if someone has even listened in, let alone broken anything? I'd have to say that what it means is the current implementation of QC is an epic fail. Back to the old drawing board.

Re:pwned

[GameboyRMH]

This wouldn't even work if this quantum link weren't so simple. This system is at least as simple as a serial link, and what they've done is like unplugging that link from the intended recipient computer and plugging it into their own.

It looks like the only real security in the system 100% depended on MITMs being impossible - which is still true (from what I understand) - they've just diverted the traffic altogether rather than doing a MITM.

If there were any authentication involved or the data being sent was actually encrypted this would be a non-issue.

Re:Well, there's always the "Gitmo" attack

[tibit]

Logic whoosh.

No matter how uneasy, not-quick and not-cheap the torture is, you won't get information that isn't there. That's all I claim, yet you somehow feel the need to muddy the waters.

I'm very clear: I claim that there is/was a bunch of people in Gitmo who in fact know nothing, and who are held solely on an informant's paid (in money or in kind) claim that they, to the contrary, do know something.

You can have $1 billion per detainee and use all the tricks that anyone knows, or had known (think ancient tribes who maybe had better/other tricks we haven't found yet) -- if the detainee doesn't know, you won't get to know either. You may kill the detainee, break the bank, go insane, what the eff ever. The only way to get the information you seek is if the detainee has infinite lifetime, and he/she starts enumerating all possible stories. By the infinite monkey theorem, you will get what you're looking for, but it's hard to say whether it'll happen before our Universe dies a heat death.

If you argue otherwise, you should hand your geek card back.

Re:So you exploited TWO flaws.

[Vadim+Makarov]

Your first item is correct, however for the second one I think you need to study a good description of the QKD protocol.

The QKD protocol is designed to cope with a huge bit loss, both due to detector inefficiency and the loss in the fiber line; in fact, in a typical setup only 1 in 1000 Alice's photon's may be detected by Bob. The loss in the line is the killer item: the best optical fiber is has loss about 0.2 dB per km. This means over 50 km, nine out of ten photons sent by Alice will be lost. (In our attack Eve can just gain all this loss to her advantage, by placing her intercept unit close to Alice and getting all ten photons.) Other losses and inefficiencies come in addition to the line loss.

The transmitter (Alice) and the receiver (Bob) cannot synchronize their basis selection in advance, but they have to choose them randomly and independently (so that Eve does not know either if the bases), otherwise QKD just cannot be secure. They synchronize the bases only after the photon transmission.